SANS Digital Forensics and Incident Response Blog

Digital Forensics and Social Media

Privacy | Transparency

Social networks like Facebook, Twitter, Foursquare and Google Buzz can be a treasure trove for forensics investigations. The expanding ocean of data in those networks is irresistible to investigators.

Marketers are already exploiting social data to analyze associations among consumers. A startup named 33Across looks at relationships among social media users to ascertain who, for example, would be a good prospect for viewing an ad on costume jewelry. If Jane is a good prospect, then some of her friends — or maybe just people who circulate in the same social group — might be too. 33Across uses tools like tracking cookies to follow relationships.

Just as this style of data gathering and analysis can help marketing, it can help law enforcement or dispute resolution. Police have already learned that drug dealers socialize online with other drug ring members, and street gangsters network with their cohorts.

A simple investigation might view just the publicly-available text and images posted on a suspect's social page. Deeper investigations may require the investigator to acquire special authority. In an internal corporate investigation, that authority might come in the form of consent from a company employee who has the right to access a page. Or, in a civil lawsuit or certain government investigations, the authority might come in the form of a subpoena. In a criminal investigation, it might be a search warrant.

A sophisticated investigation will examine more than just the data appearing on the face of social web page. It might, say, go for the cache of data collected at 33Across to ascertain who might be involved with a Medicare fraud scheme.

As an investigation team seeks authority such as a subpoena or search warrant, it will be prudent to address privacy concerns. Here are example steps to reduce privacy risks:

1. Deliberate in writing about the privacy risks, how they can be minimized and why they are justified taking in the case at hand.

2. Consult a third party expert (or panel of experts) on how to proceed with the investigation in a way that respects privacy.

3. Mask personally-identifying information from individual researchers.

4. Secure data against use or disclosure beyond the investigation.

5. Be transparent to the extent consistent with the mission of the investigation. Modern society rewards openness and transparency. Investigation teams do themselves a favor when they publicize their techniques and open them to scrutiny.

6. Document all efforts to protect privacy.

—Benjamin Wright, Esq.

Mr. Wright teaches security and investigations law at the SANS Institute.


Posted February 28, 2011 at 7:28 PM | Permalink | Reply


I suggest readers to look into Facebook's relationship with DARPA it can be quite interesting as it correlates with your post. It's kind of crazy. Or perhaps the documentary "We Live in Public"