top of page

Obtaining Social Media Evidence

Some of us are old enough to remember Paul Simon’s “50 Ways to Leave Your Lover.” Well, those of us who are old enough to remember that one are probably the same people who do not realize there are several ways to obtain social media evidence from opposing and third parties. Not 50, but several. Let’s take a look at them.

Device Forensics

Substantial social media content will likely reside on the device, particularly a phone, used to access the social media account. Device forensics can yield not just the social media data, including login credentials and communications, but the existence of social media accounts you may not have known about previously. Exploring social media usage through device forensics may be the place to start when you are not completely sure which social media platforms are being used or what the user/account name is. While obtaining social media evidence via device forensics may not yield the greatest amount of social media data (depending on the platform and the device), extracting data from the user’s device is a natural starting point in many cases and provides a broad view of what exists and helps to “connect the dots” between social media activity and other activity (e.g., timelining events from different sources or following conversations that jump from platform to platform).

Cloud Extraction

Often, a user’s social media data can be obtained directly from the social media platform. Just as the user’s device gains access to the social media system so that the user can interact on the platform, an investigator can often obtain someone’s social media data directly from the social media provider. A direct cloud acquisition in this manner requires not only the proper tool, but also the user’s credentials and either the user’s permission or some sort of court process (i.e., a subpoena or court order). The natural inclination is to capture and download that account after the account credentials are obtained from the device. Simply having the credentials from the user’s device does not mean downloading the user’s entire social media account is permitted. The investigator will need to obtain the proper authorization (e.g., account owner permission, court order, etc.) to obtain the account data directly from the provider.

Obtaining account data from the cloud provider will yield a wealth of information. Often, every bit of active data relating to the account can be obtained this way, or it can be tailored to the time period or type of data needed. Once the data is obtained, various tools can be used to analyze it.

Request for Production

Whether or not it is advisable to ask the opposing party (or a third party) to obtain and produce their own social media data is an entire discussion. But technologically, this may be the easiest way to obtain social media data because hiccups can occur when using a forensic tool to gain access to a social media platform. The major social media platforms allow a user to log into their account and obtain a download of their own data. The download can generally be limited to a particular time period and often to particular types of data (e.g., direct/private messages, social media posts, media files, contacts, etc.). The rules in most jurisdictions include any data within the responding party’s control as part of the scope of discovery. It is hard to imagine circumstances in which data available to someone by logging in and clicking a few icons or checking a few boxes is not considered within the responding party’s control. After all, if bank statements are discoverable in a matter, then the responding party would certainly be required to log in to his/her online account and download the PDFs. Why would obtaining an export of social media be any different? But most people responding to discovery requests never seem to consider their social media data. Therefore, a request specifically seeking such data may be necessary and useful. Be sure to specify the form of production. Under most circumstances, active data rather than PDF images will be easier to analyze.

Live Capture

Several software products allow a subscriber to capture live, online social media data. In short, a subscriber logs in to the collection software, enters the user’s account name or handle, and the capture tool grabs the user’s publicly available social media data. Some tools even continue monitoring the account on an ongoing basis. Live capture is subject to the privacy settings implemented by the user, but does not implicate the same permission and authorization issues as the other methods of obtaining social media data. However, collecting social media data in this manner may require the person collecting to have an account on the social media platform—be careful with attorney ethical rules about misrepresenting your interests, such as creating a dummy or disguised social media account.

Law enforcement agencies can also obtain social media evidence via a warrant, but that option is not available to the rest of us.

However social media data is obtained, effective and efficient analysis of the data may require specialized tools and techniques to analyze it due to the volume and format of the data. And always, from the very beginning, think about how social media evidence will be authenticated.

17 views0 comments


bottom of page