NZ Incident Response Bulletin – March 2021

Our Views:

This month’s theme is “Social Media Forensics”.

It is believed that, on average, each person now has around eight social media accounts and that there are at least 1.9 billion active users on Facebook alone each month. With millions of people globally posting and chatting on social networking sites, it is not surprising that these social networks have become a rich source of digital evidence. In some cases, social media may be the primary source of data available to unravel and understand an event. The importance of social media evidence was demonstrated recently in the “GameStop” trading controversy. Reddit posts played a crucial role in uncovering the exact nature of how this event unfolded.

Social Media Forensics involves the identification and collection of digital evidence from social media platforms and the devices used to create or access such content, followed by the analysis of this data for use in civil or criminal investigations. Accordingly, your social media policy should include procedures for collecting digital evidence. You should also consult with your legal experts before attempting to collect any data that is associated with an individual’s personal network.

Why collect evidence from social media sources

Content and the associated log data posted to social media may:

  • Support evidence gathered from other sources such as text messages or emails
  • Identify employee misconduct
  • Help explain what has happened in any incident
  • Show who did what, when, and where
  • Indicate intent or state of mind
  • Establish connections between people
  • Assist in the construction of an event timeline

Challenges with social media forensics

Despite being a rich source of data, obtaining evidence from social media is not without challenges.

  • Social media companies often require a warrant to be issued that compels their cooperation when gathering evidence. A private company may submit a request for information; however, the social media company may not be obligated to provide this data. If the user has complied with the site’s “terms of use”, the social media company may also find themselves exposed should they hand over private data. Therefore, a lack of a warrant may hinder an investigation into matters where law enforcement involvement is not appropriate or desirable, such as an employment dispute. 
  • Social media content is volatile, and users may delete and modify previously posted content.
  • Social media content may synchronise between various physical devices, obscuring the original source.
  • The devices used to access social media sites are frequently updated, meaning evidence can be lost quickly.
  • All social media platforms publish terms and conditions, defining what information may be collected and used. Not complying with these in an investigation may lead to the evidence being inadmissible in court.
  • Social Media accounts may be falsified or taken over and used by an imposter, leading to authenticity concerns. The current state of the law around the admissibility of social media evidence is in flux, and Australasia has limited case law in this area. In the United States, current case law is divided between examples such as United States v. Vayner that impose a stringent approach to admissibility requiring unchallengeable proof of authenticity; and other decisions whereby social media evidence is admissible based upon reasonable facts.

Understanding these challenges and ensuring the social media evidence is handled with these in mind is crucial.

The Practicalities of Social Media Forensics

The most basic technique for collecting social media evidence is manual collection. This involves simple activities such as visiting a website and taking screenshots of content or scrolling through a phone to view content. Whilst simple, manual evidence collection is not the most reliable or time-efficient method. Care must be taken that there is no opportunity for evidence to be changed or lost in the process of undertaking manual inspection. However, manual collection may be suitable under certain circumstances, such as when access to the device in question is fleeting or there are no other practical ways to retrieve the evidence based on security limitations or other similar challenges.

Advanced commercial forensic tools such as Nuix and Magnet Axiom allow the profiles and information from social networks to be collected and preserved in a forensically sound manner. Analysis of this data can answer many of the questions an investigator or lawyer will have relating to the use of social media accounts.

As more than 90% of social media users use their mobile device to access social networking platforms, smartphones are a vital source of potential evidence. Social media forensic tools offer the ability for the logical acquisition of social media evidence from smartphones. This process involves capturing a logical image of all the files on the phone and then analysing these for evidence of activities such as logging in, browsing, searching, and posting on social media networks. Data artefacts such as activity logs, archives, profile information, geo locations, friends and family, interests, active chat session participants, chat subjects and timestamps of activities may all be visible.

Many social media sites also have a method for users to obtain a copy of their account and activity, such as “Google Takeout”. These records can be downloaded and saved in an unalterable manner for use in an investigation.

Further Guidance

An inexperienced investigator may make mistakes when collecting critical evidence. We recommend seeking advice from a forensic expert and legal counsel when gathering social media evidence to ensure this is avoided.

Social media sites such as LinkedIn and Facebook will often truncate the display of comments and posts, whereas specialised forensic software is more likely to capture all of the available content.

We recommend businesses have a comprehensive Acceptable Use Policy outlining how an employee may use the company devices and network, including procedures relating to the collection of digital evidence.

We also recommend that employees are educated on the safe and sensible use of social media. This education should include advice on privacy settings, acceptable content for sharing, password protection and some real examples of the impact that social media evidence can have in legal proceedings.

In conclusion, whilst gathering social media evidence can be challenging, there are techniques available to identify and collect this data to support an investigation. Forensic experts have the skills, expertise, and experience to navigate the complications associated with social media evidence. We advise seeking advice on what may be possible and lawful to obtain and use in any investigation for the best outcome and preparing suitable policies and procedures for forensic readiness to ensure social media evidence is obtainable in the event of an investigation.

About the Bulletin:

The NZ Incident Response Bulletin is a monthly high-level executive summary containing some of the most important news articles that have been published on Forensic and Cyber Security matters during the last month. Also included are articles written by Incident Response Solutions, covering topical matters. Each article contains a brief summary and if possible, includes a linked reference on the web for detailed information. The purpose of this resource is to assist Executives in keeping up to date from a high-level perspective with a sample of the latest Forensic and Cyber Security news.

To subscribe or to submit a contribution for an upcoming Bulletin, please either visit https://incidentresponse.co.nz/bulletin or send an email to bulletin@incidentresponse.co.nz with the subject line either “Subscribe”, “Unsubscribe”, or if you think there is something worth reporting, “Contribution”, along with the Webpage or URL in the contents.

This Bulletin is prepared for general guidance and does not constitute formal advice. This information should not be relied on without obtaining specific formal advice. We do not make any representation as to the accuracy or completeness of the information contained within this Bulletin. Incident Response Solutions Limited does not accept any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, when relying on the information contained in this Bulletin or for any decision based on it.