The information within social media accounts can be a treasure trove for litigation or corporate investigation, but there are challenges to its forensic preservation. This paper outlines the capabilities of some industry-standard tools as well as considerations for social media collection, preservation and investigation. Overall, know that the market and social media software change rapidly enough that industry-standard tools can work one day but not the next; client and vendor expectations should adjust accordingly.
What Kind of Information is Available?
This is often the first question from those wanting to collect from social media, and the answer depends almost entirely on the type of social media platform; commonly requested platforms include Facebook, Twitter, Instagram, Google, Snapchat, and WhatsApp. Examples include a user's friends, the people they communicate with, timelines of activity, comments, the people they follow, posted images and, sometimes, location information. Generally, deleted material is not available since there is no actual device being forensically collected (data is stored in the cloud). The data is presented to users and the public through the software portal, but it is not on a device such as a cell phone that can be forensically collected in a bit-by-bit manner. The timeline of information that is available also varies by social media type.
New social media platforms and tools arrive frequently, and changes to the programs mean collection software may not work as it did in the recent past. For instance, Facebook has recently changed its privacy settings, and those changes or future ones can make it less likely that information will be found.
What Platforms Are Used?
Figuring out which social media platforms a user has is surprisingly difficult. If it's a case where the collection is “friendly” (i.e., the user knows it is being done and can provide credentials), this is not an issue. Otherwise, some social media use can be derived from a forensic search of the internet history on their computer or a forensic collection of their cell phone or other mobile devices. From there, determining usernames for their social media profiles is another area of difficulty.
Type of Searching
One of the key aspects of social media collection is whether it is performed using the actual user credentials or by searching only the public-facing material from a social media site. Less information is available from public-facing searches, but getting the user credentials can be a stumbling block depending on the case. With credentialed searching, each platform has its own guidelines for how its data can be collected; some have their own built-in tool (Facebook, Google) that will let you export information, and others require you to use a third-party approach (Instagram, Twitter).
What Do Collection Results Look Like?
The reports provided by social media collection tools are often comprehensive, which has advantages and disadvantages. One of the benefits of performing a social media collection is the ability to search large swathes of information from a platform, which may not be easily accomplished within the platform itself (i.e., Twitter). Indeed, in a recent case, a collection was used to find evidence that an employee had undergone a safety training course, which was a key point in their involvement in an on-the-job accident. Simply searching their feed had proven to be very difficult, but using the collection tool, performing the search and inputting those results into a review tool provided photographs and evidence of the employee's tweets while at the training.
The disadvantage of such comprehensive reports is the difficulty of finding key information: the reports must be made searchable and usable. Know that the reports that come from these collection tools are large and may require assistance to interpret and search. Loading this information into a review tool may be the best option.
In some cases, it may not be possible to collect using a forensics tool. Certain browsers have plugins that will scroll the page and save it as an image, a PDF or raw HTML. While not ideal, these tools do show what someone saw at that particular time. It is critical to put these results into some kind of forensics container to be secured and to have someone independently verify the content of a page.
If at all possible, using forensics tools is recommended in order to prevent alteration of data (intentionally or otherwise). Social media and webpages are easily altered prior to collection using simple free tools, and examples of this abound on the internet.
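One way to secure browser captures and let a second person verify them independently, shown as an added example that is not from the original paper: hash every captured file into a manifest at collection time, then re-check the folder against that manifest later. The file names, examiner name and URL below are constructed sample values.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(capture_dir, examiner, source_url):
    """Record size and SHA-256 for every file in the capture folder."""
    root = Path(capture_dir)
    entries = [{"file": p.relative_to(root).as_posix(),
                "bytes": p.stat().st_size,
                "sha256": sha256_file(p)}
               for p in sorted(root.rglob("*")) if p.is_file()]
    return {"examiner": examiner, "source_url": source_url,
            "hashed_utc": datetime.now(timezone.utc).isoformat(),
            "entries": entries}

def verify_manifest(capture_dir, manifest):
    """Return (file, problem) pairs for anything missing, altered or added."""
    root, problems, known = Path(capture_dir), [], set()
    for e in manifest["entries"]:
        known.add(e["file"])
        p = root / e["file"]
        if not p.is_file():
            problems.append((e["file"], "missing"))
        elif sha256_file(p) != e["sha256"]:
            problems.append((e["file"], "altered"))
    for p in sorted(root.rglob("*")):
        rel = p.relative_to(root).as_posix()
        if p.is_file() and rel not in known:
            problems.append((rel, "added"))
    return problems

def demo():
    # Constructed stand-ins for a saved page (raw HTML plus a screenshot).
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "profile.html").write_text("<html>post: at safety training</html>")
        (root / "profile.png").write_bytes(b"\x89PNG constructed sample bytes")
        manifest = build_manifest(root, "Examiner A", "https://social.example/user")
        clean = verify_manifest(root, manifest)
        # Simulate tampering after collection: edit one file, add another.
        (root / "profile.html").write_text("<html>post: edited later</html>")
        (root / "extra.pdf").write_bytes(b"%PDF constructed")
        return clean, verify_manifest(root, manifest)
```

Keep the manifest outside the capture folder, for example with the case notes, so the independent reviewer checks the captures against a record the collector can no longer change.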
Social media provides incredible insight into user activity but there are challenges to collecting, preserving, investigating, and interpreting this information. Using forensically sound tools and techniques is critical for information intended to be used in litigation.