Digital Forensic Science – Social Media

In the first of a series of posts around digital technology and its impact on forensic science, we’re going to explore the digital world of social media, how criminals are using it and how the police and forensic scientists are using social media to catch and prosecute criminals.


Social media has introduced new ways of both committing and solving crimes into our increasingly digitised world. Services like Facebook, Twitter and Instagram create opportunities for criminal activity, but they also allow police services to scour publicly generated user information – posts, pictures, videos and personal information to help catch and prosecute criminals.

Using Social Media to Enable Fraud

Social media has featured in at least 61,000 crime reports to Action Fraud in the UK in 2020-2021, with losses of more than £120m recorded from fraud. More generally, computer misuse offences were up last year by 36% to 1.7m – mostly driven by the hacking of social media accounts and email.

Social media is also a deep pool of personal data. People feel safe to share personal details on social media platforms  which are designed to connect them with friends and family. However, without due care, personal data, such as name, phone number, address, and even your location can be stolen and used for identity theft or the creation of synthetic identities.

Some of the most common methods and techniques identified as part of this research to exploit the social media ecosystem and spread infections include:

  • Infected adverts – around 30-40% of social media malware arise from clicks on infected adverts. Notorious examples of this include adverts for Ray-Ban sunglasses or Nike shoes found on Instagram, Facebook and elsewhere, which deliver a virus when clicked.
  • Plug-ins and apps – this report found that at least 30% of social media infections arise from social media plug-ins that claim to provide additional functionality for victims. These include games, personality tests and more. The volume appears to vary significantly by platform. For example, at least 60% of infections on Facebook arise from malicious 3rd party apps downloaded from the site.
  • News posts, updates and photos from friends – receiving updates about what friends are doing or what is happening in the wider world has been an obvious ingredient of the appeal of social media. Cybercriminals have been quick to see how posts or updates from friends can be exploited to plant malware or to access personal data. The extensive use of friends’ and associates’ photographs across the Facebook platform has provided another risk. Cybercriminals have used photo tag notifications to persuade users to open an attachment, which then downloads malware.
  • Funny photographs and videos – another method of criminal persuasion utilises links to the ‘funny’ or amusing videos often found in social media posts. Around 15% of social media infections come from this method and in 2015, over 100,000 Facebook users were infected over the course of just three days in this way.
  • Drive-by downloads – these are malware downloads which can happen even when the user doesn’t actively open any files or install content. Even a seemingly innocuous action, like visiting a website recommended in a social media post can be risky if the website has been hijacked and contains a small piece of code which redirects the user to another address containing malware. The wide variety of content that can be accessed via social media platforms make users especially vulnerable to such attacks. Data obtained for this research from SANS shows that drive-by download attacks now represent one of the common methods used by cybercriminals to attack organisations, accounting for around 48% of attacks which exploit web-based vulnerabilities
  • Phishing and spear phishing – there has been a rise in ‘social network phishing’, where cybercriminals create fake social media pages for data harvesting. In 2018, 60% of social network phishing occurred via fake Facebook sites, 20% via fake sites for the Russian social media platform VKand around 13% via phony LinkedIn pages. Social media phishing has been on the increase and the capacity of hackers to persuade social media users to access infected links is greatly aided by spear phishing techniques, which use personalised details of posts and topics obtained from timelines to make the victim believe a connection is real. Recent research has suggested anything between a 30-60% success rate in persuading users to click on more personalised content.

Using Social Media for Traditional Crime

Social media offers criminals practically an indefinitely large pool of potential victims and data they can target. People are spending an increasing amount of time on social media websites. According to data from Statista, the average time per day that users spend on social networking platforms is 118 minutes. The global social media population is more than 2 billion people and with this amount of potential victims, it is hardly surprising that social media is attractive to criminals.

With users posting and sharing practically everything on social media, it is easy for criminals to collect data about a particular victim. 

The ease of communication and its instant nature facilitate the communication between criminals, making organised crime and group crime easier and less costly. Criminals can group themselves together around the need to commit criminal acts and pool their skills and knowledge. 

While facilitating organised crime, at the same time social media empowers individual offenders who can carry out complex and far-reaching offences which can be repeated infinite number of times – previously beyond their financial and organisational capabilities. This could be as simple as knowing when someone is going on holiday so that they can commit burglary or using collected personal data to defraud unsuspecting victims of their possessions, pensions or their homes.

Using Social Media to Investigate Crime

Almost any crime that is committed today gives rise to evidence in digital forms. Such evidence frequently includes communications – via a wide array of social media platforms and messaging applications – between or among suspects, witnesses and victims. The nature, volume and complexity of ‘social media evidence’ pose multiple challenges but also new opportunities for the investigative and prosecution process.

In criminal justice systems, information traditionally has been text and paper based, linear, impersonal and flowed in one direction across loosely coupled criminal justice agencies. Social media content, in contrast, is multi-media, digital, almost universal, emotional, and image dominated. It is therefore not surprising that social media has created both issues and opportunities for police and the criminal justice system. 

As social media platforms evolve, social media will continue to provide challenges and opportunities for the police and the criminal justice system, as well as change the way the public perceives and engages with issues of crime. However, calls for bans and restrictions to social media are unlikely to yield results; social media is here to stay, and we need to think outside the box if we wish to capitalise on its benefits, and prevent or minimise its negative effects in relation to crime and the criminal justice system.

The principal categories of information that investigators and prosecutors seek to obtain from social media platforms are:

  • Details of the subscriber to a particular account;
  • Content of any messages/photos/social media posts etc.
  • IP Login history and geolocation (the geographical location of an object, such as a mobile phone)

Once the request has been made to the relevant social media provider, it is a matter for that provider as to whether they supply the requested information. Their response will be based on that individual company’s privacy policy, not UK legislation.

The information able to be obtained varies from provider to provider and is subject to change at any time, depending on any changes to a provider’s policy. Information that is generally always obtainable is the information entered by an individual when setting up their account such as:

  • Name
  • Email address
  • Phone number
  • Address
  • Linked financial details e.g. Apple Pay

On some social media platforms, such as Twitter, Facebook and YouTube, it is possible to conduct ‘open source’ checks in the first instance to locate posts and their content, depending on the security settings an individual has placed on their account. Prosecutors may want to request that investigators start with such checks where appropriate before moving to more intrusive methods.

Other social media platforms, such as ‘Snapchat’ are deliberately designed so that its principal feature is that pictures and messages are usually only available for a short time before they become inaccessible to their recipients; in effect they are deleted from the recipient’s device unless the recipient chooses to save the message. This can be problematic for investigators and prosecutors and more often than not it is not possible to retrieve what was sent by either manually examining the device or subjecting it to a forensic examination.

Online Safety Bill

There is an obvious need to rethink the regulation of online communication. The UK government published the Draft Online Safety Bill in May this year, which aims to safeguard young people and clamp down on online abuse while protecting freedom of speech. It is currently undergoing pre-legislative scrutiny by a joint committee, which will report its recommendations by 10 December.

It places a “duty of care” on social media websites, search engines and other websites where users interact to protect people from dangerous content. If they fail to do so, companies face fines of up to £18m or 10 per cent of their annual turnover, plus access to their sites being blocked.

Companies will be grouped into either Category One or Category Two, with the first including social media giants and being subject to harsher rules – they will be expected to tackle both illegal content, such as terrorist propaganda and child abuse, and “legal but harmful” content, such as misinformation and cyberbullying. Adherence will be overseen by the regulator, Ofcom.

We will be watching progress of the bill closely to monitor its potential impact on the police and digital forensic science.

Find out more 

If you’d like to find out more about digital technology and the ways in which people are committing crime download our free whitepaper ‘The Future of Forensics Science’.

You’ll learn about new strategies, transformational activities and supporting regulatory frameworks that are being developed to ensure that criminals can be caught and prosecuted quickly.