The Changing Role of Investigators

May 28, 2013, by Graham Penrose

Investigative methods for collecting evidence from social media differ substantially from traditional digital forensic techniques, creating new legal and procedural challenges. Mobile devices and texting, free communication and file-sharing solutions, and social networks make it easier than ever for people to share information and express opinions. As the digital world evolves, so must the way investigations are conducted. Sources of evidence are growing rapidly. Collecting and authenticating evidence during a digital investigation can prove to be a difficult task. For those with a clear understanding of how to leverage advances in technology and the wealth of information available online, the evidence collected during these investigations can help create a solid case. Investigations involving social networks are a very new topic. With new applications, links, techniques, and roadblocks discovered daily, social networks are evolving rapidly. Facebook, Twitter, and LinkedIn are just a part of the landscape. There are also many new social networks like Google Plus, Quora, Instagram, Groupon, Pinterest, and Foursquare, as well as thousands of blogs and special interest forums.

With this wealth of information there are also many new issues which are different from what investigators have dealt with in traditional digital forensics. Previously, digital evidence was extracted from a piece of hardware in the possession of the investigator, such as a computer hard drive or the flash memory on a smartphone. The terms and conditions for dealing with this technology were understood by investigators. If someone challenged how investigators did their work, a third party could easily corroborate the findings by reviewing the same hard drive. That is not the case with social media.

Today you might go to Facebook, for example, as an investigator. You are a relatively unwelcome, uninvited guest trying to gather information on someone Facebook considers to be a “good customer.” You can look at pictures and dialogue but you can’t control the hardware where the physical evidence exists (Facebook does). Social media providers like Facebook are unlikely to turn over this evidence to an investigator (though in some circumstances social media providers are more cooperative with investigators). Further complicating matters, the evidence posted online is changing rapidly; information may be updated or deleted at any moment in time.

In today’s world of social media, investigators are taking on a new role; they are becoming a form of eyewitness. As the eyewitness, an investigator observes evidence that might not be visible to any other available investigator. The investigator is wise to create a record of what he or she sees at any particular point in time, including printouts of screenshots. Screenshots, combined with written eyewitness reports, are commonly used today to record what an investigator observes in social media. However, the process of making screenshots and written reports is less than perfect. Pulling together 25 pages of screenshots off a Facebook wall, creating a report, and detailing each screenshot is time-consuming. Ultimately, a court or legal authority like a jury will look to you, as the eyewitness, to determine what happened and whether they believe you or not. As with any eyewitness testimony, two corroborating witnesses are much better than one. Therefore, if you can get a second person involved, you can improve the credibility of the evidence being collected for presentation in the courtroom.

Additionally, screencast video recording technology can be very useful in substantiating eyewitness testimony. Several free or low-cost screencast tools are available, such as screencast-o-matic, a free Java-based, open-source tool for recording what you see on your screen, and Microsoft’s SkyDrive free file storage service. When investigators need an efficient way to capture what is happening on a dynamic blog or Facebook wall, these solutions can come in handy. Screencasts enable investigators (as eyewitnesses) to capture exactly what they see on their screen in real time, including content on a Facebook wall, Twitter page, or other social media outlet. Each item of text, image, sound, and interactivity is captured via video, recorded exactly as the investigator sees it. A second, smaller window can be configured to appear on the screencast record to show (via the investigator's webcam and microphone) the investigator narrating what he is doing and seeing each step along the way. From an eyewitness perspective, a screencast video testimonial can be powerful evidence.

Additional investigative tools enable investigators to hook into the APIs on Facebook and other sites to collect metadata. Metadata can include all the information normal users don’t see on a Facebook wall or blog entry, such as time stamps, IP addresses, and other sensitive information. The amount of data some of these tools collect in just a matter of minutes is impressive. While all of this information gathered from social media sites is extremely useful to investigators and attorneys, one can’t help but wonder about the privacy implications associated with collecting tremendous quantities of information off of someone’s Facebook wall, for example.

There are a host of contract terms out there that traditional digital forensic investigators are not aware of and have not considered. For example, to use Facebook, as with most social media sites, you must agree to their contract. Included within the contract is a term which states you must post a privacy policy if you are using a special application to access API information. However, Facebook doesn’t specify where the policy must be posted. Additionally, Facebook states within its terms that if you collect data on a user you must first receive the user’s consent.

By now you may be wondering whether or not public information off of Facebook and other social media outlets may be abstracted and submitted as evidence. The short answer is yes, it can. Many investigations today include evidence collected off of social media sites without advance consent. This evidence is often admissible and used successfully in trials. So far, the experience has been that privacy and ethical issues have normally caused a problem in only the most extreme social media investigations. For example, while there may be justification for gathering some information available on social media, compiling information dating back seven or ten years that is irrelevant to an investigation is not justifiable. Investigators must familiarize themselves with the concept of proportionality; it is a way of saying “be reasonable” under these circumstances.

The field of social media investigation is very complex. If the means by which you gather evidence is unethical, it may not be admissible. In the brand new world of social media, it is important that investigators exercise an element of restraint and discretion. Ask yourself if you really need to go into a forum posing as someone else, or whether there are other ways to investigate alleged wrongdoing without exposing yourself to potentially violating a site’s terms or conditions. An investigator should also bear in mind that the laws of foreign countries may apply to their investigation. While you may not need to register with a data protection authority in the United States, if you are looking at postings from someone’s friend over in France you may be required to register under the terms of the French data protection authority before gathering information. European or other privacy laws may apply. Be aware of the laws relevant to any country your investigation reaches.

While social media can prove extremely helpful in gathering evidence for a case, investigators must be very cautious when allowing others such as clients to gather evidence for them. Ask a lot of questions about the evidence before you start looking at it. Make sure the person gathering the evidence did not break laws like computer crime or eavesdropping laws before moving forward. Otherwise the evidence could be contaminated.

REFERENCE & ACKNOWLEDGEMENT: FORENSIC MAGAZINE:,3; Attorney Benjamin Wright teaches the law of data security and investigations for the SANS Institute. He maintains blogs accessible from For a full bio and information regarding Wright’s course, which is available via simulcast, visit