Social Media Evidence Collection: API, Direct, Indirect and OSINT

A social media account holds far more than the public timeline. The examiner's first job is to map the artefact surface against the visibility tiers, because the collection method that applies to each is different.

The visibility tier determines the legal pathway. Public content is acquired without authorisation (OSINT). Friends-only or mutual-follow content is acquired with the subject's consent or via an indirect path (a mutual contact's account viewing the content within the scope of the warrant). Private content (DMs) sits on the device or requires a production order to the provider. Provider-only content (login IPs, account creation metadata, security event logs) requires a BNSS Section 91 production order, an IT Act Section 69 direction for interception, or for foreign platforms an MLAT request in parallel with the platform's Law Enforcement Request System (LERS).

A practical note about story-class content. Instagram and Facebook stories disappear from the public surface after 24 hours but persist in the user's own archive and on Meta's servers under the data retention policy. WhatsApp status follows a similar window. The acquisition discipline is to preserve immediately on victim notification, because the provider-side retention for non-account-holders is shorter than the user-archive window.

The four standard collection methods cover the field. Each has a typical use case, a tool family and a legal posture under Indian procedure.

Direct collection without login is the default for any FIR that names a public-tier account. The investigator opens the profile in an isolated browser (Hunchly running), captures every page (URL, full DOM, screenshot, hash), archives via Wayback Machine and archive.today, and exports the captured pages to the case dossier. Hunchly is the Indian state cyber-cell standard for OSINT chain of custody because every page capture is automatically SHA-256 hashed, time-stamped and packaged with the case ID.

Direct collection with login is the path when the target account is the subject's own (seized device, voluntary unlock or BNSS Section 105 search warrant) or when the victim's account is being preserved. Cookie acquisition from a seized device lets the examiner authenticate as the user without forcing a password reset that the attacker would notice. The platform's data-export ('Download your information' on Meta, 'Download your data' on X) yields the account-only artefacts in a structured archive. The chain of custody must record how the credentials or session cookie were obtained.

API-based collection is the structured path. The X v2 API yields tweets, replies, follower lists, user lookups and DMs (with the right scopes) under paid tiers. The Meta Graph API requires app review for most non-public scopes; the older Public Feed and Keyword Insights APIs that historically supported research are deprecated. LinkedIn's API is largely closed; investigators rely on direct collection with login. Tweepy is the Python wrapper for the X API; snscrape historically scraped Twitter without API access but is constrained by current X policy.

Indirect collection is the path when the target account is locked. The mutual contact's view (with their cooperation and consent), the tagged-content cluster across other accounts, the common-group membership and the public mentions of the target on other accounts all yield evidence without touching the locked account. Maltego is the link-analysis workhorse: entities (account, email, phone, domain) and transforms (run a query on each entity to find related entities) build a graph that the IO can pivot through. Sherlock takes a username and queries 400+ platforms for matching profiles in seconds.

OSINT for social media runs on a small set of category leaders. The examiner does not need every tool; one from each category gets the job done.

The reference workflow stacks these tools in order. SpiderFoot runs the first-pass sweep against the target identity (name, email, phone, username) to gather every public reference. Sherlock checks the username across 200+ platforms to find cross-platform accounts. theHarvester adds the email-and-subdomain corpus. Maltego ingests the SpiderFoot and Sherlock outputs as entities and runs transforms to expand the graph (related accounts, registered domains, breach corpus matches). Hunchly captures every page touched in the investigation, building the case dossier with hash and timestamp on each capture. ExifTool extracts metadata from any images or documents recovered. Shodan and Censys map the infrastructure side when phishing kits or malicious hosting are part of the case.

The Indian state cyber cells maintain Maltego Classic or Maltego CE licences for link analysis and Hunchly site licences for case management. The procurement template treats both as core OSINT tools alongside the disk-imaging hardware. SpiderFoot HX is the hosted variant some units use for cloud-side scanning.

1. Define the target entity set
   Names, usernames, email addresses, phone numbers, known account URLs. Capture the entity set in writing at the start of the case.
2. First-pass sweep with SpiderFoot or theHarvester
   Run a 200-module sweep on the target identity. Export findings as a CSV ingestible into Maltego.
3. Username enumeration with Sherlock
   Run Sherlock against each known username. Capture the hit list; visit each hit through Hunchly so the page is preserved.
4. Link analysis in Maltego
   Import the entity set; run transforms (Have I Been Pwned, breach corpus lookups, WHOIS, social media graph) to expand connections.
5. Per-account direct capture via Hunchly
   Open each target profile through Hunchly. Every page is hashed, timestamped and added to the dossier with the case ID.
6. Metadata extraction on recovered images and documents
   Run ExifTool on downloaded images. Note EXIF GPS, camera make/model, timestamp, software, thumbnail. Cross-reference document metadata (Word author, PDF producer) for attribution.
7. Generate the Hunchly case report and BSA Section 63 certificate
   Hunchly exports the case dossier with hashes and an evidence index. Sign the BSA Section 63 certificate over the dossier file for production at trial.

When a user uploads a photo or document to a social media platform, much of the embedded metadata travels with the file unless the platform strips it on ingest. The examiner's task is to extract whatever the platform retained and, more productively, to locate the off-platform copies that carry the complete metadata set.

Most major social media platforms strip EXIF from uploaded images for privacy reasons. The forensic implication is that an EXIF-rich image found in a victim's WhatsApp media folder, or in an attached email, or in a cloud backup retains the GPS coordinates that the public Instagram upload of the same image does not. The off-platform copy is therefore evidentiarily richer than the on-platform copy.

ExifTool is the unified tool. A single command (exiftool -GPSLatitude -GPSLongitude -DateTimeOriginal -Make -Model file.jpg) yields the relevant fields. ExifPilot is the GUI variant for examiners who prefer a windowed workflow. Jeffrey's Image Metadata Viewer is a quick web-based reader for triage.

Geolocation pivots beyond EXIF.

1. Geotagged posts
   Instagram location pages, X tweet location (where enabled), Facebook check-ins. Open the platform's location page for the tagged place; the post will appear in the public feed for that place.
2. Snap Map
   Snapchat's public-tier location feed shows submissions to 'Our Story' on a world map. Useful for events and breaking incidents.
3. Strava heat map
   Strava's public global heat map exposed the locations of US and allied military bases in 2018 when service members ran routes that lit up otherwise-classified perimeters. The cautionary tale applies broadly: any aggregate fitness data leaks individual location.
4. Background-derived geolocation
   Landmark recognition in photos. The 2018 Bellingcat investigations into MH17 and Syria established the technique: identify the photo's location from architectural and geographic landmarks visible in the background.
5. Wi-Fi BSSID lookup
   If a photo's EXIF or metadata captures nearby Wi-Fi BSSIDs (some Android cameras and IoT devices do), services like WiGLE map BSSIDs to physical locations.
6. IP-derived approximation
   Login IP from the provider subpoena, geo-resolved to city. Approximate, not precise, but corroborative.

The Strava 2018 incident illustrates a broader principle: aggregate, anonymised data still locates individuals when the underlying population is small. The investigator should expect that fitness apps, ride-share apps and food-delivery apps carry the same risk pattern, and that subpoena to those providers (BNSS Section 91) is part of the toolkit when a target's physical location at a given hour is the question.

When a target realises an investigation is under way, post deletion, tweet editing, and DM clearing are immediate responses. Five complementary recovery paths address this.

The Wayback Machine is the default first move for any public-tier deletion. The investigator pastes the profile URL into web.archive.org and checks for snapshots. The archive URL itself (https://web.archive.org/web/YYYYMMDDHHMMSS/https://...) is the citable evidence; the snapshot date is the timestamp at which the page held the content shown. For pages not previously crawled, archive.today lets the investigator trigger a snapshot at the moment of observation, before the target deletes.

Google's cache (previously available at cache:URL or via the search-result cached link) was deprecated by Google in February 2024. Some Bing cached pages remain available. archive.today is the surviving on-demand alternative.

Provider-side retention varies. Meta retains deleted content in a recovery queue for 30 days for the account holder and longer for the provider's abuse-review functions; X has historically retained deleted content for up to 30 days during its deletion process, with server copies potentially persisting for up to 90 days; WhatsApp's content is end-to-end encrypted and provider-side recovery is generally not available (metadata is available). A preservation request to the platform's Nodal Contact Person (for SSMIs under the Intermediary Guidelines 2021) is the immediate action; the formal production order under BNSS Section 91 follows.

The notification cache is an underused source. iOS Notification Centre and Android's notification log retain the preview text of social media DMs and post mentions for a window that depends on the OS version (typically the most recent 48-72 hours of notifications, longer for some message types). When the target has deleted the DM but the recipient's device still has the notification cached, the cache is a primary evidence source. Cellebrite, Oxygen Detective and Magnet AXIOM all parse the notification stores.

Edit history is platform-specific. X Premium allows editing a post for 60 minutes; the platform exposes the edit chain to viewers. Reddit's edit history is accessible to logged-in users. Threads inherits Instagram's edit semantics. Where the edit chain is exposed, capture it via Hunchly before the platform's window closes.

Social media evidence reaches the trial court through the same admissibility framework as all electronic records: BSA 2023 Section 63, which replaced IEA Section 65B. The certificate format and the case-law line that interprets it define the qualification standard.

The Indian case-law evolution on electronic-record admissibility runs through three landmark judgements. In Anvar P V v P K Basheer (2014) the Supreme Court held that Section 65B (now BSA Section 63) is a mandatory pre-condition to admissibility of any secondary electronic evidence, and that oral evidence about the contents of an electronic record cannot substitute for the certificate. In Shafhi Mohammad v State of Himachal Pradesh (2018) a two-judge bench appeared to relax the requirement when the certificate could not reasonably be procured; that relaxation was overruled. In Arjun Pandit Rao Khotkar v Kailash Kushanrao Gorantyal (2020) a three-judge bench restored Anvar P V in full: the certificate is mandatory; the party seeking admission must produce it; failure is fatal. BSA 2023 Section 63 codifies the Anvar / Arjun Khotkar position.

The certificate's content (under BSA Section 63(4)) identifies the electronic record, describes the way it was produced (including the device, the software and the imaging method), states the conditions under which the device operated (the device was used regularly and was operating properly during the relevant period; the information stored is regularly fed in the ordinary course of activities), and is signed by a person occupying a responsible official position in relation to the operation of the relevant device. For social media evidence the 'device' includes the imaging workstation and any platform-side records produced under BNSS Section 91.

1. Capture the page with URL visible
   Browser address bar visible in screenshot. Hunchly does this automatically; manual capture requires a full-page screenshot tool that captures the chrome.
2. Hash the captured artefact
   SHA-256 over the captured page bundle (HTML, screenshot, MHTML or PDF). Record the hash in the chain of custody.
3. Cross-reference with provider records
   Where available, match the captured content against the provider's API or production-order response. Note the Message-ID / post-ID / tweet-ID for cross-reference.
4. Image the device side if applicable
   Where the captured content sits on a seized device (notification cache, app database, browser cache), image the device under BNSS Section 105 search warrant procedure.
5. Draft the BSA Section 63 certificate
   Certificate identifies the device, describes the imaging method (Hunchly version, browser version, OS, network position), states the working-condition language and the regular-feed language, and is signed by the responsible official (senior FSL analyst or IO with the requisite designation).
6. Annex to charge sheet under BNSS Section 193
   The FSL report, the captured exhibits with hashes, the platform's production-order response (if any) and the Section 63 certificate together form the annexure to the charge sheet.
7. Lead expert evidence at trial
   Examiner deposes under BSA Section 39 (expert opinion). Cross-examination typically targets the chain of custody, the imaging method and the certificate's signatory authority.

The Indian context anchor for foreign-platform subpoena is the Sushant Singh Rajput investigation, in which the Mumbai Police and later the CBI sought records from Twitter (now X) and Instagram for posts and DMs of multiple parties. The cooperative request channel ran through Meta's and X's Law Enforcement Request Systems in parallel with formal MLAT requests via the MHA. Bombay High Court orders on Twitter content takedown during the same period set out the procedural template for high-profile takedown applications.

The cross-link for the substantive admissibility doctrine sits with Bharatiya Sakshya Adhiniyam 2023 Section 63; the BNS 2023 cyber and BSA 2023 electronic evidence topic covers the wider statutory frame.