Authentication of social media evidence can present significant challenges when you collect by screen shots, printouts or raw html feeds from an archive tool. This is just one reason why social media data must be properly collected, preserved, searched and produced in a manner consistent with best practices. When social media is collected with a proper chain of custody and all associated metadata is preserved, authenticity can be much easier to establish. As an example, the following are key metadata fields for individual Twitter items that provide important information to establish authenticity of the tweet, if properly collected and preserved:
Metadata Field | Description | ||||||||
created_at | UTC timestamp for tweet creation | ||||||||
user_id | The ID of the poster of a tweet | ||||||||
handle | User’s screen name (different from user name) | ||||||||
retweet_id | The post ID of a retweet | ||||||||
retweet_user | The username of the user who retweeted | ||||||||
Reply | Indicates if this tweet is a reply | ||||||||
direct_message | Indicates if this tweet is a direct message | ||||||||
Hashtags | List of all hashtags in the tweet | ||||||||
Description | Up to 160 characters describing the tweet | ||||||||
geo_enabled | If the user has enabled geo-location (optional) | ||||||||
Place | Geo-location from where user tweeted from | ||||||||
Coordinates | Geo-location coordinates where tweet sent | ||||||||
in_reply_to_user_id | unique id for the user that replied | ||||||||
profile_image_url | location to a user’s avatar file | ||||||||
recipient_id | unique id of direct message recipient | ||||||||
recipient_screen_name | display name of direct message sender | ||||||||
screen_name | display name for a user | ||||||||
sender_id | unique id of direct message sender | ||||||||
Source | application used to Tweet or direct message(i.e., from an iPhone or specific Twitter app) | ||||||||
time_zone | a user’s time zone | ||||||||
utc_offset | time between user’s time zone and UTC time | ||||||||
follow_request_sent | Indicates request to follow the user | ||||||||
Truncated | If the post is truncated due to excessive length | ||||||||
Any one or combination of these fields can be key circumstantial data to authenticate a single or group of social media items. US Federal Rule of Evidence 901(b)(4) provides that a party can authenticate electronically stored information (“ESI”) with circumstantial evidence that reflects the “contents, substance, internal patterns, or other distinctive characteristics” of the evidence. Many cases have applied Rule 901(b)(4) to metadata associated with emails and other ESI. But you will not get all this key metadata from a printout, screen capture, or even most compliance archive tools.
Facebook and Linkedin items have their own unique, but generally comparable. Here are some key metadata fields for each Facebook entry. These fields provide important evidence, investigation context and circumstantial evidence to establish authenticity, if properly collected and preserved. Facebook changes their APIs from time to time, so we will be reporting any such changes and updates when they occur:
Metadata Field | Description | ||||||||
Uri | Unified resource identifier of the subject item | ||||||||
fb_item_type | Identifies item as Wallitem, Newsitem, Photo, etc. | ||||||||
parent_itemnum | Parent item number-sub item are tracked to parent | ||||||||
thread_id | Unique identifier of a message thread | ||||||||
recipients | All recipients of a message listed by name | ||||||||
recipients_id | All recipients of a message listed by user id. | ||||||||
album_id | Unique id number of a photo or video item | ||||||||
post_id | Unique id number of a wall post | ||||||||
application | application used to post to Facebook(i.e, from an iPhone or social media client) | ||||||||
user_img | url where user profile image is located | ||||||||
user_id | Unique id of the poster/author of a Facebook item | ||||||||
account_id | unique id of a users account | ||||||||
user_name | display name of poster/author of a Facebook item | ||||||||
created_time | When a post or message was created | ||||||||
updated_time | When a post or message was revised/updated | ||||||||
To | Name of user whom a wall post is directed to | ||||||||
to_id | Unique id of user whom a wall post is directed to | ||||||||
Link | url of any included links | ||||||||
comments_num | Number of comments to a post | ||||||||
picture_url | url where picture is located | ||||||||
As mentioned earlier, you will not get all this key metadata from a printout, screen capture, or even most compliance archive tools. Best practices technology specifically designed to collect, preserve, search and produce social media for eDiscovery is required.
__________________________________________________________________________________
X1 Social Discovery is the first investigative solution specifically designed for the legal and investigative community to effectively addresses social media content. This solution establishes a defensible chain of custody through several functions. MD5 hash values of individual social media items are calculated upon capture and maintained through export. Automated logging and reports are generated. Key metadata unique to social media streams are captured through deep integration with APIs provided by the leading social media sites. This functionality is provided along with a very scalable workflow and instantaneous search results. Tens of thousands of social media items can be captured per hour and then quickly searched, reviewed and exported in support of a traditional investigative and eDiscovery process. The speed, scalability and ease of use of X1 Social Discovery coupled with its best-practices preservation and chain of custody data capabilities now provides legal and eDiscovery professionals the means to finally address the universe of social media evidence on a very routine basis.
X1 Discovery, Inc. delivers next generation eDiscovery for social media, cloud and the enterprise. Built upon the market leading X1 search solution, X1 Discovery provides a ground-breaking platform for social media eDiscovery and supports investigations of cloud-based data. Learn more at www.x1discovery.com
If a person copies data from a Word document into the comments field of, say Facebook, is the metadata/data “captured” in anyway on Facebook servers prior to being posted?
I want to know about twitter API (created_at) tweet posting