This paper proposes a two-stage model for identifying and contextualizing features from artefacts created as a result of social networking activity. This technique can be useful in digital investigations and is based on understanding and the deconstruction of the processes that take place prior to, during and after user activity; this includes corroborating artefacts. Digital Investigations are becoming more complex due to factors such as, the volume of data to be examined; different data formats; a wide range of sources for digital evidence; the volatility of data and the limitations of some of the standard digital forensic tools. This paper highlights the need for an approach that enables digital investigators to prioritize social network artefacts to be further analysed; determine social connections in the context of an investigation e.g. a user’s social relationships, how recovered artefacts came to be, and how they can successfully be used as evidence in court.


  1. ACPO. (2012). Good Practice Guide for Digital Evidence. Retrieved from http://library.college.police.uk/docs/acpo/digital-evidence-2012.pdf (Version: 5.0)
  2. Agency. (2015). Five internet trolls a day convicted in UK as figures show ten-fold increase. Retrieved from https://www.telegraph.co.uk/news/uknews/law-and-order/11627180/Five-internet-trolls-a-day-convicted-in-UK-as-figures-show-ten-fold-increase.html
  3. Arshad, H., Jantan, A., & Omolara, E. (2019). Evidence collection and forensics on social networks: Research challenges and directions. Digital Investigation, 28 , 126 - 138.
  4. BBC. (2010). BBC News – Facebook murderer to serve at least 35 years (No. 6/27/2010). Retrieved from http://news.bbc.co.uk/1/hi/england/wear/8555221.stm
  5. BBC News. (2012). Huge rise in social media 'crimes'. Retrieved from https://www.bbc.co.uk/news/uk-20851797
  6. Bello, M., & DiBlasio, N. (2013). Twitter: The new face of crime. USA Today. Retrieved from http://www.usatoday.com/story/news/nation/2013/09/29/twitter-crime-dark-side/2875745/
  7. Berners-Lee, T., Masinter, L., & McCahill, M. (1994). Uniform Resource Locators (URL) - RFC 1738. Retrieved from http://www.ietf.org/rfc/rfc1738.txt
  8. Bowcott, O., Carter, H., & Clifton, H. (2011). Facebook riot calls earn men four-year jail terms amid sentencing outcry. Retrieved from https://www.theguardian.com/uk/2011/aug/16/facebook-riot-calls-men-jailed
  9. Cambridge University Press. (2019). Cambridge Dictionary [Online]. Retrieved from http://dictionary.cambridge.org
  10. Carvey, H. (2018). RegRipper. Retrieved from https://github.com/keydet89/RegRipper2.8
  11. Case, A., & Marziale, L. (n.d.). RegistryDecoder. Retrieved from http://www.infosecisland.com/blogview/17867-Open-Source-Registry-Decoder-11-Tool-Released.html
  12. Casey, E. (2002). Error, Uncertainty, and Loss in Digital Evidence. International Journal of Digital Evidence, 1 (2).
  13. Casey, E. (2005). Computer Crime and Digital Evidence: Forensic Science, Computers and the Internet. In Encyclopedia of Forensic and Legal Medicine. Oxford: Elsevier. doi: https://doi.org/10.1016/B0-12-369399-3/00062-8
  14. Casey, E. (2011). Digital Evidence and Computer Crime, Forensic Science, Computers and the Internet. In (Third Edition ed., chap. 1: Foundations of Digital Forensics). Elsevier Inc.
  15. Chisum, W. J., & Turvey, B. E. (2000). Evidence Dynamics: Locard's Exchange Principle & Crime Reconstruction. Journal of Behavioural Profiling, 1 (1).
  16. Chisum, W. J., & Turvey, B. E. (2007). A History of Crime Reconstruction. In Crime Reconstruction. Elsevier.
  17. Crown Prosecution Service (CPS). (2018). Guidelines on prosecuting cases involving communications sent via social media. Retrieved from https://www.cps.gov.uk/legal-guidance/social-media-guidelines-prosecuting-cases-involving-communications-sent-social-media
  18. Cusack, B., & Son, J. (2012). Evidence Examination Tools for Social Networks. In 10th australian digital forensics conference (pp. 33-40). SRI Security Research Institute, Edith Cowan University, Perth, Western Australia. doi: https://doi.org/10.4225/75/57b3afc1fb861
  19. DB4S Project. (n.d.). DB Browser for SQLite. Retrieved 2019-02-24, from http://sqlitebrowser.org
  20. Garfinkel, S. L. (2006). Forensic Feature Extraction and Cross-Drive Analysis. Digital Investigation, 3S, 71-81. Retrieved from http://citeseerx.ist.psu.edu/viewdoc/download?doi=
  21. Garfinkel, S. L. (2013). Digital media triage with bulk data analysis and bulk extractor. Computers & Security, 32 , 56-72. Retrieved from ttps://www.sciencedirect.com/science/article/pii/S0167404812001472 doi: https://doi.org/10.1016/J.COSE.2012.09.011
  22. Google Developers. (2018). Measurement Protocol Parameter Reference |Analytics Measurement Protocol | Google Developers. Retrieved 2019-03-04, from https://developers.google.com/analytics/devguides/collection/protocol/v1/parameters
  23. Haroon, S., & Carter, H. (2010). Facebook security measures criticised after Ashleigh Hall murder. The Guardian. Retrieved from http://www.theguardian.com/uk/2010/mar/09/ukcrime-facebook
  24. Huber, M., Mulazzani, M., Leithner, M., Schrittwieser, S., Wondracek, G., & Weippl, E. (2011). Social Snapshots: Digital Forensics for Online Social Networks. In Proceedings of the 27th annual computer security applications conference (pp. 113-122). New York, NY, USA: ACM. doi: https://doi.org/10.1145/2076732.2076748
  25. Jang, Y. J., & Kwak, J. (2015). Digital forensics investigation methodology applicable for social network services. Springer Series in Multimedia Tools Appl, 74 , 5029-5040. Retrieved from https://link.springer.com/content/pdf/10.1007%2Fs11042-014-2061-8.pdf doi: https://doi.org/10.1007/s11042-014-2061-8
  26. Jonsson, P. (2011). 'Flash robs': How Twitter is being twisted for criminal gain [VIDEO]. The Christian Science Monitor. Retrieved from http://www.csmonitor.com/USA/2011/0803/Flash-robs-How-Twitter-is-being-twisted-for-criminal-gain-VIDEO
  27. Keyvanpour, M., Moradi, M., & Hasanzadeh, F. (2014, 01). Digital forensics 2.0: A review on social networks forensics. Studies in Computational Intelligence, 555 , 17-46. doi: https://doi.org/10.1007/978-3-319-05885-6-2
  28. Mabuto, E. K., & Venter, H. S. (2012). User-generated digital forensic evidence in graphic design applications. In Proceedings title: 2012 international conference on cyber security, cyber warfare and digital forensic (cybersec) (pp. 195{200). IEEE. Retrieved from http://ieeexplore.ieee.org/document/6246107/ doi: https://doi.org/10.1109/CyberSec.2012.6246107
  29. McGuire, M. (2019a). Into The Web of Profit: Social Media Platforms and the Cybercrime Economy. Bromium. Retrieved from https://www.bromium.com/wp-content/uploads/2019/02/Bromium-Web-of-Profit-Social-Platforms-Infographic.pdf
  30. McGuire, M. (2019b). Social Media Platforms and The Cybercrime Economy: The next chapter of Into The Web of Profit. Bromium.
  31. McKemmish, R. (2008). When is Digital Evidence Forensically Sound? Advances in Digital Forensics, IV , 3-15.
  32. Moore, K. (2014). Social media 'at least half ' of calls passed to front-line police. BBC News. Retrieved from https://www.bbc.co.uk/news/uk-27949674
  33. Murr, M. (2007). The admissibility vs. weight of digital evidence | Forensic Computing. Retrieved 2019-04-14, from https://forensicblog.org/the-admissibility-vs-weight-of-digital-evidence/
  34. NirSoft. (2018a). FullEventLogView.Retrieved from https://www.nirsoft.net/utils/full event log view.html
  35. NirSoft. (2018b). MZCacheView. Retrieved from https://www.nirsoft.net/utils/mozilla cache viewer.html
  36. Oh, J., Lee, S., & Lee, S. (2011). Advanced evidence collection and analysis of web browser activity. Digital Investigation, 8, Supplem(0), S62-S70. Retrieved from http://www.sciencedirect.com/science/article/pii/S1742287611000326 doi: https://doi.org/10.1016/j.diin.2011.05.008
  37. Osborne, B. (2010). Twitter sees more active users, but also attracts more criminal activity.
  38. Geek Website. Retrieved from http://www.geek.com/news/twitter-sees-more-active-users-but-also-attracts-more-criminal-activity-1130461/
  39. Powell, A., & Haynes, C. (2019). Social Media Data in Digital Forensics Investigations. Digital Forensic Education, 281-303.
  40. Press Association. (2014). Peter Nunn jailed for abusive tweets to MP Stella Creasy. Retrieved from https://www.theguardian.com/uk-news/2014/sep/29/peter-nunn-jailed-abusive-tweets-mp-stella-creasy
  41. Rankin, B. (2010). Send in the 'Twitter squad': Police forces may need dedicated to cope with rising social media crime. Mirror News. Retrieved from http://www.mirror.co.uk/news/technology-science/technology/rocketing-crime-complaints-involving-social-1507527
  42. Richards, J. (2007). Sex offenders can use social sites, say police - Times Online (Vol. 2010).
  43. Select Committee on Communications. (2014). CHAPTER 2: SOCIAL MEDIA AND THE LAW. Retrieved from https://publications.parliament.uk/pa/ld201415/ldselect/ldcomuni/37/3702.htm
  44. Shaw, U., Das, D., & Mehdi, S. P. (2016). Social Network Forensics: Survey and Challenges. International Journal of Computer Science and Information Security (IJCSIS), 14 (11), 310-316.
  45. Sommer, P. (1999). Intrusion Detection Systems as Evidence. Computer Networks, 31 (23 -24), 2477-2487.
  46. Taylor, M., Haggerty, J., Gresty, D., Almond, P., & Berry, T. (2014). Forensic investigation of social networking applications. Digital Investigation, 11 , 9-16.
  47. Telerik. (2018). Fiddler - Free Web Debugging Proxy - Telerik. Retrieved from https://www.telerik.com/fiddler
  48. Ultimate IT Security. (2014). Windows Security Log Encyclopedia. Retrieved 2019-01-18, from https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx
  49. Woan, M. (2013). PrefetchForensics. GitHub. Retrieved from https://github.com/woanware/woanware.github.io/blob/master/downloads/PrefetchForensics.v.1.0.4.zip
  50. Wood, C. (2018). WhatsApp photo drug dealer caught by 'groundbreaking' work. BBC News. Retrieved from https://www.bbc.co.uk/news/uk-wales-43711477
  51. X-Ways Software Technology, AG. (2018). WinHex. WinHex: Computer Forensics & Data Recovery Software, Hex Editor & Disk Editor. Retrieved from https://www.x-ways.net/winhex/
  52. Zainudin, N. M., Merabti, M., & Llewellyn-Jones, D. (2011). Online social networks as supporting evidence: A digital forensic investigation model and its application design. In 2011 international conference on research and innovation in information systems (pp. 1-6). doi: https://doi.org/10.1109/ICRIIS.2011.6125728



To view the content in your browser, please download Adobe Reader or, alternately,
you may Download the file to your hard drive.

NOTE: The latest versions of Adobe Reader do not support viewing PDF files within Firefox on Mac OS and if you are using a modern (Intel) Mac, there is no official plugin for viewing PDF files within the browser window.