
A guide to accessing social media data for investigations

Discover the technical processes to access critical social media information, from IP tracking to data preservation and legal requests


Social media has a vital role in the lives of many citizens. According to Statista, “as of January 2024, there were 5.35 billion internet users worldwide, which amounted to 66.2% of the global population. Of this total, 5.04 billion, or 62.3% of the world’s population, were social media users.” [1] Furthermore, and even more astonishing, the Pew Research Center reports that 67% of U.S. adults ages 18-29, 75% of adults ages 30-49 and 58% of adults age 65 and above use Facebook. [2]

As social media use continues to grow exponentially, law enforcement agencies are leveraging these platforms not only for public engagement but also for investigations, offering powerful tools to track, monitor, and gather critical intelligence. These platforms provide officers with real-time access to a wealth of information that can be vital in solving cases and preventing crimes.

This article delves into the technical aspects of how law enforcement agencies utilize social media for investigations, including the tracking of IP addresses, data preservation requests, the collection of subscriber information, and the use of court orders to access critical digital evidence, illustrating the detailed processes that enable officers to gather vital intelligence in modern policing.

Connection from a device to a network

Accessing social media applications requires an active data or internet connection. These connections are made through a mobile device or computer with an active data connection, which connects to a cellular phone tower, Wi-Fi, or a hardwired internet connection. When a mobile device connects with a mobile phone provider’s cellular network, the mobile device’s internet protocol (IP) address, a numerical label assigned to every device connected to a cellular network, is recorded by the mobile phone provider to identify the device on the network. The same applies when a computer or device accesses a Wi-Fi network. The data or internet providers record not only the IP address but also the date, time and location of the connection.

After a device establishes a connection, either to a mobile network or Wi-Fi, the assigned IP address can either be an IPv4 address, which is shorter in length and allows for 4.2 billion unique addresses, or an IPv6 address, which is longer in length and allows for trillions of unique addresses.

IPv4 addresses are expressed in four sets of numbers, which are separated by periods (e.g., 146.132.2.6) and IPv6 addresses are expressed in eight groups of hexadecimal numbers, which are separated by colons, with each group containing four hexadecimal digits (e.g., 2016:0af6:32b9:78t6:2367:9a3v:5298:2364).

Typically, IPv4 addresses are dynamic and IPv6 addresses are static. The date and time of connection are just as important as the IP address. This information is critical, especially when the IP address is dynamic (changing). If the IP address is dynamic, the address could have been assigned to several devices over a period of time. Obtaining the date and time, including seconds, is imperative.
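The following Python sketch is an added example, not part of the original article. It shows why the time zone and the seconds matter when a dynamic address is matched to a subscriber; the lease table, subscriber labels and the `holders` function are constructed for illustration and use documentation-range addresses.

```python
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address

# Constructed sample lease log (not real data): ip, subscriber label,
# lease start and lease end, all recorded in UTC.
LEASES = [
    ("203.0.113.25", "subscriber-A",
     "2024-03-01T13:00:00+00:00", "2024-03-01T14:30:41+00:00"),
    ("203.0.113.25", "subscriber-B",
     "2024-03-01T14:30:42+00:00", "2024-03-01T19:00:00+00:00"),
    ("2001:db8::7", "subscriber-C",
     "2024-03-01T00:00:00+00:00", "2024-03-02T00:00:00+00:00"),
]


def holders(ip, stamp, precision_seconds=1):
    """Return every subscriber that held `ip` during the instant `stamp` covers.

    `stamp` is an ISO 8601 string that must carry a UTC offset.
    `precision_seconds` is the width of the window the record really
    describes: 1 for a full timestamp, 60 if the seconds were dropped.
    """
    addr = ip_address(ip)  # raises ValueError on a malformed address
    start = datetime.fromisoformat(stamp)
    if start.tzinfo is None:
        raise ValueError("timestamp has no time zone; cannot match lease log")
    start = start.astimezone(timezone.utc)
    end = start + timedelta(seconds=precision_seconds)

    found = []
    for lease_ip, who, begin, finish in LEASES:
        # Compare parsed addresses so short and long IPv6 forms match.
        if ip_address(lease_ip) != addr:
            continue
        lease_begin = datetime.fromisoformat(begin)
        lease_end = datetime.fromisoformat(finish)
        # Keep the lease if it overlaps the window [start, end).
        if lease_begin < end and start <= lease_end:
            found.append(who)
    return found


if __name__ == "__main__":
    # Full timestamp with offset: one subscriber.
    print(holders("203.0.113.25", "2024-03-01T09:30:40-05:00"))
    # Same event recorded to the minute: the window spans a lease change.
    print(holders("203.0.113.25", "2024-03-01T09:30:00-05:00", 60))
```

A result with more than one label means the record is too coarse to attribute the connection to a single subscriber.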

Social media accounts and available data

When one establishes a social media account, there is a process one must follow to activate the account. Each account requires a first and last name, username, email address, verified phone number and password. It is possible to use a fictitious name; however, you are required to provide a valid email address and/or phone number, which is validated by the social media platform. The social media platform will also record the IP address, date and time used to establish the account, as well as the additional IP addresses, dates and times used to access the account.

Furthermore, the social media platforms store all activity for the account, which includes likes, friends, deleted friends, friend requests, about me information, account status history (deactivation, reactivation, disabled or deleted), active sessions (sessions including date, time, device information, IP address, and browser information), applications accessed, chat or messenger data including content of messages, places you check in, credit card information, events, linked accounts, photos, photos metadata, posts, and videos.

Preservation

Many social media accounts are accessed through a mobile device, which provides the account holder instant access to delete, alter, or remove data from the account or to delete the account in its entirety.

Upon determining that data contained within a social media account is pertinent to an investigation, a preservation request should immediately be sent to the social media platform. Account preservation requests are based on an account identifier, such as a username, URL, phone number, or email address.

The preservation request asks the social media platform to preserve a copy of the customer account data while law enforcement prepares a valid legal request. A preservation request is a simple letter addressed to the social media platform, which includes account identifiers, a specific date and time range to preserve, and the specific data to be preserved, and which cites U.S. law 18 U.S.C. § 2703(f).

Normally, a preservation request preserves the data for 90 days. Instagram accounts utilize the username. Beware: the user can always change the username, but they can never change the user ID for their account. You can search the username through https://fameswap.com/tool-instagram-user-id to determine the User ID. These preservation requests shall be served upon the provider through fax or email, and the officer should confirm receipt with the provider.

Non-disclosure

When serving legal process to social media platforms, a key aspect to keep in mind is that social media companies notify their subscribers of any legal process concerning their accounts. To address this issue, law enforcement can request a non-disclosure order from a judge. Additionally, law enforcement can request that the affidavit of the legal process be sealed. A non-disclosure order commands the social media platform not to disclose the existence of the search warrant, court order, or the existence of the investigation to the subscriber, or any other person, unless or until otherwise ordered by the court. The court will also order the affidavit and application sealed.

Legal process

State laws will dictate the type of legal process that is required to obtain records from social media platforms. In most cases, a search warrant or court order is required. A search warrant can be approved by a magisterial judge; however, if you are requesting a non-disclosure order or sealed search warrant, they must be approved by a Common Pleas or trial level judge. Court orders must be approved by a Common Pleas or trial level judge and are normally submitted with an application, affidavit and order.

Within your affidavits, you must specify which evidence or data you are searching for, why this data is within the records of the platform, and how and why this data is essential and connected to your investigation. You must include a paragraph requesting a non-disclosure order and the reason it is required. An example is that through your training and experience, you know the social media platform will notify the target subscriber of the legal process, which through this disclosure will jeopardize the investigation or provide the subscriber with time to destroy evidence within their account.

Furthermore, law enforcement normally seeks a sealed search warrant with a non-disclosure order. A sealed order authorizes law enforcement to serve the face page of the search warrant or court order only.

Normally, law enforcement is required to serve the search warrant or court order in its entirety. This ensures that no one outside of law enforcement is entitled to the contents of the affidavit. Keep in mind, a non-disclosure order is not indefinite. Such orders normally expire 60 days after they are approved. To extend the sealed order, law enforcement must submit a new search warrant or court order.

These requirements and policies may differ from jurisdiction to jurisdiction.

Case study

In August 2020, a shooting homicide occurred that had minimal leads and no information as to the identity of the perpetrator. Officers responded to the report of shots fired and discovered a male victim suffering from multiple gunshot wounds. Despite medical intervention, the victim succumbed to his injuries and was pronounced dead at the scene. Detectives located a critical piece of evidence: the victim’s mobile phone.

Preliminary review of video surveillance identified a suspect vehicle. Further review revealed that this vehicle was captured in close proximity to the victim’s residence. Additionally, the vehicle was spotted departing the crime scene.

Detectives were able to gain access to the victim’s mobile phone and observed his social media account, which was open on the device. They were able to uncover recent messages that shed light on potential motives for the homicide. Detectives immediately drafted a preservation request to safeguard the data until a court order could be obtained. These messages disclosed the social media name of an individual with whom the victim had been in contact. Subsequently, detectives executed a court order, accompanied by a non-disclosure order, on the social media platform, seeking pertinent information from both the victim’s and suspect’s accounts, including:

  • Subscriber information
  • Email account utilized to open the account
  • Verified phone number and additional phone numbers
  • Activation and deactivation dates
  • IP addresses utilized to open the account and utilized for messages in reference to the homicide
  • Profile photograph

Based on this data, detectives established the account was deactivated on the day after the homicide. Furthermore, detectives identified a suspect through this data, which corresponded to the suspect’s driver’s license photograph. IP address details provided detectives with probable cause to pursue search warrants for both mobile and residential service providers. Subsequently, additional probable cause was established, enabling detectives to obtain search warrants for:

  • Mobile phone call detail records
  • Mobile phone cloud data
  • Email account records

By executing further search warrants, detectives established a direct connection between the suspect, his phone, his residence, and his social media account. Additionally, analysis of the suspect’s phone records yielded information confirming his presence at the crime scene. Subsequently, the suspect provided a statement and was charged with criminal homicide.

References

1. Petrosyan A. (January 31, 2024). Number of internet and social media users worldwide as of January 2024. Statista.

2. Pew Research Center. (January 31, 2024). Social media fact sheet.

Matthew Rowles is a 24-year law enforcement veteran presently serving as a detective sergeant for a municipal police department in Pennsylvania. Matt served five years as a patrol officer, 14 years as a detective and is in his third year as a detective sergeant.

Matt is trained in all the traditional investigative procedures and techniques, with expertise in the use of technology to advance challenging criminal investigations. In 2008, after recognizing the evolving shift in investigative practice, with the use of cell phones and similar electronic devices, he began training and obtained a certification in mobile phone forensics and technology.

Matt holds an AS in Administration of Justice, a BS in Criminal Justice Forensics, and is enrolled in an MS Homeland Security/Emergency Management program with an expected graduation in spring 2025. Matt is certified as a Cellebrite Certified Operator (CCO), Certified Physical Analyst (CCPA), Gray Key Operator and class “A” certified to utilize electronic surveillance equipment. Matt is a court-recognized expert in mobile phone technology and forensics.