Wednesday, January 22, 2014

Social Media Update: Facebook, Tumblr, and Vine

Recently, social media sites have been making changes to their platforms that are favorable to online researchers. Facebook is making changes to the system which will make it easier to locate users’ timelines. Tumblr has made it easier for users to tag one another and search for tagged content. Also, Vine has implemented a web-based interface with user profiles. All of these changes will assist online researchers in more efficiently gathering information on persons of interest.


Screenshot of the warning users see when logging into Facebook

In December 2012, Facebook announced it was going to retire the “Who can look up my timeline by name?” setting using a phase out approach. In October 2013, Facebook reminded the public that this change would be implemented soon. This month, Facebook has ramped up their alerts about the change on both the site and via email. However, they do not have a date for expected full implementation.

This change is very important to follow for online research and analysis. Current restrictions often force us to look at related parties’ Facebook accounts or scrape the link from another site in order to locate individuals who have removed themselves from Graph Search. Once this privacy setting is fully removed, investigations on Facebook will be streamlined. We will be able to locate all users via the Graph Search interface.


Screenshot of Tumblr search results for Game of Thrones language creator dedalvs

On January 14, the Tumblr staff added a post telling users that they should start tagging other users in their posts. Previously, users would communicate by using tags for topics. The search functionality topics worked well, but the search functionality for other blogs/users was limited. Tumblr has recently upgraded their search features to include a user friendly interface and search filters. Now, researchers can search for content related to the user of interest by taking advantage of the usernames embedded in the post.


Screenshot of Batdad’s Vine profile

On January 3, Vine announced the addition of Vine on the Web. Previously, users were restricted to finding content for Vine users on the mobile application or by finding links to vines embedded in other social media sites. During the creation of Vine on the Web, Vine added online profiles for each user. Profiles list profile information and show the users’ vines and revines (reposts). These profiles will now allow analysts to examine Vine content in one place instead of piecing it together using data fusion techniques.

The Future

Social media is a dynamic system and will never stop changing. Keeping up with these developments is necessary to success in the long run. As investigators, our time is precious. Even the smallest alterations to the social media landscape can present us with new challenges, and this information is vital for us to fine tune our best practices.

Monday, December 23, 2013

Issues Gathering Information Using Geo-location Parameters

We have been out at conferences recently, and there is a major shift in the investigative world to harness the power of geo-location data. This data can provide valuable insight into the whereabouts and patterns of groups and individuals. It is also vital when gathering intelligence and evidence about major events. However, there are many issues analysts must consider when they are moving to a geo-location based system and conducting location-based investigations and monitoring.

Privacy Settings and Restrictions

No matter how great a tool is, it cannot circumvent privacy settings. These settings can be instituted at both the user and site level. Ultimately, many of these privacy settings are implemented to protect users from harm. These privacy settings may scrub geo-location data from posts and/or restrict the flow of location-based information to real-time streams. Previously, Foursquare allowed applications to pull user check-in data without permission. Within the last year, Foursquare removed this feature and now requires users to first grant permission to applications to pull check-in data. As social media sites and applications make changes like these to protect the privacy of individuals, it will become increasingly difficult to base searches and monitors on geo-location data.

Savvy Users

An example of a Facebook user who posted from his couch in Florida but tagged himself in Mali.

As we discussed last week, savvy social media users bring their own challenges to the table. These users can opt to remove geo-location information from their content at a few different levels. First, they can turn-off GPS tracking on their phones’ settings to prevent the device from acquiring their locations. Users can also opt to remove geotagging from their photos which will prevent the data from being embedded in the photos’ EXIF data. Users have another option to remove geo-location data from their posts at the application level. Any users who disable geo-location tagging will ultimately prevent locations from being embedded in metadata, meaning the posts cannot be searched using location-based means. In addition, users can enter false location data into their profiles and posts, creating inaccurate geo-location data.

Defining the Location

Every social media site and geo-location tool defines areas differently. One tool may use specific coordinates to map exact locations of posts. Another may use geofencing to draw a specific area or radius around an exact location. Both of these means are problematic. Depending on the quality of the geo-location data collected from the device, users’ locations can often be marked miles away from their exact location at the time of the post. Sometimes the data about their location is collected from a user’s profile, which means a person posting from St. Augustine, Florida who lives in New York City may show up as making the post from New York City.

A further problem with defining locations arises from the use of language. Some tools allow users to use words to describe their area of interest. For instance, if we used New York City, that might encompass anything within the areas of the Bronx, Queens, Brooklyn, Staten Island, or Manhattan. However, some tools will only pick up New York City and will not recognize that synonyms include NYC or Manhattan or that neighborhoods within New York City include areas such as Harlem and the Lower East Side. These differences can often exclude data points from your area of interest.

Conquering the Problem

Currently, there are many challenges investigators and analysts face when parsing through geo-location data. Many of these issues arise from technology. Until social media sites perfect the collection and dissemination of geo-location data, all tools will be deficient in displaying the information. Additionally, until developers code more comprehensive means to categorize and disseminate geotagged data in tools, the information we can extract from them will be limited. However, there are a few things we can do to make our lives easier.

Foremost, we can use the language of the person or event or topic of interest. For instance, if we are monitoring activity in a specific neighborhood, we can use slang terms for the area, area codes, street names, popular businesses in the area, and any other terms which may describe the region. This can capture data which is not reliant upon geotagged metadata. Another way to maximize the capture of geo-location data is to use a variety of tools. Since every tool has issues collecting and displaying the applicable geographic data, harnessing the power of a multitude of sources allows us to build a more comprehensive data set to analyze.

Thursday, December 12, 2013

Issues Investigating Savvy Social Media Users

As we discussed last week, some social media users strive to gain greater privacy with their communications online. While some users have been protecting their online communications for some time, there is currently a shift to a more private online existence happening in some demographic groups, mainly with teens and young adults. This can be seen in trends throughout Internet-based activity, whether it is a switch to private browsing using Tor, the increasing usage of mobile messaging applications, or backlashes against violations of privacy laws. These savvy social media users can prove to be a challenge for online researchers and analysts. By using privacy-centric platforms, privacy settings, and fake or obscured identities, users can problematize online research of their identities and patterns of behavior.

Privacy-centric Platforms

In many cases, it can be almost impossible to locate a subject’s information due to the sheer nature of the platform itself. Many mobile applications do not have a corresponding website, browser accessible profiles, or search-indexed content. Additionally, many of these apps do not push content to other social media platforms, which restricts outside access to hidden content. These apps often require users to be connected in order to access information. For analysts, this would require us to use the application and request a connection to the person of interest. As many investigations are done without the knowledge of the subject, this can be highly problematic and may cause the user to delete their information. When these situations arise, the most complete information can only be obtained by accessing the device itself or through the use of surreptitious techniques, such as shadow accounts and device cloning.

Privacy Settings

A major hurdle for all investigators is privacy settings. While each social media site is different, in many cases, users can leverage four types of settings to make locating their social media profiles and content more difficult. First, whether by design of the social media platforms themselves or user settings, many social media profiles are removed from search indexes. This makes broad searches more difficult to execute and requires investigators to dig deeper into each individual social media site. Second, some social media sites allow users to remove themselves from the internal search feature and from friend/connection lists unless the person searching for them is connected to them. This means you either need to establish a connection with the individual or find a static link on another location or social media site. Additionally, users can restrict access to their profiles as a whole and the content contained on it. Finally, users can also restrict how unconnected users see their content posted throughout the rest of the social media site. All of these privacy settings can increase the manual work necessary to locate relevant profiles and content.

Obscured and Fake Identities

To hide their online activities, a user may opt to either obscure their real identity or create a fake persona. Obscured identities can take many forms. Users can employ false names, nicknames, unique usernames, or misleading profile information to hide their true identity. They can also choose not to link social media profiles together and use photos which conceal their faces and are not used on any other site. Users can also opt to use fake personas online. By using a fake identity, many users can break the connection from their real identities. In addition to some of the methods used to obscure their identities, many of these users will create completely new identities that are disconnected from their real social networks. Often, they will also use a variety of other means (i.e. VPNs, proxies) to conceal their actual physical location and network connection to prevent doxing.

Making the Information Work for You

It is important to always understand the limitations of social media data and the challenges you will face during open source research. Every social media site and application has its own limitations either through design or the use of privacy settings by savvy social media users. Before you dive into your online investigations, it is important to learn as much as possible about your subject and take note of the issues you might face along the way. Each piece of data will help you find potential obscured or fake identities and better assess the corners of the Internet to explore to find your person of interest.

Monday, December 2, 2013

Trends in Social Media: The Rise of Mobile Messaging Apps

In the 1990s, social media was messaging based. Many people interacted with one another in chat rooms and through instant messaging services like AIM  and ICQ. While Geocities provided a place for people to build webpages, the extent of human interaction was usually rooted in guestbooks. Just like fashion, it was only a matter of time before we found ourselves back in the 1990s.

The Shift

Once parents and grandparents started heading for Facebook to keep up with their families, teens and young adults started scurrying to new social media outlets. Many of these platforms are mobile messaging applications which exist solely on handheld devices. Similar to instant and text messaging services, there are not social media profiles that family members and prospective employers can easily monitor from desktop and laptop computers. These sites provide safe havens for teens and young adults from the watchful eyes of outsiders. Currently, there are three major mobile messaging apps that dominate the field: Snapchat, Kik, and WhatsApp.


Snapchat is a photo and video messaging app that has become wildly popular amongst teens and young adults due to its “disappearing” messages, known as snaps. To create snaps, users manipulate photos and videos with built-in tools and send them to an exclusive group of friends. Unlike other photo sharing services like Instagram, where users have a profile and push content to other social media sites, snaps exist within the app itself. Snaps are only retained for a few seconds after being opened before they are removed from Snapchat’s servers and users’ mobile devices. (While there are some ways to extract this data using screenshots and forensic techniques, those methods are outside of the scope of this post.)


Kik is a mobile messaging service that incorporates group chat; photo, voice, and text messaging; and content sharing. Because of its wide array of content sharing options, most Kik users harness the power of Kik to replace traditional text messaging. Unlike many social media applications that allow users to push content to their other social media accounts, Kik only allows users to pull content into Kik from other sites and applications, such as YouTube and Twitter. This information is stored on mobile devices in a similar manner to text messages.


WhatsApp is a messaging app that works in a similar way to Kik. It allows users to have group chats and share video, photo, text, and location information. Whatsapp has become increasingly popular amongst mobile users, and some studies suggest it has even passed Facebook messenger in popularity. Just like Kik, the information resides in the application itself on a user’s mobile device.

The Trouble With Messaging Apps

One of the major issues arising out of the shift to mobile messaging technology is child safety. As teenagers have fled Facebook, parents have become less able to monitor their children’s behavior. This has led to new avenues for cyber bullying, spreading child pornography, and initiating connections that lead to sexual assault. It also proves a significant challenge for law enforcement, as they have a difficult time tracking activity on these applications.

Thursday, November 21, 2013

Social Media Platforms 101: Twitter

While Facebook may be the most popular social media site, Twitter is perhaps the most prolific social media site in the world. Content from Twitter is constantly quoted in news articles, has had a hand in the Arab Spring and other political demonstrations, and is growing in popularity amongst teens and other heavy users of mobile technology. In many ways, Twitter is one of the most important social media sites to peruse during the course of online research and investigations.

What is Twitter?

 A screenshot of Wil Wheaton’s (@wilw) Twitter profile

Twitter is a microblogging site which allows users to tweet text and links to pictures, videos, and other content in 140 characters or less. Each user’s Twitter experience is customizable, as they select to follow only the users that are of interest to them. The tweets from the followed users appear on the Twitter homepage. Additionally, each user has a Twitter profile in which users can see the user’s last 3200 tweets, followers, followings, and photos and videos.

Another important feature of Twitter is the hashtag. The hashtag was first used on Twitter by users to communicate with one another about a specific topic and is now used on a variety of other social media sites. By clicking on a hashtag, users can execute a real-time search across Twitter to find tweets containing the same hashtag. That search can be sorted by top tweets, all tweets, or tweets from known users. It can also be saved for later use.

What Can You Learn from Twitter?

A screenshot of the JFK trending topic

Twitter allows researchers and analysts to gather a wealth of information about any individual or topic of interest. More than half of all Twitter users leverage the site to access news coverage. Similarly, many users post live coverage of events occurring around them, and Twitter is testing a breaking news feature which allows them to alert users of breaking news in their area. By utilizing hashtags and trending topics, researchers can find information on almost anything of interest.

The amount of information Twitter contains about any given user is astonishing. Using advanced search techniques, you can read every tweet made by an individual user. These tweets can contain information regarding a person’s habits, interests, general disposition, social networks, and locations. Additionally, with the amount of social media applications that push content to Twitter, it makes it easy to quickly identify other social media accounts of a person of interest.

How Can You Use Information from Twitter?

How to leverage information from Twitter is entirely dependent upon the needs of your research or investigation. If you are monitoring topics or events using Twitter, you can use a variety of free and paid tools to identify and capture Tweets using keyword or location-based searches. Many of these tools have alert features built in which will tell you when there are new posts about your topic or area of interest. Similarly, you can also use free or paid tools to monitor and capture individual user’s information.

Ultimately, Twitter is an excellent starting point for any investigation. You can do broad based topic research to identify language patterns and influencers of topics and events of interest. Once you identify your users of interest, you can map out their social networks and movements to establish patterns of behavior and identify even more sources of information. In the future, we will be giving more in-depth tips on how to conduct these investigations in another social media platforms series.

Wednesday, October 30, 2013

Developing PRISM: V2 is Here

For the past few weeks, the PRISM team has been diligently working to test the new version of PRISM. We are proud to announce that, after months of development, we have finally released PRISM V2. As we discussed in an earlier post, Version 1 was originally developed for internal users. In order to test our features and gain valuable feedback from external users, we launched a Pilot Program with select law enforcement agencies across the US. They found bugs, identified workflow issues, gave valuable critiques, and made feature wish lists, which allowed us to greatly approve upon PRISM in V2. Here are some of the big changes to the tool.

Faster Workflow

As analysts and investigators, we need to be able to more efficiently work throughout a project. Previously, it was cumbersome to search for usernames, scrape data, and build out user profiles. Our analysts and Pilot Program users identified ways to expedite these processes. PRISM now has additional buttons to add profiles, add usernames, edit projects, and upload documents directly from the workbench. This allows users to spend less time clicking between areas of the tool and more time reviewing content.

Improved Exporting & Authentication

Before, PRISM only exported data into Microsoft Word formatted Rich Text (.rtf), Microsoft Excel XML format spreadsheet (.xlsx), and Comma-separated Value Plain Text (.csv) formats. As many of our users have additional needs, we expanded this selection to include Microsoft Access database (.accdb) and Adobe Portable Document Format (.pdf) files. All of these files include the MD5 hash values associated with each individual result for authentication purposes.

In addition, users can now download individual search results and native files to their computer in .pdf and Flash Video (.flv) formats. When these files are downloaded, a record of each download is created in an uneditable system log. This log can then be exported into .pdf format and will include information such as the hash value for the content downloaded and which specific result it came from. We added this feature to assist law enforcement agencies with evidence gathering and authentication.

Topic Monitoring

Previously, PRISM was designed as a case management system for individual profiles and groups of individuals. Over the course of testing, we discovered that both our analysts and Pilot Program users desired the ability to search in real-time across social media sites to find information about topics pertinent to their projects. In response, we built a topic monitor. Users now have the ability to search real-time content originating from Facebook, Google Plus, Instagram, Reddit, Twitter, and YouTube. All of these results can be highlighted to showcase important words, filtered down by word exclusion, and saved both within PRISM and locally on the user’s device.

Subscribing to PRISM

Now that PRISM V2 is released, subscriptions are available to all organizations. To learn more about PRISM or to get a demonstration, contact Blake Haase at

Wednesday, October 2, 2013

3 Key Takeaways from the SMILE Conference

It is fall, so it must be conference season. From September through October, members of the PRISM team will be in various locations across the country. Last week, three members of the PRISM team were in Omaha for the SMILE Conference. As we have a great relationship with law enforcement agencies, we thought it was pertinent to share some of the major takeaways from #smilecon.

Law Enforcement Agencies are Successfully Using Social Media

For those of you who are not familiar with SMILE, it is a conference at which law enforcement agencies network with one another and share best practices regarding the use of social media in law enforcement, from both a marketing and investigative perspective. It allows these agencies to learn new, innovative ways to harness the power of social media to build relationships with the community and combat crime. Throughout the conference, many speakers discussed how their agencies are successfully using social media to keep tabs on known offenders, curtail gang activity, monitor events, respond to disasters, and conduct undercover investigations. Officer Eric Draeger of the Milwaukee Police Department spoke about his department’s success doing a multitude of those things at once: They successfully use social media to disrupt gang activity and prevent incidents from occurring at large public gatherings.

Data Fusion is Imperative

As we wrote about from our experience at the i2 User Conference, agencies are integrating a variety of data sources into their process. With the proliferation of social media activity, law enforcement agencies now understand the fundamental need to incorporate social media data into their day-to-day operations. Social media records are now combined with traditional investigative data to conduct more thorough investigations. At SMILE, many agencies reported impressive results using social media information in their investigative processes.

Tools are a Must

In order to conduct social media monitoring and investigations, law enforcement agencies need tools. Nearly every presenter at SMILE was using some form of tool to assist them with the investigative process. The amount of readily available social media data is unfathomable and can be extremely overwhelming. Investigators and analysts must rely on tools to assist them with harvesting, processing, and analyzing social media data. Otherwise, they would be inundated with records and have difficulty making timely analyses.


Every time we go to a conference, we learn something new that allows us to improve our products and services for our clients. SMILE was no exception. We have been following trends of the use of social media, embracement of data fusion, and need for social media tools in law enforcement for some time now. It is one of the main reasons we developed PRISM. Both the i2 User Conference and SMILE reinforced our use of social media, data fusion, and PRISM in our investigative process.

About CES PRISM Blog

My photo
The CES PRISM blog is the place where CES shares the newest developments in social media sites and tools, data analytics, eDiscovery, investigations, and intelligence. We will also share workflow tips and tricks, case studies, and the developmental progress of our open source social media research and analysis tool, PRISM. Our goal is to open a dialogue with the community which allows all of us to learn together.