Monday, December 23, 2013

Issues Gathering Information Using Geo-location Parameters

We have been out at conferences recently, and there is a major shift in the investigative world to harness the power of geo-location data. This data can provide valuable insight into the whereabouts and patterns of groups and individuals. It is also vital when gathering intelligence and evidence about major events. However, there are many issues analysts must consider when they are moving to a geo-location based system and conducting location-based investigations and monitoring.

Privacy Settings and Restrictions

No matter how great a tool is, it cannot circumvent privacy settings. These settings can be instituted at both the user and site level. Ultimately, many of these privacy settings are implemented to protect users from harm. These privacy settings may scrub geo-location data from posts and/or restrict the flow of location-based information to real-time streams. Previously, Foursquare allowed applications to pull user check-in data without permission. Within the last year, Foursquare removed this feature and now requires users to first grant permission to applications to pull check-in data. As social media sites and applications make changes like these to protect the privacy of individuals, it will become increasingly difficult to base searches and monitors on geo-location data.

Savvy Users

An example of a Facebook user who posted from his couch in Florida but tagged himself in Mali.

As we discussed last week, savvy social media users bring their own challenges to the table. These users can opt to remove geo-location information from their content at a few different levels. First, they can turn off GPS tracking in their phones’ settings to prevent the device from acquiring their locations. Users can also opt to remove geotagging from their photos, which will prevent the data from being embedded in the photos’ EXIF data. Users have another option to remove geo-location data from their posts at the application level. Any users who disable geo-location tagging will ultimately prevent locations from being embedded in metadata, meaning the posts cannot be searched using location-based means. In addition, users can enter false location data into their profiles and posts, creating inaccurate geo-location data.

Defining the Location

Every social media site and geo-location tool defines areas differently. One tool may use specific coordinates to map exact locations of posts. Another may use geofencing to draw a specific area or radius around an exact location. Both of these means are problematic. Depending on the quality of the geo-location data collected from the device, users’ locations can often be marked miles away from their exact location at the time of the post. Sometimes the data about their location is collected from a user’s profile, which means a person posting from St. Augustine, Florida who lives in New York City may show up as making the post from New York City.

A further problem with defining locations arises from the use of language. Some tools allow users to use words to describe their area of interest. For instance, if we used New York City, that might encompass anything within the areas of the Bronx, Queens, Brooklyn, Staten Island, or Manhattan. However, some tools will only pick up New York City and will not recognize that synonyms include NYC or Manhattan or that neighborhoods within New York City include areas such as Harlem and the Lower East Side. These differences can often exclude data points from your area of interest.

Conquering the Problem

Currently, there are many challenges investigators and analysts face when parsing through geo-location data. Many of these issues arise from technology. Until social media sites perfect the collection and dissemination of geo-location data, all tools will be deficient in displaying the information. Additionally, until developers code more comprehensive means to categorize and disseminate geotagged data in tools, the information we can extract from them will be limited. However, there are a few things we can do to make our lives easier.

Foremost, we can use the language of the person or event or topic of interest. For instance, if we are monitoring activity in a specific neighborhood, we can use slang terms for the area, area codes, street names, popular businesses in the area, and any other terms which may describe the region. This can capture data which is not reliant upon geotagged metadata. Another way to maximize the capture of geo-location data is to use a variety of tools. Since every tool has issues collecting and displaying the applicable geographic data, harnessing the power of a multitude of sources allows us to build a more comprehensive data set to analyze.
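The two problems from "Defining the Location" (profile-derived coordinates, and place names that a tool does not expand) and the language-based workaround above can be shown on a handful of posts. This is an added example, not code from PRISM or any tool named in this post; the posts, the 30 km fence, the alias list layout and all function names are constructed for illustration.

```python
import math
import re

# Constructed gazetteer for one area of interest. The place names are the ones
# the post lists; the dict layout and the 30 km fence are assumptions.
AREA = "New York City"
ALIASES = {AREA: ["new york city", "nyc", "manhattan", "the bronx", "queens",
                  "brooklyn", "staten island", "harlem", "lower east side"]}
FENCE = (40.7128, -74.0060, 30.0)   # centre lat, centre lon, radius in km

# Constructed sample posts. "device" is a GPS fix attached to the post,
# "profile" is a coordinate geocoded from the account's home location.
POSTS = [
    {"id": "A", "device": None, "profile": (40.7128, -74.0060),
     "text": "Beach day in St. Augustine"},
    {"id": "B", "device": None, "profile": None,
     "text": "Block party in Harlem tonight"},
    {"id": "C", "device": (40.6782, -73.9442), "profile": None,
     "text": "Lunch break"},
    {"id": "D", "device": None, "profile": None,
     "text": "Flying into NYC tomorrow"},
    {"id": "E", "device": (25.7617, -80.1918), "profile": None,
     "text": "Traffic is terrible"},
]

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def in_fence(point, fence):
    """True when the point lies within the fence radius of its centre."""
    lat, lon, radius_km = fence
    return haversine_km(point, (lat, lon)) <= radius_km

def text_hit(text, area, expand):
    """Whole-word match on the area name, or on every alias when expand=True."""
    terms = ALIASES[area] if expand else [area.lower()]
    low = text.lower()
    return any(re.search(r"\b" + re.escape(t) + r"\b", low) for t in terms)

def evidence(post, area=AREA, fence=FENCE, expand=True):
    """List every basis on which a post falls inside the area.

    Keeping the basis visible lets an analyst separate a GPS fix from a
    profile-derived guess instead of plotting both as the same kind of dot.
    """
    found = []
    if post["device"] and in_fence(post["device"], fence):
        found.append("device")
    if post["profile"] and in_fence(post["profile"], fence):
        found.append("profile")
    if text_hit(post["text"], area, expand):
        found.append("text")
    return found

def matched_ids(posts, **kw):
    """Ids of the posts that have at least one basis for being in the area."""
    return [p["id"] for p in posts if evidence(p, **kw)]

if __name__ == "__main__":
    for p in POSTS:
        # id, bases with exact-name matching only, bases with aliases expanded
        print(p["id"], evidence(p, expand=False), evidence(p))
```

Post A is the St. Augustine case: it lands in the area on its profile alone, so it should be weighed as a home location rather than a position. Shrinking the fence radius to 5 km drops post C, a Brooklyn GPS fix, which shows how much the result depends on how the area is drawn.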

Thursday, December 12, 2013

Issues Investigating Savvy Social Media Users

As we discussed last week, some social media users strive to gain greater privacy with their communications online. While some users have been protecting their online communications for some time, there is currently a shift to a more private online existence happening in some demographic groups, mainly with teens and young adults. This can be seen in trends throughout Internet-based activity, whether it is a switch to private browsing using Tor, the increasing usage of mobile messaging applications, or backlashes against violations of privacy laws. These savvy social media users can prove to be a challenge for online researchers and analysts. By using privacy-centric platforms, privacy settings, and fake or obscured identities, users can problematize online research of their identities and patterns of behavior.

Privacy-centric Platforms

In many cases, it can be almost impossible to locate a subject’s information due to the sheer nature of the platform itself. Many mobile applications do not have a corresponding website, browser accessible profiles, or search-indexed content. Additionally, many of these apps do not push content to other social media platforms, which restricts outside access to hidden content. These apps often require users to be connected in order to access information. For analysts, this would require us to use the application and request a connection to the person of interest. As many investigations are done without the knowledge of the subject, this can be highly problematic and may cause the user to delete their information. When these situations arise, the most complete information can only be obtained by accessing the device itself or through the use of surreptitious techniques, such as shadow accounts and device cloning.

Privacy Settings

A major hurdle for all investigators is privacy settings. While each social media site is different, in many cases, users can leverage four types of settings to make locating their social media profiles and content more difficult. First, whether by design of the social media platforms themselves or user settings, many social media profiles are removed from search indexes. This makes broad searches more difficult to execute and requires investigators to dig deeper into each individual social media site. Second, some social media sites allow users to remove themselves from the internal search feature and from friend/connection lists unless the person searching for them is connected to them. This means you either need to establish a connection with the individual or find a static link on another location or social media site. Additionally, users can restrict access to their profiles as a whole and the content contained on it. Finally, users can also restrict how unconnected users see their content posted throughout the rest of the social media site. All of these privacy settings can increase the manual work necessary to locate relevant profiles and content.

Obscured and Fake Identities

To hide their online activities, a user may opt to either obscure their real identity or create a fake persona. Obscured identities can take many forms. Users can employ false names, nicknames, unique usernames, or misleading profile information to hide their true identity. They can also choose not to link social media profiles together and use photos which conceal their faces and are not used on any other site. Users can also opt to use fake personas online. By using a fake identity, many users can break the connection from their real identities. In addition to some of the methods used to obscure their identities, many of these users will create completely new identities that are disconnected from their real social networks. Often, they will also use a variety of other means (e.g., VPNs, proxies) to conceal their actual physical location and network connection to prevent doxing.

Making the Information Work for You

It is important to always understand the limitations of social media data and the challenges you will face during open source research. Every social media site and application has its own limitations either through design or the use of privacy settings by savvy social media users. Before you dive into your online investigations, it is important to learn as much as possible about your subject and take note of the issues you might face along the way. Each piece of data will help you find potential obscured or fake identities and better assess the corners of the Internet to explore to find your person of interest.

Monday, December 2, 2013

Trends in Social Media: The Rise of Mobile Messaging Apps

In the 1990s, social media was messaging based. Many people interacted with one another in chat rooms and through instant messaging services like AIM and ICQ. While Geocities provided a place for people to build webpages, the extent of human interaction was usually rooted in guestbooks. Just like fashion, it was only a matter of time before we found ourselves back in the 1990s.

The Shift

Once parents and grandparents started heading for Facebook to keep up with their families, teens and young adults started scurrying to new social media outlets. Many of these platforms are mobile messaging applications which exist solely on handheld devices. Similar to instant and text messaging services, there are no social media profiles that family members and prospective employers can easily monitor from desktop and laptop computers. These sites provide safe havens for teens and young adults from the watchful eyes of outsiders. Currently, there are three major mobile messaging apps that dominate the field: Snapchat, Kik, and WhatsApp.


Snapchat is a photo and video messaging app that has become wildly popular amongst teens and young adults due to its “disappearing” messages, known as snaps. To create snaps, users manipulate photos and videos with built-in tools and send them to an exclusive group of friends. Unlike other photo sharing services like Instagram, where users have a profile and push content to other social media sites, snaps exist within the app itself. Snaps are only retained for a few seconds after being opened before they are removed from Snapchat’s servers and users’ mobile devices. (While there are some ways to extract this data using screenshots and forensic techniques, those methods are outside of the scope of this post.)


Kik is a mobile messaging service that incorporates group chat; photo, voice, and text messaging; and content sharing. Because of its wide array of content sharing options, most Kik users harness the power of Kik to replace traditional text messaging. Unlike many social media applications that allow users to push content to their other social media accounts, Kik only allows users to pull content into Kik from other sites and applications, such as YouTube and Twitter. This information is stored on mobile devices in a similar manner to text messages.


WhatsApp is a messaging app that works in a similar way to Kik. It allows users to have group chats and share video, photo, text, and location information. WhatsApp has become increasingly popular amongst mobile users, and some studies suggest it has even passed Facebook Messenger in popularity. Just like Kik, the information resides in the application itself on a user’s mobile device.

The Trouble With Messaging Apps

One of the major issues arising out of the shift to mobile messaging technology is child safety. As teenagers have fled Facebook, parents have become less able to monitor their children’s behavior. This has led to new avenues for cyber bullying, spreading child pornography, and initiating connections that lead to sexual assault. It also proves a significant challenge for law enforcement, as they have a difficult time tracking activity on these applications.

Thursday, November 21, 2013

Social Media Platforms 101: Twitter

While Facebook may be the most popular social media site, Twitter is perhaps the most prolific social media site in the world. Content from Twitter is constantly quoted in news articles, has had a hand in the Arab Spring and other political demonstrations, and is growing in popularity amongst teens and other heavy users of mobile technology. In many ways, Twitter is one of the most important social media sites to peruse during the course of online research and investigations.

What is Twitter?

A screenshot of Wil Wheaton’s (@wilw) Twitter profile

Twitter is a microblogging site which allows users to tweet text and links to pictures, videos, and other content in 140 characters or fewer. Each user’s Twitter experience is customizable, as they choose to follow only the users that are of interest to them. The tweets from the followed users appear on the Twitter homepage. Additionally, each user has a Twitter profile on which others can see the user’s last 3200 tweets, followers, followings, and photos and videos.

Another important feature of Twitter is the hashtag. The hashtag was first used on Twitter by users to communicate with one another about a specific topic and is now used on a variety of other social media sites. By clicking on a hashtag, users can execute a real-time search across Twitter to find tweets containing the same hashtag. That search can be sorted by top tweets, all tweets, or tweets from known users. It can also be saved for later use.

What Can You Learn from Twitter?

A screenshot of the JFK trending topic

Twitter allows researchers and analysts to gather a wealth of information about any individual or topic of interest. More than half of all Twitter users leverage the site to access news coverage. Similarly, many users post live coverage of events occurring around them, and Twitter is testing a breaking news feature which allows them to alert users of breaking news in their area. By utilizing hashtags and trending topics, researchers can find information on almost anything of interest.

The amount of information Twitter contains about any given user is astonishing. Using advanced search techniques, you can read every tweet made by an individual user. These tweets can contain information regarding a person’s habits, interests, general disposition, social networks, and locations. Additionally, with the number of social media applications that push content to Twitter, it is easy to quickly identify other social media accounts of a person of interest.

How Can You Use Information from Twitter?

How to leverage information from Twitter is entirely dependent upon the needs of your research or investigation. If you are monitoring topics or events using Twitter, you can use a variety of free and paid tools to identify and capture tweets using keyword or location-based searches. Many of these tools have alert features built in which will tell you when there are new posts about your topic or area of interest. Similarly, you can also use free or paid tools to monitor and capture individual users’ information.

Ultimately, Twitter is an excellent starting point for any investigation. You can do broad-based topic research to identify language patterns and influencers of topics and events of interest. Once you identify your users of interest, you can map out their social networks and movements to establish patterns of behavior and identify even more sources of information. In the future, we will be giving more in-depth tips on how to conduct these investigations in another social media platforms series.

Wednesday, October 30, 2013

Developing PRISM: V2 is Here

For the past few weeks, the PRISM team has been diligently working to test the new version of PRISM. We are proud to announce that, after months of development, we have finally released PRISM V2. As we discussed in an earlier post, Version 1 was originally developed for internal users. In order to test our features and gain valuable feedback from external users, we launched a Pilot Program with select law enforcement agencies across the US. They found bugs, identified workflow issues, gave valuable critiques, and made feature wish lists, which allowed us to greatly improve upon PRISM in V2. Here are some of the big changes to the tool.

Faster Workflow

As analysts and investigators, we need to be able to more efficiently work throughout a project. Previously, it was cumbersome to search for usernames, scrape data, and build out user profiles. Our analysts and Pilot Program users identified ways to expedite these processes. PRISM now has additional buttons to add profiles, add usernames, edit projects, and upload documents directly from the workbench. This allows users to spend less time clicking between areas of the tool and more time reviewing content.

Improved Exporting & Authentication

Before, PRISM only exported data into Microsoft Word formatted Rich Text (.rtf), Microsoft Excel XML format spreadsheet (.xlsx), and Comma-separated Value Plain Text (.csv) formats. As many of our users have additional needs, we expanded this selection to include Microsoft Access database (.accdb) and Adobe Portable Document Format (.pdf) files. All of these files include the MD5 hash values associated with each individual result for authentication purposes.

In addition, users can now download individual search results and native files to their computer in .pdf and Flash Video (.flv) formats. When these files are downloaded, a record of each download is created in an uneditable system log. This log can then be exported into .pdf format and will include information such as the hash value for the content downloaded and which specific result it came from. We added this feature to assist law enforcement agencies with evidence gathering and authentication.
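A sketch of how a per-result hash and a tamper-evident download log can fit together, as an added example that is not PRISM's implementation. MD5 is the digest this post names; SHA-256 is recorded alongside it here because MD5 collisions can be constructed deliberately. The hash-chained log format, field names, function names and sample records are all assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # stands in for the "previous hash" of the first entry

def digests(data: bytes) -> dict:
    """MD5 as named in the post, plus SHA-256 (an addition in this example)."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}

def seal(body: dict) -> str:
    """SHA-256 over an entry's canonical JSON form (sorted keys, no spaces)."""
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()

def record_download(log: list, result_id: str, filename: str,
                    data: bytes, when: str) -> dict:
    """Append one download record that commits to the entry before it."""
    body = {"seq": len(log), "time": when, "result_id": result_id,
            "file": filename,
            "prev": log[-1]["entry_hash"] if log else GENESIS}
    body.update(digests(data))
    entry = dict(body, entry_hash=seal(body))
    log.append(entry)
    return entry

def first_bad_entry(log: list) -> int:
    """Index of the first entry that was edited, reordered or follows a
    removed entry; -1 when the whole chain verifies."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if (entry.get("seq") != i or entry.get("prev") != prev
                or seal(body) != entry.get("entry_hash")):
            return i
        prev = entry["entry_hash"]
    return -1

def file_matches(entry: dict, data: bytes) -> bool:
    """Check a produced file against both digests stored in its log entry."""
    d = digests(data)
    return d["md5"] == entry["md5"] and d["sha256"] == entry["sha256"]

def sample_log() -> list:
    """Constructed records: ids, file names, contents and times are made up."""
    log = []
    record_download(log, "result-0001", "post.pdf",
                    b"%PDF-1.4 constructed sample", "2013-10-30T14:00:00Z")
    record_download(log, "result-0002", "clip.flv",
                    b"FLV constructed sample", "2013-10-30T14:05:00Z")
    record_download(log, "result-0003", "thread.pdf",
                    b"%PDF-1.4 another sample", "2013-10-30T14:09:00Z")
    return log

if __name__ == "__main__":
    log = sample_log()
    print("chain intact:", first_bad_entry(log) == -1)
    log[1]["result_id"] = "result-9999"          # simulate an edit
    print("first bad entry after edit:", first_bad_entry(log))
```

A chain like this detects edits to earlier entries but not a rewrite of the whole log, so the newest `entry_hash` needs to be stored somewhere the log's custodian cannot change.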

Topic Monitoring

Previously, PRISM was designed as a case management system for individual profiles and groups of individuals. Over the course of testing, we discovered that both our analysts and Pilot Program users desired the ability to search in real-time across social media sites to find information about topics pertinent to their projects. In response, we built a topic monitor. Users now have the ability to search real-time content originating from Facebook, Google Plus, Instagram, Reddit, Twitter, and YouTube. All of these results can be highlighted to showcase important words, filtered down by word exclusion, and saved both within PRISM and locally on the user’s device.

Subscribing to PRISM

Now that PRISM V2 is released, subscriptions are available to all organizations. To learn more about PRISM or to get a demonstration, contact Blake Haase at

Wednesday, October 2, 2013

3 Key Takeaways from the SMILE Conference

It is fall, so it must be conference season. From September through October, members of the PRISM team will be in various locations across the country. Last week, three members of the PRISM team were in Omaha for the SMILE Conference. As we have a great relationship with law enforcement agencies, we thought it was pertinent to share some of the major takeaways from #smilecon.

Law Enforcement Agencies are Successfully Using Social Media

For those of you who are not familiar with SMILE, it is a conference at which law enforcement agencies network with one another and share best practices regarding the use of social media in law enforcement, from both a marketing and investigative perspective. It allows these agencies to learn new, innovative ways to harness the power of social media to build relationships with the community and combat crime. Throughout the conference, many speakers discussed how their agencies are successfully using social media to keep tabs on known offenders, curtail gang activity, monitor events, respond to disasters, and conduct undercover investigations. Officer Eric Draeger of the Milwaukee Police Department spoke about his department’s success doing a multitude of those things at once: They successfully use social media to disrupt gang activity and prevent incidents from occurring at large public gatherings.

Data Fusion is Imperative

As we wrote about from our experience at the i2 User Conference, agencies are integrating a variety of data sources into their process. With the proliferation of social media activity, law enforcement agencies now understand the fundamental need to incorporate social media data into their day-to-day operations. Social media records are now combined with traditional investigative data to conduct more thorough investigations. At SMILE, many agencies reported impressive results using social media information in their investigative processes.

Tools are a Must

In order to conduct social media monitoring and investigations, law enforcement agencies need tools. Nearly every presenter at SMILE was using some form of tool to assist them with the investigative process. The amount of readily available social media data is unfathomable and can be extremely overwhelming. Investigators and analysts must rely on tools to assist them with harvesting, processing, and analyzing social media data. Otherwise, they would be inundated with records and have difficulty making timely analyses.


Every time we go to a conference, we learn something new that allows us to improve our products and services for our clients. SMILE was no exception. We have been following trends in the use of social media, the embrace of data fusion, and the need for social media tools in law enforcement for some time now. It is one of the main reasons we developed PRISM. Both the i2 User Conference and SMILE reinforced our use of social media, data fusion, and PRISM in our investigative process.

Sunday, September 29, 2013

Building a Better Tool Chest: Browser Apps & Extensions

As an organization aiming to use the best tools possible, many of our analysts rely on the power of Google Chrome. Chrome is developer friendly and has a wide variety of free apps and extensions available for use in the Chrome Web Store, which allows us to increase performance even on the browser level. In order to increase efficiency, we rely heavily on tools to block ads, quickly screen images, and capture screenshots. Here are three tools that can help increase the performance of your workflow during online investigations.

Adblock Plus

A screenshot of a Google search with ads blocked via Adblock Plus

One of the major things we have to worry about in the Internet advertising era is the browser slowdown that occurs from ads. Adblock Plus is one of the best adblockers out there. It blocks ads on sites such as Google, Facebook, and YouTube. Instead of wasting time sitting through videos and waiting for pages to load, you can quickly and easily navigate the Internet using Adblock. It is important to note that in order to block all ads, you have to set your options in Adblock Plus by unchecking the box for “Allow some non-intrusive advertising.” (Not a Chrome user? Adblock Plus is available for a variety of browsers.)

Hover Zoom

A screenshot of a Google Image search while using Hover Zoom

Hover Zoom is one of our favorites because of its ability to save time. Traditionally, whenever photos appear on websites, you have to click into them to see a larger version of the photo. Hover Zoom skips this step in the workflow process. Once you hover over the photo with your cursor, a larger view of the image will appear. This tool is perfect for going through large batches of images on photo and social media sites. (Currently, Hover Zoom is only available for Google Chrome.)

Lightshot

A screenshot of PRISM being captured by Lightshot

We used to be ardent Awesome Screenshot users, but lately it has only worked sporadically. Recently, we discovered Lightshot as a viable alternative. Lightshot is user friendly and has great features built in for photo editing and exporting, as well as searching for similar images on Google. So far, it is proving to be the best alternative to our old standby. (Lightshot is available for a variety of operating systems and browsers.)

This list is in no way inclusive of all of the tools that can save you time during online research. In the past, we wrote about the Chrome extension Image Tools and its ability to assist with image searching and examining EXIF data. There are a variety of other extensions for Chrome that can assist you with first-language translation, secure browsing, cache clearing, RSS reading, and more. Add-ons are not exclusive to Chrome. You can often find similar tools on Firefox and Internet Explorer. No matter which browser you use, you can help ensure you are working efficiently just by building out a better browser.

Saturday, September 21, 2013

Social Media Platforms 101: Reddit

At the i2 User Conference we realized that people have started gaining a better appreciation for comprehensive societal knowledge. There is no website in the United States that can provide domestic cultural knowledge on a greater level than reddit.

What Is Reddit?

Reddit is a social media platform that allows redditors (users) to share content with one another. The structure and the language patterns of reddit are similar to that of a traditional online forum. Redditors customize their reddit experience by subscribing to subreddits (essentially subforums) about topics of interest. The content is shared on reddit as links and text (“self”) posts on subreddits, and redditors upvote and downvote content based upon their personal preferences. These votes influence what individual users see on their reddit front (feed/homepage).

What Can You Learn From Reddit?

Unlike more traditional social media sites such as Facebook or LinkedIn, reddit is not typically a site in which you learn about an individual user. Most redditors are anonymous and make it difficult to ascertain their true identity. Reddit is typically used more to share and identify online content. There are four major types of information redditors can access: breaking news, general cultural trends, topical knowledge, and subculture familiarity.

Many times, we have identified breaking events on reddit before they hit major news outlets, which allowed us to have better situational awareness than if we had relied on traditional news media. Reddit also provides us with an abundance of cultural memes on the Internet; this allows our investigators and analysts to more accurately discern the meaning of social media posts made by persons of interest.

One of the best things about reddit is that there is a subreddit for almost anything, which allows us to learn about almost any topic or subculture of interest. Want to know more about law enforcement officers or ask them questions? Subscribe to ProtectAndServe. Interested in video footage of combat? Check out CombatFootage. Need to know more about marijuana users and production? Visit Trees (not to be confused with MarijuanaEnthusiasts, which is actually about trees). There is very little limit to what you can learn from reddit.

How Can You Use Information Found on Reddit?

Fundamentally, reddit makes you a better investigator by providing you with the general cultural knowledge you need to complete almost any task. No matter who or what the subject is at hand, you can learn more about it. Often, subreddits will even identify external websites associated with the content found in the subreddit. From learning about a person of interest’s subcultural groups and language patterns to keeping up with changes in information technology, reddit can provide a great starting point for your research.

About CES PRISM Blog

The CES PRISM blog is the place where CES shares the newest developments in social media sites and tools, data analytics, eDiscovery, investigations, and intelligence. We will also share workflow tips and tricks, case studies, and the developmental progress of our open source social media research and analysis tool, PRISM. Our goal is to open a dialogue with the community which allows all of us to learn together.