Social Media Investigations & Forensics : OSINT

BA: As investigators our day to day work involves interrogating data to uncover facts critical to a case. In our work on legal matters and internal investigations we are seeing a definite rise in the number of times that social media accounts, and the devices that people use to access them, are brought into play. Why? The use of social media is flourishing, but also because there seems to be a growing crossover between business and personal data – for example, with workplace ‘bring your own device’ (BYOD) policies where people are using their own devices and using apps for both work and personal purposes.

As social media becomes more influential, businesses seem to be increasingly expecting employees to engage in these communications channels to promote their business. Not only does this blur the line between work and personal, it can create complications when social media feeds turn out to be useful evidence to help build a picture of what has happened in a matter which turns into an investigation.

Anny: There are also so many different social channels that people use to directly communicate with each other including private messaging tools such as Facebook Messenger, SnapChat, LinkedIn, and Instagram. This means that there are more communications channels to analyze but also more data sources to build up a fuller picture of what happened. It is relatively simple technically to capture, preserve and analyze these forms of communication for use in an investigation.

Many people think that chat apps such as WhatsApp are more secure and that these forms of communication cannot be accessed in an investigation because they are encrypted – this is not necessarily true; they can often be decrypted, and messages can often be recovered even if the user attempts to delete the chats.

BA: There’s also no doubt that social media can be hugely informative in a case. For example, data from social media apps such as Facebook has been used in cases to help prove that a person was in a particular location at a particular time. In cases involving collusion or corruption, we’ve been able to draw on publicly-available information from social media platforms to define or open up lines of inquiry. There is now wider recognition of the rich pickings available from social media when looking for evidence.

Anny: While it’s easy to tie activity down to a specific account, it can be difficult to narrow social media activity down to the most likely device used because there are so many different ways people can access their accounts – from using applications on our phones and iPads whilst on the move, to checking Instagram on a corporate computer during lunch. However, there are many digital forensic methods that can pull together information regarding location, time zones, and many other artefacts to work out the most likely device or rule out a device.

Anny: There are two questions here: firstly, has there been any unauthorized access to the account on another device (hacked)? This requires looking at all the devices and geographic locations that have had access to the device to see if any of these seem malicious in any way. For example, if we have a user from the US and we see access from Russia, it could indicate it’s malicious. By analyzing forensic evidence relating to the way the account was accessed, we can get insight into whether the account may have been hacked.

BA: Have their credentials been stolen and available to attackers on “data dump” site? Have they used passwords that might be guessed by people who know them or follow their social media feeds? There are numerous instances where people in high-profile positions are victims and personal information was leaked when personal details were exploited by attackers to “phish” them (for example, the 2014 scheme that targeted Jennifer Lawrence and other celebrities).

Anny: Secondly, who else could have accessed the account on an authorized device? The obvious answer would be the owner, but what about trusted friends who know their password? Did the owner leave their phone unlocked and unaccompanied? Did they log into someone else’s computer with their credentials and perhaps accidentally save their password on that computer?

If access has been made from an authorized device, proving who handled the device becomes more reliant on physical evidence such as fingerprints and CCTV which is obviously harder to find.

Courtesy: https://www.aon.com/cyber-solutions/thinking/social-media-forensic-new-trends-in-investigations/

Social media allows one to collect intelligence gathering from social media sites like Facebook, Twitter, Instagram etc. This type of intelligence gathering is one element of OSINT (Open- Source Intelligence). Open-source intelligence (OSINT) is data collected from publicly available sources to be used in an intelligence context using open-source software / tools or public intelligence tools.

OSINT is primarily used in national security, law enforcement, and business intelligence functions and is of value to analysts who use non-sensitive intelligence in answering classified, unclassified, or proprietary intelligence requirements across the various intelligence disciplines.

Social media intelligence (SMI or SOCMINT) refers to the collective tools and solutions that allow organizations to analyze conversations, respond to social signals and synthesize social data points into meaningful trends and analysis, based on the user's needs. Social media intelligence allows one to utilize intelligence gathering from social media sites, using both intrusive or non-intrusive means, from open and closed social networks.This type of intelligence gathering is one element of OSINT (Open- Source Intelligence).

This is practical course with up-to-date social network / media intelligence and investigations training that will provide you with the solid foundation on real-world knowledge and expertise you need to effectively conduct online investigations using free and open source tools.

Target Audience

This course is intended for anyone who wishes to be able to utilize advanced open source software and tools for finding intelligence on various social media platforms on the Internet. It will be of particular interest to those in the private and public sector investigations, private investigators, banks, compliance industry, financial institutions, corporate lawyers, insurance companies, investigative journalists, academia and those involved in intelligence collection fields.

Learning Objectives:

• Conduct basic and advanced social media investigations and intelligence gathering
• Understand Open Source Intelligence tools and How to utilize it
• Conduct Online Social Media Investigations and Intelligence Gathering
• How to Conduct Investigation on various Social Networks
• Social Networking Searching and Monitoring
• Advance Search Techniques for Social Media
• Understand and Investigate Criminal Groups on Social Media
• Understand the fundamentals of Social Network Intelligence
• Practice Open Source Tools taught via Case Studies
• Read Legal aspect of Open Source Intelligence
• and More...

Disclaimer:

Learner hereby undertake to use, practice and explore the tools, techniques, methods, illustrations, cases etc used/demonstrated in this course at their own risk. They declare and confirm that the tutor/trainer of this course is free from any obligation, risk, liabilities, penalties, legal actions and damages suffered or incurred directly or indirectly. You are solely responsible for your action and use of information provided in this course. 

Note: Some links may change over time (though adequate care is taken to update it regularly, but at times few open source tools might not work). Please notify the instructor in case you come across a link that is not working. Thank you!

Social Media Investigations & Forensics tutorial has five projects to be completed basis the instuction attached and must include below points: 

1. Provide general information on the subject of investigation
2. Specify the type of case and record the complaint summary
3. Document evidence and investigative evidence
4. Identify the disposition of the investigation and reach a conclusion
5. Create Summary Report of your finding