Part 3 / 6

Social Media Investigation

🕑 90-120 minutes 📖 Intermediate Level 📋 Module 3

Introduction

Social media has become an integral part of our lives, and therefore it is often connected to cyber crimes as well. From cyber stalking to defamation to fraud, social media platforms are used in many crimes. As a cyber crime investigator, it is important to know how to investigate social media profiles and collect evidence from them.

📚 Learning Objectives

After this part, you will be able to use OSINT techniques for social media investigation, analyze profiles, understand social media artifacts, and collect evidence from Facebook, Instagram, and WhatsApp.

OSINT Techniques

OSINT (Open Source Intelligence) is publicly available information that can be collected and analyzed. In social media investigation, OSINT techniques are very useful.

What is OSINT?

OSINT refers to the collection and analysis of information from publicly available sources. This may include:

  • Social media posts and profiles
  • Publicly available websites and forums
  • Public records and databases
  • News articles and publications
  • Images and videos on the internet

OSINT Tools for Social Media

🔍

Username Search Tools

Namechk, KnowEm, Sherlock - Search for a username across multiple platforms.

📷

Image Analysis

Google Reverse Image Search, TinEye, Yandex - Find the origin and usage of images.

📍

Geo-Location Tools

Google Earth, Mapillary, SunCalc - Determine location from images.

📈

Archive Tools

Wayback Machine, Archive.today - View deleted or modified content.

Ethical Considerations

While using OSINT techniques, always ensure that you are not violating any privacy laws or terms of service. Use OSINT only for legitimate investigative purposes and document everything properly.

Profile Analysis

Social media profile analysis is a key part of cyber crime investigation. Here you learn what information can be gathered from a profile.

Information to Collect from a Profile

| Category | Information |
|---|---|
| Basic Information | Name, Username, Profile Picture, Bio, Location |
| Contact Details | Email, Phone Number, Website |
| Activity Patterns | Posting Time, Frequency, Active Hours |
| Connections | Friends, Followers, Following, Groups |
| Content | Posts, Photos, Videos, Stories, Comments |
| Metadata | Account Creation Date, Last Active, Device Used |
| Behavioral Patterns | Interests, Language, Writing Style |

Fake Profile Identification

It is important to identify fake profiles in investigations. Signs of a fake profile include:

  • Stock Photos: Profile picture from image libraries or stolen from others
  • Sparse Activity: Very few posts or inconsistent activity
  • New Account: Created very recently
  • Few Connections: Very few friends/followers or mostly fake accounts
  • Generic Content: Copied content or generic posts
  • Inconsistent Information: Mismatched age, location, or details

💡 Profile Analysis Technique

Use reverse image search on the profile picture. If the same picture appears on multiple profiles with different names, the profile is likely fake. Also check for EXIF data on uploaded images if metadata is available.

Social Media Artifacts

Social media artifacts are the digital traces left by social media applications on devices. These are crucial for mobile forensics.

Types of Artifacts

💾

Database Files

SQLite databases that store messages, contacts, and settings. Often contain deleted data that can be recovered.

🖼

Media Cache

Cached images, videos, and voice messages. Often remain even after messages are deleted.

📋

Log Files

Application logs that record activities, errors, and timestamps.

🔑

Preferences Files

User settings and preferences that may contain account information.

Common Artifact Locations (Android)

WhatsApp:
  • /data/data/com.whatsapp/databases/msgstore.db
  • /data/data/com.whatsapp/databases/wa.db
  • /sdcard/WhatsApp/Media/

Facebook:
  • /data/data/com.facebook.katana/databases/
  • /data/data/com.facebook.orca/databases/ (Messenger)

Instagram:
  • /data/data/com.instagram.android/databases/
  • /data/data/com.instagram.android/cache/
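The database artifacts above are SQLite files, so a first look at an extracted working copy can be done read-only, with a hash taken before and after to show the file was not altered. This is an added example, not part of the original course material; the sample database, its table names, and the function names are constructed for illustration and do not reflect any real application schema.

```python
import hashlib
import sqlite3
import tempfile
from pathlib import Path


def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def build_sample_db(path):
    """Constructed stand-in for an extracted app database (not a real schema)."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE sample_messages (id INTEGER PRIMARY KEY, body TEXT, ts INTEGER);
        CREATE TABLE sample_contacts (id INTEGER PRIMARY KEY, display_name TEXT);
        INSERT INTO sample_messages (body, ts) VALUES ('constructed 1', 1700000000),
                                                      ('constructed 2', 1700000060);
        INSERT INTO sample_contacts (display_name) VALUES ('Constructed Contact');
    """)
    con.close()


def triage_readonly(db_path):
    """List tables and row counts from a working copy; confirm the file is unchanged."""
    before = sha256_of(db_path)
    # mode=ro refuses writes; immutable=1 turns off locking and change detection.
    uri = Path(db_path).resolve().as_uri() + "?mode=ro&immutable=1"
    con = sqlite3.connect(uri, uri=True)
    try:
        tables = [row[0] for row in con.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name")]
        counts = {t: con.execute(f'SELECT COUNT(*) FROM "{t}"').fetchone()[0] for t in tables}
    finally:
        con.close()
    return {"sha256": before, "unchanged": sha256_of(db_path) == before, "tables": counts}


def demo():
    with tempfile.TemporaryDirectory() as d:
        db = Path(d) / "working_copy.db"
        build_sample_db(db)
        return triage_readonly(db)


if __name__ == "__main__":
    print(demo())
```

Run this against a copy of the extracted file, never the original acquisition, and record the reported hash in the case notes.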

Platform-Specific Investigation

Facebook Investigation

Data Available from Facebook

  • Profile information, friends list, groups
  • Posts, photos, videos, stories
  • Messages (Messenger)
  • Login history and IP addresses
  • Ad preferences and activity
  • Check-ins and location history

Requesting Data from Facebook

For law enforcement, Facebook provides a dedicated portal: facebook.com/records. In India, requests can be made through MLAT or direct law enforcement request. Facebook preserves data for 90 days upon valid request.

📷
Instagram Investigation

Data Available from Instagram

  • Profile details, followers, following
  • Posts, stories, reels, IGTV
  • Direct Messages
  • Comments and likes
  • Search history and explore activity
  • Login activity and devices

Investigation Techniques

Instagram user IDs can be found from page source. Stories disappear after 24 hours but can be preserved by following the account or through legal requests. Instagram is owned by Meta, so the same legal request process as Facebook applies.

💬
WhatsApp Investigation

Data Available from WhatsApp

  • Phone number, profile name, status
  • Messages (if device accessible)
  • Call logs
  • Media files (photos, videos, audio)
  • Group membership and admin details
  • Last seen and online status

Key Investigation Points

WhatsApp has end-to-end encryption, so message content cannot be requested from WhatsApp servers. However, the following can be obtained:

  • Subscriber information (name, phone number)
  • Account creation timestamp
  • Last connection time
  • IP address logs
  • Blocked users list

WhatsApp Backup Importance

WhatsApp backups (Google Drive/iCloud) are not end-to-end encrypted by default. These backups can be valuable sources of message content if proper legal process is followed to obtain them from cloud providers.

Evidence Preservation

In social media investigation, evidence preservation is very important because content can be deleted or modified at any time.

Preservation Techniques

  • Screenshots: Take screenshots with visible timestamp and URL
  • Video Recording: Record screen while viewing evidence
  • Web Archive: Save pages to Wayback Machine or Archive.today
  • Legal Preservation Request: Send preservation request to platform
  • Hashing: Create hash of downloaded evidence files
  • Metadata Preservation: Save complete page source with metadata

Documentation Requirements

| Item | Description |
|---|---|
| Date and Time | When evidence was collected |
| URL | Complete URL of the content |
| Username/Profile ID | Unique identifier of the account |
| Investigator Details | Who collected the evidence |
| Tool Used | Method/tool used for collection |
| Hash Value | Cryptographic hash of evidence files |

💡 Best Practice

Always use two independent methods to preserve evidence. For example, take a screenshot AND save the page to web archive. This provides redundancy and strengthens the evidentiary value.
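The hashing step and the documentation fields listed above can be captured together in one log entry per evidence file, which can then be re-verified at any later point. This is an added example, not part of the original course material; the field names, file name, URL, and investigator details are constructed placeholders, and SHA-256 is an assumed choice of hash.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large screen recordings do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_record(path, url, profile_id, investigator, tool, collected_at=None):
    """Build one log entry with the fields from the documentation table."""
    collected_at = collected_at or datetime.now(timezone.utc)
    return {
        "collected_at_utc": collected_at.astimezone(timezone.utc).isoformat(),
        "url": url,
        "profile_id": profile_id,
        "investigator": investigator,
        "tool": tool,
        "sha256": sha256_file(path),
    }


def verify_record(path, record):
    """Re-hash the file later and confirm it still matches the logged value."""
    return sha256_file(path) == record["sha256"]


def demo():
    """Log a constructed capture, then show that any later edit breaks verification."""
    with tempfile.TemporaryDirectory() as d:
        evidence = Path(d) / "capture_0001.html"
        evidence.write_bytes(b"<html>constructed page source</html>")
        rec = make_record(evidence, "https://social.example/profile/constructed_user",
                          "constructed_user", "Investigator A", "browser save-as (assumed)")
        intact = verify_record(evidence, rec)
        evidence.write_bytes(b"<html>constructed page source (edited)</html>")
        return rec, intact, verify_record(evidence, rec)


if __name__ == "__main__":
    print(demo())
```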

📚 Key Points
  • OSINT is open source intelligence that can be collected from publicly available sources
  • Profile analysis helps in identifying fake profiles and understanding subject behavior
  • Social media artifacts (databases, cache, logs) are valuable for mobile forensics
  • Each platform has its own data types and legal request processes
  • WhatsApp is end-to-end encrypted but backups and metadata can be obtained
  • Evidence preservation must be done immediately as content can be deleted
  • Always document evidence collection with timestamps, URLs, and hashes