Tuesday, 7 January 2014

Facebook Evidence

Facebook Evidence concerns records and materials from the Facebook social networking service that allows users to interact with other Internet users, sharing media and messages.

A user is able to contact other individuals by adding them to their ‘friends list’, which enables them to write on friends’ walls (i.e. a space for public commentary) and leave tags on photographs. Users are also able to communicate by sending instant messages, which can sometimes be stored on the user’s machine, and messages similar to emails. Such Facebook evidence can be crucial in terms of showing relations or patterns of contact between parties.

The owner of the account is able to adjust privacy settings so as to restrict what information is publicly accessible and what details may be viewed only by friends. Much like conventional email correspondence, sent and received messages cannot be edited and are stored on the Facebook™ servers in their original format until deleted by the user of an account. This material is the basis for Facebook evidence.

Facebook Evidence and Data Retention
Correspondence made via Facebook™, including media files uploaded to the website or shared, is stored permanently on the respective account.

It is necessary for the user to manually select items of correspondence or specific files for deletion in order to have them removed from the account. Alternatively, a user may close their entire account in order to have all correspondence or media files erased. Deleted data files or accounts, which can still form part of Facebook evidence, are no longer available to members of the public, online friends or the original account owner; however, all of this content remains archived by Facebook™ for a period of ninety (90) days.

Facebook™ recommends that investigators contact their organization as soon as a requirement for account information is known.  This way current accounts, erased content, and related Facebook evidence can be preserved for a further ninety (90) days, to allow adequate time for service of legal applications.

Lawful Disclosure of Facebook Evidence Records
The Facebook™ unit responsible for managing requests for account information and related Facebook evidence is titled the ‘Security Department and Custodian of Records’.


The following three types of requests can be made:

  • Preservation Requests - following notification of a specific User ID, Username or e-mail address, existing account records and erased archive material will be preserved for ninety (90) days.
  • Formal Legal Requests - records will be provided pursuant to formal compulsory legal process issued under US law.
  • Emergency Requests - where there is a credible risk of bodily harm or death, immediate assistance will be provided to investigating authorities, even in the absence of legal process/orders.

It should be noted that whilst the above references state that formal legal requests for Facebook evidence are “issued under US law”, in the experience of the author the Facebook™ organization will readily assist any request for information from any lawful authority or country, as long as it is supported by their respective legal process.

Whilst internal procedures vary between Police forces, this position may be verified by contacting the relevant Hi-Tech Crime Unit (HTCU) and/or Single Point of Contact (SPoC) for clarification on their approach to securing disclosure of Facebook evidence, account information and related records. Subject to receiving a lawful request for information, Facebook™ can provide the following records:

•    Basic Subscriber Information
Previously referred to as ‘neoselect’, these records will include the User Identification Number, account email address, time/date of account creation, associated telephone number(s), and time/date of logins for the past 72 hours.

•    Expanded Subscriber Content
Previously referred to as ‘neoprint’, these records will include all profile contact information, status updates, files/photographs that have been shared, messages posted on other individual’s walls, listings of friends and group memberships, and event reminders.

•    User Photographs
Previously referred to as ‘photoprint’, this will include all photographic media uploaded by the account holder as well as photographs from third parties which have been tagged as featuring the account holder.

•    Messaging Correspondence
Incoming (received), outgoing (sent), and draft email equivalent communications.

•    Internet Logs
Commonly referred to as ‘IP’ logs, this content will assist in demonstrating the time/date that a user account was accessed as well as provide enough information to trace the physical address of the computing device used to make the account access.

The above Facebook evidence records will generally be served via email in the form of Adobe Portable Document Format (PDF), so that the content cannot be easily modified.

For further guidance, independent advice, or to request a free licence for the specialist eDiscovery toolkit Facebook Forensic Software, contact Afentis Forensics.

Sunday, 13 October 2013

Social Media and Madeleine McCann

The disappearance of Madeleine McCann remains unresolved. The 3-year-old went missing from a holiday apartment in Praia da Luz in 2007. Since 2011 thirty Metropolitan Police Officers, headed by Detective Chief Inspector Andy Heywood, have been trawling through thousands of witness statements and documents at the cost of £5 million, hoping to unearth a vital clue that will resolve the case.

Last week we learned that phone records could hold the key, but let’s consider the role of social media. First, some clarity… Social media refers to the means of interactions among people in which they create, share, and exchange information and ideas in virtual communities and networks. Since 2007 the role of social media in both personal and professional circles has grown from strength to strength. Let’s take a look at three popular services –

Facebook™ is a networking service launched in February 2004 and provides a social media platform for over one billion active users. It is used for both personal and professional networking, with an increasing number of organisations using it as an important part of their outreach strategy to interact with customers. Half a petabyte of new content – from messaging to media – is uploaded every single day - equivalent to about 110,000 DVDs worth of data, so one can imagine the difficulties faced in harvesting and processing such information.

Tumblr™ is a micro-blogging platform and social networking website owned by Yahoo! The service allows users to upload text posts, images, video, quotes, or links to form a short-form blog (web log). Tumblr™ hosts over 110 million blogs and 80 million new posts are created every day.

Twitter™ is another microblogging service but primarily geared towards short text based "tweets" which are limited to 140 characters. The service is used to provide swift/concise updates, and has been popularised through the adoption by celebrities. Tweets can now include links to images or multi-media content. Nearly 400 million new tweets are posted online every single day.

How can this help with the investigation into the disappearance of Madeleine McCann?

Firstly the authorities could consider a complex data mining operation to look at historical social media records and potentially identify either clues or witnesses.

So where to begin?

Text based searches would be the obvious approach, to seek out content based on keywords. The degree of coverage of this incident in the international media would suggest that the keyword parameters would have to be carefully constructed so as to limit results to that which may be potentially relevant (e.g. instances where ‘mccann’, ‘evidence’, and ‘police’ occurred in the same message or sequence of messages). The potential for a huge number of false positives is of course the concern, but these could be limited by applying date range filters or mining only across accounts registered to users in Portugal (at the risk of missing tourists).

Most social media posts – from the humble tweet to a photograph uploaded to Facebook – can include location information. This is commonly known as a geotag and may be applied to the content by the camera device or the social media service. Such tags take the form of latitude/longitude co-ordinates – in the case of Praia da Luz, this would be 37.0972° N, 8.7434° W. Combing through current or old social media records for such tags would help identify people who have been in the relevant area. Combine this with a filter for the date range of late April / early May 2007, and the results would suggest people in the right area at the right time to potentially assist with the investigation. It may be that these are parties who need to be excluded from the current investigation or perhaps they witnessed something they considered innocuous but could be vital in the wider context of the investigation.
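The keyword, geotag and date-range filters described above can be sketched as follows. This is an added example, not code from the toolkits mentioned in this post: the record fields (`id`, `created`, `geo`, `text`), the 5 km radius and the exact date bounds are assumptions, and the sample records are constructed.

```python
from datetime import datetime, timezone
from math import radians, sin, cos, asin, sqrt

# Co-ordinates quoted in the post; west longitude is negative in decimal degrees.
CENTRE = (37.0972, -8.7434)
# Assumed bounds for "late April / early May 2007" (UTC); the post gives no exact dates.
START = datetime(2007, 4, 25, tzinfo=timezone.utc)
END = datetime(2007, 5, 10, tzinfo=timezone.utc)
KEYWORDS = {"mccann", "evidence", "police"}  # the post's example search terms

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def near_scene(rec, radius_km=5.0):
    """True only for records that carry a geotag inside the (assumed) radius."""
    geo = rec.get("geo")
    return geo is not None and haversine_km(CENTRE, geo) <= radius_km

def in_window(rec):
    """True when the record's timestamp falls inside the date range."""
    return START <= datetime.fromisoformat(rec["created"]) < END

def all_keywords(rec):
    """True when every search term occurs in the same message."""
    words = {w.strip(".,!?'\"").lower() for w in rec["text"].split()}
    return KEYWORDS <= words

def triage(records):
    """Return (ids matching place and time, ids matching all keywords)."""
    place_time = [r["id"] for r in records if near_scene(r) and in_window(r)]
    keyword = [r["id"] for r in records if all_keywords(r)]
    return place_time, keyword

# Constructed sample records (not real posts).
SAMPLE = [
    {"id": 1, "created": "2007-05-03T20:15:00+00:00", "geo": (37.0880, -8.7310), "text": "Dinner by the beach"},
    {"id": 2, "created": "2007-05-03T21:00:00+00:00", "geo": (37.0972, 8.7434), "text": "Tagged with east longitude by mistake"},
    {"id": 3, "created": "2008-08-01T10:00:00+00:00", "geo": (37.0972, -8.7434), "text": "Back in Luz"},
    {"id": 4, "created": "2007-05-05T09:00:00+00:00", "geo": None, "text": "Police seek evidence in McCann case."},
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Record 2 shows why the hemisphere sign matters when converting "8.7434° W" to decimal degrees, and record 4 shows that untagged posts can only be reached by the keyword route.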

Note: Law enforcement labs and members of prosecuting authorities are welcome to request free licences to the following toolkits: www.facebookforensics.com, www.tumblrinvestigator.com and www.twitterinvestigator.com

Thursday, 10 October 2013

Madeleine McCann - forensics, big data, crimewatch

Madeleine McCann, aged 3, disappeared from a holiday villa in the Portuguese resort of Praia da Luz on the evening of 3rd May 2007. Despite one of the largest publicity campaigns and worldwide searches in history, she remains missing. Her parents, Gerry and Kate, have led a campaign to find their daughter, refusing to give up hope.

In 2011, Prime Minister David Cameron ordered a fresh review of the original Portuguese police investigation and drafted in thirty Scotland Yard detectives to help sift through the vast volumes of information and witness statements. So far, just over half of the forty thousand pieces of information collected by the Portuguese authorities have been assessed, but progress is reported to be positive.

Now there have been similar stories in the press over the years, but what makes this one so interesting is its renewed focus on digital forensics. Investigators believe telecommunication records could hold the key to solving the case and are focussing their search on thousands of mobile phones, thought to belong to people who were in Praia da Luz in the days leading up to, during, and after Madeleine's disappearance.

Detective Chief Inspector Andy Redwood, who's leading the inquiry, says officers are trawling through a 'substantial amount of data' and have so far identified 41 persons of interest. With around three thousand people living in the Algarve holiday resort, and thousands more visiting during the holiday season, this task is neither straightforward nor complete. This exemplifies ‘big data’ and the complexities of effectively data mining to find those crucial (digital) needles in the haystack.

In fact, DCI Redwood admits his team have been unable to attribute (link to a named individual) a 'large number' of mobile numbers, largely due to the fact that six years have now passed and a considerable number were bought on a 'pay-as-you-go' basis. This reflects an increasingly common practice for individuals travelling overseas to buy a cheap PAYG SIM from a local vending machine or shop, so as to avoid roaming charges and benefit from local call/data rates.

Call Data Records, sometimes referred to as ‘billing records’, will show the timing, volume and patterns of communications activity: the numbers dialled, the duration of voice calls, numbers that have been sent text messages, and instances of access to voicemail. The content of the spoken conversations or the typed details of a specific text message will not be available, but the broader picture of activity can still be important.

Then there's the issue of tracking down the thousands of holidaymakers that were in the Algarve resort where Madeleine McCann was staying when she vanished. Scotland Yard have already made contact with thirty-one police forces across the world to help them piece together the records and make contact with the owners of foreign mobiles.

A powerful investigative technique is being applied to mobiles of interest – Cell Site Analysis. The intention is to identify mobile devices that engaged telephone masts in and around the Algarve holiday resort on the days surrounding the incident. The users of these devices can then be tracked down and interviewed – one of the owners may prove to have seen/heard something that could take the investigation in a whole new direction.

Crimewatch will be airing a special on the Madeleine McCann investigation this evening – with exclusive interviews, fresh evidence, and a scene reconstruction.

We would welcome the thoughts of other practitioners and experts in this field on the forensic evidence in this case and other avenues of investigation that could be explored.

** Note: Afentis Forensics have had an involvement in this investigation and whilst open debate and discussion is encouraged, please keep in mind the sensitivity and emotive nature of the matter when commenting.