Chapter 4

The intersection between social media, crime, and digital forensics: #WhoDunIt?

Kathryn C. Seigfried-Spellar*
Sean C. Leshney**
*    Purdue University, IN, USA
**    Tippecanoe County Prosecutor’s Office, IN, USA

Abstract

This chapter opens with a discussion on the prevalence and different types of social media, such as social networking sites, blogs, virtual social worlds, collaborative projects, content communities, and virtual game worlds. Next, the authors review the potential evidentiary value that social media may have in criminal cases. Specifically, social media may yield digital evidence of the planning, commission, or aftermath of a crime. Finally, this chapter provides an overview on the location of social media evidence on the network and physical device, as well as the most common digital forensic tools that extract and analyze social media artifacts. Overall, not only are almost all criminal investigations involving at least one form of digital evidence, it is plausible that the majority of them will also involve a form of social media as well. Thus, it is necessary for law enforcement to stay up-to-date on the latest social media trends in order to identify the most effective tool for extracting and analyzing social media evidence.

Keywords

social media
digital forensics
crime
law enforcement
cybercrime

Introduction

Over 40% of the world’s population uses the Internet, and 74% of them use social networking sites (Duggan, Ellison, Lampe, Lenhart, & Madden, 2015). As of September 2015, the most popular social networking sites were Facebook, Twitter, LinkedIn, Pinterest, and Google Plus+ (ebizmba, 2015). In addition, 40% of mobile phone users sampled use social media sites on their phone, and 28% reported using social networking sites daily (Duggan et al., 2015). Social networking sites may be defined as “web-based services that allow an individual to construct a public or semipublic profile within a bounded system, articulate a list of other users with whom they share a connection, and view and traverse their list of connections and those made by others within the system” (Boyd & Ellison, 2008, p. 211). Social networking sites (SNS) allow users to maintain old relationships, while also connecting with new acquaintances or even strangers on the Internet. Although they are the most commonly used, social networking sites make up only a subset of social media.
According to Kaplan and Haenlein (2010), social media is a “group of Internet-based applications that build on the ideological and technological foundations of Web 2.0 [e.g., increased broadband availability and hardware capacity], and that allow the creation and exchange of User Generated Content” (p. 61). In order for data to be considered user-generated content, it must: (1) be published either on a publicly accessible website or be available to a select group of people on a social networking site; (2) exhibit a certain level of creative effort; and (3) be created outside professional routines and practices (Organization for Economic Cooperation and Development [OECD], 2007). Based on these definitions, social media includes not only social networking sites (e.g., Facebook), but also blogs, virtual social worlds (e.g., Second Life), collaborative projects (e.g., Wikipedia), content communities (e.g., YouTube), and virtual game worlds (e.g., World of Warcraft; Kaplan & Haenlein, 2010). Overall, social media sites create an environment that allows users to communicate and share information with others who are either connected directly (member of site) or indirectly (e.g., friends of friends) within the network (Brunty & Helenek, 2013).
Thanks to the globalization of technology, traditional desktop computers are no longer needed to connect to social media. In fact, it is estimated that more than one-quarter of the world’s population will use smartphones in 2015 (eMarketer, 2014), and more than one billion will use a tablet (e.g., iPad; eMarketer, 2015). Mobile devices, such as smartphones and tablets, allow their users to download applications, known as “apps,” that perform certain tasks, such as communicating, gaming, or sharing content.
According to AppCrawlr (2015), the top free social media apps are Facebook, WhatsApp Messenger, Instagram, Facebook Messenger, and Line. On the Apple App Store alone, there are more than 1.5 million mobile apps available, and over 100 billion apps have been downloaded as of June 2015 (Statistica, 2015). In addition, some apps have an element of social media as a secondary function; for example, Waze is primarily a community-based traffic and navigation app, but it also allows users to send private messages to other Waze users who are traveling nearby.
However, unlike traditional forms of social media, such as Facebook, some social media apps are providing their users with anonymity. These anonymous apps are growing in popularity because users can communicate and share content without creating a user profile. They were created initially in response to concerns over privacy and the presence of a digital footprint. For example, YikYak, Whisper, Sneeky, Cloaq, and Viper are all social media apps that allow users to post anonymous comments, photos, and/or videos (c.f., Roose, 2014). YikYak in particular has received national media attention due to several cases of students posting cyber threats (c.f., Raleigh, 2015; Seigfried-Spellar, Flores, & Griffith, 2015). In addition, some apps are providing confidentiality, rather than anonymity, through encrypted, private messaging that prevents screenshots and deletes messages after they have been read (e.g., Confide). There will always be a demand for anonymous apps so long as society is concerned about privacy and its digital footprint; however, these apps still preserve data that are helpful to law enforcement (e.g., IP address, GPS).
Overall, over 40% of the world has access to the Internet, and the International Telecommunication Union (2013) reports that there are as many mobile cellular subscriptions as people in the world. Research also shows that more than half of Internet users have two or more accounts on different social media sites (e.g., Facebook and Twitter; Duggan et al., 2015). With technology becoming an integral part of society, it is no wonder that law enforcement is experiencing an increase in the number of cases involving digital evidence. Almost every type of criminal investigation (both cyber and traditional) involves some form of digital evidence (Clifford, 2006), and many of these cases involve more than one digital device (mobile phone, laptop; c.f., Holt, Bossler, & Seigfried-Spellar, 2015). In this digital era, law enforcement needs to be aware of the potential evidentiary value that social media may have in criminal cases.

Social media and crime

Prior to the boom of personal computers, traditional computer investigations concerned the theft of computer components. However, computers now play either a target (e.g., hacking), tool (e.g., cyberbullying), or incidental (e.g., storage device for evidence) role in criminal investigations (c.f., Maras, 2012). In addition, traditional crimes committed through the use of computer technology are now referred to as “old crimes with new tricks,” such as cyberbullying, Internet child pornography use, and cyberterrorism. Brunty and Helenek (2013) outlined the different ways in which social media may be used by criminals: burglary, social engineering, phishing, malware, identity theft, cyberbullying, cyberstalking, exploitation, sexual assault, prostitution, organized crime, and cyberterrorism. Not only are social media sites used to commit crimes, but criminals may also leave a trail of digital evidence, including posts, short message service (SMS) communications, photos, or geotagging, to name a few.
For example, the kidnap, rape, and murder of Kimberly Proctor in March 2010 was solved thanks to a digital trail of evidence left behind by the two teenage boys. According to Roberts (2011), “police investigating this case … gathered the digital equivalent of 1.4 billion pages of paper evidence, including Facebook and MSN messages, text messages and chat histories” (para. 7). In addition, one of the teenage boys confessed to murdering Kimberly Proctor while chatting with his online gamer girlfriend on World of Warcraft (Zetter, 2011). The murder of Kimberly Proctor was solved through the trail of digital evidence left on social media (e.g., social networking sites, virtual game worlds).
In addition, there are a number of cases where individuals have confessed to their crimes on social media; “it appears that the need for bravado is much greater than any concerns about getting caught” (Gross, 2013). Hannah Sabata was arrested after she posted a video on YouTube bragging that she had stolen a car and robbed a bank at gunpoint; she also flashed a large wad of cash in the video (Locker, 2012). In another example, a convicted violent felon, and Midwest King gang member, nicknamed “P Smurf,” posted a video of himself on Facebook shooting an AK-47. This video was forensically preserved by local law enforcement, and “P Smurf” was federally indicted in 2012 for gun charges.
Overall, social media may yield digital evidence of the planning, commission, or aftermath of a crime, which is why it is necessary for law enforcement to understand the value of collecting forensically sound evidence from social media.

Social media and digital forensics

Traditional computer forensics evolved into the field of digital forensics in response to the variety of digital devices, other than traditional computer hardware, that housed digital evidence. Computer forensics was no longer a term that accurately represented the various forms of digital evidence. Digital evidence is defined as information that is either transferred or stored via a computer (Casey, 2011), and digital evidence may be found on mobile devices, global positioning systems (GPS) devices, gaming systems, and networks, to name a few. Thus, digital forensics is an umbrella term that refers to the analysis of digital evidence, which includes network forensics (Internet traffic), computer forensics, mobile-device forensics (e.g., cell phone), and malware forensics (e.g., viruses; Casey, 2011). Regarding social media, digital evidence may be found on the physical device or on the network (Brunty & Helenek, 2013).

Social media evidence on the network

If the digital evidence is on the network (e.g., stored by the social media site), the data may be spread over many servers, providers, and users, which may require the use of big data analytics (Nelson, Phillips, & Steuart, 2015). If there is the potential for social media evidence, the first step for law enforcement is to send a preservation order to the Internet service provider (ISP) to prevent any changes to the data for 90 days until a court order or search warrant is issued (EC-Council, 2010). However, the preservation order must reference a specific account and time frame.
Next, law enforcement must submit a search warrant, court order, or subpoena to the social media provider in order to obtain any data records (EC-Council, 2010; Nelson et al., 2015). This process of requesting data from social media sites is so common that many of them now have legal guides available for law enforcement on their websites. In addition, the National Consortium for Justice Information and Statistics provides a searchable database of online ISPs and other online content providers so law enforcement can quickly identify the legal contact information and instructions for serving subpoenas, court orders, and search warrants. These instructions and guidelines are crucial in that social media providers may deny a request if it is missing the required language. Finally, some social media providers are starting to notify their subscribers that a legal request has been submitted, which could jeopardize a criminal investigation. In the United States, all preservation orders and data requests (e.g., court orders, search warrants) should instruct the ISPs or social media companies to “not notify the subscriber as such disclosure may hinder the law enforcement investigation and/or obstruct justice” (c.f., 18 U.S.C. § 2705(b)) (Fig. 4.1).
Figure 4.1 Example Preservation Letter to Twitter
Overall, understanding the process of requesting data is extremely important due to the increasing use of social media for law enforcement investigations. According to the International Association of Chiefs of Police (2014), 78.8% of law enforcement agencies in the United States claim that social media has helped them to solve crimes in their jurisdictions. Thus, the process for requesting data from social media providers requires careful attention when making a request in order to preserve forensically sound data.
Social media records will contain a wealth of information and potential digital evidence. First, the records will contain the IP address history (IP addresses are unique numbers that identify a computer on the Internet; c.f., Syngress, 2002), as well as phone numbers if requested. There are helpful tools available for locating information on an IP address. In addition, these records may contain subscriber information, photos, messages, and videos.
Unfortunately, information obtained from ISPs or social media companies is not provided in a consistent standardized format, which makes it difficult to input the data into automated tools for analysis. Instead, it is common for law enforcement to examine the data manually in search of evidence relevant to the case. When the data are received from ISPs and social media companies, they usually arrive in a variety of file formats, such as text files, PDF files, CSV files, and Microsoft Office documents, just to name a few. Individual fields within these files, such as dates, times, and phone numbers, are also written in different formats. To make this more complicated, the records may be stored in different time zones. Overall, the different file types and formats make it challenging to import the data into a central program that can be used to search or perform link analysis.
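The normalization problem described above, as an added example that is not part of the original chapter: three constructed provider returns with different delimiters, timestamp formats, and UTC offsets are merged into one UTC timeline, and rows that cannot be parsed are set aside for manual review rather than dropped. The provider names, column names, values, and the assumption that each return documents a fixed UTC offset are all hypothetical.

```python
import csv
import io
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed sample returns. Provider names, column names and values are hypothetical.
RETURN_A = """login_time,ip
2015-03-01 14:05:09,198.51.100.7
2015-03-01 02:10:00,2001:db8::5
"""
RETURN_B = """Date\tIP Address
03/01/2015 06:30:00 AM\t203.0.113.20
02/28/2015 11:59:30 PM\t203.0.113.20
"""
RETURN_C = """ts;addr
1425218400;192.0.2.44
not-a-time;192.0.2.44
"""
SAMPLE_RETURNS = {"provider_a": RETURN_A, "provider_b": RETURN_B, "provider_c": RETURN_C}

# One profile per provider: delimiter, column names, timestamp format, and the
# fixed UTC offset in hours that the return is assumed to document. A return
# stated in a named zone with daylight saving would need zoneinfo instead.
PROFILES = {
    "provider_a": {"delim": ",", "ts": "login_time", "ip": "ip",
                   "fmt": "%Y-%m-%d %H:%M:%S", "offset_h": 0},
    "provider_b": {"delim": "\t", "ts": "Date", "ip": "IP Address",
                   "fmt": "%m/%d/%Y %I:%M:%S %p", "offset_h": -8},
    "provider_c": {"delim": ";", "ts": "ts", "ip": "addr",
                   "fmt": "epoch", "offset_h": 0},
}


def to_utc(raw, fmt, offset_h):
    """Convert one provider timestamp to an aware UTC datetime."""
    if fmt == "epoch":
        return datetime.fromtimestamp(int(raw), tz=timezone.utc)
    local = datetime.strptime(raw, fmt).replace(
        tzinfo=timezone(timedelta(hours=offset_h)))
    return local.astimezone(timezone.utc)


def normalize(provider, text):
    """Return (events, rejected) for one provider return."""
    p = PROFILES[provider]
    events, rejected = [], []
    reader = csv.DictReader(io.StringIO(text), delimiter=p["delim"])
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        try:
            when = to_utc(row[p["ts"]].strip(), p["fmt"], p["offset_h"])
            ip = ipaddress.ip_address(row[p["ip"]].strip())
        except (ValueError, KeyError, AttributeError) as exc:
            # Keep the untouched row and its position so an examiner can review it.
            rejected.append((provider, line_no, dict(row), str(exc)))
            continue
        events.append({"utc": when.isoformat(), "ip": str(ip),
                       "provider": provider, "source_line": line_no,
                       "raw_time": row[p["ts"]]})  # original value kept for traceability
    return events, rejected


def build_timeline(returns):
    """Merge all provider returns into one list ordered by UTC time."""
    events, rejected = [], []
    for provider, text in returns.items():
        ok, bad = normalize(provider, text)
        events += ok
        rejected += bad
    # Every "utc" string has the same layout and offset, so text order is time order.
    events.sort(key=lambda e: e["utc"])
    return events, rejected


if __name__ == "__main__":
    timeline, rejected = build_timeline(SAMPLE_RETURNS)
    for e in timeline:
        print(e["utc"], e["ip"], e["provider"], "line", e["source_line"])
    for item in rejected:
        print("REVIEW MANUALLY:", item)
```

Each output row keeps the provider, source line number, and original timestamp string, so any entry in the merged timeline can be traced back to the record as it was received.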

Social media evidence on the physical device

Digital evidence from social media use may be found on traditional desktop computers and laptops as well as mobile devices, such as tablets and smartphones. For traditional desktop computers and laptops, social media sites are accessed through an Internet browser (e.g., Safari, Internet Explorer), whereas social media may be accessed through apps or traditional Internet browsers depending upon the mobile device. First, these Internet browsers are great sources of potential digital evidence, including browsing history, searches, sites visited, and stored login and password information (c.f., Casey, 2011). In addition, these Internet browsers also maintain a “cache,” which is a repository for storing copies of previously visited websites that expedites the processing of information when reopening a site (c.f., Brown, 2006; Clancy, 2011). Social media artifacts are primarily located in the browser cache (c.f., Cusack & Son, 2012).
Along with cache files, social media posts may also contain embedded information, known as metadata, which is often defined as “data about data.” Metadata provides additional information about a file, such as when the file was created, last accessed or modified, its location, or name of the user account (c.f., Ball, 2005). There are three types of metadata: descriptive, structural, and administrative (Salama, Varadharajan, & Hitchens, 2012). According to Salama et al. (2012), metadata is capable of providing investigators with information to answer the main questions of: who, what, when, how, where, and why. For example, Salama et al. (2012) downloaded photos from the Internet and were able to reveal information about the creator, and in some cases, the GPS coordinates by forensically analyzing the metadata.
A number of digital forensic tools are available to analyze social media artifacts from physical devices, although determining which tool is appropriate depends on the device (mobile phone vs. laptop) and operating system, and in some instances multiple tools may be needed to conduct a complete extraction. A few of the more common digital forensic tools are Cellebrite Physical Analyzer, Magnet Forensics’ Internet Evidence Finder (IEF), XRY Mobile Forensic Tool, AccessData’s Forensic Toolkit (FTK), and Guidance Software’s EnCase.[1]
Cellebrite UFED with Physical Analyzer is one of the leading forensic tools for extracting information from smartphones. Being able to successfully extract all of the data possible from a physical device is only half the challenge; the second challenge is the forensic tool’s ability to effectively parse through the extracted data and display useful information to the forensic examiner. For a majority of mobile devices, social media apps store their configuration, user data, and history in SQLite databases. However, companies are constantly creating new apps and/or updating the functionality of their existing apps, so forensic tools, like Physical Analyzer, need to be constantly updated to correctly read the databases of the latest version of social media apps.
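Why an app update can break a parser, shown as an added example that is not part of the original chapter and is not code from any of the tools named here: the table layouts, column names, and sample rows are constructed and hypothetical. The reader opens a working copy read-only, picks a column mapping from the table's actual columns, refuses a layout it does not recognize instead of returning nothing, and confirms by hash that the file was not altered.

```python
import hashlib
import os
import sqlite3
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Hypothetical "messages" layouts for two releases of one app (constructed).
# Column set -> (author column, text column, time column, ticks per second).
KNOWN_LAYOUTS = {
    frozenset({"id", "sender", "body", "ts"}): ("sender", "body", "ts", 1),
    frozenset({"id", "author_id", "text", "created_ms"}):
        ("author_id", "text", "created_ms", 1000),
}


def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def extract_messages(path):
    """Read messages from a working copy of an extracted database."""
    before = sha256_file(path)
    # mode=ro asks SQLite for a read-only connection to the file.
    con = sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)
    try:
        cols = frozenset(r[1] for r in con.execute("PRAGMA table_info(messages)"))
        if cols not in KNOWN_LAYOUTS:
            # An unrecognized layout must be reported, never silently skipped.
            raise LookupError(f"unsupported messages layout: {sorted(cols)}")
        who, text, ts, ticks = KNOWN_LAYOUTS[cols]
        rows = con.execute(
            f'SELECT "{who}", "{text}", "{ts}" FROM messages ORDER BY "{ts}"'
        ).fetchall()
    finally:
        con.close()
    if sha256_file(path) != before:
        raise RuntimeError("working copy changed during examination")
    return [{"author": a, "text": t,
             "utc": datetime.fromtimestamp(raw / ticks, tz=timezone.utc).isoformat()}
            for a, t, raw in rows]


def make_db(path, ddl, insert=None):
    """Create a constructed sample database for the demonstration."""
    con = sqlite3.connect(path)
    con.execute(ddl)
    if insert:
        con.execute(insert)
    con.commit()
    con.close()


def demo():
    """Parse two known layouts and show the failure on an unknown third one."""
    out = {}
    with tempfile.TemporaryDirectory() as d:
        v1, v2, v3 = (os.path.join(d, f"app_v{n}.db") for n in (1, 2, 3))
        make_db(v1, "CREATE TABLE messages (id INTEGER PRIMARY KEY, sender TEXT,"
                    " body TEXT, ts INTEGER)",
                "INSERT INTO messages (sender, body, ts)"
                " VALUES ('user_a', 'meet at 9', 1425218400)")
        make_db(v2, "CREATE TABLE messages (id INTEGER PRIMARY KEY, author_id TEXT,"
                    " text TEXT, created_ms INTEGER)",
                "INSERT INTO messages (author_id, text, created_ms)"
                " VALUES ('user_b', 'on my way', 1425218460500)")
        make_db(v3, "CREATE TABLE messages (id INTEGER PRIMARY KEY, payload BLOB)")
        out[1], out[2] = extract_messages(v1), extract_messages(v2)
        try:
            extract_messages(v3)
        except LookupError as exc:
            out["unknown"] = str(exc)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```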
Internet Evidence Finder is a popular tool that recovers digital evidence from computers, smartphones, and tablets, including both existing cache and deleted data from Internet-related artifacts, such as web browsers (Google Chrome, Mozilla Firefox, Internet Explorer), chat programs (AIM, Yahoo Messenger), email (Gmail, Hotmail, Yahoo Mail), and torrent programs (Ares, Frostwire, eMule), to name a few (Murray, 2013). IEF also has a special feature called “chat threading,” which visually recreates the chat dialog as it would appear on the device (McQuaid, 2014). In addition, XRY Mobile Forensics Tool is specifically designed to extract data forensically from mobile devices, including smartphones, tablets, satellite navigation units, and multimedia (MSAB, 2015). According to MSAB (2015), XRY also has the “largest support for smartphone apps in the market.”
With any digital forensic investigation, EnCase and FTK are the two most commonly used tools by law enforcement. EnCase is capable of acquiring data from a variety of digital devices, including smartphones/tablets, hard drives, and removable media. In addition, EnCase provides support for social networking sites, including Facebook and Twitter (Cusack & Son, 2012; Guidance Software, 2015). FTK is also capable of extracting data from computer hard drives, networks, removable devices, and mobile devices, as well as of decrypting files and cracking passwords (AccessData, 2015). In addition, FTK also has a data visualization tool that creates a timeline and visual depiction of social interactions (e.g., emails), as well as Internet and chat analysis capabilities (AccessData, 2015).

Summary

The future of digital forensics will depend on the ever-changing world of technology, but as it stands currently, there is a strong demand in the law enforcement community for social media forensics. Thanks to the globalization of technology, the number of social media users will continue to increase. For instance, there were 1.59 billion social network users in 2013, and this number is expected to increase to 2.44 billion by 2018. In addition, there was a significant increase in multiplatform use, from 42% of online users in 2013 to 52% in 2014 (PRC, 2015). In other words, online adults are more likely to use two or more social media sites. Thus, not only do almost all criminal investigations involve at least one form of digital evidence, but when these cases involve social media, it is plausible that the majority of them will involve more than one form of social media as well. For example, The University of Alabama experienced a cyber threat on September 21, 2014 after someone with the username Authur Pendragon posted an ominous comment on a YouTube video (see Seigfried-Spellar et al., 2015). This threat fueled a fury of miscommunication, rumors, and panic that reached beyond The University of Alabama campus thanks to social media. The Authur Pendragon incident was a hot topic on social media sites/apps, including YouTube, Twitter, Facebook, YikYak, GroupMe, and Reddit. More specifically, the threat became a trending topic on Twitter with the hashtag #Pray4Bama (Seigfried-Spellar et al., 2015).
The Authur Pendragon case is a perfect example of the complexity in potential social media evidence from both the network and physical device. Social media forensics is a relatively new area within digital forensics, as there are a limited number of digital forensic tools that specialize in social media artifacts (see Nelson et al., 2015). Therefore, it is necessary for law enforcement to stay up-to-date on the latest social media trends in order to identify the most effective tool for extracting and analyzing social media evidence. Although social media trends may change (e.g., MySpace, Facebook), potential evidence will always be stored on the network or physical device.

References

AccessData. (2015). Forensic Toolkit (FTK). Retrieved from http://accessdata.com.

AppCrawlr. (2015, September 18). 100+ Top Free Apps for Social Networking & Social Media. Retrieved from www.appcrawlr.com.

Ball, C. (2005). Metadata: Beyond data about data. Retrieved from www.craigball.com.

Boyd D, Ellison N. Social network sites: definition, history, and scholarship. Journal of Computer Mediated Communication. 2008;13:210–230.

Brown C. Computer evidence: Collection and preservation. Hingham, MA: Thomson/Delmar; 2006.

Brunty J, Helenek K. Social media investigation for law enforcement. Waltham, MA: Elsevier Inc; 2013.

Casey E. Digital evidence and computer crime: Forensic science, computers, and the internet. 3rd ed. Waltham, MA: Academic Press; 2011.

Clancy TK. Cyber crime and digital evidence: Materials and cases. Albany, NY: Matthew Bender & Company; 2011.

Clifford RD, ed. Cybercrime: The investigation, prosecution, and defense of a computer-related crime. 2nd ed. Durham, NC: Carolina Academic Press; 2006.

Cusack, B., & Son, J. (2012, December). Evidence examination tools for social networks. Proceedings of the 10th Australian Digital Forensics Conference, Perth, Western Australia.

Duggan, M., Ellison, N. B., Lampe, C., Lenhart, A., & Madden, M. (2015). Social media update 2014. Pew Research Center. Retrieved from www.pewinternet.org.

ebizmba. (2015, September). Top 15 most popular social networking sites. Retrieved from www.ebizmba.com.

EC-Council. Computer forensics: Investigation procedures and response. Clifton Park, NY: Cengage Learning; 2010.

eMarketer. (2014, December 11). 2 billion consumers worldwide to get smart(phones) by 2016. Retrieved from www.emarketer.com.

eMarketer. (2015, January 8). Global usage doubled in past three years, but growth expected to slow. Retrieved from www.emarketer.com.

Gross, D. (2013, August 9). Why people share murder, rape on Facebook. CNN. Retrieved from www.cnn.com.

Guidance Software. (2015). EnCase Forensic v7 Overview. Retrieved from guidancesoftware.com.

Holt T, Bossler A, Seigfried-Spellar K. Cybercrime and digital forensics: An introduction. Abingdon, UK: Routledge; 2015.

International Association of Chiefs of Police. (2014). 2014 IACP Social Media Survey Results. Retrieved from http://www.iacpsocialmedia.org.

International Telecommunication Union. (2013, February). The world in 2013 ICT facts and figures. www.itu.int.

Kaplan AM, Haenlein M. Users of the world, unite! The challenges and opportunities of social media. Business Horizons. 2010;53:59–68.

Locker, M. (2012, December 5). Watch: Woman brags about bank robbery on YouTube, Gets Arrested. Time. Retrieved from www.newsfeed.time.com.

Maras M. Computer forensics: Cybercriminals, laws, and evidence. Sudbury, MA: Jones and Bartlett Learning; 2012.

McQuaid, J. (2014, September 4). Recovering WhatsApp forensic artifacts. Retrieved from http://www.magnetforensics.com.

MSAB. (2015). What is XRY? Retrieved from http://www.msab.com.

Murray, N. (2013, July). Internet Evidence Finder Report. Patrick Leahy Center for Digital Investigation (LCDI). Retrieved from www.champlain.edu.

Nelson B, Phillips A, Steuart C. E-mail and social media investigations. In: Nelson B, ed. Guide to computer forensics and investigations: Processing digital evidence. Boston, MA: Cengage Learning; 2015:423–456.

Organization for Economic Cooperation and Development. Participative web and user-created content: Web 2.0, wikis, and social networking. Paris: OECD; 2007.

Raleigh, L. (2015). Yik Yak Arrests – An Updated Timeline. Retrieved from Telapost: www.telapost.com.

Roberts, H. (2011, November 9). Teenage killer who tortured and suffocated classmate, 18, had left digital trail of sick plot and confessed on World of Warcraft. Retrieved from dailymail.co.uk.

Roose, K. (2014, June 13). The complete guide to anonymous apps. Retrieved from www.nymag.com.

Salama, U., Varadharajan, V., & Hitchens, M. (2012). Metadata based forensic analysis of information in the Web. Annual Symposium of Information Assurance & Secure Knowledge Management, Albany, NY.

Seigfried-Spellar KC, Flores BM, Griffin DJ. Switzerland: Springer International Publishing; 2015.

Statistica. (2015). Apple App Store: number of downloads as of June 2015. Retrieved from www.statistica.com.

Syngress. Scene of the cybercrime: Computer forensics handbook. Rockland, MA: Syngress Publishing, Inc; 2002.

Zetter, K. (2011, November 3). Teen Murderer Undone by World of Warcraft Confession and Trail of Digital Evidence. Retrieved from wired.com.


1 Note. The authors do not endorse any of the digital forensic tools; these are merely the more commonly used digital forensic tools by law enforcement for examining social media artifacts.
