Social media has fundamentally changed the way information is shared and accessed. As a result, these channels are playing an increasingly important role in cyber forensic investigations.
“Social media has become an extension of our everyday lives and a primary means of communication and connection. From Facebook and Twitter to SnapChat and blogs – the number of social platforms and their functionality is constantly changing,” explains Danny Myburgh, MD of leading local digital forensic lab, Cyanre.
Myburgh continues, “The ubiquity of social media and digital technology in our lives means the sources of evidence available to investigators are rapidly expanding. Knowing how to correctly access this information can be invaluable in creating a strong case – but it also has some unique pitfalls and challenges.”
Beyond providing evidence on the background of a suspect, subject, potential employee or business partner, social media can also become the subject of cyber investigations. “Comments made on social platforms – whether public or seemingly private – can have a serious impact on an employer or organisation and have to be handled very seriously,” says Myburgh.
The availability of information on social media doesn’t make an investigator’s job any easier though. While social networks may cooperate in some investigations, this is not always the case. Myburgh adds, “Without the right technology and know-how, it can be an extremely laborious task to troll the Internet in search of comments or information on an individual.”
According to Myburgh, apart from the shear volume of information available and a tendency toward anonymity, one of the most serious challenges posed by social media is the issue of jurisdiction. Traditional cyber forensics would involve an investigator extracting data from a piece of hardware – like the hard drive of a computer or a mobile phone – which they physically had in their possession.
“The state of the hardware could be preserved for authenticity throughout an investigation and the parameters for data extraction were clearly defined. However, when it comes to extracting evidence from third-party social media platforms, the situation is completely different,” says Myburgh.
Evidence posted online or on a social network can change rapidly and could be deleted or changed at any time. As a result, investigators need to constantly update their methods for data collection and preservation to ensure authenticity.
Myburgh warns that it isn’t always as simple as updating one’s methods though. He explains, “The Internet surpasses geographic boundaries so the laws of foreign countries may apply to an investigation. The majority of social media sites are hosted offshore, so investigators have to guard against illegally accessing information that may appear easily accessible but which they are actually not authorised to access.”
Certain information belongs to the owner of the site and not to the user. While an individual or organisation can own information posted on social media channels and can give authorisation to an investigator to access it, the investigator could still not be authorised to access vital associated information – such as who accessed the data and which IP addresses were used.
“Investigators have to ensure they adhere to the terms and conditions of each platform when collecting a user’s information. Any information gathered unethically or inappropriately can be deemed inadmissible in court. It’s always advisable to bring in expert investigators who know exactly how to successfully conduct investigations in this environment,” concludes Myburgh.
Cyanre’s digital forensic experts are trained to use leading-edge hardware and software to conduct investigations to the highest internationally accepted standards. In the Forensic Lab’s ten-year history, it has not lost a single case in which its experts have testified.