Are you overwhelmed by the number of artifacts found for social media?
Social media is constantly changing. Staying on top of these changes and new developments is time-consuming and sometimes even challenging.
To ease the burden, we have provided some quick reference details on social media artifacts below.
Where can I get social media data from?
The data that can be captured varies with the tool that is used. Some of the NO entries for the device exist simply because that data is not stored on the local device. The data above is based on the E3 Forensic Platform. Some of the MAYBE entries reflect changes to the App itself and to how its data is authenticated, and almost all tools will have an issue with them. Data availability can change daily as the Apps are updated.
Mobile Device Collection
Mobile device capture requires the use of specialized tools. In the examples below, the videos go through the logical imaging process with the E3 Forensic Platform. Data is produced and can be reviewed. As the chart indicates, the data available depends mostly on where it is located in the firmware of the mobile device, not on the tool.
This quick tutorial shows the process of capturing social media data from an iPhone. If you would like a one-on-one demonstration you can book time here.
This quick tutorial shows the process of capturing social media data from an Android device. If you would like a one-on-one demonstration you can book time here.
Cloud Data Collection
Cloud data collection is the area where you will see the largest variety of issues. Key systems can change at any time, and when that happens your cloud collection will fail. The best way to collect from the cloud is with a VPN and a proxy server. This is not tool-dependent; it simply gives the best options to ensure that a collection is not blocked because of an IP address. The following tutorials show two different methods to work with data not resident on a device.
Cloud data collection uses known keys or authentication tokens.
OSINT collection uses an investigations account to collect data.
Compliance Data Collection
Compliance data is information that can be generated on an account based on a request for information. Compliance data originated because of the changes in security policies. With those shifts, the ability for someone to request their information became part of the process for compliance.
Facebook & Instagram
Step 1. Go to Account and select Settings & Privacy
Step 2. Go to the Privacy Center
Step 3. Go to Manage your Accounts at the bottom of the Privacy Center. With any of the Meta social platforms, you can access all the accounts in a single request. Accessing through the Facebook options is the preferred method.
Step 4. Select the Your information and permissions option. If there are multiple accounts in Meta they will both be displayed.
Step 5. Select what you want to do with the data. You can use the live preview option, but typically we recommend maximizing the consent and selecting Download your information.
Step 5.5 You will be asked if you want to download or transfer the information. Select download and that you want the current activity. Scheduled can be done when a case is going to continue, and you can automate the collection of the archive in intervals.
Step 6. This is where you can select individual or multiple accounts. It is important to ask the person granting consent if all their accounts are listed.
Step 7. How much information to collect? This will depend on what is granted with consent and the scope of your collection.
Step 8. What do you want to do with the information? We recommend that you transfer it to a destination so it can be treated like any other potential evidence.
Step 9. The destination options will come up. Since you are already working with access, see what fits best for the person granting consent. They will have to provide you with access to this area again to capture the file(s).
Step 10. You will need to grant access to Meta to save the data to the storage. In this case, it was Google Drive. Once you have granted access you can continue to the next step.
Step 11. You will start the transfer as the next step. The email account associated with the Facebook account will also receive a notice that the data is available to download once it is completed.
Step 12. Authenticate the account. It is important that you keep the person granting consent present for the entire process so they can authenticate at these final steps.
Step 13. Download the information.
Step 14. Once the data is collected you will need to get access to Google Drive to download the information. That data can then be moved to the processing steps.
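To treat the downloaded archive like any other potential evidence before it goes into processing, the following added example (not part of the original tutorial or of the E3 Forensic Platform) records an intake manifest: a SHA-256 of the archive as received plus a hash of every member, and later checks a working copy against it. It assumes the download is a ZIP file; the sample archive and its paths are constructed for illustration and do not reflect the real archive layout.

```python
import hashlib
import io
import zipfile
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(archive: bytes, source: str) -> dict:
    """Hash the archive as received, then each member, without extracting to disk."""
    entries = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        corrupt = zf.testzip()  # CRC check of every member
        if corrupt is not None:
            raise ValueError(f"corrupt member in archive: {corrupt}")
        for info in zf.infolist():
            if not info.is_dir():
                entries[info.filename] = sha256_hex(zf.read(info))
    return {
        "source": source,
        "recorded_utc": datetime.now(timezone.utc).isoformat(),
        "archive_sha256": sha256_hex(archive),
        "archive_bytes": len(archive),
        "entries": entries,
    }


def verify_copy(archive: bytes, manifest: dict) -> list:
    """Return the differences between a working copy and the intake manifest."""
    problems = []
    if sha256_hex(archive) != manifest["archive_sha256"]:
        problems.append("archive hash mismatch")
    current = build_manifest(archive, manifest["source"])["entries"]
    for path in sorted(set(current) | set(manifest["entries"])):
        if current.get(path) != manifest["entries"].get(path):
            problems.append(f"entry differs: {path}")
    return problems


def make_sample_archive(files: dict) -> bytes:
    """Constructed stand-in for a downloaded archive; paths are hypothetical."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, body in files.items():
            zf.writestr(path, body)
    return buf.getvalue()


if __name__ == "__main__":
    original = make_sample_archive({"sample/messages.json": '{"text": "hi"}'})
    manifest = build_manifest(original, "constructed-sample.zip")
    print(manifest["archive_sha256"], verify_copy(original, manifest))
```

Store the manifest with the case notes at the time of download, and run the verification on the copy that is actually loaded into the analysis tool.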
Facebook & Instagram Processing
Step 1. Open your tool, in this case the E3 Forensic Platform. Go to the menu to add evidence. Select the download that was collected from the request.
Step 2. Once the data is in the tool you can see the large quantity of information that is available. Most of the data that is collected in the compliance archive is not captured from either the mobile device or the cloud acquisition.
This is why it is so important to capture from all the available data sources when doing an investigation. It is better to have overlap than to miss information.
Step 3. Jump into the data. One of the reasons investigators use full platforms for investigations is the powerful analysis functions they have. With carving, searching, OCR (Optical Character Recognition), and reporting, you can quickly see everything in the case together.
Do you have questions about social media investigations?