
Social media forensic collections

(@jonathan)
Posts: 878
Prominent Member
Topic starter
 

I'd like to ask what tools/methodologies people are using for admissible collection of data from social media services when you have possession of the subject's login credentials.

Any feedback most appreciated.

 
Posted : 18/05/2014 2:30 pm
(@ludlowboy)
Posts: 71
Trusted Member
 

AFENTIS had a tool that was available on this website. The link was-

http://www.forensicfocus.com/Downloads/d_op=viewdownloaddetails/lid=161/

I have not used it myself but it may give you what you need.

 
Posted : 19/05/2014 12:01 am
(@braveheart)
Posts: 31
Eminent Member
 

> I'd like to ask what tools/methodologies people are using for admissible collection of data from social media services when you have possession of the subject's login credentials.
>
> Any feedback most appreciated.

Hello Jonathan,

Option 1 - Image the subject's digital devices and run IEF (Internet Evidence Finder).

Option 2 - Use preservation and search warrant and request social media services to release the required data and this should include any deleted or amended data.

Option 3 - Use the settings options available in social media services, such as Facebook for example, and ask the subject to download data.

More options might be available as well depending on circumstances and case, and the type of data that is actually required and its importance in connecting it to the case.

BH.

 
Posted : 19/05/2014 2:00 am
(@braveheart)
Posts: 31
Eminent Member
 

An article by Attorney Benjamin Wright who teaches at SANS . . . .

http://www.forensicmag.com/articles/2012/12/social-media-and-changing-role-investigators

 
Posted : 19/05/2014 2:54 am
(@jonathan)
Posts: 878
Prominent Member
Topic starter
 

Thank you ludlowboy and Braveheart - your option 3 appears to be a reasonable method.

Jonathan

 
Posted : 19/05/2014 1:22 pm
 lars
(@lars)
Posts: 31
Eminent Member
 

> Thank you ludlowboy and Braveheart - your option 3 appears to be a reasonable method.

If you are going that route, I'd suggest that you either ask the subject to give you the download link or observe them downloading it and then preserve the archive immediately. For most of the popular services (e.g. Facebook & Twitter), the download is a zip archive containing files most people would be able to tamper with if they wanted to before re-zipping and providing them to you.

Another option for credentialed access is X1 Social Discovery. At $1499, it's not cheap, but it works well.

Cheers,
Lars

 
Posted : 19/05/2014 9:47 pm
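
Added example (not part of the original thread, and not any poster's code): one way to act on the "preserve the archive immediately" advice above is to record a SHA-256 of the downloaded zip and of every file inside it at acquisition, then compare any later copy against that record. The archive contents and file names below are constructed sample data.

```python
import hashlib, io, zipfile
from datetime import datetime, timezone

def build_manifest(archive: bytes, source: str) -> dict:
    """Hash the archive exactly as received, plus every file inside it."""
    members = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                members[info.filename] = {
                    "sha256": hashlib.sha256(zf.read(info)).hexdigest(),
                    "size": info.file_size,
                }
    return {
        "source": source,
        "recorded_utc": datetime.now(timezone.utc).isoformat(),
        "archive_sha256": hashlib.sha256(archive).hexdigest(),
        "members": members,
    }

def compare(manifest: dict, archive: bytes) -> dict:
    """Compare a later copy of the archive against the acquisition manifest."""
    old = manifest["members"]
    new = build_manifest(archive, manifest["source"])["members"]
    return {
        "archive_identical": hashlib.sha256(archive).hexdigest() == manifest["archive_sha256"],
        "modified": sorted(n for n in old.keys() & new.keys() if old[n]["sha256"] != new[n]["sha256"]),
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
    }

def make_zip(files: dict, stamp=(2014, 5, 19, 21, 0, 0)) -> bytes:
    """Build a small in-memory zip (constructed sample data, not a real export)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(zipfile.ZipInfo(name, date_time=stamp), data)
    return buf.getvalue()

# Constructed samples: file names and contents are invented for illustration.
ORIGINAL = make_zip({"html/messages.htm": b"<p>meet at 9</p>", "html/wall.htm": b"<p>post</p>"})
TAMPERED = make_zip({"html/messages.htm": b"<p>meet at 10</p>", "html/notes.htm": b"<p>new</p>"})
REZIPPED = make_zip({"html/messages.htm": b"<p>meet at 9</p>", "html/wall.htm": b"<p>post</p>"},
                    stamp=(2014, 5, 20, 8, 0, 0))

if __name__ == "__main__":
    manifest = build_manifest(ORIGINAL, "export.zip (hypothetical file name)")
    for label, copy in [("original", ORIGINAL), ("tampered", TAMPERED), ("re-zipped", REZIPPED)]:
        print(label, compare(manifest, copy))
```

The re-zipped sample shows why the per-file hashes matter: repacking unchanged files alters the archive hash, and the member hashes show whether any content actually differs.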
(@jonathan)
Posts: 878
Prominent Member
Topic starter
 

Thanks Lars, good points.

X1 Social Discovery looks good, will have a play with the trial version.

 
Posted : 20/05/2014 9:09 pm
(@nico248)
Posts: 1
New Member
 

Hello,
If you're interested, I have published a FreeMind for digital forensic investigations
https://omnia-projetcs.googlecode.com/svn/trunk/OFD/Digital_forensic_helper_ENG.mm

Best regards,

 
Posted : 20/05/2014 11:43 pm
(@thepm)
Posts: 253
Reputable Member
 

In my testing last year, I found that X1 Social Discovery did a great job of collecting and indexing data from social media sites, but it was clearly behind when it came to reporting. I reported this to X1 and their response was that they were not focusing on reporting since this was at its base an e-discovery product and they were relying on an external software to do the reporting… I have not tested since, but according to their release notes, there wasn't any major overhaul of their reporting engine.

 
Posted : 21/05/2014 12:38 am
(@afentis_forensics)
Posts: 47
Eminent Member
 

Keep in mind the excellent guidance from Judge Grimm on social media evidence and authentication of records. Essential reading.

We have released the toolkits we developed for many popular social media platforms - http://afentis.com/forensic-software/ - free licences to law enforcement or you might want to join the beta team in exchange for a free licence.

Kind regards,
Ross @afentis

 
Posted : 21/05/2014 1:39 am