Tracking Facebook or other Social Media Posts

(@bchaseaz)
Posts: 13
Active Member
Topic starter
 

I am putting together a presentation for lawyers on social media forensics. So often one lawyer will just take a screen shot of an email, tweet, or Facebook post, and claim it was written by person X. I'm explaining why that is not valid and showing how easy it is to create fake accounts. As a lawyer, I am also going into the case law that says you need more than just a screen shot of a social media post to introduce it in evidence. You need some sort of additional evidence to link the post to the suspected individual.

I want to talk about tracking the IP address of the source to discover the true sender. I also want to talk about what artifacts may be found on a suspect's computer or mobile device that could link them to the social media content in question.

I have several questions for those of you who have done this kind of work:

1) For those who have obtained IP information from places like Facebook (either through search warrant or subpoena), what kind of information do you get back? Are you able to tell if the person logged in to Facebook via web or app? If app - do you get device information?

2) What kind of social media artifacts have you found on computers? Any good resources out there that discuss uncovering social media artifacts? So far, on the social media/email cases I have worked, I did not have a hard drive to examine.

3) Any success stories you can share about either identifying the true source of a social media post, or success stories about defending against the allegations that a social media post came from a given individual?

 
Posted : 05/05/2014 8:04 pm
(@a-nham)
Posts: 32
Eminent Member
 

I really don't think I have the credentials to answer question 1. However, IP, at least alone, cannot be used to correlate a person to a user account, in court (but you probably already know that better than me as a lawyer). However, I certainly do agree that IP is very useful, if not crucial, as an artifact for the bigger argument.

2. As far as computer artifacts go, this YouTube video is a pretty good resource for how and what type of artifacts remain from social messaging activities if you choose to file carve a hard drive.
https://www.youtube.com/watch?v=57RWdYhNvq8

3. From what I have seen so far in terms of other people's forensics research, it seems that most of the more forensic identifications of social media activities come from or end up either from physically acquired devices (such as hard drives or phones), probably through a warrant of the hard drive in real life, and then trying to rebuild the event with some software or direct interactions with the person's Facebook account (such as keeping tabs on his/her posts or seeing what groups he/she follows), probably through a warrant as well, unless it was public information.

 
Posted : 05/05/2014 10:41 pm
bshavers
(@bshavers)
Posts: 210
Estimable Member
 

An IP address is not a person.
A MAC address is not a person.
An email is not a person.
A posting on Facebook is not a person.
Etc…

You are right on the problems of attributing computer activity to a specific user. I wrote a book on the subject with your points in it (successful cases, investigative methods, etc…). http://winfe.wordpress.com/books/

Regarding your questions:
1) Facebook can give you more information than you can imagine, but it depends on what you need and what they retained.

2) Social media use litters the hard drive with data. Plenty to find if you have the host machine.

3) I have cases in my book about success stories with social media. Plenty to be found online too.

A posting by itself is never enough without additional corroborating evidence.

 
Posted : 06/05/2014 3:17 am
(@a-nham)
Posts: 32
Eminent Member
 

An IP address is not a person.
A MAC address is not a person.
An email is not a person.
A posting on Facebook is not a person.
Etc…

You are right on the problems of attributing computer activity to a specific user. I wrote a book on the subject with your points in it (successful cases, investigative methods, etc…). http://winfe.wordpress.com/books/

Seems like I just found a book that I need to go buy and read. Thanks, bshavers :D

 
Posted : 06/05/2014 9:01 am
(@bchaseaz)
Posts: 13
Active Member
Topic starter
 

Thanks everyone for the posts. I am going to check out that book.

From a legal perspective, I want to point something out. The law in every jurisdiction on admissibility of online evidence varies. Some jurisdictions don't have any case law (like mine, in Arizona).

A common viewpoint right now is that a post/email from a specific user PLUS something else (IP address traced to user's home, information specific to only that user, etc.) is going to be enough to survive the initial authentication burden for the offering party.

Once the offering party has met the authentication threshold, the burden shifts to the opposing party to present evidence on why the other side's information is not sufficient to authenticate the evidence as being from the given individual.

For anyone who wants more information on the actual legal basis for entering evidence, I highly recommend the article "Authentication of Social Media Evidence" by Judge Paul Grimm.

As I am both an examiner and a lawyer, I tend to work with the people who hire me in drafting motions and arguments for courts. I always give them a copy of Judge Grimm's article, because he is considered one of the leading legal scholars in this area.

 
Posted : 07/05/2014 6:59 am
Bobbynyc
(@bobbynyc)
Posts: 22
Eminent Member
 

I will tell you at the end of the day it requires you to put the person behind the chair and behind the computer.

Sometimes data can be old and stale and it simply requires good interview techniques to have someone admit guilt.

Assuming we are talking law enforcement here, a simple subpoena is very helpful to tracking down a person.

E.g.:

Subpoena Facebook and get back IP for internet provider. Also get email address associated with the account.

Subpoena email address provider to get IP addresses connecting to that email address.
Once that comes back you compare the IP addresses for the email address and the Facebook IP connection log info.

Basically what you are doing is getting all the IP addresses together and then subpoenaing all the internet providers on both lists.

As an example you might have an internet provider for the suspect's home and work and even another family member's home.

Once you get the IP results back from the providers, you would look to see which is a home address and which is a work and then other addresses.

So now you have someone going on Facebook from home, work and other. The same for the email address attached to Facebook.

While waiting for this you do searches online for the email address and see what else it might be attached to.

If the Facebook is a fake name, what else is this fake name attached to on the internet?

Once you get back these responses you do background checks for the home residence, work and other.

Work wise you want to make sure this person is not the I.T. person for the place of employment that might come up. Nothing worse than talking to your bad guy about him.

If another residence comes up, find out if this other residence is family or maybe a boyfriend's/girlfriend's home. Check to see if these people are friends with your suspect on other social media sites.

See if this person has a LinkedIn page, etc.

If you are comfortable the subject is not the IT person, you go to them and their HR department and explain the circumstances and that you need to see if they have any outgoing logs (e.g. Websense), and if they can get you logs related to your subject for the dates and times listed on the previous subpoena results that come back to them.

You need to isolate his/her machine as well. Some companies will just swap out the old machine with a new computer for you and give you the computer to image forensically.

For the incident in question you need to determine what location it happened from. Let's assume it is his home.

Once you have some info from his work computer, you go to his residence with search warrant in hand and take his computer. Copy down his router logs and get his current IP address.

Look to see if it is a secured network and what type.

Sometimes just showing someone subpoena paperwork and explaining how the internet works is enough for them to confess.

Forensically on the work computer I would look for whatever the person connected to from the subpoena results. If it was just his email account I would look for that email address. Even an unallocated fragment is good enough.

You would use this work info if the person was a bit resistant. Showing him or her that email fragment on his work computer once they say they have no clue is hard to fight.

Forensically with the home machines you would use some tools to obtain internet history and do keyword searches for Facebook account along with email address.

If you also have connections going to another residence, letting the subject know that you will be going to those residences is also sometimes enough. They usually are embarrassed enough now that they don't want everyone else to get involved, especially loved ones.

In the end the ability to get valid connection logs really does help out TONS.

 
Posted : 12/05/2014 11:54 pm
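The log comparison described in the post above can be sketched as follows. This is an added example, not part of any poster's message: it intersects the IP addresses from a social media connection log and an email provider connection log, then lists the sessions closest to the time of the disputed post with the subscriber location for each IP. All log rows, IP addresses (documentation ranges) and location labels are constructed, and timestamps are assumed to be already normalized to UTC.

```python
from datetime import datetime, timedelta

# Constructed sample data; not real provider output.
FACEBOOK_LOG = [  # (UTC timestamp, source IP) from the social media return
    ("2014-05-01 13:02:11", "192.0.2.10"),
    ("2014-05-01 21:40:05", "198.51.100.7"),
    ("2014-05-02 08:15:30", "203.0.113.44"),
]
EMAIL_LOG = [     # same fields from the email provider return
    ("2014-05-01 13:05:40", "192.0.2.10"),
    ("2014-05-01 21:38:52", "198.51.100.7"),
    ("2014-05-03 10:00:00", "192.0.2.99"),
]
# Subscriber locations as returned by the internet providers (constructed).
SUBSCRIBERS = {"192.0.2.10": "work", "198.51.100.7": "home"}

FMT = "%Y-%m-%d %H:%M:%S"

def parse(log):
    """Convert (timestamp string, ip) rows into (datetime, ip) rows."""
    return [(datetime.strptime(ts, FMT), ip) for ts, ip in log]

def shared_ips(a, b):
    """IPs that appear in both provider returns."""
    return {ip for _, ip in parse(a)} & {ip for _, ip in parse(b)}

def sessions_near(log, when, window_minutes=30):
    """Log entries within the window around the time of the disputed post."""
    t = datetime.strptime(when, FMT)
    w = timedelta(minutes=window_minutes)
    return [(ts, ip) for ts, ip in parse(log) if abs(ts - t) <= w]

def correlate(fb, email, post_time, subscribers, window_minutes=30):
    """One row per social media session near the post, with corroboration flags."""
    common = shared_ips(fb, email)
    return [{
        "ip": ip,
        "time": ts.strftime(FMT),
        "also_in_email_log": ip in common,
        # An IP with no provider return yet stays unresolved, never guessed.
        "location": subscribers.get(ip, "unresolved"),
    } for ts, ip in sessions_near(fb, post_time, window_minutes)]

if __name__ == "__main__":
    for row in correlate(FACEBOOK_LOG, EMAIL_LOG, "2014-05-01 21:45:00", SUBSCRIBERS):
        print(row)
```

A row that is unresolved or absent from the email log marks an address that still needs a provider return before it supports any conclusion.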