Facebook, Twitter, Gmail, YouTube and the New Era of Social Media Forensics

 

By Joe Bartling, Bartling Forensic LLC

Lately, many of our forensic cases include a social media and/or social networking component and its easy to see why.   Many organizations, including corporations, Government agencies, non-profits, and medium and small businesses now allow some use of social media in the workplace, and some allow BYOD (Bring Your Own Device) in the workplace.  The “always-on”, 24-hour availability expected in many environments now enables a mix of personal and business use of social media, including legitimate business use on social media, such as on Twitter, LinkedIn, FaceBook, and YouTube.

But most companies’ “Acceptable Use” policies for their computers and networks have lagged behind.  According to these policies, many organizations still prohibit use of company-owned electronic devices for personal purposes, even though a large percentage of individuals in the organization are doing just that, checking their personal email on their company phone, checking in on Facebook, and sending out and forwarding tweets all day long.

Update your firm’s “Acceptable Use” policy!

Our advice for these organizations is to assess the reality of what’s going on in the organization and with company resources, and UPDATE THE COMPANY’S “ACCEPTABLE USE” POLICY to reflect CURRENT desired behavior, and specifically prohibit undesired behavior and communicate the policy to the staff.

Once litigation or an investigation begins, it is too late to “roll back the clock” on your policies and practices.

The highly-publicized Hillary Clinton E-Mail fiasco is a bright and recent example of this.  All employees should be aware of the “acceptable use” of both government and personal devices in the workplace, and clear delineation should be made between the two.  The practices within the organization should both reflect the policy and system controls should be implemented to identify non-compliance with the policy.

Communicate and implement the new policy with effective practices and IT controls

Make sure everyone knows what the policy is, and has signed on to the policy.  IT controls should be put into practice that identify misuses of the organization’s resources contrary to the new policy.

Misuse of resources can lead to excessive risk for your organization

When your staff engages on social media or on personal business with your organization’s resources, it unnecessarily exposes your corporate network infrastructure to the public.  IP addresses, server names, employee names, locations and activities can be collected for analysis by anyone desiring that information.  Hackers can use this information to hone their attacks on your company’s data, customers, or trade secrets exposing your organization to excessive risk.

There is no such thing as a “secret server”!

In addition to email addresses, IP addresses, employee names, and communications being compromised, precise geographical locations can be determined.  Social media activity emanating from a particular location can be captured.  As an example, we recently set up a Twitter surveillance using a “geo-fence” technique around a particular hotel to capture tweets emanating from the hotel and its environs during a conference.    The photo above demonstrates what we captured.

Of course, we can drill down to each of these tweets and access all of the content of these tweets, including who and what device sent them, received them, mentions, hashtags, links, etc.

Social media activity bypasses your corporate firewall

It is important to understand that your staff’s activity generates activity that results in data that can be captured by others.  In the event of litigation, investigation, or in highly competitive situations, you may want to assess your firm’s exposure to this type of “leak”.

Social media activity can be forensically collected

In the event of litigation or investigation, most social media activity can be forensically collected as evidence.  In the case of a litigation hold, specific accounts can be monitored and collected with credentials.  For example, if your executives or staff members subject to litigation hold tweet, post to Facebook, or engage on LinkedIn, or InstaGram, their account and activity can be collected on an ongoing basis with their permission and credentials.  Much of this activity is not available after a certain time period, so time is of the essence in order to obtain these electronic records.  If your firm is under an obligation to retain and hold these communications, it is better to retain a forensic firm such as Bartling Forensic LLC to obtain these.  You will not be able to access these services at a later date and reliably collect social media data.

What about GMail, YouTube, InstaGram, and Tumblr?

Sometimes, case evidence is on other platforms, including GMail, YouTube, InstaGram, and Tumblr.  Custodians may use or have used personal accounts that include relevant electronic documents to your investigation or case.   If the items are available publicly, Bartling Forensic LLC can obtain these from the public sites.  However, if the activity is in private groups, or in private messages, we can obtain this information through the use of a “credentialed” account.  For example, if your staff member used a private GMail account, and transmitted relevant information via that account, we can access that information by using a temporary username and password given to us by the custodian or through legal counsel, providing that we have permission to access that information.  Bartling Forensic LLC does not access “non-public” social media information without permission of the information’s owner.

Social network and link analysis

One of the unique features of social media networks is that they maintain a relationship between the user and their network connections.  In Facebook, this would be considered “friend” or “followers”, in Twitter, “followers” and “following” provide this information.  In LinkedIn, individuals are “connections” and associated with “companies” and geographical locations.  “Likes”, “repeats”, “shares”, and “tags” all indicate relationships between accounts. Membership in groups, use of hashtags, or other content included and the relationships can be tracked and analyzed.

Data is neither good nor evil

It may seem a bit creepy that all this data is out there and can be used for analysis.  Information and data can be used for good or evil, its just data.  Public information is just that, public.  There is no expectation of privacy when people do activity in a public sphere.

The future: analyzing the data from the “Internet of Things”

The information available to us for analysis is expanding exponentially.  We use forensic data analytics of people and things to collect and analyze data for legal proceedings, but its is also available to help us be more productive and efficient in our daily activity whether for business or pleasure.  Technology that tells us when our pizza will be delivered and how many calories we consume when we eat it is just the beginning of the connected world.

0 Comment

Leave a Comment

Your email address will not be published.