At the dawn of the digital age, social media was identified as a key source of evidence in digital investigations. While social media evidence has many benefits for criminal investigations, it can also be hugely beneficial to the corporate sector for internal investigations, employee background checks or risk management/mitigation. With the world now at your fingertips, social media has completely transformed the way we communicate and, consequently, the way forensic analysts conduct investigations.
We caught up with Rick Yeomans, Cyber Incident Response specialist at IntaForensics, to discuss how social media evidence capture and usage analysis can be built into a digital investigation, and how innovative approaches can be utilised when a digital device has not been seized.
How can social media be used in digital forensic investigations?
“The world is your oyster! The main criterion, although it is not always mandatory, is to have a device from which you can extract information. A typical example is a smartphone with all of the social media applications such as Facebook, Twitter, Instagram and more.
“That said, it’s not always possible to take possession of a device, so there has to be other means of conducting your analysis. This is typically true for cases of the ‘he said she said’ types of arguments where the police have been called to a minor disturbance.
“It doesn’t warrant seizing a device in this instance, but the police officer on the ground may elect to take some screenshots of a mobile phone for example. Technically it is digital evidence but how valid that would be in a court of law, should the case progress that far, is open to debate. It is still digital evidence nonetheless; despite the fact we haven’t obtained the actual device.”
In what types of cases are digital forensics and social media evidence used?
“I worked on an investigation some years ago concerning the dating app Grindr. We didn’t have any devices at our disposal at all; the investigation merely revolved around how Grindr worked as an application. We were trying to work out whether the user’s use of the app fitted the version of events provided to us.
“The defendant we were representing was accused of inappropriately touching a minor, but it turned out that the victim was attempting to extort money from the defendant so it wasn’t quite so clear cut. There were no devices to analyse, but we had to look at how Grindr worked to support the defence case. Despite the lack of physical evidence, we were still able to prove the case from our analysis. It consisted of myself and some colleagues using Grindr to figure out how it worked and the implications it had for the sequence of events put forward by the Prosecution and Defence cases.
“This case just goes to show that we don’t always require a physical device to extract from in order to obtain the information we need.”
Is it considerably more difficult when you don’t have a physical device in front of you?
“It depends which way you look at it. It could be considered easier because what you are putting forward is purely theoretical and leaves little room for interpretation or critique. The findings are based upon our experience and we are not reliant upon the interpretation of third parties.
“It can be thought of as easier to look at how a piece of software operates as opposed to analysing a physical or logical extraction of the data from a device. With a physical or logical extraction from a mobile device you could miss a vital piece of data and the next train of thought could be ‘well, what else could we potentially have missed?’
“With a physical or logical extraction you have to remember that it’s real data that you’re dealing with, so you have to be mindful of where it goes and what you are doing with it in a legal sense.”
What information can be recovered with digital forensics?
“The actual extraction process can itself sometimes cause issues, such as whether or not the data is password protected or if the device is broken. If a device is broken, our internal investigators can often conduct repairs before data extraction takes place, but this can in turn open up further legal issues and challenges regarding whether a forensically sound process has been used.
“Ultimately, once we can access the data, we generate a report to analyse what information is present before us. Technology has come a long way and you may be surprised to hear how much data is now available for analysis.
“We can look at conversations and this includes information that has been recovered from social media such as WhatsApp. This is often of value to the case when we’re conducting our investigations for clients.
“In some cases, we may also be given access to cell tower and location information which may be of relevance to a case. It could tell you where a device has been and where a person may have been travelling within a local vicinity. However, Cell Site Analysis doesn’t hold up particularly well in isolation and you always need another piece of evidence to corroborate it. Location data from smartphones has its own accuracy issues: although it may include GPS locations, it also relies upon cell tower, cell site and Wi-Fi networks – all of which have varying degrees of accuracy that can be associated with them.
“It also depends upon who you are working for. If you’re working for the prosecution, they will be seeking information that is as accurate as possible, whereas for defence work, anything to introduce an element of doubt as to the accuracy of the evidence will be useful. It is therefore vital that IntaForensics remain impartial and provide evidence that is properly explained to allow either side to draw their conclusions.
“Location information is often of some interest, particularly if you’re presented with a specific sequence of events or travel over a wide area. However, content from conversations and chat messages may provide useful evidence to corroborate the location data.”
What are some of the lesser-known aspects of digital forensics?
“The software that we use can also highlight images that it comes across, extracting them and presenting them to us in a gallery view rather like viewing the results of an image search in Google.
“The ‘real’ images would typically be gathered in the camera roll of the device, but the pictures that you’re seeing when you are looking at your camera roll are thumbnail images that the device has generated – they are smaller representations as opposed to the original images.
“If you delete the ‘real’ image, it may disappear from your camera roll, but it is possibly only the entry in the database that controls your camera roll that has been deleted. What this means ultimately is that the thumbnail image may still exist.
“If the image subsequently became important in legal proceedings, we may be able to say that, although we didn’t find the original image, we did find the thumbnail file which is an indication that the picture may have been there at some stage on the given device.
“Then we can start looking at other things such as log entries for the record of a picture being sent or received on a particular date. This is the case for pictures that are received via emails, MMS messages, SMS messages and so forth.
“In the context of searched items on a device, if we were seeking evidence of a person looking for drugs paraphernalia, the searched items could provide you with a list of relevant search terms entered by the user. As such, digital forensics can regularly be a rich and lucrative form of information.”
What are the legal and ethical issues associated with this type of investigation?
“When working on civil cases in particular, the expert may be restricted in what they can and can’t look for. There is also Legal and Professional Privilege material to take into consideration as well.
“At the point of extracting information from a phone or an image from a computer, we can’t usually be too selective. We have to extract the data as an evidence file or container file that contains everything that could have possibly been pulled from the device.
“What we will disclose can be limited by the interested parties. If it’s a civil case that we’re working on it will have been legally agreed before disclosure, and it should be sanitised before it gets disclosed in public court.
“With criminal cases, data devices are covered by RIPA and other legislation. One of the RIPA clauses is proportionality, so one might argue that looking through messages when you are looking for images in particular could be outside the bounds of proportionality – but generally, at this time, this doesn’t feature as much in criminal cases as it does in private cases.
“Although if you considered yourself a victim then there could be things on your device that you don’t want exposed in the public sphere. However, the defence could argue that they have the right to view the content as well, so it’s quite complicated and such issues can often rear their ugly head.”
Can evidence ever really be deleted?
“It really depends on a few different factors. If you have deleted something, it depends upon what device it is, whether or not it is an encrypted device… in which case if it’s an encrypted device and you have deleted a large image, the chances are it’s irretrievable. But we may be able to recover something relevant, you just never know until you start looking.
“We might get lucky and still retrieve the thumbnail image even if the main image has been deleted. Going back to what we discussed previously, what has been deleted may only be the database entry that referred to that image, but there’s a possibility that we can still retrieve the image itself, or a thumbnail representation.
“Over time as you use the device, new data overrides other existing data; the longer this process goes on, the higher the chance of the deleted data being totally irrecoverable.
“Generally speaking, it depends on the type of device, the use it has been put to and how long it has been since the data was deleted. That being said, sometimes we do get some fantastic results from our investigations.”
IntaForensics provides a comprehensive range of digital forensic services to support criminal investigations and civil litigation.
Our investigators and social media experts have a vast amount of knowledge around digital media investigations involving social media applications and are able to provide expert advice in this complex area. We boast a team of 50 cyber security and digital forensic experts and a growing market presence.
Quality underpins everything we do and we are proud to be UKAS 17025:2017 accredited and ISO/IEC 27001:2013, ISO 9001:2015 and ISO 14001:2015 certified.