Chapter 13 · 13 min read
Social Media Forensics
Social media is simultaneously the crime scene, the evidence vault, and the communication channel in most modern cybercrimes. This chapter covers the major crime categories that use social media, how to gather intelligence from public profiles, and the correct procedure for preserving evidence before it disappears.
13.1 Cyberbullying & Online Harassment
Cyberbullying is repeated digital aggression — insults, threats, humiliation — directed at an individual through any digital channel, including social media, messaging apps, online games, or email. The repetition and intentionality distinguish it from a single rude comment.
Forms of online harassment:
- Direct harassment — abusive messages, threats, or insults sent directly to the victim via DM, email, or comment.
- Outing — exposing the victim's private information or intimate photos online without their consent.
- Exclusion — deliberately removing or blocking the victim from online groups to cause social harm.
- Impersonation — creating fake accounts in the victim's name to spread false information or damage their reputation.
- Doxxing — publishing the victim's private real-world information (home address, workplace, family members' names) to enable or encourage offline harm.
- Cyberstalking — the persistent, covert form covered separately in Section 13.3.
Indian legal provisions:
| Provision | Offence covered |
|---|---|
| IT Act §66E | Violation of privacy by capturing, publishing or transmitting images of a person's private area without consent |
| IT Act §67A | Publishing or transmitting sexually explicit material in electronic form |
| IPC §354D | Stalking, including monitoring a person's use of the internet, email or any other form of electronic communication |
| IPC §507 | Criminal intimidation delivered via anonymous communication |
| POCSO Act | All offences where the victim is a minor; applies on top of the IT Act provisions |
For conduct on or after 1 July 2024 the IPC sections are replaced by the corresponding provisions of the Bharatiya Nyaya Sanhita (BNS) 2023: §78 (stalking) and §351(4) (criminal intimidation by anonymous communication). The IT Act and POCSO sections are unchanged.
Evidence to collect:
- Screenshots that show the full URL in the browser address bar, a visible timestamp, and the perpetrator's profile identifier (username/handle).
- Screen recordings of dynamic content (Stories, live chats) that cannot be captured as a static screenshot.
- Phone numbers or social media usernames of perpetrators.
- IP address logs obtained through the platform's Law Enforcement Portal (LEP).
- Device extraction logs showing the victim's device received the offending messages.
Platform evidence requests. Major platforms — Meta (Facebook, Instagram, WhatsApp), Twitter/X — each maintain a Law Enforcement Portal through which Indian law enforcement can submit emergency disclosure requests. For non-emergency cases, Indian agencies follow the Mutual Legal Assistance Treaty (MLAT) process or submit via the platform's standard law enforcement request channel. Emergency requests (for situations involving imminent risk to life) are processed within hours; standard requests take days to weeks.
13.2 Online Grooming & Child Exploitation
Online grooming is the process by which an offender builds trust and emotional closeness with a child — or with the child's family — online, with the ultimate intent to exploit them sexually. The process is gradual and deliberate.
Phases of online grooming:
- Targeting — the offender selects a vulnerable child (lonely, looking for attention, active on gaming or social platforms).
- Gaining trust — presents as a peer or a helpful older figure; shows interest in the child's hobbies.
- Filling needs — provides gifts, attention, compliments, or emotional support that the child craves.
- Isolation — encourages the child to keep the relationship secret; drives wedges between the child and parents.
- Desensitisation — gradually introduces sexual topics, images, or requests, normalising them.
- Maintaining control — uses threats, shame, or blackmail to prevent the child from reporting.
Platforms commonly exploited: Online games (Fortnite, Roblox, BGMI — minors spend extended time and chat freely), Instagram DMs, Snapchat (disappearing messages), Discord, WhatsApp.
CSAM (Child Sexual Abuse Material). The production, distribution, and possession of CSAM is criminalised under the POCSO Act 2012, Sections 13–15:
- §13 — use of child for sexual gratification (including using a child in production of such material)
- §14 — punishment for using a child for pornographic purposes (since the 2019 amendment, a minimum of five years' imprisonment, seven for a repeat conviction)
- §15 — storage or possession of CSAM; under §15(1), failing to delete, destroy or report such material is itself an offence, so a person who merely encountered it online is liable if they do not report it
Any digital storage, sharing, or deliberate viewing of CSAM is an offence regardless of the child's nationality or the platform's country of origin.
Investigative approach:
- OSINT analysis of suspect's public social media accounts and gaming profiles.
- Regulated undercover operations (plain clothes officers, authorised by appropriate authority).
- Chat log analysis: platform DMs, in-game chat transcripts, email threads.
- Device forensics: full physical extraction of suspect's device; PhotoDNA hash matching against known CSAM databases.
Evidence:
- Chat logs from platform server logs (all messages, including deleted ones if within retention window).
- Profile creation details: registration IP address, email address, registration timestamp.
- File metadata on images shared: device model, GPS, timestamp embedded in EXIF. Present only where the original file was shared (for example as a document attachment); most platforms strip EXIF from inline image uploads.
- Hash matches: comparing files on the suspect's device against NCMEC (National Center for Missing and Exploited Children) database hashes.
PhotoDNA
A hash-matching technology developed by Microsoft for detecting known CSAM. A cryptographic hash such as MD5 or SHA-256 changes completely when an image is resized, recompressed or recoloured, so it can only catch exact copies. PhotoDNA instead converts every image into a compact perceptual fingerprint (the "DNA") that stays nearly identical through minor edits, crops, and colour changes; two images are treated as a match when their fingerprints are within a small distance of each other. Platforms run uploaded images through PhotoDNA and compare the result against a database of hashes of known CSAM maintained by NCMEC. A match can trigger removal and an automatic report to NCMEC without anyone at the platform having to view the image. Investigators then receive a CyberTipline report from NCMEC containing the matching hash, the platform's account details, and the uploader's IP address; reports relating to Indian IP addresses are routed to the NCRB.
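To make the distinction concrete, here is an added illustration, not code from this chapter and not PhotoDNA itself (Microsoft does not publish that algorithm): a toy 64-bit "average hash" computed on a constructed grayscale checkerboard-plus-gradient image, compared with SHA-256 over the same pixels. Brightening or rescaling the image changes every byte, so SHA-256 no longer matches, while the perceptual fingerprint is unchanged; an unrelated image lands 64 bits away. The sample image, the brightness shift and the rescale are all constructed in the code. Real perceptual hashes add crop and rotation tolerance that this toy deliberately lacks.

```python
"""Toy perceptual hash (average hash) versus SHA-256 on a synthetic image.

Added illustration of the PhotoDNA principle. This is NOT PhotoDNA, whose
algorithm is not public; it is the simplest perceptual hash, enough to show
why a fingerprint survives benign edits while a cryptographic hash does not.
"""
import hashlib

W = H = 64       # constructed sample image is 64x64 grayscale
HASH_SIDE = 8    # reduce to 8x8 cells -> one bit each -> 64-bit hash


def make_sample_image(width=W, height=H, invert=False):
    """Constructed image: 16-px checkerboard (40 vs 140) plus a soft gradient."""
    rows = []
    for y in range(height):
        row = []
        for x in range(width):
            light = ((x // 16) + (y // 16)) % 2 == 1
            if invert:
                light = not light
            row.append((140 if light else 40) + (x + y) // 16)  # gradient adds 0..7
        rows.append(row)
    return rows


def to_bytes(img):
    """Raw 8-bit pixel dump: this is what a file hash actually sees."""
    return bytes(p for row in img for p in row)


def brighten(img, delta):
    """Uniform brightness shift, clamped to 8 bits."""
    return [[min(255, p + delta) for p in row] for row in img]


def resize_nearest(img, new_w, new_h):
    """Nearest-neighbour rescale, like a platform re-encoding an upload."""
    h, w = len(img), len(img[0])
    return [[img[y * h // new_h][x * w // new_w] for x in range(new_w)]
            for y in range(new_h)]


def average_hash(img, side=HASH_SIDE):
    """Average hash: block-average down to side x side cells, then emit one
    bit per cell saying whether that cell is brighter than the mean of all cells."""
    h, w = len(img), len(img[0])
    bh, bw = h // side, w // side
    cells = []
    for cy in range(side):
        for cx in range(side):
            block = [img[y][x]
                     for y in range(cy * bh, (cy + 1) * bh)
                     for x in range(cx * bw, (cx + 1) * bw)]
            cells.append(sum(block) / len(block))
    mean = sum(cells) / len(cells)
    bits = 0
    for v in cells:
        bits = (bits << 1) | (1 if v > mean else 0)
    return bits


def hamming(a, b):
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")


def compare(known, candidate, threshold=6):
    """Return (sha256_equal, perceptual_distance, perceptual_match)."""
    sha_equal = (hashlib.sha256(to_bytes(known)).digest()
                 == hashlib.sha256(to_bytes(candidate)).digest())
    dist = hamming(average_hash(known), average_hash(candidate))
    return sha_equal, dist, dist <= threshold


if __name__ == "__main__":
    known = make_sample_image()
    variants = [("identical copy", known),
                ("brightened +25", brighten(known, 25)),
                ("rescaled to 48x48", resize_nearest(known, 48, 48)),
                ("unrelated image", make_sample_image(invert=True))]
    for label, cand in variants:
        print(f"{label:18s}", compare(known, cand))
```

The threshold of 6 bits is a tuning choice for this toy; production systems tune the match distance against measured false-positive rates and still route matches to a human reviewer at the investigating agency, not at the platform.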
13.3 Cyberstalking
Cyberstalking is the persistent monitoring, following, or harassing of a person online — typically one-sided and escalating toward offline threats or physical contact. It differs from cyberbullying in being more covert (the victim often does not know the extent of the monitoring), more prolonged, and frequently carried out by someone known to the victim (ex-partner, rejected acquaintance).
Techniques used by stalkers:
- Monitoring the victim's public posts for location clues embedded in photos (street signs, identifiable buildings, utility poles visible in the background).
- Creating fake accounts to circumvent blocks — after the victim blocks the stalker, the stalker creates a new account to continue monitoring.
- Stalkerware — GPS tracking apps or remote access tools installed covertly on the victim's phone without their knowledge or consent. These apps hide their icon and silently transmit location, messages, and call logs to the stalker.
- Reverse image search (TinEye, Google Lens) to find the victim's other online accounts using a photo from one known account.
- Reading GPS metadata in photos the victim posts publicly — if the victim's phone has location tagging enabled, every photo it takes carries exact coordinates in its EXIF data. Most large platforms strip this on upload, so the exposure is greatest for original files shared by email, as WhatsApp documents, or on personal websites and forums that keep metadata intact.
Evidence collection — advise the victim to:
- Do NOT immediately block the perpetrator — on some platforms, blocking deletes the message history visible to the victim. Screenshot everything first.
- Enable and export account activity logs (login history, device list) from the platform settings.
- Report to the platform and record the report reference number.
- File an FIR at the cybercrime cell with all collected evidence.
OSINT the stalker uses against the victim. Attackers can infer a victim's home location from background details in photos, determine their daily schedule from regular posting times, and identify their employer from LinkedIn. Forensic examiners can retrace this inference chain to demonstrate to court exactly what information the stalker collected and how.
Protective measures (victim safety advice):
- Audit privacy settings on all platforms; restrict posts to friends only.
- Disable location tagging in the phone's camera app.
- Use a separate phone number for apps that require it.
- Enable two-factor authentication on all accounts.
- Document every incident with a screenshot, timestamp, and a brief written description of what happened — this becomes the timeline of evidence.
Tools for evidence capture:
- GoFullPage (browser extension) — captures a complete scrollable page as a single image, including content below the fold.
- web.archive.org (Wayback Machine) — submit a URL to create a timestamped public snapshot; the URL of the archived version is itself citable evidence.
- EXIF viewers (exiftool, Jeffrey's Exif Viewer) — extract and display all metadata embedded in images posted by the suspect.
13.4 OSINT & Intelligence Gathering
OSINT (Open Source Intelligence) is the collection and analysis of information that is publicly available — legally accessible without any covert action, hacking, or legal process. It forms the initial phase of almost every social media investigation because it is fast, free, and needs no court order; its products still have to be captured, hashed and documented like any other evidence before they can be relied on in court.
Primary OSINT sources:
- Social media profiles — full name, profile photo, declared workplace, list of connections, location tags on posts, check-ins at venues, tagged photos posted by others.
- Google search operators — site-specific searches narrow results. For example, `site:twitter.com "john doe"` finds all indexed Twitter mentions of that name, and `intitle:"john doe" site:linkedin.com` finds LinkedIn profiles matching it.
- WHOIS records — domain registration details (registrant name, organisation, email, registrar, registration date). Usually redacted by privacy services today, but historical WHOIS archives sometimes reveal the suspect's real email or address from older registrations.
- Public court records and news archives — prior cases, published judgments, news articles naming the suspect.
- Reverse image search — TinEye or Google Lens finds other online locations where the same or similar image has been published, revealing other accounts owned by the same person.
Username enumeration. If a suspect uses the same username across multiple platforms, all their accounts can be linked by searching for that username. Tools like Sherlock and Maigret automatically check hundreds of platforms for a given username and return a list of matches with profile URLs. This single step often reveals the suspect's gaming accounts, dating profiles, and niche forum accounts — contexts they believed were separate from their known identity.
Image EXIF metadata. Cameras and smartphones embed structured metadata inside the image files they produce: GPS coordinates, device model, software version, and timestamp. The exiftool command-line utility reads this data from any image. Forensically: a photo described as "taken somewhere" may contain exact GPS coordinates in its EXIF. If the suspect shared the original file without stripping the metadata, the GPS coordinates are evidence of where the device was at that moment. The caveat: Facebook, Instagram, Twitter/X and WhatsApp (for images sent as photos rather than as documents) strip EXIF on upload, so examine the file that actually reached the investigator rather than assuming the original metadata survived.
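The following added example (not from the chapter, standard library only) shows where the coordinates actually sit, and also covers the cyberstalking section's point about GPS tags in publicly posted photos. A minimal TIFF/EXIF structure is constructed in memory with a GPS IFD holding degrees, minutes and seconds as rationals; a small walker reads IFD0, follows the GPSInfo pointer (tag 0x8825), and converts the values to signed decimal degrees. The coordinates (about 12.9715 N, 77.5935 E, central Bengaluru) are constructed, not from any case. A second constructed structure with the GPS IFD removed, which is what a platform re-encode typically leaves behind, returns None.

```python
"""Walk a TIFF/EXIF structure by hand and pull out the GPS coordinates.

Added example, standard library only. The EXIF blob is constructed in
memory (no real photo is read), so it runs offline; in practice you would
feed it the APP1 payload of a JPEG after the 'Exif\\0\\0' prefix, or simply
run exiftool. The point is to show where the coordinates live and why a
re-encoded upload that drops the GPS IFD leaves nothing to recover.
"""
import struct

TAG_GPS_IFD = 0x8825       # IFD0 entry pointing at the GPS sub-IFD
TAG_ORIENTATION = 0x0112
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004
TYPE_ASCII, TYPE_SHORT, TYPE_LONG, TYPE_RATIONAL = 2, 3, 4, 5


def _header(e):
    """8-byte TIFF header: byte order, magic 42, offset of IFD0 (always 8 here)."""
    return struct.pack(e + "2sHI", b"II" if e == "<" else b"MM", 42, 8)


def build_sample_tiff(lat_dms, lat_ref, lon_dms, lon_ref, e="<"):
    """Constructed structure: IFD0 with one entry (the GPS pointer), then a GPS
    IFD with Ref/coordinate pairs. DMS values are (numerator, denominator) tuples."""
    gps_off = 8 + 2 + 12 * 1 + 4                   # IFD0 = count + 1 entry + next-IFD
    ifd0 = struct.pack(e + "H", 1)
    ifd0 += struct.pack(e + "HHII", TAG_GPS_IFD, TYPE_LONG, 1, gps_off)
    ifd0 += struct.pack(e + "I", 0)
    n_entries = 4
    data_off = gps_off + 2 + 12 * n_entries + 4    # RATIONAL data lives after the IFD
    lat_bytes = b"".join(struct.pack(e + "II", *r) for r in lat_dms)
    lon_bytes = b"".join(struct.pack(e + "II", *r) for r in lon_dms)
    gps = struct.pack(e + "H", n_entries)
    gps += struct.pack(e + "HHI", GPS_LAT_REF, TYPE_ASCII, 2) + lat_ref.encode() + b"\0\0\0"
    gps += struct.pack(e + "HHII", GPS_LAT, TYPE_RATIONAL, 3, data_off)
    gps += struct.pack(e + "HHI", GPS_LON_REF, TYPE_ASCII, 2) + lon_ref.encode() + b"\0\0\0"
    gps += struct.pack(e + "HHII", GPS_LON, TYPE_RATIONAL, 3, data_off + len(lat_bytes))
    gps += struct.pack(e + "I", 0)
    return _header(e) + ifd0 + gps + lat_bytes + lon_bytes


def build_stripped_tiff(e="<"):
    """What a platform re-encode typically leaves: IFD0 with Orientation only."""
    ifd0 = struct.pack(e + "H", 1)
    ifd0 += struct.pack(e + "HHI", TAG_ORIENTATION, TYPE_SHORT, 1)
    ifd0 += struct.pack(e + "HH", 1, 0)            # SHORT value, left-justified + pad
    ifd0 += struct.pack(e + "I", 0)
    return _header(e) + ifd0


def _read_ifd(tiff, e, offset):
    """Return {tag: (type, count, raw 4-byte value-or-offset field)}."""
    (count,) = struct.unpack_from(e + "H", tiff, offset)
    entries = {}
    for i in range(count):
        pos = offset + 2 + 12 * i
        tag, typ, n = struct.unpack_from(e + "HHI", tiff, pos)
        entries[tag] = (typ, n, tiff[pos + 8:pos + 12])
    return entries


def _dms_to_decimal(tiff, e, entry, ref):
    """Three RATIONALs (deg, min, sec) -> signed decimal degrees."""
    typ, n, field = entry
    if typ != TYPE_RATIONAL or n != 3:
        raise ValueError("unexpected GPS coordinate encoding")
    (off,) = struct.unpack(e + "I", field)          # 24 bytes > 4, so the field is an offset
    v = struct.unpack_from(e + "6I", tiff, off)
    deg, minutes, sec = v[0] / v[1], v[2] / v[3], v[4] / v[5]
    value = deg + minutes / 60 + sec / 3600
    return -value if ref in ("S", "W") else value


def extract_gps(tiff):
    """Return (lat, lon) in decimal degrees, or None if the GPS IFD is absent."""
    if tiff[:2] == b"II":
        e = "<"
    elif tiff[:2] == b"MM":
        e = ">"
    else:
        raise ValueError("not a TIFF/EXIF structure")
    magic, ifd0_off = struct.unpack_from(e + "HI", tiff, 2)
    if magic != 42:
        raise ValueError("bad TIFF magic")
    ptr = _read_ifd(tiff, e, ifd0_off).get(TAG_GPS_IFD)
    if ptr is None:
        return None                                 # metadata stripped: nothing to recover
    (gps_off,) = struct.unpack(e + "I", ptr[2])
    gps = _read_ifd(tiff, e, gps_off)
    if GPS_LAT not in gps or GPS_LON not in gps:
        return None
    lat_ref = gps.get(GPS_LAT_REF, (0, 0, b"N"))[2][:1].decode()
    lon_ref = gps.get(GPS_LON_REF, (0, 0, b"E"))[2][:1].decode()
    return (_dms_to_decimal(tiff, e, gps[GPS_LAT], lat_ref),
            _dms_to_decimal(tiff, e, gps[GPS_LON], lon_ref))


if __name__ == "__main__":
    # Constructed coordinates, roughly central Bengaluru: 12 58' 17.40" N, 77 35' 36.60" E
    tagged = build_sample_tiff([(12, 1), (58, 1), (1740, 100)], "N",
                               [(77, 1), (35, 1), (3660, 100)], "E")
    print("tagged original :", extract_gps(tagged))
    print("platform re-save:", extract_gps(build_stripped_tiff()))
```

The walker honours both byte orders ("II" and "MM"), which matters because Apple and many Android cameras write big-endian EXIF; an investigator's script that assumes little-endian silently reads garbage offsets.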
Google dorking. Advanced Google search operators to find specific exposed information:
- `"target@gmail.com" -site:targetdomain.com` — finds where this email address appears online, outside the target's own domain.
- `filetype:pdf "confidential" site:company.com` — finds accidentally exposed PDF documents on a corporate website.
- `"target name" filetype:xls OR filetype:csv` — finds spreadsheets that may contain the person's data.
OSINT toolset:
| Tool | Function |
|---|---|
| Maltego | Link analysis and visualisation — maps connections between people, domains, IPs, and social accounts |
| theHarvester | Enumerates email addresses and subdomains associated with a domain |
| SpiderFoot | Automated OSINT collection — runs dozens of modules against a target and correlates results |
| Sherlock / Maigret | Username enumeration across hundreds of platforms |
| Shodan | Searches for internet-connected devices (cameras, routers, servers) by IP range or banner content |
| exiftool | Reads and writes EXIF and other metadata in image and document files |
13.5 Preserving Social Media Evidence
Social media content can be edited or deleted at any time by the user or taken down by the platform. Once deleted, recovery requires emergency legal process — and even then, some content is permanently gone after platform retention windows expire. The first examiner on the case must prioritise preservation before any analysis.
Collection methods, ordered from weakest to strongest admissibility:
1. Screenshots. The simplest and fastest method. Requirements for admissible screenshots:
- The full URL must be visible in the browser address bar.
- The timestamp must be visible (either from the post or from the browser clock).
- The profile identifier (username, handle, or account URL) must be visible.
- Take two images: one full-page capture, one close-up of the URL bar.
- Immediately compute and record the MD5 and SHA-256 hash of each screenshot file.
2. Web archives (Wayback Machine). Submit the URL to web.archive.org immediately. The Wayback Machine creates a publicly accessible, timestamped snapshot of the page at that moment. The URL of the archived version (https://web.archive.org/web/[timestamp]/[original URL]) is a citable third-party timestamped record, which makes it harder to dismiss than a screenshot, though it is not a certified record and can still be challenged. Works only for publicly accessible pages: it cannot archive private content or anything behind a login, and several platforms serve the archiver a reduced or login-walled version of the page.
3. Forensic web capture tools:
- HTTrack — downloads a complete offline copy of a website with all linked assets.
- Hunchly (Chrome extension) — logs every page visited during an investigation, automatically timestamping and hashing each page capture. Produces a session log that can be exported and submitted as evidence.
- Belkasoft Evidence Center — acquires social media accounts during device extraction, correlating platform data with device artifacts.
4. Platform legal process. The highest-quality evidence comes from the platform itself. Through the Law Enforcement Portal or MLAT process, investigators can request:
- Server-side IP logs (registration IP, session IPs, timestamp of each access).
- Account creation details and verification records.
- Message content, including deleted messages within the platform's retention window.
- Recovery of deleted posts.
Hash and document every file. Every file collected gets an MD5 and SHA-256 hash computed at the moment of collection. Record in the seizure log: hash value, collection timestamp, source URL, collection tool used, and examiner's name and badge number. This is the chain-of-custody requirement for electronic evidence.
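An added example of the hashing and seizure-log step (my own code, not the chapter's; the JSON Lines log layout, the field names, the URL https://example.com/post/123 and the examiner ID EX-0001 are placeholders I chose): each collected file is hashed with MD5 and SHA-256 in a single pass, a record is appended to the log, and a verify routine re-hashes everything later to prove nothing changed. The demo writes two constructed "screenshot" files to a temporary directory, logs them, then tampers with one to show the verification failing.

```python
"""Chain-of-custody helper: hash each collected file (MD5 + SHA-256) at the
moment of collection, append a seizure-log record, and re-verify later.

Added example, not code from this chapter. The JSON Lines layout, field
names and the examiner ID are placeholders of my choosing. SHA-256 is the
hash that matters; MD5 is kept only because many seizure forms still ask
for it and must never be relied on alone.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def hash_file(path, chunk_size=1 << 16):
    """Stream the file once and return (md5_hex, sha256_hex)."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()


def log_collection(log_path, file_path, source_url, tool, examiner):
    """Hash the file and append one JSON record to the seizure log."""
    md5, sha = hash_file(file_path)
    record = {
        "file": os.path.basename(file_path),
        "size_bytes": os.path.getsize(file_path),
        "md5": md5,
        "sha256": sha,
        "source_url": source_url,
        "collected_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "tool": tool,
        "examiner": examiner,
    }
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(record) + "\n")
    return record


def verify_log(log_path, evidence_dir):
    """Re-hash every logged file; return [(file, ok), ...] in log order.
    A missing file counts as a failure, as does either digest differing."""
    results = []
    with open(log_path, encoding="utf-8") as log:
        for line in log:
            rec = json.loads(line)
            path = os.path.join(evidence_dir, rec["file"])
            if not os.path.isfile(path):
                results.append((rec["file"], False))
                continue
            md5, sha = hash_file(path)
            results.append((rec["file"], md5 == rec["md5"] and sha == rec["sha256"]))
    return results


def demo():
    """Constructed run in a temp dir: log two 'screenshots', then tamper with
    one and show that verification catches it. Returns (before, after)."""
    case_dir = tempfile.mkdtemp(prefix="case-")
    log_path = os.path.join(case_dir, "seizure_log.jsonl")
    # Constructed stand-ins for the two required captures (not real PNGs).
    captures = [("post_fullpage.png", b"\x89PNG constructed full-page capture"),
                ("post_urlbar.png", b"\x89PNG constructed URL-bar close-up")]
    for name, content in captures:
        path = os.path.join(case_dir, name)
        with open(path, "wb") as f:
            f.write(content)
        log_collection(log_path, path, "https://example.com/post/123",
                       "GoFullPage", "EX-0001")          # placeholder examiner ID
    before = verify_log(log_path, case_dir)
    with open(os.path.join(case_dir, "post_urlbar.png"), "ab") as f:
        f.write(b" edited after collection")            # simulated tampering
    after = verify_log(log_path, case_dir)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before)
    print("after tampering: ", after)
```

Keep the log itself outside the evidence directory in real use (or hash the log too and record that hash in the case notes), otherwise a tampered log and a tampered file can be made to agree.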
Admissibility under Indian law. Under Section 63 of the Bharatiya Sakshya Adhiniyam (BSA) 2023, the successor to Section 65B of the Indian Evidence Act, an electronic record is admissible only with a certificate in the prescribed form, signed by the person in charge of the device or system that produced it and by an expert, confirming the record's authenticity and the system's proper operation. Screenshots alone can be challenged if there is no corroborating server-side record. Best practice: obtain both screenshots AND platform records via legal process, and obtain the Section 63 certificate from the appropriate persons.
| Preservation Method | Permanence | Admissibility Strength | Speed |
|---|---|---|---|
| Screenshot + hash | Permanent (local) | Medium (can be challenged without server-side corroboration) | Immediate |
| Wayback Machine archive | Depends on platform | Medium (third-party record, not certified) | Minutes |
| Platform legal process | High (official server logs) | High (with BSA §63 certificate) | Days to weeks |
| Forensic capture tool (e.g., Hunchly) | Permanent (local) | High (if certified examiner + hash log) | Minutes |
13.1 IT Act + IPC for harassment — §66E = violation of privacy by publishing private images · §67A = publishing sexually explicit electronic material · IPC §354D = stalking (including online) · IPC §507 = criminal intimidation by anonymous communication. Add POCSO for any victim who is a minor.
13.1 Platform evidence — major platforms (Meta, Twitter/X) have Law Enforcement Portals (LEP). Emergency requests = imminent risk to life, processed within hours. Standard requests via LEP or MLAT = days to weeks.
13.2 Grooming phases — Target → Trust → Fill needs → Isolate → Desensitise → Control. Six stages, always deliberate.
13.2 POCSO §§13–15 — §13 = using a child for pornographic purposes · §14 = punishment for §13 (minimum five years since the 2019 amendment, seven on repeat conviction) · §15 = possession/storage, including failure to delete, destroy or report. Viewing without reporting is itself an offence.
13.2 PhotoDNA — hash-matching technology (Microsoft); converts image to robust fingerprint (resistant to crop/resize/recolour); no human views the image; matches against NCMEC database; a match triggers a CyberTipline report.
13.3 Cyberstalking vs cyberbullying — stalking is covert + prolonged + often known perpetrator; bullying is more overt + group-based. Stalkerware = GPS tracking app covertly installed on victim's device. Do NOT block perpetrator immediately — screenshot first.
13.4 OSINT = public info only — no hacking, no covert access; entirely legal when done properly. Sherlock / Maigret = username enumeration across hundreds of platforms. EXIF GPS coordinates survive only in original files (most platforms strip them on upload); where present they are exact location evidence.
13.4 Google dorking — site:, intitle:, filetype:, -site: operators narrow search to specific sources.
13.5 Always hash screenshots — MD5 + SHA-256 at moment of collection; record in seizure log with URL, timestamp, examiner ID.
13.5 BSA §63 — electronic records need a certificate from the responsible official to be admissible in Indian courts; screenshots without server-side data can be challenged; best practice = screenshots + platform legal process + BSA §63 certificate.