With the increasing usage of social networks and the emergence of cloud computing, digital forensics faces novel research problems and challenges. The number of users of these services grows steadily; Facebook, for example, currently claims to have 800 million users. Traditional forensics relies on the physical acquisition of hardware and on hash sums to ensure evidence reliability, but this approach does not scale to cloud services and their use of distributed datacenters. In the absence of standardized forensics APIs and unified processes for service operators, isolated solutions are still in widespread use. Another important aspect of forensics, given the vast amount of available data, is its proper visualization.
It is hard to visualize gathered social networking data in a way that answers common questions of interest at first sight, so that people without a technical background can understand it. This has been shown, for example, in the case of the consolidated.db from Apple’s iPhone: the file contained geolocation information, which had already been pointed out in 2010. However, the consolidated.db problem only got widespread attention with the release of the iPhone Tracker software in April 2011, which visualized the collected data. Due to the iPhone Tracker software, Apple finally had to review and change its data collection process.
Social networks like Facebook, Twitter, Foursquare and Google Buzz can be a treasure trove for forensics investigations. The expanding ocean of data in those networks is irresistible to investigators.
A simple investigation might view just the publicly available text and images posted on a suspect’s social page. Deeper investigations may require the investigator to acquire special authority. In an internal corporate investigation, that authority might come in the form of consent from a company employee who has the right to access the page. Or, in a civil lawsuit or certain government investigations, the authority might come in the form of a search warrant. In a criminal investigation, it might be a search warrant.
A sophisticated investigation will examine more than just the data appearing on the face of a social web page. It might, say, go for the cache of data collected at 33Across to ascertain who might be involved in a Medicare fraud scheme.
As an investigation team seeks authority such as a search warrant, it will be prudent to address privacy concerns. Here are example steps to reduce privacy risks:
- Deliberate in writing about the privacy risks, how they can be minimized, and why they are justified in the case at hand.
- Consult a third party expert (or panel of experts) on how to proceed with the investigation in a way that respects privacy.
- Mask personally-identifying information from individual researchers.
- Secure data against use or disclosure beyond the investigation.
- Be transparent to the extent consistent with the mission of the investigation. Modern society rewards openness and transparency. Investigation teams do themselves a favor when they publicize their techniques and open them to scrutiny.
- Document all efforts to protect privacy.
While social networks vary in features and architecture, we identify the following generic data sources to be of interest in forensic examinations of social networks:
- The social footprint: What is the social graph of the user, with whom is he or she connected (“friend”)?
- Communications pattern: How is the network used for communicating, what method is used, and with whom is the user communicating?
- Pictures and videos: What pictures and videos were uploaded by the user, and in which other people’s pictures is he or she tagged?
- Times of activity: When is a specific user connected to the social network, and when exactly did a specific activity of interest take place?
- Apps: What apps is the user using, what is their purpose, and what information can be inferred in the social context?
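As an added example (not from the original text), the following Python script extracts the five data sources listed above from a constructed, service-neutral export of one account, and also fixes a hash over the canonical export so that later analysis can be checked against the acquired copy; the export layout and the account names are assumptions made for this illustration.

```python
import hashlib
import json
from collections import Counter
from datetime import datetime

# Constructed export of a single account; the layout is an assumption
# for this example and does not mirror any real service's data format.
EXPORT = {
    "user": "alice",
    "friends": ["bob", "carol", "dave"],
    "messages": [
        {"to": "bob", "method": "chat", "ts": "2011-04-02T21:14:00"},
        {"to": "bob", "method": "chat", "ts": "2011-04-02T21:20:00"},
        {"to": "carol", "method": "wall", "ts": "2011-04-03T09:05:00"},
        {"to": "erin", "method": "chat", "ts": "2011-04-03T22:40:00"},
    ],
    "photos": [
        {"owner": "alice", "tagged": ["bob"]},
        {"owner": "carol", "tagged": ["alice", "dave"]},
        {"owner": "erin", "tagged": ["alice"]},
    ],
    "apps": ["FarmTown", "Birthday Calendar"],
}

def evidence_hash(export):
    # Canonical JSON (sorted keys, no whitespace) so the same content
    # always yields the same digest, regardless of how it was serialized.
    blob = json.dumps(export, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()

def triage(export):
    me = export["user"]
    msgs = export["messages"]
    partners = Counter(m["to"] for m in msgs)          # with whom
    methods = Counter(m["method"] for m in msgs)       # how (chat, wall, ...)
    hours = Counter(datetime.fromisoformat(m["ts"]).hour for m in msgs)
    # Accounts that own pictures in which the user is tagged.
    tagged_by = sorted({p["owner"] for p in export["photos"]
                        if me in p["tagged"] and p["owner"] != me})
    # Contacts the user messages without a "friend" link stand out.
    non_friend_contacts = sorted(set(partners) - set(export["friends"]))
    return {
        "footprint": sorted(export["friends"]),
        "partners": dict(partners),
        "methods": dict(methods),
        "tagged_by": tagged_by,
        "non_friend_contacts": non_friend_contacts,
        "active_hours": sorted(hours),
        "apps": list(export["apps"]),
    }
```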