Social Media for Investigators - UK...Social Media for Investigators A presentation for #UKAFI2013....

Post on 21-May-2020


Social Media for Investigators

A presentation for #UKAFI2013. June 3-5, 2013. London, UK

Robert Rullan, President / CEO

Rullan Global Consulting Group

C. 408 475 3495

robrullan@rullanglobal.com

facebook.com/RullanGlobal

linkedin.com/in/robrullan

Twitter: @fire4fx

Public Safety Officer - Sunnyvale DPS

Firefighter / Engineer

Police Officer

EMT

Fire Inspector / Fire Investigator

Crime Scene Investigator

B.A. - Political Science - University of Hawaii

M.A. - Government & Politics - St. John’s Univ.

M.F.S. - Forensics Science - National U. (in progress)

Certified Instructor - CA POST

Certified Fire Investigator I - CA OSFM

Certified Fire Prevention Officer - CA OSFM

CVFI , CFEI - National Assoc. Fire Investigators

Crime Scene Investigator - CA POST

really cool job!

Also introducing... Trusty sidekick (aka intern)

Rullan Global Consulting Group

Gabriel Densford, Intern

C. 408 476 8500

gdensford@rullanglobal.com

facebook.com/RullanGlobal

linkedin.com/in/gdensford

Twitter: @gdensford

Disclaimer

No legal advice; consult your legal team

Follow department / agency policies

Opinions are my own

IT department may disagree w/ much of this presentation

“It is not the strongest of the species that survive, nor the most intelligent, but the one most responsive to change.”

Charles Darwin

What is Social Media?

Facebook

Twitter

Google+

MySpace

YouTube

LinkedIn

Mocospace

Orkut

Plaxo

Watford Observer

radio station

what else?

What is social media?

Socialnomics 2013

Social Media =

Open Source Intel

“Social media will be a valued source of information to the SIOC intelligence analyst because it will be both eyewitness and first response to the crisis. Social Media has evolved to be the first instance of communication about a crisis trumping traditional first responders, including journalists. Social Media is rivaling 911 in crisis response and reporting. Analysts will often use Social Media to receive the first tip off that a crisis has occurred, collect details of the crisis, and can even serve as evidence for investigation, thus, it is an integral part of intelligence operations.” FBI’s RFI - Feb. 2012

Valued source of info. to the intel analyst.

Eyewitness and first response to crisis.

First instance of communication at crisis.

Analysts use it as tip off that crisis has occurred.

Evidence for investigation.

The emergence of Temporary Social Media

Things have changed* (* again)

“good old police work” with FB

connect with confidential informants

FB as a canvassing tool

FB as a tip line

FB as a press release

Other uses for FB

alibi

establish character of subject

communication

Human Trafficking

“Facebook Sex Trafficking: Social Network Used to Kidnap Indonesian Girls”. AP Oct 29, 2012, as reported in www.huffingtonpost.com

“Facebook, the human trafficking platform”. Jan. 20, 2011. www.wired.com

most popular social network - over 1 billion users.

profiles are available for personal and business use.

privacy settings can be customized

easy to use

Challenges of FB

no identification required - anyone can sign up as anyone

legal compliance issues

evidence is often collected inappropriately

“I don’t do Facebook”.

Privacy settings

connecting

tagging

apps

posting

Safety concerns

personal computers

personal FB profiles

hackers

Downloading user’s profile

Consent - useful / preferred

Much easier than last time

Account settings,

Download copy of your FB data.

Download the archive, and start having fun!

Facebook LE portal

facebook.com/records

must have LE email address;

no need to resubmit requests;

can keep track of pending requests;

preservation letters, subpoena, court orders, search warrants

How much information?

Subpoena = basic subscriber records (name, length of service, cc info, email address, and recent login/logout IP address).

Court order = additional info (not including contents of communications), which may include message headers and IP addresses.

SW = stored contents (messages, photos, videos, wall posts, location info)

Twitter

microblog

limited characters

no ID required

limited privacy

great listening tool

Twitter terms

tweet - message

DM - direct message - user to user

RT - retweet - resending someone else’s original tweet

hashtag - # (pound sign) - used to track conversations

followers - able to get specific tweets

Twitter terms (cont’d)

abt = about

b/c = because

BFN = bye for now

cld = could

deets = details

EMA = email address

F2F = face to face

IC = I see

ICYMI = in case you missed it

idk = I don’t know

kk = cool cool

NTS = note to self

OH = overheard

TMB = tweet me back

Geochirp.com

Trendsmap.com

Twittermap.appspot.com

Where are you?

Platforms

Platforms allow you to monitor several searches, usernames, accounts, profiles - simultaneously

www.tweetdeck.com

www.hootsuite.com

Google

easily accessible

customize your search

advanced settings

specific / detailed searches

Google +

Reader

Calendar

Docs

Alerts

Translate

Blogs

Voice

There’s more to Google than meets the eye

Image searching

Google + Twitter

Twilert is your new best friend. www.twilert.com

Instagram

Photography based social network

Owned by Facebook

Independent privacy policy / TOS.

Mobile app

Limited privacy

Flickr

Photography based

Owned by Yahoo!

Limited privacy

Geolocation features

Searchable

Legal

What are the challenges faced by legal professionals when dealing with current technology?

How do local (UK, EU) laws apply to international companies?

Is a company based in Taiwan responsible for what its users post? Must they comply with UK search warrants?

Legal cases

it’s all about Federal Rules of Evidence

Connecticut v. Eleck Aug. ‘11

Eleck was convicted on assault 1st degree.

Court excluded FB printout which would have impeached a witness against Eleck.

The issue was AUTHENTICATION of evidence.

Griffin v. State of Maryland. 2011

Convicted of homicide in 2005.

On girlfriend’s MySpace page the words written “snitches get stitches”.

The issue here was AUTHENTICITY.

New York v. Clevenstine Dec. 2009

Convicted of sexual acts with 2 minor females.

MySpace messages between suspect and victims entered as evidence.

Suspect claimed this was not properly admitted; not authenticated.

Claim denied, because:

victims testified that they had sent the messages;

forensic examination of hard drive indicated access to site, etc;

compliance officer from MySpace testified as to creation of messages, etc. = AUTHENTICATED.

Skype

Records every call, every chat session, and SMS messages.

Skype Log Parser - RedWolf Computer Forensics

Windows XP - C:\Documents and Settings\<username>\Application Data\Skype\<username>

Vista / Win 7 - C:\Users\<username>\AppData\Roaming\Skype\<skype-name>

Browser Forensics

Chrome History View - reads all history from Google Chrome.

Internet Evidence Finder - www.jadsoftware.com

Mandiant Web Historian -

Exif Viewer

Exiftool by Phil Harvey

able to read metadata in various different file types

You may find tool at: owl.phy.queensu.ca/~phil/exiftool

A Network for Professionals

“Try not to become a person of success, but a person of value”

Albert Einstein

What is LinkedIn?

A business oriented social networking site.

Unlike FB - no pictures.

Resumes, CVs, etc.

I already have Facebook. Why do I need LinkedIn?

You make connections, not necessarily “friends”.

It can be used to find jobs, people, and business opportunities.

You don’t post pictures (other than profile).

You post qualifications, skills,

What else?

Professional groups - make connections with members of those groups.

Post discussions in those groups, ask for resources, or invite like-minded professionals to your events.

Groups?

Groups are created around various themes. For example:

alumni associations

veterans

geography

industry

You can create your own group!

More on groups...

I’m connected to Tom on LinkedIn,

I see that he belongs to the group “Consultants Network”,

I check the group’s profile, because I may be interested in:

joining

investigating someone who may be into that interest

Connections

Most people will have connections visible to other connections.

You can check a person’s connections to see if you want to:

meet that person,

learn about that person,

investigate that person.

Connect - Network

We no longer have time to be on the phone all the time, catching up with people, asking about their lives;

We just want to know -

What can I do for you?

What can you do for me?

LinkedIn allows you to stay connected professionally with those who you care to stay connected with.

Real Life

21st Century Insurance

Vehicle Fire Investigation class

NYPD Arson & Explosion Squad

Investigative

Determine suspect’s:

associates;

background;

level of education;

professional interests / accomplishments;

More investigative uses

Are there people in his old job / school / association who are willing to talk to you?

Is his background in insurance / accounting / investigation / security of any relevance to your investigation?

Preservation letters

Privacy policies

Contact information

Changes in the law

Changes in technology

Keys to success

Limits?

Your creativity.

Your curiosity.

The type of crime.

The type of suspect.

Time.

By changing nothing, nothing changes.

Tony Robbins

Thank you for your time.

Please contact me at:

(408) 476 8500

robrullan@rullanglobal.com

On Twitter: @fire4fx

Be safe out there.