July 01 2014
The Facebook social network has become a cultural phenomenon, with well over a billion users. With this proliferation, Facebook evidence has inevitably become involved in a large number of legal matters, leading to a need for expert advice from a Digital Forensic Investigator.
Most frequently, we are instructed in cases where the main issue is the production of disputed messages sent on Facebook, in which one party denies sending such messages. An investigation in these circumstances can take one of two approaches: examining the Facebook accounts themselves, or carrying out a full forensic examination of the computers (or other devices) apparently used to send or receive the messages.
The first fact to establish is whether the message was actually sent from the account alleged, as Facebook allows anyone to set up an account in any name. A Digital Forensic Investigator can analyse the sent messages and extract the ID number unique to every account to identify an impostor. If the messages have since been deleted, Facebook state that they are beyond recovery, in which case the investigation can switch to the device itself.
Once we have established the accounts involved, examination of the Facebook logs is the next step. These contain all the information that Facebook holds about an account, and can be downloaded from a user’s account directly. All that is required is the username and password. Such logs are in a format that can be easily manipulated after download, so it is important that they are produced in an auditable fashion. Unfortunately, the logs are not simple to interpret; instead of each user action being individually recorded with a time and IP Address, multiple sources of information must be analysed and cross-referenced and a picture of what could have happened drawn up. The scope for misinterpretation is great. Analysis of the logs can, however, establish the IP Address in use at the time the disputed message was sent. This can be used, with an appropriate Court order, to find out the physical location of the Internet connection from which the message was sent. We have had cases where this type of investigation has shown that a message allegedly sent by the defendant to the complainant was actually sent from the complainant’s own house.
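The cross-referencing described above, sketched as an added example (not the author's tooling and not Facebook's actual log format): it takes the time of a disputed message and reports every IP address that two separate record sources make consistent with it, flagging the case where more than one address fits. The record layout, the 30-minute window and the documentation-range IP addresses are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records. Field layout is hypothetical, not Facebook's
# export format; IP addresses come from the RFC 5737 documentation ranges.
SESSIONS = [  # (session start, session end, ip)
    ("2014-03-02T18:55:00+00:00", "2014-03-02T19:40:00+00:00", "192.0.2.10"),
    ("2014-03-02T19:20:00+00:00", "2014-03-02T19:35:00+00:00", "198.51.100.7"),
    ("2014-03-02T21:00:00+00:00", "2014-03-02T21:30:00+00:00", "203.0.113.5"),
]
LOGINS = [  # (event time, ip)
    ("2014-03-02T18:55:00+00:00", "192.0.2.10"),
    ("2014-03-02T19:20:00+00:00", "198.51.100.7"),
]

def parse(ts):
    """Normalise every timestamp to UTC so sources in different zones compare."""
    return datetime.fromisoformat(ts).astimezone(timezone.utc)

def candidate_ips(message_time, sessions, logins, window_minutes=30):
    """Return {ip: [reasons]} for every IP consistent with message_time."""
    t = parse(message_time)
    window = timedelta(minutes=window_minutes)
    found = {}
    for start, end, ip in sessions:
        if parse(start) <= t <= parse(end):
            found.setdefault(ip, []).append("active session")
    for when, ip in logins:
        if abs(parse(when) - t) <= window:
            found.setdefault(ip, []).append("login within window")
    return found

def assess(message_time, sessions=SESSIONS, logins=LOGINS):
    """Classify the attribution: one IP, several competing IPs, or none."""
    ips = candidate_ips(message_time, sessions, logins)
    if not ips:
        verdict = "no attribution"
    elif len(ips) == 1:
        verdict = "single candidate"
    else:
        verdict = "ambiguous"  # overlapping sessions: the logs alone cannot decide
    return verdict, ips

if __name__ == "__main__":
    for msg in ("2014-03-02T19:25:00+00:00", "2014-03-02T22:10:00+01:00"):
        print(msg, assess(msg))
```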
Information about IP Addresses is usually only held by an Internet Service Provider for a period of one year. This means that, in more serious cases, by the time the case comes to Court the address information may have been lost. Whilst general information can still be gained from the logs, such as the ISP in use at the time, it is not specific enough to pinpoint where the message was sent from. It is here that an examination of all parties’ equipment can be useful. Forensic analysis of hard drives can potentially recover Facebook conversations from many years ago, long after they had been deleted from Facebook. Forensic analysis can be used to show that a specific computer was used to send the disputed message and, in addition, analysis of surrounding activity may also be able to assist in identifying the user of the computer at that time. This is the only way in which deleted Facebook activity can be recovered and it can be highly important when the only evidence in a case is someone’s recollection of a Facebook conversation, with no proof that it actually took place.
Facebook analysis is a complex area, requiring the skills of a forensic scientist, not only to interpret the information, but to help you formulate an appropriate strategy for approaching the evidence in your case. If you have any questions regarding Facebook, or digital evidence in general, our Digital department would be happy to discuss this with you.
(Update: Facebook rebranded to Meta in 2022)
Author
Ross Donnelly
BSc (Hons), CFCE, CAWFE, ICMDE