1. Informatics Engineering Study Program
Faculty of Engineering – Universitas Surabaya
Social Media Forensics
2. Social Media Evidence: What you put on
Facebook or Instagram or Twitter or Youtube?
8. Facebook Produces Evidence
• Party Admissions – What Facebook data?
– Posts, E-mail, Friends
• State of Mind – What Facebook data?
– Status Updates
• Witness Credibility - What Facebook data?
– Posts, E-mail, Places, Friends, Contact Info
• Witness Character - What Facebook data?
– Photos, Videos, Likes, Apps
9. Why is Facebook the New Confessional?
• Speed and breadth amplify communication velocity
• Insecure communication
– Privacy controls constantly changing and often misunderstood
– Risk of impersonation by fake profiles – e.g. defamation
• Rapid, short and snappy communication
– Not reviewed, nor proofread; often grossly inaccurate
– Lacking context and precise meaning
– Interpretation often left to reader
• Lack of control over content – often ‘goes viral’
• Tacitly encourages candor as key social behavior
– Evidence often surprisingly relevant, incriminating, and powerful for
impeachment
10. “Frictionless Sharing” – Oversharing
Automatic, Passive, Real-Time Updates
• Logging into web sites with Facebook identity can trigger automatic
sharing on Facebook of activity on external sites:
– Yahoo! News, Washington Post, The Guardian
– Spotify, Rhapsody
– Netflix, Hulu
13. Social Media – Law Enforcement
• “As a prosecutor, the first thing I do when I get a case is to Google
the victim, the suspect, and all the material witnesses. I run them all
through Facebook, MySpace, Twitter, Youtube, and see what I might
get. I also do a ‘Google image search’ and see what pops up.
Sometimes there’s nothing, but other times I get the goods –
pictures, status updates, and better yet, blogs and articles they’ve
written.”
– A former deputy district attorney for Los Angeles County
• “You find out about people you never would have known”
– Dean Johnston, California Bureau of Narcotics Enforcement
14. Social Media Evidence
• What is Social Media Forensics?
– The application of computer investigation and analysis techniques to
gather evidence from online sources, suitable for
presentation in a court of law.
15. Social Media Evidence
• Collection Methods:
– Screen scrape / screen capture
– Manual documentation
– Open source tools (HTTrack)
– Commercial tool (X1)
– Web service (Pagefreezer)
– Forensics recovery
– Content subpoena
16. Social Media Case Investigations
• Analysis
• Information Bases
• Online Preservation and Collection
• Admissibility
17. Social Media - Discovery
• Electronically stored information (ESI) is data that is created,
altered, communicated and stored in digital form.
• What ESI is available for review?
• Evidence strategies – computer and mobile devices
• Request for evidence
18. What ESI can we get for review?
• Content
– Friends, friends of friends, connections, followers, etc.
– Status updates, relationship status, etc.
– Email, chat, text messages, friend requests, pokes, etc.
– Timeline (profile) – name, picture, gender, contact, birthday, etc.
– Wall, posts, comments, tags, etc.
– Likes, reads, views, listens, etc.
– Networks, groups, events, etc.
– Photos, videos, audio, music, tags
– Apps, app data, games
• Pushed content
– E-mail notifications with metadata
– RSS feeds with metadata
• Metadata
– Site names
– Date/time stamps
– Uniform Resource Locators (URLs)
– Geolocation information (check-ins)
– IP logs
– Login/logout logs
19. Evidence Strategies - Computer
• If target’s evidence is insufficient
– Social media evidence is missing
– Evidence destruction is suspected
• Should look outside Facebook
– E-mail notifications
– RSS containing content & time stamps pushed out by social media site
• Move for a warrant/court order for computer forensics analysis of
the opposition's hard drives
• Recover social media evidence
• What evidence? What will it look like?
21. Social Media Evidence
• Anatomy of a Twitter Tweet
– RT = re-tweet
– @xxxxx = a Twitter user name
– #xxxxx = hashtag, a subject or reference identifier
– http://xxx = a link, usually shortened to fit in the tweet
– Max characters for a tweet?
– Twitter Feeds
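Added example (not part of the original slides): a small Python parser that splits captured tweet text into the elements listed above, so they can be documented separately in an evidence report. The sample tweet, the user names and the t.example link are constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Links are matched first and masked out, so a '#fragment' or '@' inside a
# URL is not miscounted as a hashtag or a user name.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# The lookbehind rejects e-mail addresses such as bob@example.com.
MENTION_RE = re.compile(r"(?<![\w@.])@(\w+)")
HASHTAG_RE = re.compile(r"(?<![\w#&])#(\w+)")
# Manual retweet prefix: "RT @user: original text"
RT_RE = re.compile(r"^\s*RT\s+@(\w+):?\s")

# Constructed sample tweet (not real evidence).
SAMPLE = ("RT @alice_w: Meet at the pier 9pm #friday #nofilter "
          "http://t.example/aB3x#top. cc @bob, mail me bob@example.com")


@dataclass
class TweetAnatomy:
    is_retweet: bool = False
    retweeted_user: Optional[str] = None
    mentions: List[str] = field(default_factory=list)
    hashtags: List[str] = field(default_factory=list)
    links: List[str] = field(default_factory=list)


def parse_tweet(text: str) -> TweetAnatomy:
    """Split captured tweet text into RT marker, @users, #hashtags, links."""
    out = TweetAnatomy()
    rt = RT_RE.match(text)
    if rt:
        out.is_retweet = True
        out.retweeted_user = rt.group(1)
    # Heuristic: trailing sentence punctuation is not part of the link.
    out.links = [u.rstrip(".,;:!?)") for u in URL_RE.findall(text)]
    # Blank out links (same length, so offsets stay valid) before scanning.
    masked = URL_RE.sub(lambda m: " " * len(m.group(0)), text)
    out.mentions = MENTION_RE.findall(masked)  # includes the retweeted user
    out.hashtags = HASHTAG_RE.findall(masked)
    return out


if __name__ == "__main__":
    print(parse_tweet(SAMPLE))
```

The e-mail address and the `#top` URL fragment in the sample are deliberately not reported as a user name or a hashtag.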
25. Social Media Evidence – Example
• Target Profile
• Profile (Timeline) information (e.g. contact information, interests, groups)
• Wall (timeline) posts and content posted to the profile (timeline)
• Photos and videos uploaded to account
• Friend list
• Notes created
• Events to which the user has RSVP'd
• Sent and received messages
• Any comments on Wall (timeline) posts, photos, and other profile content.
26. Evidence Elements
• IP addresses: any stored IP addresses from which the account was accessed
• Login info: a list of stored logins
• Logout info: the IP address from which the account was logged out
• Pending friend requests: friend requests that an account sent but that have not been accepted or rejected.
• Account status changes: dates when an account was reactivated, deactivated, disabled or
deleted.
• Poke info: information about the pokes exchanged
• Events info: events that an account accepted, declined, or responded “maybe” to
• Other profile (timeline) info: the mobile phone numbers added to an account
• City & hometown
• Family members
• Relationship info (names and statuses)
• A list of the languages added to an account
• A history of any changes made to the profile name.