Introduction

Digital forensics is yet another information security-related specialty that is in high demand these days, and there is a sensible reason for it: With the quite obvious rise in technology usage during the last couple decades, coupled with the omnipresence of the Internet, came an overwhelming number of computer threats and crimes that need to be investigated.

While solving computer crimes sounds like (and it actually is!) a great career path, before you venture into it, you should take a moment to understand why this is one of the fields with the highest level of experience required. As a scientific practice, computer forensics goes well beyond what you may have seen in the somewhat entertaining (and highly unrealistic) TV shows such as CSI Cyber. A real forensics professional will not only be able to find, preserve, and analyze evidence, but must also do so in a manner that avoids contamination and ensures that the results can be presented in a court of law without the risk of being dismissed based on the violation of forensics best practices (e.g., chain of custody).

Where Does Evidence Typically Reside on Social Media?

A key point to understand is the fact that forensics happens where the data is. One great example is social network forensics and it really makes sense: The growth of social networks during the last decade has being astonishing, to say the least. Aside from the well-established brands such as Facebook, LinkedIn, Twitter, Instagram, and YouTube, there are over 200 social networking sites, all active, full of all kinds of people, from introverts who only desire a small digital presence to social predators and people with oversharing tendencies. Facebook alone has over 1 billion users that (among other information) post over 350 million photos each day. Social networks have a great impact on society, including providing entertainment, generating information, facilitating communication, and influence. All this while also generating lots and lots of evidence.

This evidence has been used in several cases, such as in 2009, when Daniel Knight Hyden became the first person prosecuted for his posts on Twitter, to more recent cases, such as when a couple was arrested in Ohio after allegedly robbing a bank and posting images with the stolen cash on Facebook.

Social network forensics is nothing more than the application of computer investigation and analysis techniques, such as collecting information from online sources (e.g., Facebook, Twitter, LinkedIn and any other form of social network, no matter its size) and subsequently storing, analyzing, and preserving it as evidence that may have to be presented in a court of law. Sometime investigators have time due to lack of information during an investigation, but that is not the case here. For social network forensics, there is usually plenty of data to collect, but the problem is knowing how to do it. It is no simple task knowing where to find it, the best way to sort what may actually be useful, and how to properly collect and preserve information from a live environment that you have little to no control over. The work is not limited to major social media outlets, it is also possible to recover information from online services, blogs, company or personal websites, forums, and even government web sites that may be connected to social networks or provide similar functions. Basically, from the investigator point of view, social network forensics will be a question of finding where the evidence lies and collecting it without violating any law. But this is not as simple as you may think.

Evidence collection may be done manually (which may be quite time-consuming) using simple techniques, such as visiting a website and taking a screenshot, or aided by open source tools (e.g., HTTrack), or even commercial solutions. It is also important to understand that an investigator will be dealing with live content, so another great option is using services that content archiving (e.g., websites, blog, and social media archiving) so information cannot be altered or tampered.

How do Terms of Service (ToS) Typically Affect Forensics?

Yet another point that can affect e-discovery/forensics efforts is the terms of service agreement. This does not apply only to the users of the social network in question, but most of the time, the terms of service include limitations on what may be collected and manipulated. This may affect investigations, whether criminal, civil, private, or corporate, since a violation of terms of service may be used to discredit evidence. An experienced investigator will know that this is one of the first points to check before gathering information. Usually the terms of service tend to favor the service provider, but they may also restrain what an outside investigator can effectively do. For instance, Facebook makes it quite clear on its terms:

  • You will not collect content or user information, or access Facebook, using automated means (such as bots, robots, spiders, or scrapers) without our prior permission.
  • If you are collecting user information, you must: obtain their consent, make it clear that it is you (not Facebook) who is collecting the information, and post a privacy policy explaining what information will be collected and how it will be used.

In other words, an investigator gathering information from Facebook must have prior permission to use automated or even manual tools and must also inform the investigated party (by means of a privacy policy) that they are being investigated. It is not hard to see how this could affect an investigation that requires a high level of stealth. Even for a criminal investigation, it is important to understand that if you violate the terms of service, the offender’s defense may try to use this as an opportunity to discredit whatever you may have collected, so the safest approach is to have a deep understanding, from the legal standpoint, on how the terms of service may affect your investigation.

Computer Forensics Training

What Jurisdictional Issues Can Arise in These Types of Cases?

Another quite common challenge for social network forensics comes from jurisdictional issues. The Internet may not care about traditional geographic boundaries, but the law sure does. A constant concern during an investigation over social media or any other form of information published online is the fact that it is quite hard to know when another state’s or even country’s laws must be obeyed. For example, if the data you are collecting is stored in Texas, a digital investigator must first be a fully licensed private investigator. Even if another state does not have a similar requirement, whenever an investigation extends via social media into Texas jurisdiction, it is mandatory. A similar scenario is a requirement in Connecticut mandating that any public identifiers collected electronically must be safeguarded. So if you are working on a case on LinkedIn or Facebook and, by pure chance, find a student ID or any other form of   identifiable information, security controls must be in place to protect the individual’s identity.

Conclusion

Performing social network forensics is a task that should be done by experienced professionals but, due to the current cybersecurity skill gap, it provides both a challenge and an opportunity. If you are a client looking for an expert, you may find that experienced professionals are in high demand and are quite expensive, and that is where the opportunity lies. If you are an IT or cybersecurity professional, digital forensics is a great field to advance your career into, provided you have the necessary knowledge, and this is where the InfoSec institute can help you.

In addition to providing several freely available resources, created by experts in the field, our Computer Forensics Boot Camp delivers the best training for the CCFE certification examination by teaching the necessary skills to investigate computer threats and computer crime. Using InfoSec’s Boot Camp accelerated learning methodology, in the short period of five days, students will gain an in-depth knowledge of critical techniques and information about identifying, preserving, extracting, analyzing, and reporting computer forensic evidence through the use of the most popular computer forensic tools.

As far as career advancing enablement in computer forensics goes, nothing beats being prepared for the foremost industry recognized computer forensic certification: the IACRB Certified Computer Forensics Examiner (CCFE). Our Computer Forensics Boot Camp ensures that you have the necessary skills to recognize the overwhelming number of computer threats and investigate computer crime. What you get is first-hand experience, delivered by experts in the field, about the challenges of computer forensics, a walk through the process of forensic analysis and examination, and a deep understanding of differences in evidence locations and examination techniques on Windows and Linux computers.

There is no time to waste; cybercrime goes on 24 hours a day, and you are one simple step away from being ready for new business opportunities. From legal and ethical principles, to how the investigation process is completed, from basic forensic science to digital/application forensics for both hybrid and emerging technologies, InfoSec Institute’s Computer Forensics Boot Camp can make sure you are on the right side of the investigation.

Be Safe

Section Guide

Claudio
Dodt

View more articles from Claudio

You'll leave InfoSec Institute's Computer Forensics course with 3 industry certifications!

Section Guide

Claudio
Dodt

View more articles from Claudio