CYFOR Blog

Digital forensics and social media investigations are now intrinsically linked

It emerged this week that Facebook had prior knowledge of the communication between Michael Adebowale, one of the killers of Fusilier Lee Rigby, and an associate in which he expressed his desire to kill a soldier. The social media platform Facebook is accused of failing to tell the security services of this vital piece of information which, it is suggested, would have alerted authorities to the threat.

A report by the Commons Intelligence and Security Committee, which did not name Facebook, revealed that the online exchange took place prior to the killing but only came to light after the May 2013 attack. The report did, however, identify that the information was hosted by “an internet company based in the United States.”

Facebook has since released a statement saying: “Like everyone else, we were horrified by the vicious murder of Fusilier Lee Rigby.

“We don’t comment on individual cases but Facebook’s policies are clear, we do not allow terrorist content on the site and take steps to prevent people from using our service for these purposes.”

The Challenge for Social Media Investigations

Aside from what Prime Minister David Cameron described as the social network’s “social responsibility to act”, the incident raises a number of questions concerning the increasingly important role that these social media channels play in cyber forensic investigations.

“Facebook and a host of other online platforms such as Twitter, YouTube and WhatsApp Messenger are becoming primary means of communication and an everyday feature of our lives. Their variety and functionality are changing relentlessly,” explains Keith Cottenden, Director and Head of Investigations at CYFOR Digital Forensics.

“The prevalence of social media in our lives means the sources of evidence available to investigators are rapidly expanding. But with that expanding evidentiary environment come unique pitfalls and challenges different from what investigators have dealt with in traditional digital forensics, not least knowing how to access this information in a forensically sound manner that can create a strong case.”

The digital investigator needs a different way of thinking with social media investigations. Under normal circumstances, Facebook, for example, allows an investigator the same level of access as any other user, i.e. a relatively unwelcome, uninvited guest trying to gather information on an account holder.

Mr Cottenden says: “You can look at pictures, posts, likes etc. but you cannot control the hardware where the physical evidence exists, as with a traditional digital forensics investigation. To further complicate matters, content posted on social media – and its associated meta-data – is constantly changing, being edited or deleted at any given time; then there is the fact that identities in social media tend towards anonymity, add this to the sheer volume of data and you have an incredibly dynamic and complex set of variables to contend with.”

There are an estimated 5 billion likes generated on Facebook and another 5 billion pieces of content shared daily.

Interactions on social media platforms, as recently seen in the case of Adebowale’s online comments, can also become the subject of criminal cyber investigations. However, with millions of posts every day, the challenge of the sheer scale and ubiquity of social media means that without the right technology and know-how, it can be a difficult task to monitor the Internet in search of comments or information from an individual or on a given subject.

Mr Cottenden adds: “Social media investigations are essentially of two types – tracking and analysing the temporal flow of data on the site or technology, or the static visualisation of one or more computer device for relevant information after the fact – a fact which needs to be recognised. It is not just about a potential conviction after an offence has been committed – it is also about preventing and neutralising any threats. It has emerged that UK security services tried to intensify their surveillance of Adebowale which could lead us to conclude that a lack of cooperation between social media companies and the UK security agencies may have resulted in a failure to neutralise that risk in this case.”

When considering social network data as an evidence source in digital forensics investigations, specialist skills and analytical tools are required to ensure this potentially highly relevant evidence is maximised and authenticated for admissibility.