Social Media Authentication Myths

Metadata capture versus the authentication of social media

Could you explain this to the judge in your case?

There is no more simplistic way to put this into words, so here it goes; just because you can capture the hash values of a social media post does not mean you have identified where or when an image was taken.  Period, end of story.  I have sat through presentations on this topic where the use of hash value collection software was used synonymously with geolocation and metadata collection in a way that the audience believed that such tools would prove when and where an image was taken once extracted from a social media platform.

Posts and images found on Facebook, Instagram, VSCO, SnapChat and for argument sake Twitter do not contain metadata related to the time, date, device or location of the images found on an individual’s profile.  There is no way through metadata to prove when an image was taken once it is posted to most social media platforms.  For this we must get more creative…

The values contained in the MD5 of SHA hashes that can be pulled from a social media post merely verifies when and where an image or post was captured by the person collecting it, namely the investigator.  Tools to extract this data have been around for many years, and a good number of law firms use platforms with integrations that include the ability to do this in-house.  As investigators, we too have a toolbox full of ways to capture the hash values from our internet profile investigations.  Having such abilities is valuable, and may, one day, become mandatory due to a newish federal court rule (902) regarding the self-authentication of digital evidence.  At this moment, local circuit and district courts have yet to adopt this rule and even more importantly are simply unaware of the position of the federal district court update.  For now, given the current landscape and the process a court rule must go through in order to be adopted at the local level, we are better served combining this “new” collection process with a tried and true method, which ultimately includes a affidavit from the investigator, testifying to the collection methods and practices used in the investigation.

If you or a colleague are interested in obtaining a template of the affidavits we have successfully submitted to the courts or a copy of what the Federal Court Rule 902 investigation report looks like, please let us know and we will happy to send you samples.  Furthermore, if your team is interested in training opportunities on the techniques used to collect social media and beyond the surface web internet evidence, we would be happy to provide such training and consultation.