Monday, December 23, 2013

Issues Gathering Information Using Geo-location Parameters

We have been out at conferences recently, and there is a major shift in the investigative world to harness the power of geo-location data. This data can provide valuable insight into the whereabouts and patterns of groups and individuals. It is also vital when gathering intelligence and evidence about major events. However, there are many issues analysts must consider when they are moving to a geo-location based system and conducting location-based investigations and monitoring.

Privacy Settings and Restrictions

No matter how great a tool is, it cannot circumvent privacy settings. These settings can be instituted at both the user and site level. Ultimately, many of these privacy settings are implemented to protect users from harm. These privacy settings may scrub geo-location data from posts and/or restrict the flow of location-based information to real-time streams. Previously, Foursquare allowed applications to pull user check-in data without permission. Within the last year, Foursquare removed this feature and now requires users to first grant permission to applications to pull check-in data. As social media sites and applications make changes like these to protect the privacy of individuals, it will become increasingly difficult to base searches and monitors on geo-location data.

Savvy Users

An example of a Facebook user who posted from his couch in Florida but tagged himself in Mali.

As we discussed last week, savvy social media users bring their own challenges to the table. These users can opt to remove geo-location information from their content at a few different levels. First, they can turn off GPS tracking in their phones’ settings to prevent the device from acquiring their locations. Users can also opt to remove geotagging from their photos, which will prevent the data from being embedded in the photos’ EXIF data. Users have another option to remove geo-location data from their posts at the application level. Any users who disable geo-location tagging will ultimately prevent locations from being embedded in metadata, meaning the posts cannot be searched using location-based means. In addition, users can enter false location data into their profiles and posts, creating inaccurate geo-location data.

Defining the Location

Every social media site and geo-location tool defines areas differently. One tool may use specific coordinates to map exact locations of posts. Another may use geofencing to draw a specific area or radius around an exact location. Both of these means are problematic. Depending on the quality of the geo-location data collected from the device, users’ locations can often be marked miles away from their exact location at the time of the post. Sometimes the data about their location is collected from a user’s profile, which means a person posting from St. Augustine, Florida who lives in New York City may show up as making the post from New York City.

A further problem with defining locations arises from the use of language. Some tools allow users to use words to describe their area of interest. For instance, if we used New York City, that might encompass anything within the areas of the Bronx, Queens, Brooklyn, Staten Island, or Manhattan. However, some tools will only pick up New York City and will not recognize that synonyms include NYC or Manhattan or that neighborhoods within New York City include areas such as Harlem and the Lower East Side. These differences can often exclude data points from your area of interest.

Conquering the Problem

Currently, there are many challenges investigators and analysts face when parsing through geo-location data. Many of these issues arise from technology. Until social media sites perfect the collection and dissemination of geo-location data, all tools will be deficient in displaying the information. Additionally, until developers code more comprehensive means to categorize and disseminate geotagged data in tools, the information we can extract from them will be limited. However, there are a few things we can do to make our lives easier.

Foremost, we can use the language of the person or event or topic of interest. For instance, if we are monitoring activity in a specific neighborhood, we can use slang terms for the area, area codes, street names, popular businesses in the area, and any other terms which may describe the region. This can capture data which is not reliant upon geotagged metadata. Another way to maximize the capture of geo-location data is to use a variety of tools. Since every tool has issues collecting and displaying the applicable geographic data, harnessing the power of a multitude of sources allows us to build a more comprehensive data set to analyze.
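The location problems described above (imprecise device fixes, profile-derived locations, and place-name synonyms) can be handled explicitly when filtering collected posts. The following is an added example, not code from this blog or from PRISM; the post fields (`geo`, `source`, `accuracy_km`), the alias list, and the sample posts are all constructed assumptions.

```python
import math
import re

# Constructed alias list built from the place names in the New York City example.
NYC_ALIASES = ["new york city", "nyc", "manhattan", "harlem", "lower east side",
               "bronx", "queens", "brooklyn", "staten island"]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlon = math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def mentions_area(text, aliases):
    """True if any alias appears as a whole word or phrase (case-insensitive)."""
    pattern = r"\b(?:" + "|".join(re.escape(a) for a in aliases) + r")\b"
    return re.search(pattern, text, re.IGNORECASE) is not None

def classify(post, center, radius_km, aliases):
    """Label one post: inside, uncertain, outside, text_match, profile_only, no_signal."""
    geo = post.get("geo")
    if geo and geo["source"] == "device":
        d = haversine_km(geo["lat"], geo["lon"], *center)
        err = geo.get("accuracy_km", 0.0)
        if d + err <= radius_km:
            return "inside"       # whole error circle lies within the fence
        if d - err <= radius_km:
            return "uncertain"    # error circle overlaps the fence boundary
        return "outside"
    if mentions_area(post["text"], aliases):
        return "text_match"       # no trusted geotag, but the language places it
    # Profile-derived coordinates describe where the account says it lives,
    # not where the post was made, so they are flagged rather than counted.
    return "profile_only" if geo else "no_signal"

# Constructed sample posts (not real data).
CENTER, RADIUS_KM = (40.7580, -73.9855), 5.0
POSTS = [
    {"text": "lunch", "geo": {"lat": 40.7831, "lon": -73.9712, "source": "device", "accuracy_km": 0.05}},
    {"text": "stuck in traffic", "geo": {"lat": 40.7357, "lon": -74.1724, "source": "device", "accuracy_km": 12.0}},
    {"text": "Beach day in St. Augustine", "geo": {"lat": 40.7128, "lon": -74.0060, "source": "profile"}},
    {"text": "Block party in Harlem tonight", "geo": None},
    {"text": "sunnycity vibes", "geo": None},
]

def classify_all():
    return [classify(p, CENTER, RADIUS_KM, NYC_ALIASES) for p in POSTS]
```

Keeping `uncertain` and `profile_only` as separate labels lets an analyst review those posts by hand instead of silently counting or dropping them.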

Thursday, December 12, 2013

Issues Investigating Savvy Social Media Users

As we discussed last week, some social media users strive to gain greater privacy with their communications online. While some users have been protecting their online communications for some time, there is currently a shift to a more private online existence happening in some demographic groups, mainly with teens and young adults. This can be seen in trends throughout Internet-based activity, whether it is a switch to private browsing using Tor, the increasing usage of mobile messaging applications, or backlashes against violations of privacy laws. These savvy social media users can prove to be a challenge for online researchers and analysts. By using privacy-centric platforms, privacy settings, and fake or obscured identities, users can problematize online research of their identities and patterns of behavior.

Privacy-centric Platforms

In many cases, it can be almost impossible to locate a subject’s information due to the sheer nature of the platform itself. Many mobile applications do not have a corresponding website, browser accessible profiles, or search-indexed content. Additionally, many of these apps do not push content to other social media platforms, which restricts outside access to hidden content. These apps often require users to be connected in order to access information. For analysts, this would require us to use the application and request a connection to the person of interest. As many investigations are done without the knowledge of the subject, this can be highly problematic and may cause the user to delete their information. When these situations arise, the most complete information can only be obtained by accessing the device itself or through the use of surreptitious techniques, such as shadow accounts and device cloning.

Privacy Settings

A major hurdle for all investigators is privacy settings. While each social media site is different, in many cases, users can leverage four types of settings to make locating their social media profiles and content more difficult. First, whether by design of the social media platforms themselves or user settings, many social media profiles are removed from search indexes. This makes broad searches more difficult to execute and requires investigators to dig deeper into each individual social media site. Second, some social media sites allow users to remove themselves from the internal search feature and from friend/connection lists unless the person searching for them is connected to them. This means you either need to establish a connection with the individual or find a static link on another location or social media site. Additionally, users can restrict access to their profiles as a whole and the content contained on it. Finally, users can also restrict how unconnected users see their content posted throughout the rest of the social media site. All of these privacy settings can increase the manual work necessary to locate relevant profiles and content.

Obscured and Fake Identities

To hide their online activities, a user may opt to either obscure their real identity or create a fake persona. Obscured identities can take many forms. Users can employ false names, nicknames, unique usernames, or misleading profile information to hide their true identity. They can also choose not to link social media profiles together and use photos which conceal their faces and are not used on any other site. Users can also opt to use fake personas online. By using a fake identity, many users can break the connection from their real identities. In addition to some of the methods used to obscure their identities, many of these users will create completely new identities that are disconnected from their real social networks. Often, they will also use a variety of other means (e.g., VPNs, proxies) to conceal their actual physical location and network connection to prevent doxing.

Making the Information Work for You

It is important to always understand the limitations of social media data and the challenges you will face during open source research. Every social media site and application has its own limitations either through design or the use of privacy settings by savvy social media users. Before you dive into your online investigations, it is important to learn as much as possible about your subject and take note of the issues you might face along the way. Each piece of data will help you find potential obscured or fake identities and better assess the corners of the Internet to explore to find your person of interest.

Monday, December 2, 2013

Trends in Social Media: The Rise of Mobile Messaging Apps

In the 1990s, social media was messaging based. Many people interacted with one another in chat rooms and through instant messaging services like AIM and ICQ. While Geocities provided a place for people to build webpages, the extent of human interaction was usually rooted in guestbooks. Just like fashion, it was only a matter of time before we found ourselves back in the 1990s.

The Shift

Once parents and grandparents started heading for Facebook to keep up with their families, teens and young adults started scurrying to new social media outlets. Many of these platforms are mobile messaging applications which exist solely on handheld devices. Similar to instant and text messaging services, there are no social media profiles that family members and prospective employers can easily monitor from desktop and laptop computers. These sites provide safe havens for teens and young adults from the watchful eyes of outsiders. Currently, there are three major mobile messaging apps that dominate the field: Snapchat, Kik, and WhatsApp.


Snapchat is a photo and video messaging app that has become wildly popular amongst teens and young adults due to its “disappearing” messages, known as snaps. To create snaps, users manipulate photos and videos with built-in tools and send them to an exclusive group of friends. Unlike other photo sharing services like Instagram, where users have a profile and push content to other social media sites, snaps exist within the app itself. Snaps are only retained for a few seconds after being opened before they are removed from Snapchat’s servers and users’ mobile devices. (While there are some ways to extract this data using screenshots and forensic techniques, those methods are outside of the scope of this post.)


Kik is a mobile messaging service that incorporates group chat; photo, voice, and text messaging; and content sharing. Because of its wide array of content sharing options, most Kik users harness the power of Kik to replace traditional text messaging. Unlike many social media applications that allow users to push content to their other social media accounts, Kik only allows users to pull content into Kik from other sites and applications, such as YouTube and Twitter. This information is stored on mobile devices in a similar manner to text messages.


WhatsApp is a messaging app that works in a similar way to Kik. It allows users to have group chats and share video, photo, text, and location information. WhatsApp has become increasingly popular amongst mobile users, and some studies suggest it has even passed Facebook Messenger in popularity. Just like Kik, the information resides in the application itself on a user’s mobile device.

The Trouble With Messaging Apps

One of the major issues arising out of the shift to mobile messaging technology is child safety. As teenagers have fled Facebook, parents have become less able to monitor their children’s behavior. This has led to new avenues for cyber bullying, spreading child pornography, and initiating connections that lead to sexual assault. It also proves a significant challenge for law enforcement, as they have a difficult time tracking activity on these applications.

About CES PRISM Blog

The CES PRISM blog is the place where CES shares the newest developments in social media sites and tools, data analytics, eDiscovery, investigations, and intelligence. We will also share workflow tips and tricks, case studies, and the developmental progress of our open source social media research and analysis tool, PRISM. Our goal is to open a dialogue with the community which allows all of us to learn together.