Review: Digital Forensics Investigation for Social Networks

Emily C. Lennert, Candice Bridge, Ph.D

Category: Digital Evidence

Keywords: social network, digital, digital evidence, mobile device, personal computer, imaging, data, recovery Article to be reviewed:

1. Jang, Y.-J.; Kwak, J. “Digital forensics investigation methodology applicable for social network services.” Multimedia Tools and Applications. 2015, 74 (14), 5029–5040.

Additional references:

2. What is volatile data? http://www.computerforensicsspecialists.co.uk/blog/what-is-volatile-data (accessed Jul 1, 2016).

Disclaimer: The opinions expressed in this review are an interpretation of the research presented in the article. These opinions are those of the summation author and do not necessarily represent the position of the University of Central Florida or of the authors of the original article.

Summary: Social network services (SNSs), such as facebook or snapchat, are very commonly used in modern society, especially with the popularity of smartphones and mobile devices.1 SNSs contain valuable information and may provide evidence that is vital to a criminal investigation and subsequent trial. The authors of the article cite three specific cases in which SNS evidence was used. May 2011, an investigation revealed a deleted messenger application, (app), conversation between a man, suspected of murdering his wife, and his mistress. The record of the conversation was presented as circumstantial evidence. July 2012, suspects in a sexual assault of an unconscious victim were identified due to photos and videos discovered on several SNSs. April 2013, after the Boston Marathon terror attack, suspects were quickly identified through SNS information, such as pictures and videos, from individuals in the area of the attack. The suspects’ political ideology and motives for commission of the crime were also identified via SNS information.

SNSs harbor information such as user location, psychology, and personal network, as well as conversations, photographs, text posts, schedules, and more.1 The information from SNSs can also help investigators to identify living patterns and assess the user’s ideas and mental state. Services provided by SNSs are provided by real time data synchronization with the SNS servers, rather than by storing data on the device itself. The device stores minimal data of weak investigative value, such as usage logs, which track when an application is launched and for how long the application is used. In addition to the issue of server storage versus device storage, investigators are limited in what is easily accessible. Privacy settings, on either the server or the device, may interfere with the recovery of information. Additionally, SNSs are easily accessible via multiple devices, and may be modified by users other than the suspect. Web browsers, used to access the SNS, alone do not store sufficient evidence, and SNS records may be deleted from or altered on a mobile device prior to acquisition by investigators. Through appropriate digital forensic techniques, the SNS user’s conversations, friend list, and more may be recovered. The article discusses a digital investigation model designed for SNS application, which prevents damage and manipulation of evidence.

First, when a device is recovered, access to data storage of the SNSs should be blocked. This is comparable to using writing protection on a device to prevent data from being overwritten.1 SNSs used by the suspect must be identified and the suspect’s account information must be acquired. The SNSs that might have been used by the suspect should be understood and identified by the investigator. Then, the suspect’s device that will be investigated for SNS data must be classified as either a personal computer or mobile device. Personal computers access the SNSs through web browsers, while mobile devices use applications, apps; therefore, recovery methods of the data vary depending on the device. The device must be cut off from all networks to prevent modification of the SNS data, and the suspect’s SNS accounts should be suspended to conserve data. The devices must be imaged, which means an exact copy of the original data is made to protect the integrity of the original. Data collection will be performed on the imaged copy of the system that was saved on the forensic examiner’s computer. A real time data collection procedure is followed for personal computers; traces of SNS use are identified in the system memory using a memory analysis tool. Then, the memory of each web browser is imaged separately, which recovers volatile data, which is data that may be completely lost when a device is powered down.2 Volatile data is valuable because it cannot be modified by anyone in an SNS.1 This volatile data can then be used to search user profiles that the suspect had visited, as well as to analyze conversations between the suspect and other users and to access a timeline of SNS use. Mobile devices can be analyzed by recovering data from the application’s database files. Volatile data may be recovered from either type of device.

After outlining the data recovery methods, the authors discuss the advantages of their SNS investigation method. The authors believe that the systematic collection of digital evidence will provide an advantage to investigators.1 The authors note that the systemization of a SNS investigation process will eliminate the possibility of confusion in the investigation process as well as ensure a faster method that is appropriate for SNS evidence collection. The authors believe that the systematic collection of digital evidence will provide an advantage to investigators.

Scientific Highlights:

• This article presents a systematic digital investigation method for collecting and analyzing social network service data.
• Investigation of a personal computer requires imaging of the device memory as well as the memory of each web browser.
• Investigation of mobile devices requires imaging of the device and analysis of application databases.

Relevance: Social network services can be a valuable source of digital evidence; a digital forensic analysis method for social network services will aid investigators in uncovering evidence in a systematic and timely manner.

Potential conclusions: A systematic method of social network data recovery will provide investigators with the means of recovering evidence efficiently and without risking the integrity of the evidence collected.

Legal Brief: Digital forensics investigation for social networks

Steve Krejci

While many social networking sites (SNSs) are publicly viewable, Smallwood v. State shows that the state cannot simply search a person’s phone for SNS data incident to arrest. In most cases, the phone is separated from the arrestee fairly quickly, and that separation alone invalidates searching the phone for applicable data incident to arrest. However, Smallwood also discusses the strong privacy interests of the data on the phone and realizes that searching a phone is not comparable to searching containers found within a car upon arrest. Hence, an arrestee’s phone enjoys a greater level of privacy protection that first must be overcome before the phone can be searched for digital evidence. Smallwood v. State, 113 So. 3d 724, 738 (Fla. 2013).

The O’Leary case highlights how easily SNS postings can implicate criminal behavior. The issue in this case was whether a death threat was “sent” to the alleged victim as defined by Florida Statute § 836.10. The court held that the posting of the threat on the defendant’s personal page and the friend request sent to the victim was sufficient to show a prima facie case under § 836. 10, a second degree felony. O’Leary v. State, 109 So. 3d 874 (Fla. 1st DCA 2013).

The use of SNS is prolific throughout criminal prosecutions, but the Domville case shows other potential implications of SNS. In this case, defense counsel discovered the judge had friended the prosecutor assigned to this case. Defense moved to recuse the judge and that motion was denied. On appeal, this denial was overturned. This case discussed the elements necessary to implicate Judicial Conduct Canon 2B: 1) the judge must establish the social networking page; 2) the site must afford the judge the right to accept or reject friend requests: and 3) this action must be communicated to others. Additionally, this case discussed that the prosecutor did not actually influence the judge, it was the appearance of such a possibility that was the main issue. Domville v. State, 103 So. 3d 184, 185 (Fla. 4th DCA 2012).