Social Media Forensics: A Primer
A brief overview of the technical, legal, and practical issues in a social media investigation.
Individuals and organizations share massive amounts of information on social media both voluntarily and involuntarily. In some cases, this information can be the primary piece of evidence in a lawsuit or investigation: the selfie while holding contraband or the post disparaging one’s employer. More often, social media provides lots of small pieces of evidence that support or contradict other facts related to the case. This might include information about relationships, organizational affiliations, location, health conditions (or lack thereof), ideology, and more—all of it conveniently time-stamped and captured on the internet.
The data is available, but collecting this vast array of information in a way that is thorough, economical, and admissible as evidence is a technical challenge that usually requires a forensic examiner with specialized tools. Social media is a dynamic data source: it is continuously modified by the user, by other users, by the company itself (e.g., Facebook or Twitter), and by the automated algorithms that govern these sites.
Although it can be difficult to capture this data, parties have the same duty to preserve social media data that they have for other types of electronically stored information (ESI) when they reasonably foresee that it may be relevant to litigation. Both counsel and client can be sanctioned for failure to preserve social media evidence.
Specialized hardware, software, and knowledge are required, so most collection or preservation efforts will require a digital forensics expert. In addition to the data that is visible directly on the site, an expert can often collect other data, such as private posts and metadata, that may not be accessible through the normal user interface.
After capturing the data, a social media forensics expert can also make the data more useful to an attorney or investigator, enabling comprehensive keyword searches and allowing for review of the data in a format that emulates the original post.