Legal Investigation in Social Media: How to Do It; How Not to Do It - PowerPoint PPT Presentation


About This Presentation



Legal Investigation in Social Media: How to Do It; How Not to Do It. Benjamin Wright, Attorney. SANS Institute: Law of Data Security & Investigations – PowerPoint PPT presentation

Slides: 38
Provided by: ncsbnOrg1


Transcript and Presenter's Notes


Legal Investigation in Social Media: How to Do It; How Not to Do It
  • Benjamin Wright, Attorney
  • SANS Institute: Law of Data Security & Investigations
  • This is not legal advice.

  • How to record evidence
  • Admissibility and authentication of evidence
  • Risks in collecting evidence
  • Methods for managing risks
  • The power of a preservation letter
  • General principles for guiding social media

  • Regulatory investigators gather evidence via
    social media
  • Welfare cheat foiled by Facebook
  • Based on Facebook videos, Hawaiian Humane Society
    issues citations; prosecutor to press charges

Many Social Networks
  • Facebook, Twitter and LinkedIn are just a part of
    the topic
  • Many new social networks, like Google Plus,
    Quora, Instagram, Groupon, Pinterest, Touristlink
  • Thousands of blogs and special interest forums

Different from Traditional Digital Forensics
  • Traditional investigator has access to hardware
    that holds data
  • In web, cloud or social media investigation,
    investigator typically does not have direct
    access to hardware on which original data are
  • The data can change from minute to minute
  • Format of service changes from month to month
  • Service provider may or may not cooperate

Rely on Witness Testimony
  • Ultimately, court looks to someone to testify
    about what happened and how it looked at a point in
  • Two witnesses are better than one
  • Printout most common form of social media
    investigative record
  • But printouts can be awkward and can miss a lot

  • Captures the look, the words, the images, the
    interactivity and inter-relationships from one
    page and link to the next
  • Captures webcam narration by witness which can
    be compelling to judge and jury
  • Free, open-source tool
  • Other products like Camtasia

Many Posts and Demos of Screencast Evidence
  • http// - live chat
  • http// - web activity
  • http// - online financial trades
  • http// - undercover police in
    social media
  • I welcome your comments, questions and criticism!

Screencast Script
  • Create a unified package of evidence, integrating
    pages, links and testimony
  • Investigator as eyewitness -- recorded by audio
    or webcam
  • Script of the investigator
  • His identity, purpose & authority
  • Time and date
  • His statement of signature, taking responsibility
    for what he sees

The Power of an Affidavit: Paper, Audio, Video or Other File
  • "I, Jane Doe, hereby affirm that I collected the
    following evidence in the way described." Sign,
    date, notarize
  • Prevents Jane Doe's memory from wandering
  • Jane Doe may not work for, or cooperate with, you
    two years from now
  • Webcam signature is pretty convincing

Corroborate Date and Time
  • State date and time in record/affidavit, then
  • Send record by enterprise email to multiple
    people (timestamp), or
  • Store the record on enterprise SharePoint, which
    shows audit trail with time, or
  • Upload record to a third party service like
    Microsoft SkyDrive, which records date

Undercover Cops Example
  • Two witnesses
  • Record voice but no video
  • Mercer County prosecutor's office, New Jersey
    gang investigation
  • http//

Investigative/Recording Tools
  • Vere Software
  • X1 Discovery
  • Hashbot
  • Iterasi web archiving service
  • Others
  • Each works differently
  • Regardless, an affidavit from a witness is

Hook into APIs Collect Meta Data
Consider Terms of Service
  • Platform application developers and operators
  • Post privacy policy
  • "You will delete all data you receive from us
    concerning a user if the user asks you to do so,
    and will provide a mechanism for users to make
    such a request. ... You will make it easy for
    users to remove or disconnect from your

General Facebook Terms
  • http//
  • If you collect information from users, you will
    obtain their consent, make it clear you (and not
    Facebook) are the one collecting their
    information, and post a privacy policy explaining
    what information you collect and how you will use

  • Does this mean no one can, without consent, copy
    something from Facebook for purposes of an
  • I think not.
  • Making limited copies is generally accepted
  • But the principle of proportionality is

  • The scale of data collection matters
  • A broad, general principle from privacy and
    e-discovery law is that the collecting and
    management of data should be proportionate to
    the case (considering risks, costs, urgency and
    so on)
  • See blog articles http// and

Admission of Evidence
  • Social media evidence is very commonly admitted
    into legal proceedings
  • Varying degrees of formality in proceedings
  • However, some criminal cases show skeptical
  • Criminal cases have higher standard of proof

Authenticate Myspace
  • Griffin v. Maryland, No. 74 (Maryland Apr. 28,
    2011) - In murder trial, questions arise why a
    witness gives conflicting testimony. Prosecution
    tries to show defendant's girlfriend threatened
    witness through Myspace. Court: Myspace
    evidence insufficiently authenticated. An
    imposter could have posted the message.

Addressing the Authentication Issue: Law Enforcement Search Warrants
  • Can collect details from the service provider
    like IP address, time, application, mobile
    carrier and more
  • These details can help with authentication
  • Zachary Wolff, Twitter To log or not to log Is
    that the question? http//

Alternative Ways to Authenticate Evidence
  • Interact with the user (if permitted)
  • Gather corroborating detail about user
    statements, activities and timeline
  • Corroborating details can be collected from
    multiple sources (Facebook, Twitter, special
    interest forums, games, phone, witnesses and so

Risks: Ethical Limitations
  • New York State Bar Ethics Opinion 843
    (9/10/2010); NY City Bar Formal Opinion 2010-2;
    San Diego County Bar Opinion 2011-2
  • Lawyers may view public postings of adversaries
  • May not friend an adversary represented by a
  • May not use deception to friend someone

No Trespassing Sign?
  • Pietrylo v. Hillstone Restaurant Group
  • Private Myspace forum talk about all the
    crap/drama/and gossip occurring in our workplace,
    without having to worry about outside eyes prying
  • Management got password; fired employees
  • Jury: company must pay back wages and punitive

Lessons from the Hillstone Case
  • Exercise restraint and discretion
  • Watch out for and evaluate claims of privacy
  • Careful with passwords that don't belong to you

Managing Risk: Restraint and Proportionality
  • Canada Privacy Commissioner (PIPEDA Case Summary
    2009-019): employer may investigate if employee
    had violated employment contract
  • Principle: have a logical, evidence-based
    justification for getting sensitive information
  • Predicate evidence justifies getting more
    evidence, but only what is necessary
  • This principle is consistent with discovery
    principles in civil litigation

Managing Risk: Interview the Subject First?
  • A formal HR interview or deposition puts pressure
    on subject to tell the truth
  • Yes, subject could delete data, but
  • Deletion of data itself is evidence of wrongdoing
    that could hang the subject
  • Deleting data is harder than it looks because
    copies are spread everywhere

Power of a Preservation Letter
  • Letter puts adversary on notice not to destroy
  • Focuses the adversary's attention on electronic
    evidence and all the steps that might be
    necessary to preserve
  • http//

Legal Steps to Access Non-Public Data
  • Consent of the user
  • E-discovery demand to user
  • Informal request to social network
  • Subpoena to social network
  • Search warrant for law enforcement
  • Find the data in an alternative, public location

Informal Request
  • Very commonly service providers, especially
    smaller ones, will cooperate with requests from
  • Fugitive plays World of Warcraft
  • Howard County, Indiana, Sheriff sends polite
    letter to operator of game
  • Service provider reveals IP address, which leads
    to fugitive in Canada http//

Civil Subpoenas for Content
  • Big service providers tend to resist
  • Smaller service providers may be more cooperative
  • Crispin v. Christian Audigier, Inc.
  • Civil subpoena to FB and Myspace quashed
  • Content protected under Stored Communications Act
  • May be difference between private messages and
    wall postings

Alternative Locations for Evidence
  • Notices and copies to email or phone SMS (text)
  • Replication at other sites (my Facebook and
    LinkedIn repeat my tweets)
  • Sharing by friends
  • Cache on computer

General Principles for Investigators
  • Keep thorough, signed, time-stamped records
  • Record your justification
  • Keep the methods and evidence capture
    proportionate and within the scope of the
  • User consent (employment application or terms of
    employment) reduces risk
  • Be creative to find the data

Blog: benjaminwright.us, Google Plus
  • This presentation is not legal advice for any
    particular situation. If you need legal advice,
    you should consult the lawyer who advises you or
    your organization. Use this material at your own
    risk. Anyone may reuse or reproduce it.