This is the 2nd installment of our 4 part series about Social Media/Online Investigations (SMI). In the first article, we discussed the importance of conducting Social Media and Internet Investigations, and how to find ac-counts online. This article will focus on the basics of authentication and how to lay the foundation for internet based evidence.
The first concept to understand is that anything found online with relevance to your case is evidence and needs to be treated as such. Once a piece of content is identified that is relevant to a case, it needs to be forensically preserved. Numerous cases have come out across the United States where “print screens” or other printouts from a social media profile have been excluded as evidence. One such case was United States v. Vayner, 2014 wl 4942227 (Oct. 3, 2014 2d Cir.), wherein the trial court allowed a printout from a VK (The Russian equivalent to Facebook) account into evidence; which decision was later over turned by the appeals court. The ruling indicated that even though the account in question had the subject’s name and picture, the presenting party could not verify that the subject was the owner of the account or if the subject had made the posts in question. Forensic preservation includes capturing not only the images, but also extracting the metadata (computer code) associated with that particular piece of evidence and creating a hash (digital fingerprint) for it. This step is going to require use of specialized software.
To authenticate a social media account, I recommend first finding the account using a method which strongly ties it to the subject. The most preferable methods are linking it to a known phone number, email address, or user handle. From there, you’re going to need to look for at least 3-5 points of additional information which the courts have termed “specific indicia” contained within the account, that help establish that the per-son portrayed is in fact the person in control of the account. These are pieces of information posted by the subject or to their account that only they would know. References to high school reunions, events attended, church groups, etc. are all great examples. From there, take the forensically preserved item and review the metadata to confirm that the posts actually came from the person indicated at the time/date in question.
If the evidence is going to be used at trial, the foundation will have to be properly laid. This is another reason why forensic preservation is so important, because if the content has been forensically preserved, most of the information needed for foundation is easily accessible. The content contained in the metadata that will need to be used will be: Web address, date/time posted, account user ID, and exactly what the content looked like at the time of capture. Other information needed will be who captured the content, exactly when they captured it, and some assurances that the content wasn’t altered (hash value). Keep in mind that the person capturing the content needs to be eligible to testify in court; so attorneys need to be careful about conducting their own research or having their staff do it. It’s important to understand that Social Media and online content is very fluid and what’s there today may not be there tomorrow, or if it is, it may be significantly changed. If you find something of interest, preserve it immediately because if you don’t, it may be gone the next time you think about it, or you might run into foundational issues.
Stay tuned for the next installment on how to locate content on the surface web and deep web! In the meantime, if you have any questions or if you would like to set up a training for your firm, visit us at https://www.boscolegal.org.
*This series was originally published in the San Bernardino County Bar Bulletin*