E-Discovery, Forensics 101, Legal, Software

Key Twitter and Facebook Metadata Fields Forensic Investigators Need to be Aware of

Authentication of social media evidence can present significant challenges when you collect by screen shots, printouts or raw html feeds from an archive tool. This is just one reason why social media data must be properly collected, preserved, searched and produced in a manner consistent with best practices. When social media is collected with a proper chain of custody and all associated metadata is preserved, authenticity can be much easier to establish. As an example, the following are key metadata fields for individual Twitter items that provide important information to establish authenticity of the tweet, if properly collected and preserved:

Metadata Field Description
created_at UTC timestamp for tweet creation
user_id The ID of the poster of a tweet
handle User’s screen name (different from user name)
retweet_id The post ID of a retweet
retweet_user The username of the user who retweeted
Reply Indicates if this tweet is a reply
direct_message Indicates if this tweet is a direct message
Hashtags List of all hashtags in the tweet
Description Up to 160 characters describing the tweet
geo_enabled If the user has enabled geo-location (optional)
Place Geo-location from where user tweeted from
Coordinates Geo-location coordinates where tweet sent
in_reply_to_user_id unique id for the user that replied
profile_image_url location to a user’s avatar file
recipient_id unique id of direct message recipient
recipient_screen_name display name of direct message sender
screen_name display name for a user
sender_id unique id of direct message sender
Source application used to Tweet or direct message(i.e., from an iPhone or specific Twitter app)
time_zone a user’s time zone
utc_offset time between user’s time zone and UTC time
follow_request_sent Indicates request to follow the user
Truncated If the post is truncated due to excessive length

Any one or combination of these fields can be key circumstantial data to authenticate a single or group of social media items. US Federal Rule of Evidence 901(b)(4) provides that a party can authenticate electronically stored information (“ESI”) with circumstantial evidence that reflects the “contents, substance, internal patterns, or other distinctive characteristics” of the evidence. Many cases have applied Rule 901(b)(4) to metadata associated with emails and other ESI. But you will not get all this key metadata from a printout, screen capture, or even most compliance archive tools.

Facebook and Linkedin items have their own unique, but generally comparable.  Here are some key metadata fields for each Facebook entry. These fields provide important evidence, investigation context and circumstantial evidence to establish authenticity, if properly collected and preserved. Facebook changes their APIs from time to time, so we will be reporting any such changes and updates when they occur:

Metadata Field Description
Uri Unified resource identifier of the subject item
fb_item_type Identifies item as Wallitem, Newsitem, Photo, etc.
parent_itemnum Parent item number-sub item are tracked to parent
thread_id Unique identifier of a message thread
recipients All recipients of a message listed by name
recipients_id All recipients of a message listed by user id.
album_id Unique id number of a photo or video item
post_id Unique id number of a wall post
application application used to post to Facebook(i.e, from an iPhone or social media client)
user_img url where user profile image is located
user_id Unique id of the poster/author of a Facebook item
account_id unique id of a users account
user_name display name of poster/author of a Facebook item
created_time When a post or message was created
updated_time When a post or message was revised/updated
To Name of user whom a wall post is directed to
to_id Unique id of user whom a wall post is directed to
Link url of any included links
comments_num Number of comments to a post
picture_url url where picture is located

As mentioned earlier, you will not get all this key metadata from a printout, screen capture, or even most compliance archive tools. Best practices technology specifically designed to collect, preserve, search and produce social media for eDiscovery is required.

__________________________________________________________________________________

X1 Social Discovery is the first investigative solution specifically designed for the legal and investigative community to effectively addresses social media content.  This solution establishes a defensible chain of custody through several functions. MD5 hash values of individual social media items are calculated upon capture and maintained through export. Automated logging and reports are generated. Key metadata unique to social media streams are captured through deep integration with APIs provided by the leading social media sites. This functionality is provided along with a very scalable workflow and instantaneous search results. Tens of thousands of social media items can be captured per hour and then quickly searched, reviewed and exported in support of a traditional investigative and eDiscovery process. The speed, scalability and ease of use of X1 Social Discovery coupled with its best-practices preservation and chain of custody data capabilities now provides legal and eDiscovery professionals the means to finally address the universe of social media evidence on a very routine basis.

X1 Discovery, Inc. delivers next generation eDiscovery for social media, cloud and the enterprise. Built upon the market leading X1 search solution, X1 Discovery provides a ground-breaking platform for social media eDiscovery and supports investigations of cloud-based data. Learn more at http://www.x1discovery.com 

Discussion

4 thoughts on “Key Twitter and Facebook Metadata Fields Forensic Investigators Need to be Aware of

  1. If a person copies data from a Word document into the comments field of, say Facebook, is the metadata/data “captured” in anyway on Facebook servers prior to being posted?

    Posted by Alan Hall | July 11, 2012, 10:40 pm

Trackbacks/Pingbacks

  1. Pingback: Key Twitter and Facebook Metadata Fields Forensic Investigators Need to be Aware of « Yury Chemerkin - April 28, 2012

  2. Pingback: 2012년 04월 디지털포렌식 뉴스레터 | FORENSIC INSIGHT - May 2, 2012

  3. Pingback: Authenticating Internet Web Pages as Evidence: a New Approach « Forensic Focus – Articles - July 13, 2012

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 657 other followers

%d bloggers like this: