Social network forensics and evidence recovery approaches

Last reviewed: May 1, 2011

Social Network Forensics: Approach to Social Network Evidence Recovery

The introduction of social networking sites in recent years caused an explosion in interest and these sites now attract hundreds of millions of users from around the world. Likewise, blogs and wikis are increasingly popular Web 2.0 venues that can evolve into formal communities of interest, providing significant knowledge-sharing and learning opportunities. Used appropriately, these venues therefore represent a valuable resource. Unfortunately, because a majority of the users of these sites are young people, they also tend to attract online predators and others who would exploit these sites, making the use of effective forensic tools an important and timely enterprise.

Introduction

It would seem that the introduction of social networking sites tapped into a long-repressed desire to be able to communicate with other like-minded individuals in a convenient and reasonably safe fashion, a desire that has manifested in young people in particular. For instance, according to Van Tassel (2006), "The popularity of social network sites demonstrates the power of user-created content. Social networking sites are mainly populated by young people in their teens and twenties" (p. 181). There is also a higher level of content oversight provided in most social networking sites compared to other Web 2.0 venues such as blogs and wikis. In this regard, Van Tassel adds that, "User-generated content destinations require some administration. The procedures and rules for posting material must be clear, prominently displayed and strongly enforced, usually by paid moderators. Sites for the general public must often guard against pornography and offensive graphics and language" (p. 181). Notwithstanding their potential for misuse in these and other ways, it is clear that social networking sites are going to continue to increase in popularity, at least for the foreseeable future. Indeed, these venues are being used by people of all ages and walks of life to keep in contact with others and share their thoughts on all of the issues that confront humankind today. In fact, it is reasonable to suggest that a forum or club or other social networking site already exists concerning virtually any interest, and in the unlikely event there is not one, it is a simple matter to start one. When social networking sites and other Web 2.0 venues are exploited for identity theft, fraud or sexual predation, there is a need for effective forensics tools that can be used to identify the perpetrator(s) and collect the evidence needed for prosecution, a need that directly relates to the purpose of the proposed study, which is discussed further below.

Purpose of the research

The purpose of the proposed study is to conduct research concerning social media forensic tools that can be used to develop crucial evidence from social networking sites such as Twitter, LinkedIn, MySpace, Facebook, YouTube, FourSquare and other Web 2.0 venues. Besides social networking sites, such venues also include so-called blogs (a contraction of "weblogs") and wikis. The study will demonstrate how to approach the evidence-collection process in these venues by using forensic software applications such as EnCE and Internet Evidence Finder v. 4.0. These forensic tools will be evaluated and compared through an analysis of the sample testing data that results from their use in different Web 2.0 venues. Other purposes of the proposed study include developing relevant recommendations for the use of these forensic tools, as well as the professional ethical responsibilities that are involved in their use in these settings.

Literature/Past Research Review

At the most basic level, social networking sites are simply online forums in which users come together at their convenience to share information (in the form of digital text, graphics, links and so forth), empirical observations, or sometimes just to chat. A useful definition of social networking sites provided by Carter, Foulger and Ewbank states that these are "interactive websites designed to build online communities for individuals who have something in common -- an interest in a hobby, a topic, or an organization -- and a simple desire to communicate across physical boundaries with other interested people" (2008, p. 682). While social networking sites typically feature the ability to post information for others to view permanently, there are also sites that feature chat rooms and other forums where posts may be quickly deleted. Nevertheless, this information still leaves a record. In this regard, Carter and his colleagues note that, "These sites are not unlike the old-fashioned 'party line' telephones, but they leave a more permanent record of the conversations" (2008, p. 682). The type of forensics data that is generated in a social networking site is impressive. For example, Carter et al. add that, "Most social networking sites include the ability to conduct live chats, send e-mails, upload videos, maintain a blog or discussion group, and share files. Users can also post links to pictures, music, and video, all of which have the potential to create a virtual identity" (2008, p. 682).

One of the more compelling features of social networking sites is their ease of use. Registering is a simple and straightforward affair involving little more than creating an account and a user profile. Once these steps are completed, the site is open ground for exploration, posting of user-generated content and the creation of countless online relationships with others who share similar interests and views (Carter et al., 2008). Most larger social networking sites such as Facebook provide their users with various privacy setting levels that allow only certain people access to user pages. In this regard, Carter and her associates report that, "A mutual relationship between users called 'friending' links profiles together, creating the backbone of the website's social network. If the profile is set to private, then only 'friends' can view the entire page" (2008, p. 682). Other sites use similar features to restrict who is allowed access to user-generated content and for viewing an individual's profile (Carter et al., 2008). Beyond these minimal requirements, social networking sites are wide open in terms of content, limited only by the agreed-upon protocols and manners established for the venue. Not surprisingly, by July 2006, there were already more than 140 different social networking sites available on the World Wide Web with hundreds of millions of users (Anklam, 2007). Today, it is clear that social networking sites are growing in popularity and breadth of content, making the need for sophisticated forensics tools that can document evidence of online criminal activities in these venues all the more important. The approach to be used by the proposed study in identifying the most effective tool for this purpose is described below.

Research Design / Methodology

According to Guidance Software, "The computer is an infallible witness; it cannot lie. Digital evidence contains an unfiltered account of a suspect's activities, recorded in his or her direct words and actions. This type of evidence can provide the pivotal data investigators need to turn an open investigation into an open and shut case" (EnCase Forensic for Law Enforcement, 2011, p. 2). As a result, the identification of the most effective forensics software applications that can capture this type of evidence from social networking sites represents an important initiative for law enforcement agencies seeking to maximize their return on software investments (these applications are not cheap at around $10,000). Therefore, the research design for this study will consist of a comparison of the effectiveness of two mainstream forensic software applications, Guidance Software's EnCase computer forensic software and JADSoftware's Internet Evidence Finder v.4.0 using an analytical comparison methodology as described briefly below.

EnCase:

One of the most well-recognized forensics software applications currently in use is EnCase Forensic, which has, as the name implies, been specifically designed for forensics practitioners. According to the vendor's promotional literature, EnCase is "the industry-standard computer investigation solution [for] forensic practitioners who need to conduct efficient, forensically sound data collection and investigations using a repeatable and defensible process. The proven, powerful, and trusted EnCase® Forensic solution, lets examiners acquire data from a wide variety of devices, unearth potential evidence with disk level forensic analysis, and craft comprehensive reports on their findings, all while maintaining the integrity of their evidence" (EnCase study guide, 2011, p. 1). The EnCase forensics platform is illustrated in Figure 1 below.

Figure 1. EnCase Forensics Platform

Source: EnCase Forensic for Law Enforcement (2011)

http://www.guidancesoftware.com/WorkArea/linkit.aspx?LinkIdentifier=ID&ItemID=674

Internet Evidence Finder v4 -- Standard Edition

This software application can search hard drives or files for artifacts generated in an online venue; its data recovery tool, like the EnCase tool, has also been specifically designed for digital forensics examiners; however, its design is also straightforward and intuitive to use, making training requirements minimal (Internet Evidence Finder v4 -- Standard Edition, 2011). According to the vendor's promotional literature, "IEF v4 searches the selected drive, folder (and sub-folders, optionally), or file (memory dumps, pagefile.sys, hiberfil.sys, etc.) for Internet artifacts. A case folder is created containing the recovered artifacts and the results are viewed through the IEF v4 Report Viewer where reports can be created and data exported to various formats" (Internet Evidence Finder v4 -- Standard Edition, 2011, para. 3). A sample screenshot from JADSoftware's Internet Evidence Finder application is shown in Figure 2 below.

Figure 2. Sample screenshot of Internet Evidence Finder Interface

Source: JAD Software at http://www.jadsoftware.com/go/wp-content/themes/jadsoftv2/images/iefv4-1.png

Moreover, IEF v4 also has some useful features for social networking site applications, including:

1. Facebook live chat search has been updated to locate additional chat (including damaged fragments); the vendor adds that this covers messages sent and received using the Facebook live chat feature. Information found with the message can include the Facebook profile ID used to send/receive the message, the from/to names and IDs, and the date/time (in UTC) that the message was sent; however, there are a few different formats of Facebook chat and not all formats include all this data.

2. Facebook Unicode text is now converted.

3. Facebook page fragments: Facebook-related web pages, including but not limited to the Inbox page, emails, photo galleries, groups, and so on. Most recovered items will be fragments and not the complete page, but attempts are made to recover the entire page and filter out false positives. A header is added to the fragment to aid in viewing the page in its original format.
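
The kind of recovery that items 1 and 2 describe can be illustrated with an added example, which is not IEF's code or method: it carves chat records out of a raw byte dump, keeps truncated fragments, converts \uXXXX escapes to text, and reports the send time in UTC. The record layout, the field names and SAMPLE_DUMP are constructed for this example and are not Facebook's actual chat format.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample "dump": noise bytes around two chat records in a
# hypothetical JSON-like layout; the second record is cut off mid-message.
SAMPLE_DUMP = (
    b"\x00\x13\xffpagefile-noise"
    b'{"msg":{"text":"caf\\u00e9 at 5?","time":1304251200000},'
    b'"from":1001,"to":1002,"from_name":"Alice A","to_name":"Bob B"}'
    b"\x00\x00\x7f\x90"
    b'{"msg":{"text":"see you th'
    b"\xfe\xfe\x00more-noise"
)

ANCHOR = re.compile(rb'\{"msg":\{"text":"')
# String value: printable ASCII or backslash escapes; the closing quote is
# optional so that a value cut off by overwritten data is still recovered.
STR = rb'":"((?:[^"\\\x00-\x1f\x7f-\xff]|\\[ -~])*)("?)'
NUM = rb'":(\d+)()'
FIELDS = {"text": STR, "time": rb'":(\d{13})()', "from": NUM, "to": NUM,
          "from_name": STR, "to_name": STR}

def carve_chat(dump: bytes, window: int = 512) -> list:
    """Return one dict per anchor hit: offset, recovered fields, damaged flag."""
    hits = [m.start() for m in ANCHOR.finditer(dump)]
    records = []
    for i, off in enumerate(hits):
        # Stop at the next anchor so fields of a later record are not borrowed.
        nxt = hits[i + 1] if i + 1 < len(hits) else len(dump)
        chunk, rec, cut = dump[off:min(off + window, nxt)], {"offset": off}, False
        for name, pat in FIELDS.items():
            m = re.search(b'"' + name.encode() + pat, chunk)
            if not m:
                continue
            raw = m.group(1).decode("ascii")
            if name == "time":  # epoch milliseconds -> ISO 8601 in UTC
                ts = datetime.fromtimestamp(int(raw) / 1000, timezone.utc)
                rec[name] = ts.isoformat()
            elif pat is NUM:
                rec[name] = int(raw)
            else:
                cut = cut or not m.group(2)  # no closing quote: truncated
                try:  # json.loads turns \uXXXX escapes into characters
                    rec[name] = json.loads('"' + raw + '"')
                except ValueError:
                    rec[name] = raw  # broken escape: keep the raw text
        rec["damaged"] = cut or any(k not in rec for k in FIELDS)
        records.append(rec)
    return records
```

Each record carries the byte offset of its hit, so an examiner can return to the same position in the source image and verify the artifact independently.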

Cite This Paper
PaperDue. (2011). Social network forensics and evidence recovery approaches. PaperDue. https://www.paperdue.com/essay/social-network-forensics-approach-to-13216