October 13,
2015
What Social Media Activity Tells a Trained Forensic Examiner
For better
or for worse, social media has become a driving force in many aspects of our
lives. It helps individuals stay in
touch with friends, relatives, former classmates and other acquaintances. It also helps business drive users to
websites, advertise and (hopefully) generate revenue. Heck, even this little ole blog gets posted
across multiple social media platforms to help generate "buzz" for a
startup digital forensic consulting business.
But what value does that social media activity have when conducting
investigations? What can the social
media data tell a trained digital forensic examiner?
This subject
is yet another where I'll emphasize the value of possessing honed investigative
skills in addition to being a practicing, competent, trained forensic
examiner. The basis of how to conduct
investigations involving social media, web activity or other electronically
stored information (ESI) or even simply basic online investigations, comes
through training and experience. Through
the Internet Crimes Against Children
(ICAC) Task Force, I was trained how to effectively track down people and
gather intelligence online, mostly without their knowledge. This served me quite well in law enforcement
and now serves me well in private investigations. But taking that training a
step further into the findings of a digital forensic examination, we can incorporate
that training and experience to dig even deeper to find out what the user(s)
may be doing online.
As an
example, we'll use the current “flagship” of social media, Facebook. Facebook has revolutionized how people stay
in touch and they are constantly evolving the offerings they put forth. What was once an online yearbook for college
students has now become a multi-billion dollar mega online conglomerate of
services. Over time, users have gained
the ability to search for other users, chat with other users, send links,
videos, pictures and now even voice messages.
And the best part is, most or all of this data is available to us when
we get ahold of your computer and/or mobile device. Because Facebook is so ubiquitous across the
user spectrum, almost everyone has an account, which means there's social media
evidence almost everywhere.
And the
great thing about social media is, it's tailor-made for us by us. We choose who we want to be
"friends" with. We decide who
to communicate with and for what purpose(s).
We seek out and "follow" or "like" different social
causes, businesses, political candidates, entertainers... the number and scope
of what we can tell the social media world about ourselves is virtually
boundless. Most social media users don't
give much thought to the fact that they are sacrificing personal information security
when they follow these things, too.
So when we
conduct a digital forensic investigation, we’re looking for clues about all of
these things. If the case involves a
subject suspected of infidelity, perhaps they were using Facebook messenger to
send messages to their paramour instead of regular text or email. And even if they were somewhat clever and
never became "friends" with the other party on Facebook, the account
information for the other user is recoverable and will lead right back to that
person almost instantly. In the case of
a law enforcement agent investigating someone suspected of having terrorist
ties, perhaps they "liked" or followed anarchist, hate or radical
religious groups. With tools that
specialize in extracting and reporting this information like Magnet Forensics Internet Evidence
Finder, the forensic evidence in these cases becomes vital to painting the
picture of the truth. The best thing for
us in the digital age is, if there's any digital evidence of it, we'll probably
find it.
And while Facebook
is a good example, the potential for valuable evidence doesn't end there. Twitter, Tindr, Snap Chat, Linked In... they
all provide valuable pieces of information by way of personal and/or
professional interests, potential romantic relationships, life events and
random online rants (which happen more often than you might think). One final point that should not be overlooked
is the responsibility of the investigator and/or examiner to stay abreast of
the changes in social media. Like with
most things in the digital age, social media is ever-changing. It’s a competitive market and their challenge
is to gain new users while still maintaining a certain level of service and
user expectation, lest they become MySpace.
But the investigators and forensic examiners have to stay up with these
changes to be able to consistently deliver quality service. Is it time-consuming? You bet!
But it’s also extremely important to successful, accurate
investigations.
Regardless
of the platform, social media really does intertwine into all of our
lives. Because of that, it becomes a
virtual mountain of valuable personal information that a digital forensic
examiner and investigator can use to help find the truth. Now go search for it!
Author:
Patrick J.
Siewert, SCERS, BCERT, LCE
Principal
Consultant
Professional
Digital Forensic Consulting, LLC
Based in
Richmond, Virginia
Available
Globally
About the Author:
Patrick Siewert is the Principal
Consultant of Pro Digital Forensic Consulting, based in Richmond,
Virginia. In 15 years of law
enforcement, he investigated hundreds of high-tech crimes, incorporating
digital forensics into the investigations, and was responsible for
investigating some of the highest jury and plea bargain child exploitation
cases in Virginia court history. A
graduate of both SCERS and BCERT (among others), Siewert continues to hone his
digital forensic expertise in the private sector while growing his consulting
business marketed toward litigators, professional investigators and
corporations.
