Digital Underground: Cyber Thugs, Police, and Virtual Investigations (5 of 8)

In Sacramento, California, investigators found a photograph online of $120 worth of food from Carl’s Jr. that was purchased with a credit card stolen in one of the burglaries.[1] The manager thought the order was suspicious and wrote down the car’s license plate number.[2] Another employee snapped a picture of the receipt from the order and posted it on Instagram.[3] The employee’s friend saw the picture of the receipt.[4]  Coincidentally, the friend realized she followed one of the suspects on Instagram after he posted a photo of the food.

Carl Jr. Instagram[5]

The order included “five $6 burgers, five orange creme shakes, three barbeque chicken quesadillas, one bacon Swiss chicken sandwich, two double western sandwiches, two orders of fried zucchini, six orders of cross-cut fries, two teriyaki burgers, with added bacon, two barbeque chicken sandwiches, with added bacon, five southwest chicken tacos, with added sour cream. The total came out to $119.95.”[6]

How does this evidence get admitted to court?

Let’s say an investigator goes to a social media site to find evidence against a person suspected of committing a crime. They search the person’s name and find their profile. The investigator confirms the suspect’s identity through Facebook. He sees pictures, status updates and check-in location that could prove that the suspect committed the crime.

The investigator takes the information to a judge. He gets a warrant for the suspect’s arrest. The investigator finds and arrests the suspect. The case goes to trial. In court, the prosecutor uses the screen shots of the suspect’s Facebook page to prove that the suspect committed the crime. The suspect is found guilty. The case is closed and everyone lives happily ever after. Right? Wrong!

Investigating criminal activity on a social media site is the easy part, getting the evidence admitted into court is trickier than you may think. Even if you could take your computer in the courtroom log on to Facebook and show the judge the information, it still wouldn’t work. There is no guarantee that the information will still be available on the person’s page by the time trial rolls around. More than likely, the investigator would print a screen shot of the information. Although that may work in a pinch to get started, in the new reality of social media evidence, it just isn’t enough.[7] When it comes to sleuthing social sites, a screenshot of a Facebook post doesn’t cut it.[8] You may need to establish relevance before you investigate a site, and you’ll need more than just a person’s posts—you’ll need the underlying metadata.[9]

Legal challenges regarding the authentication and preservation of social media evidence are becoming more commonplace.[10] Metadata is at the center of most legal challenges.[11] You may ask, what is metadata? Metadata is simply data about data. It is descriptive information about a particular data set, object, or resource, including how it is formatted, and when and by whom it was collected.[12]

Electronic, evidence like any other evidence must be authenticated and relevant before being admitted to the court. Under Federal Rules of Evidence:

Rule 901(a), a proponent of evidence at trial must offer “evidence sufficient to support a finding that the matter in question is what its proponent claims.” Unless uncontroverted and cooperative witness testimony is available, the proponent must rely on other means to establish a proper foundation. A party can authenticate electronically stored information (“ESI”) per Rule 901(b)(4) with circumstantial evidence that reflects the “contents, substance, internal patterns, or other distinctive characteristics” of the evidence. Many courts have applied Rule 901(b)(4) by ruling that metadata and file level hash values associated with ESI can be sufficient circumstantial evidence to establish its authenticity.[13]

Recently, a Georgia court used a two-part test to determine whether evidence from a social media site was admissible. The court explained that screen shots and printouts from social media sites must first be authenticated as accurately reflecting the content of the page and the image of the page on the computer at which the printout was made before they can be introduced into evidence.[14] Then, to be relevant and material to the case at hand, the printouts often will need to be further authenticated as having been posted by a particular source.”[15]

Social media data must be properly collected, preserved, searched, and produced in a manner that ensures that all available circumstantial evidence is available, including metadata.[16] Authenticity is easier to establish when social media is collected with a proper chain of custody and all associated metadata is preserved.[17]


The above picture details the type of metadata found on a Facebook page. Any one or combination of these fields can be key circumstantial data to authenticate a social media item, or constitute substantive evidence in and of itself.[19] (Twitter, LinkedIn, and other services’ postings have their own unique but generally comparable metadata.)[20]

Why is metadata important?

A screenshot of a Facebook photo or status update shows merely content, not underlying corroborating evidence.[21] “The metadata that lies “beneath” that photo or posting is crucial.”[22] Metadata can provide important information to establish the authenticity of a post, if it is properly collected and preserved.[23]

Metadata can mean the difference between winning and losing a case. A Connecticut court rejected Facebook evidence in the form of a simple printout for inadequate authentication.[24] In this case, the defendant was involved in a fight where two people were stabbed.[25] Subsequently, the defendant was arrested and charged with assault with a dangerous weapon.[26]

A witness testified that the defendant said, “if anyone messes with me tonight, I am going to stab them.”[27] Defense counsel sought to impeach the witness with printouts of Facebook messages. The defendant’s counsel argued that based on the defendant’s testimony and the witness’s identification of her user name, there was a sufficient foundation to admit the document for the jury’s consideration. The court did not agree.

The court noted that the party seeking to admit the social media data had the burden of offering detailed “circumstantial evidence that tends to authenticate” the unique medium of social media evidence.[28]

However, in a Texas case, a defendant was accused of murder. A witness found information related to the murder on Myspace.[29] The page contained “numerous photographs of defendant, page referenced victim’s death and music played at his funeral, page contained references to defendant’s gang, author complained about his electronic monitor, which was a condition of defendant’s house arrest while awaiting trial, author’s name corresponded to defendant’s name and nickname, and author’s e-mail address corresponded to defendant’s name.”[30] Prosecution had the witness identify the printouts as the profiles she had found on MySpace.[31] The prosecutor also offered into evidence the subscriber reports and accompanying affidavits subpoenaed from MySpace.[32] The court found that the content of postings on social-networking webpage was sufficient circumstantial evidence to establish that the defendant was the author of the webpage.[33]

Social media sites are valuable tools for law enforcement. As long as criminals keep bragging on their sites and posting incriminating pictures, police will be able find incriminating evidence and put criminals behind bars. They just have to remember to get all the evidence.

The next blog will discuss what happens when police refuse to investigate using social media sites.

[1] Tillie Fong, Instagram Photo Of $120 Carl’s Jr. Order Leads To 4 Burglary Arrests The Sacramento Bee (Published: Tuesday, Nov. 12, 2013 – 12:03 am Last Modified: Thursday, Nov. 14, 2013 – 1:02 pm)

[2] Id.

[3] Id.

[4] Id.

[5] Id.

[6] Id.

[7] Eli Rosenblatt, Social Media Investigations, Part 2: Peeling Back the Layers, Pursuit Magazine (October 17, 2013)

[8] Eli Rosenblatt, Social Media Investigations, Part 2: Peeling Back the Layers, Pursuit Magazine (October 17, 2013)

[9] Id.

[10] Id.

[11] Id.

[12] University Information Technology Services, Knowledge Database, Indiana University (October 04, 2013)

[13] JOHN PATZAKIS, Overcoming Potential Legal Challenges to the Authentication of Social Media Evidence (APRIL 2, 2012)

[14] In re L.P., A13A1063, 2013 WL 5452458 (Ga. Ct. App. 2013)

[15] In re L.P., A13A1063, 2013 WL 5452458 (Ga. Ct. App. 2013)

[16] Eli Rosenblatt, Social Media Investigations, Part 2: Peeling Back the Layers, Pursuit Magazine (October 17, 2013)

[17] Id.

[19] Eli Rosenblatt, Social Media Investigations, Part 2: Peeling Back the Layers, Pursuit Magazine (October 17, 2013)

[20] Id. Part 2

[21] Id.

[22] Id.

[23] Id.

[24] Id.

[25] State v. Eleck, 130 Conn. App. 632, 634, 23 A.3d 818, 819 (Conn. App. Ct. 2011)

[26] State v. Eleck, 130 Conn. App. 632, 634, 23 A.3d 818, 820 (Conn. App. Ct. 2011)

[27] Id at 821.

[28] Id.

[29] Tienda v. State, 358 S.W.3d 633 (Tex. Crim. App. 2012)

[30] Id.

[31] Id.

[32] Id.

[33] Id.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: