Social media adoption has increased exponentially over the past few years, already surpassing the mark of 4.7 billion users as of July 2022, according to DataReportal. Given the massive amount of data available, social media has become one the most fertile sources of information for background checks and intelligence gathering, as well as for various types of investigations, including criminal, regulatory, insurance and civil matters such as cyberbullying and defamation.

Social media is, however, a volatile and dynamic source of data. Posts, including photos, comments, memes and other potentially relevant information, can disappear in a matter of minutes—if not seconds—nullifying any chances of using them as probatory elements. There are websites and other online services that record historical data on the internet but, given the extreme volatility of social media, they just do not work well for these situations.

Different from the forensic imaging of a device, which preserves all of its data at a given point in time, preserving data directly from the servers of social media providers poses a much bigger challenge and involves search warrants, addressing the technical complexities of cloud-based environments and jurisdictional issues regarding data privacy. On the other hand, simply taking screenshots of the social media page or post containing the desired information will likely be contested in court.

Social media data preservation should be treated with the same rigor as data collection from computers, mobile devices and servers, even when conducting internal investigations, because the preserved data can potentially become evidence in litigation that was not foreseen at its start. Therefore, sound forensic methodologies and tools must be applied in these situations to ensure that preserved social media information (i) is identical to the source, (ii) is not altered and (iii) is traceable, leaving no room for questioning when the evidence is most needed.

However, forensically preserving and working with social media information from various providers and in so many data formats is a different challenge entirely. Social media is diverse, meaning that proper forensic collection and analysis not only requires state-of-the-art software but also significant knowledge and technical expertise. Although some forensic software is very robust in collecting and parsing information from devices, they still lack the capacity to perform similarly with social media given the vast volume of data it contains, which makes the human factor even more important.

The integration of social media analysis and digital forensics of devices can be key to identifying relevant evidence during an investigation. Digital forensics can uncover artifacts on smartphones such as passwords, photos, geolocation timestamps and other relevant metadata, unlocking new insights when cross-analyzed with information collected from social media. We have assisted our clients in numerous cases by integrating such data sources and performing communication analysis, for example, by building relationship diagrams in order to easily spot important relationships among parties. This enables fast decision-making and seamlessly defining an investigation path.

Social media forensics has become a powerful mechanism for gathering relevant evidence in investigations. However, the heterogeneity and disparate data sources still pose a significant challenge when parsing information and conducting analysis. This highlights the importance of applying proper forensic methodologies and tools as well as having accredited technical expertise and legal support to address pertinent ethical and data privacy matters. Still, the combination of social media analysis and digital forensics of devices can significantly increase the ability of an investigator to identify relevant correlations and strengthen findings.