How should investigators record fast-changing online evidence, such as social media?
Case in point: The Mercer County (New Jersey) Prosecutor's office followed hundreds of street gang affiliates on Myspace. How did it do that economically? Instead of using seasoned, highly-trained police investigators, it commissioned a team of mere interns. The interns, acting as undercover agents, "friended" target gang affiliates. One fake profile maintained by the interns attracted 180 "friends."
Free, Easy-to-Use Tools
Here's another demonstration, which emphasizes low cost, easy-to-use tools. The tools are
- screencast-o-matic, a free, Java-based, open-source tool for recording what you see on your screen, and
- Microsoft's free Skydrive file storage service.
Picture this hypothetical setting. The county sheriff's office needs an efficient way to capture what is happening on a dynamic blog. Information on the blog at this minute could be changed or deleted a minute later. The sheriff's office has no special equipment, but it does have two investigators who need to remain anonymous. They will be identified by numbers. Their voices will be recorded by microphone, but not their faces by webcam.
See video: http://www.youtube.com/watch?v=_6xEkVjYnqw
Two Witnesses Are Better Than One
The resulting screencast video is a unified package of evidence that captures the interaction of the web better than a mere sceenshot does.
The two investigators corroborate the video and corroborate each other. Each investigator signs the video with the unique sounds of his voice. Each speaks the date and time with his unique, identifying voice.
The involvement of two investigator witnesses makes the Sheriff's Office less dependent on any single person to testify as to the authenticity of the video later, such as in court. Witnesses like interns can come and go.
Depending on the use of the video, an authority (such as a judge in a parole hearing) might rely on the video, signed by two witnesses, without requiring direct testimony from either of the witnesses on the video's authenticity.
Cloud Time Stamp
To further corroborate the date, the video is loaded onto Microsoft's Skydrive. Skydrive (a third party cloud service) shows the time that the video was last modified.
See Skydrive screenshot.
Thus, if the video, dated by the witness voices as October 10, were uploaded on October 10 but then replaced October 25, there would be a mismatch of dates, suggesting that the video in Skydrive is not the one originally created by the investigators.
To further corroborate the date, the investigators could give the video to colleagues, who could store the video in their own time-stamped, cloud-based file-storage accounts.
Auditors and Whistleblowers
The techniques demonstrated here could be applied outside law enforcement. They might be used by auditors, journalists, whistleblowers, public watchdogs, school administrators or private investigators.
Is this video absolutely unassailable as legal evidence? No. The two investigators could have colluded to make all of this up. But collusion is not easy.
It is rare for legal evidence to be perfect. This video is reasonably good.
What do you think?
Mr. Wright teaches the law of data security and investigations at the SANS Institute.
[This post is general public discussion and not legal advice for any particular situation. If you need legal advice, you should consult your lawyer.]