X
December 2018 Tech Tip - Social Media & Internet Evidence: Authentication and Foundation

by Joseph Jones

With billions of social media users and an estimated 82% of U.S. citizens actively engaging in social media use, chances are good that the parties involved in your case are on social media. Whether it’s the primary parties, the witnesses, or their friends and family, someone is likely sharing information that is of interest to your case. In this article, we are going to explore not how to find the content (which can be a very interesting conversation in itself), but rather the need for both authentication and forensic preservation of online content.

Numerous cases have come out across the United States where “print screens” or other printouts from a social media profile have been excluded as evidence. One such case was United States v. Vayner, 769 F.3d 125 (2d Cir. 2014), wherein the trial court allowed a printout from a VK (the Russian equivalent of Facebook) account into evidence; which decision was later overturned by the appeals court. The ruling indicated that even though the account in question had the subject’s name and picture, the presenting party could not verify that the subject was the owner of the account or if the subject had made the posts in question. For those unfamiliar with the way social media works, creating an account only takes minutes and the social media platforms make very minimal efforts to verify information given; so someone can easily create an account, use photos that aren’t theirs, and paint an inaccurate picture that they want others to see. While this article will not address the recent scandals involving Facebook and the presidential election, it is a good reminder that these types of conversations about authenticity are important. This is important for two reasons: First, just like with any other rule of evidence, proper procedure must be followed to preserve and authenticate; if not, you have chaos. Second, fake profiles, misinformation, and bad actors are prevalent on the internet.

To authenticate a social media account, I recommend first finding the account using a method which strongly ties it to the subject. The most preferable methods include linking it to a known phone number, email address, or user handle. From there, you’re going to need to look for at least three to five points of additional information, which the courts have termed “specific indicia” contained within the account, that help establish that the person portrayed is in fact the person in control of the account. These are pieces of information posted by the subject or to their account that only they would know. References to high school reunions, events attended, church groups, etc. are all great examples. In addition, look for things such as well wishes on their known birthday, being tagged in photos, and having real interactions with people online. Likewise, you’ll want to ensure that the subject’s friends or connections line up with their known relatives and associates, and that they aren’t all from Russia or India (unless that fits with your subject’s social circle).

Once the account has been authenticated and content is found that is of interest to the case, it needs to be forensically preserved. It’s important to understand that social media content is very fluid, meaning what’s there today may not be there tomorrow, or if it is, it may be significantly changed. If you find something of interest, preserve it immediately. The idea of forensic preservation involves two steps: First, preserving the content as it appeared on the date found (i.e., the image or post), and second, preserving the metadata associated with that content. Metadata are the computer codes that sit behind and make up the content. It includes the who/what/where of the post and is an essential element of authenticating. One of the most important pieces of metadata that needs to be captured from a social media account is the User ID. The User ID is unique to each account and cannot be changed. So, although a person may change the display name from Joe Jones to Frank Smith, the user ID can be tracked to verify it’s all coming from the same person.

Along with preserving the metadata, the content also needs to be “hashed,” which essentially means creating a digital fingerprint for that content to ensure its validity. This is both a court requirement and a best practice; it can be used to verify that the evidence has not been tampered with. A new federal rule recently went into effect that says presenting the post along with the hash value makes it self-authenticating, removing the necessity for expert testimony for the purposes of authentication. Fed. R. Evid. 902(14).

There are multiple ways to forensically preserve content, but all involve using specialized software. X1 Social Discovery and Hunchly are some of the industry leaders, but before investing, be aware that they are not user-friendly for the occasional user. Other services are available that, for a fee, will capture online content for you, but can create issues if in-person authentication becomes necessary for laying foundation or other reasons not covered under Federal Rule of Evidence 902(14). Any competent social media or cyber investigator will have a solution to handle the metadata extraction as part of their standard investigation or will refer you to someone who does. No cases are one-size-fits-all, and the unique needs of your case will dictate the best solution to employ.

To be clear, this topic is a new and developing area of the law. There are certainly still many attorneys getting away with “print screens” and various other methods to authenticate content that do not involve going through the whole process discussed herein, and their cases end up just fine. That being said, as case law evolves and legal professionals become more educated, outdated practices will continue to go the way of Radio Shack and Blockbuster. By taking the steps described above, you have the opportunity to be ahead of the curve. Please take care not to have social media evidence tossed out at trial because the opposing counsel was two steps ahead.

Joseph Jones is a licensed Private Investigator and the Vice President of Bosco Legal Services, Inc. Joseph is a Certified Social Media Intelligence Expert, a Certified Expert in Cyber Investigations, and holds multiple certifications in Open Source and Cyber Intelligence. He can be reached at joe@boscolegal.org.