Social Media Investigations, Part 2: Peeling Back the Layers

When it comes to sleuthing social sites, getting a screenshot of a Facebook post doesn’t cut it. In some cases, you may need to establish relevance before you investigate a site, and you’ll need more than just a person’s posts—you’ll need the underlying metadata.

Eli Rosenblatt explores recent case law and defines some best practices for collecting, authenticating, and preserving social media evidence in civil and criminal cases.

Investigators: Working on backgrounds in a case, you’ve no doubt come across some interesting or potentially damaging information on Facebook or another network. No doubt your boss or client instructs you to “grab a screenshot of that witness’ Facebook wall.” Well, that may work in a pinch to get you started, but in the new reality of social media evidence, it just isn’t enough.

In our last installment we looked at how extensive social media has become and how it’s no longer sufficient to just look for evidence on Facebook or Twitter. As much as possible, we need to start with our target, and work our way out to discover other services they might use. We also reviewed some general best practices. But now it’s time to go even deeper, to explore aspects which few investigators, attorneys, or other professionals have had a chance to fully grasp.

Social Media Evidence and the Law

Legal challenges regarding the authentication and preservation of social media evidence are becoming more commonplace. In a recent article and white paper, e-discovery experts illuminated these challenges in all their gory details, but we’ll highlight some of the more important ones that investigators should be aware of here. Note that metadata (which e-discovery and data storage nerds call “a little love letter to the future”) is central to many of these cases.

1. Failure to Authenticate

In a heavily discussed Connecticut case, State vs. Eleck, the court rejected Facebook evidence in the form of a simple printout for inadequate authentication. The court noted that it was incumbent on the party seeking to admit the social media data to offer detailed “circumstantial evidence that tends to authenticate” the unique medium of social media evidence.

2. Authenticate or Perish

In another case which highlighted the need for proper authentication, the Texas appellate court noted in its Rene v. State decision that the prosecution offered minimal circumstantial evidence to establish the authenticity of the MySpace pages and no evidence to demonstrate that the photos were not altered.

3. Metadata Matters

In the Dallas, Texas gang-related murder trial State vs. Tienda, the drive-by suspect and defendant Ronnie Tienda posted a number of incriminating posts on his MySpace page. The prosecution succeeded in getting the court to admit printouts of Ronnie Tienda’s MySpace page over the defendant’s objections, laying a foundation through various pieces of circumstantial evidence.

Among this key evidence were relevant metadata fields along with other corroborating information. Despite having won at trial and on appeal, the prosecution faced an uphill battle. The case illustrates how relying on simple printouts of social media site pages would not have succeeded in getting the court to admit crucial evidence. Instead, to reliably succeed in cases involving Facebook, MySpace, Twitter, or other sites, the parties producing social media evidence need to ensure that supporting metadata and other key circumstantial evidence is properly and comprehensively collected.

4. Collect and Catalogue

A New York case filed last year, Richards v Hertz Corp., represents the tip of a huge iceberg. That iceberg is made up of tons of cases (including a very similar case that garnered attention, Loporcaro v. City of New York et al.) that underscore the importance of having tools for collecting, indexing, searching, preserving, and authenticating social media evidence. In Richards v Hertz, the plaintiff claimed that her injuries from an auto collision impaired her ability to participate in sporting activities and caused her to suffer pain that was exacerbated in cold weather.

The defense investigated the plaintiff’s online presence, and what did they find? Yes, publicly available Facebook images “depicting [plaintiff] on skis in the snow.” The defense subsequently served a discovery demand requesting all her status reports, email, photos, and videos posted on her account since the date of the collision.

5. Preserving Virtual Evidence

A case in Virginia last year highlighted the importance of properly preserving social media evidence. In Bland v. Roberts, one of the most important elements of the case was whether or not subjects had “liked” a particular post. With this and other similar cases, we’ve seen that something as small and innocuous-seeming as liking a Facebook entry can be an important piece of evidence in a wide variety of litigation and investigation scenarios.

6. Establishing Relevance

The importance of collecting and preserving social media in a native, scalable, and searchable format was also underlined last year in a decision by a Federal District Court in Michigan (Tompkins v. Detroit Metropolitan Airport). The court ruled that while social media is clearly discoverable, there must be some showing of relevance before the court moves to compel full production of a litigant’s Facebook account.

The plaintiff suffered a slip-and-fall and later claimed back and other injuries. She sued her employer, who sought full access to her Facebook account in the course of discovery. In their ruling, the court noted that while “material posted on a ‘private’ Facebook page…is generally not privileged, nor is it protected by common law or civil law notions of privacy,” an opposing party does not “have a generalized right to rummage at will through information that Plaintiff has limited from public view. [T]here must be a threshold showing that the requested information is reasonably calculated to lead to the discovery of admissible evidence.”

However, far from completely closing the door on full disclosure of social media accounts, the court noted: “If the Plaintiff’s public Facebook page contained pictures of her playing golf or riding horseback, Defendant might have a stronger argument for delving into the non-public section of her account. But based on what has been provided to this Court, Defendant has not made a sufficient predicate showing that the material it seeks is reasonably calculated to lead to the discovery of admissible evidence.”

photo by Matthew Roth

7. When Facebook Is Discoverable

A products liability case last year from Nevada, Thompson v. Autoliv, was another personal injury claim where the claimant’s public Facebook postings contradicted her assertion she’d suffered a serious injury. The defendant sought a court order compelling the plaintiff “to produce complete and un-redacted copies of [her] Facebook and other social networking site accounts.”

The defense based its motion on the plaintiff’s publicly available Facebook wall posts and photographs that contradicted her claims of serious injury (and which the plaintiff changed her privacy settings to conceal shortly thereafter). The court found the plaintiff’s Facebook account discoverable and compelled its production.

Chains of Custody and Metadata in Social Media Evidence Collection

A number of these examples were civil, but of course as we’ve learned, social media evidence plays an essential role in an overwhelming number of criminal cases as well. In November of last year, eDiscovery experts compiled some of the best examples of these, and wrote an article highlighting the ways that 5 representative cases further showed the importance of social media in the courts.

So, to properly address these authentication and preservation challenges, social media data must be properly collected, preserved, searched, and produced in a manner that’s consistent with best practices so that all available circumstantial evidence is available, including metadata. When social media is collected with a proper chain of custody and all associated metadata is preserved, authenticity is much easier to establish.

When you look at (or take a screenshot of) a Facebook photo or status update, what you are getting is merely content, not underlying corroborating evidence. The metadata that lies “beneath” that photo or posting is crucial. Looking in detail at all of the available metadata fields is beyond our scope here, but some of the key ones include the obvious necessary items such as user name, posting date, time, ID, and recipients.

Beyond this, however, there are many others that can be tracked such as:

  • The unique ID of the message thread which that posting belongs to;
  • URLs of any included links within the posting;
  • The platform and applications that were used to create the posting;
  • The number of comments posted in relation to this posting.

Taken together (and compared to other evidence, be it digital or non-digital), these forms of metadata can provide important information to establish the authenticity of a post, if they are properly collected and preserved. Any one or combination of these fields can be key circumstantial data to authenticate a social media item, or constitute substantive evidence in and of itself. (Twitter, LinkedIn, and other services’ postings have their own unique but generally comparable metadata.)

Techniques, Tools, and Terminology

So, why do we want to use special tools or techniques when collecting social media data? The short answer is this: When you are doing screenshots, you are not collecting all the juicy bits under the surface, or the “digital fingerprints.”

In addition to collecting all such key metadata, it is important that MD5 hash values of each social media item are automatically generated at the time of their collection. (For those of you who might not know that term, hash values are the long string of numbers that uniquely identifies an item of digital content.)

It’s also important to generate unique case information that will support a proper chain of custody. Unfortunately, many ad hoc measures currently used to collect social media for use in court do not meet these requirements. Screen capture tools and many archive services, when they capture social media items, just don’t collect most available metadata or generate hash values for individual social media items.
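The collection step described above, as an added Python example that is not from the original article or from any tool it refers to: one post is captured with the metadata fields the article lists, hashed at collection time, and wrapped in a record carrying case information, and a capture that holds content only (the screenshot case) is rejected. The field names, case ID, examiner name and sample post are constructed assumptions; SHA-256 is recorded next to the MD5 the article calls for, because MD5 is no longer collision-resistant.

```python
import copy
import hashlib
import json
from datetime import datetime, timezone

# Fields the article calls "obvious necessary items"; key names are assumptions.
REQUIRED = ("user_name", "posted_at", "id", "recipients")

# Constructed sample post, not real data. Extra keys mirror the article's list:
# thread ID, included URLs, creating application, comment count.
SAMPLE_ITEM = {
    "id": "1000001", "user_name": "example.user",
    "posted_at": "2012-11-03T18:22:05Z", "recipients": ["friends"],
    "thread_id": "t-42", "links": ["https://example.com/a"],
    "application": "mobile-web", "comment_count": 3,
    "content": "Great day on the slopes!",
}

def canonical_bytes(item):
    """Serialize deterministically so the same item always hashes the same."""
    return json.dumps(item, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")

def missing_fields(item):
    """Return required metadata fields that are absent or empty."""
    return [f for f in REQUIRED if not item.get(f)]

def collect(item, case_id, examiner):
    """Build a custody record, hashing the item at the moment of collection."""
    gaps = missing_fields(item)
    if gaps:
        raise ValueError(f"item lacks required metadata: {gaps}")
    raw = canonical_bytes(item)
    return {
        "case_id": case_id, "examiner": examiner,
        "collected_at_utc": datetime.now(timezone.utc).isoformat(),
        "md5": hashlib.md5(raw).hexdigest(),
        "sha256": hashlib.sha256(raw).hexdigest(),
        "item": copy.deepcopy(item),  # snapshot, detached from caller's object
    }

def verify(record):
    """Re-hash the stored item and compare with the collection-time digests."""
    raw = canonical_bytes(record["item"])
    return (hashlib.md5(raw).hexdigest() == record["md5"]
            and hashlib.sha256(raw).hexdigest() == record["sha256"])
```

Any later change to the stored item, even a comment count going from 3 to 4, makes `verify` return `False`, which is the property a screenshot cannot offer.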

Working with a professional who can ensure that social media evidence will be handled according to these best practices is essential. Here are a few important factors to consider when choosing a provider to work with:

  • Reliability of authentication: Does the provider have the right tools and knowledge to capture and index all the needed social media evidence in a way that will maintain crucial metadata, identifiers, or other digital “fingerprints” (doing so in a “read-only” way, without risk of altering the original information or raising the awareness of the posting subject)?
  • Speed: How quickly can the provider search for relevant terms and return needed reports?
  • Scalability: Can the provider accurately and reliably handle searches that range from one simple term on the page of a single subject all the way to dozens of complex strings amongst tens of thousands of social media postings strewn across the various sites of dozens or hundreds of witnesses?

In Summary:

Traditional capture techniques, such as logging in with a fake or one-off account and taking screenshots, may suffice for an initial look (though as we discussed last time, tread carefully here). But given this new landscape, a comprehensive analysis and deeper integration are necessary in most of today’s civil and criminal cases.

Many of you have had at least one mega-case where the volume of emails, documents, photos, and spreadsheets threatens to overwhelm you. Some of you may work only mega-cases like this. (My heart goes out to your families.) But you no doubt use some excellent software and/or databases (such as Casemap, iConnect, Relativity, Equivio, or others, or even well-developed Excel files) to help your team manage this mountain of information.

The trouble is that until recently, there have not been adequate tools for systematically capturing and integrating social media data into a team’s workflow. Fortunately, tools are now being developed that are specifically designed to effectively address this proliferation of social media content from sites such as Facebook, Twitter, LinkedIn, YouTube and more. If your firm is in need of such tools, contact a social media investigations professional to learn how they can help you navigate the new social media landscape and get the hidden information you need.

Read Social Media Investigations, Part 1: Down the Rabbit Hole 

About the Author:

Eli Rosenblatt is an investigator, CFE, and forensics expert in Portland, Oregon. He owns Eli Rosenblatt Investigations and Core Service, LLC and has, quite possibly, the best-designed business card in all the world.