SANS Digital Forensics and Incident Response Blog

Undercover Agents Record Social Media Evidence

How should investigators record fast-changing online evidence, such as social media?

Case in point: The Mercer County (New Jersey) Prosecutor's office followed hundreds of street gang affiliates on Myspace. How did it do that economically? Instead of using seasoned, highly-trained police investigators, it commissioned a team of mere interns. The interns, acting as undercover agents, "friended" target gang affiliates. One fake profile maintained by the interns attracted 180 "friends."

Collecting evidence from that much online activity can be daunting. Several tools exist, and I've previously published demonstrations using webcams and downloaded software.

Free, Easy-to-Use Tools

Here's another demonstration, which emphasizes low cost, easy-to-use tools. The tools are

  • screencast-o-matic, a free, Java-based, open-source tool for recording what you see on your screen, and
  • Microsoft's free Skydrive file storage service.

Picture this hypothetical setting. The county sheriff's office needs an efficient way to capture what is happening on a dynamic blog. Information on the blog at this minute could be changed or deleted a minute later. The sheriff's office has no special equipment, but it does have two investigators who need to remain anonymous. They will be identified by numbers. Their voices will be recorded by microphone, but not their faces by webcam.

See video: http://www.youtube.com/watch?v=_6xEkVjYnqw

Two Witnesses Are Better Than One

The resulting screencast video is a unified package of evidence that captures the interaction of the web better than a mere sceenshot does.

The two investigators corroborate the video and corroborate each other. Each investigator signs the video with the unique sounds of his voice. Each speaks the date and time with his unique, identifying voice.

The involvement of two investigator witnesses makes the Sheriff's Office less dependent on any single person to testify as to the authenticity of the video later, such as in court. Witnesses like interns can come and go.

Depending on the use of the video, an authority (such as a judge in a parole hearing) might rely on the video, signed by two witnesses, without requiring direct testimony from either of the witnesses on the video's authenticity.

Cloud Time Stamp

To further corroborate the date, the video is loaded onto Microsoft's Skydrive. Skydrive (a third party cloud service) shows the time that the video was last modified.

See Skydrive screenshot.

Thus, if the video, dated by the witness voices as October 10, were uploaded on October 10 but then replaced October 25, there would be a mismatch of dates, suggesting that the video in Skydrive is not the one originally created by the investigators.

To further corroborate the date, the investigators could give the video to colleagues, who could store the video in their own time-stamped, cloud-based file-storage accounts.

Auditors and Whistleblowers

The techniques demonstrated here could be applied outside law enforcement. They might be used by auditors, journalists, whistleblowers, public watchdogs, school administrators or private investigators.

Is this video absolutely unassailable as legal evidence? No. The two investigators could have colluded to make all of this up. But collusion is not easy.

It is rare for legal evidence to be perfect. This video is reasonably good.

What do you think?

—Benjamin Wright

Mr. Wright teaches the law of data security and investigations at the SANS Institute.

[This post is general public discussion and not legal advice for any particular situation. If you need legal advice, you should consult your lawyer.]

6 Comments

Posted October 24, 2011 at 11:38 AM | Permalink | Reply

sandor

like the idea,
in a different form not using screen o matic software is already being used by some people in law enforcement in the Netherlands to film each action they do on the internet.
but if you do not have the tools this looks like a good way to work.

Posted October 24, 2011 at 9:16 PM | Permalink | Reply

Benjamin Wright

@sandor Do you know which software the Dutch police are using? ''"Ben

Posted October 24, 2011 at 9:22 PM | Permalink | Reply

denis

why not use HashBot (www.hashbot.com) ?
It allows you to acquire online resource (page source, images, etc ''), giving to investigator time-stamp, server response, hash of the resource acquired, ip of investigator host, etc''.

Posted October 26, 2011 at 7:39 PM | Permalink | Reply

Benjamin Wright

@denis There is nothing wrong with using HashBot in addition to the video I demonstrate here. Courts prefer that a human take responsibility for evidence and vouch for it. That's why, in the video, the two investigator's sign the video with their voices.
If the investigators use HashBot in addition to the video, they could sign the HashBot data. http://legal-beagle.typepad.com/wrights_legal_beagle/2010/10/video-authentication.html ''"Ben

Posted October 29, 2011 at 1:53 PM | Permalink | Reply

Gianni Amato

Ok Benjamin, but the video can be manipulated and created ad hoc. Hashbot serves only to maintain the status over time (signatures) of the document, while the user keeps the data

Posted November 3, 2011 at 4:27 PM | Permalink | Reply

Benjamin Wright

@Gianni Amato Yes, witnesses can create false evidence and lie about the source of the evidence. Witnesses can make false videos, and they can make up false data that purports to come from Hashbot. But that does not mean that all evidence authenticated by human witnesses is worthless.
I don't believe the video and the HashBot-gathered evidence are mutually exclusive. They can complement each other.
One of the virtues of the video is that it shows interaction; it visually shows layman like judges how the web page worked.
I do believe courts prefer evidence that a witness will take responsibility for. In the video, the two witnesses directly take responsibility for the video. They legally sign the video with their voices. If they are lying, the witnesses can be punished for perjury.
Who will take similar responsibility for HashBot-collected evidence?
''"Ben