Social Media for Investigators
A presentation for #UKAFI2013. June 3-5, 2013. London, UK
Robert Rullan
Rullan Global Consulting Group
Rullan Global Consulting Group
Robert Rullan
President / CEO
C. 408 475 3495
[email protected]/RullanGlobal
linkedin.com/in/robrullan
Twitter: @fire4fx
Public Safety Officer - Sunnyvale DPS
Firefighter / Engineer
Police Officer
EMT
Fire Inspector / Fire Investigator
Crime Scene Investigator
B.A. - Political Science - University of Hawaii
M.A. - Government & Politics - St. John’s Univ.
M.F.S. - Forensics Science - National U. (in progress)
Certified Instructor - CA POST
Certified Fire Investigator I - CA OSFM
Certified Fire Prevention Officer - CA OSFM
CVFI, CFEI - National Assoc. Fire Investigators
Crime Scene Investigator - CA POST
really cool job!
Also introducing...
Trusty sidekick (aka intern)
Rullan Global Consulting Group
Gabriel Densford
Intern
C. 408 476 8500
[email protected]/RullanGlobal
linkedin.com/in/gdensford
Twitter: @gdensford
Disclaimer
No legal advice; consult your legal team
Follow department / agency policies
Opinions are my own
IT department may disagree w/ much of this presentation
“It is not the strongest of the species that survive, nor the most intelligent, but the one most responsive to change.”
Charles Darwin
What is
Social Media?
Google+
MySpace
YouTube
Mocospace
Orkut
Plaxo
Watford Observer
radio station
what else?
What is social media?
Socialnomics 2013
Social Media =
Open Source Intel
“Social media will be a valued source of information to the SIOC intelligence analyst because it will be both eyewitness and first response to the crisis. Social Media has evolved to be the first instance of communication about a crisis trumping traditional first responders, including journalists. Social Media is rivaling 911 in crisis response and reporting. Analysts will often use Social Media to receive the first tip off that a crisis has occurred, collect details of the crisis, and can even serve as evidence for investigation, thus, it is an integral part of intelligence operations.”
FBI’s RFI - Feb. 2012
Valued source of info. to the intel analyst.
Eyewitness and first response to crisis.
First instance of communication at crisis.
Analysts use it as tip off that crisis has occurred.
Evidence for investigation.
The emergence of Temporary Social Media
Things have changed*
* again
“good old police work” with FB
connect with confidential informants
FB as a canvassing tool
FB as a tip line
FB as a press release
Other uses for FB
alibi
establish character of subject
communication
Human Trafficking
“Facebook Sex Trafficking: Social Network Used to Kidnap Indonesian Girls”. AP Oct 29, 2012, as reported in www.huffingtonpost.com
“Facebook, the human trafficking platform”. Jan. 20, 2011. www.wired.com
most popular social network - over 1 billion users.
profiles are available for personal and business use.
privacy settings can be customized
easy to use
Challenges of FB
no identification required - anyone can sign up as anyone
legal compliance issues
evidence is often collected inappropriately
“I don’t do Facebook”.
Privacy settings
connecting
tagging
apps
posting
Safety concerns
personal computers
personal FB profiles
hackers
Downloading user’s profile
Consent - useful / preferred
Much easier than last time
Account settings,
Download copy of your FB data.
Download the archive, and start having fun!
Facebook LE portal
facebook.com/records
must have LE email address;
no need to resubmit requests;
can keep track of pending requests;
preservation letters, subpoena, court orders, search warrants
How much information?
Subpoena = basic subscriber records (name, length of service, cc info, email address, and recent login/logout IP address).
Court order = additional info (not including contents of communications), which may include message headers and IP addresses.
Search warrant (SW) = stored contents (messages, photos, videos, wall posts, location info).
Twitter
microblog
limited characters
no ID required
limited privacy
great listening tool
Twitter terms
tweet - message
DM - direct message - user to user
RT - retweet - resending someone else’s original tweet
hashtag - # (pound sign) - used to track conversations
followers - able to get specific tweets
Twitter terms (cont’d)
abt = about
b/c = because
BFN = bye for now
cld = could
deets = details
EMA = email address
F2F = face to face
IC = i see
ICYMI = in case you missed it
idk = i don’t know
kk = cool cool
NTS = note to self
OH = overheard
TMB = tweet me back
Geochirp.com
Trendsmap.com
Twittermap.appspot.com
Where are you?
Platforms
Platforms allow you to monitor several searches, usernames, accounts, profiles - simultaneously
www.tweetdeck.com
www.hootsuite.com
Google
easily accessible
customize your search
advanced settings
specific / detailed searches
Google +
Reader
Calendar
Docs
Alerts
Translate
Blogs
Voice
There’s more to Google than meets the eye
Image searching
Google + Twitter
Twilert is your new best friend. www.twilert.com
Photography based social network
Owned by Facebook
Independent privacy policy / TOS.
Mobile app
Limited privacy
Flickr
Photography based
Owned by Yahoo!
Limited privacy
Geolocation features
Searchable
Legal
What are the challenges faced by legal professionals when dealing with current technology?
How do local (UK, EU) laws apply to international companies?
Is a company based in Taiwan responsible for what its users post? Must they comply with UK search warrants?
Legal cases
it’s all about Federal Rules of Evidence
Connecticut v. Eleck Aug. ’11
Eleck was convicted on assault 1st degree.
Court excluded FB printout which would have impeached a witness against Eleck.
The issue was AUTHENTICATION of evidence.
Griffin v. State of Maryland. 2011
Convicted of homicide in 2005.
On girlfriend’s MySpace page the words written “snitches get stitches”.
The issue here was AUTHENTICITY.
New York v. Clevenstine Dec. 2009
Convicted of sexual acts with 2 minor females.
MySpace messages between suspect and victims entered as evidence.
Suspect claimed this was not properly admitted; not authenticated.
Claim denied, because:
victims testified that they had sent the messages;
forensic examination of hard drive indicated access to site, etc;
compliance officer from MySpace testified as to creation of messages, etc. = AUTHENTICATED.
Skype Records every call, every chat session, and SMS messages.
Skype Log Parser - RedWolf Computer Forensics
Windows XP - C:\Documents and Settings\<username>\Application Data\Skype\<username>
Vista / Win 7 - C:\Users\<username>\AppData\Roaming\Skype\<skype-name>
Browser Forensics
Chrome History View - reads all history from Google Chrome.
Internet Evidence Finder - www.jadsoftware.com
Mandiant Web Historian -
Exif Viewer
Exiftool by Phil Harvey
able to read metadata in various different file types
You may find the tool at: owl.phy.queensu.ca/~phil/exiftool
A Network for Professionals
“Try not to become a person of success, but a person of value”
Albert Einstein
What is LinkedIn?
A business oriented social networking site.
Unlike FB - no pictures.
Resumes, CVs, etc.
I already have Facebook. Why do I need LinkedIn?
You make connections, not necessarily “friends”.
It can be used to find jobs, people, and business opportunities.
You don’t post pictures (other than profile).
You post qualifications, skills,
What else?
Professional groups - make connections with members of those groups.
Post discussions in those groups, ask for resources, or invite like-minded professionals to your events.
Groups?
Groups are created around various themes. For example:
alumni associations
veterans
geography
industry
You can create your own group!
More on groups...
I’m connected to Tom on LinkedIn,
I see that he belongs to the group “Consultants Network”,
I check the group’s profile, because I may be interested in:
joining
investigating someone who may be into that interest
Connections
Most people will have connections visible to other connections.
You can check a person’s connections to see if you want to:
meet that person,
learn about that person,
investigate that person.
Connect - Network
We no longer have time to be on the phone all the time, catching up with people, asking about their lives;
We just want to know -
What can I do for you?
What can you do for me?
LinkedIn allows you to stay connected professionally with those who you care to stay connected with.
Real Life
21st Century Insurance
Vehicle Fire Investigation class
NYPD Arson & Explosion Squad
Investigative
Determine suspect’s:
associates;
background;
level of education;
professional interests / accomplishments;
More investigative uses
Are there people in his old job / school / association who are willing to talk to you?
Is his background in insurance / accounting / investigation / security of any relevance to your investigation?
Preservation letters
Privacy policies
Contact information
Changes in the law
Changes in technology
Keys to success
Limits?
Your creativity.
Your curiosity.
The type of crime.
The type of suspect.
Time.
By changing nothing, nothing changes.
Tony Robbins
Thank you for your time.
Please contact me at:
(408) 476 [email protected]
On Twitter: @fire4fx
Be safe out there.