The use of social media has spread through many aspects of society, allowing millions of individuals, corporate as well as government entities to leverage the opportunities it affords. These opportunities often end up being exploited by a small percentage of the user community who use it for objectionable or unlawful activities; for example, trolling, cyber bullying, grooming, luring. In some cases, these unlawful activities result in investigations where swift retrieval of critical evidence required in order to save a life.

This paper presents a proof of concept (PoC) framework for social media user attribution. The framework aims to provide digital evidence that can be used to substantiate user activity in live triage investigations. This paper highlights the use of live triage as a viable technique for the investigation of social media activity, contextualizing user activity and attributing actions to users. It discusses the reliability of artefacts other than the communications content as a means of drawing inferences about user social media activity, taking into account the proportionality and relevance of such evidence.


7safe. (2014). The ACPO Good Practice Guide for Managers of e-Crime investigation. www.7safe.com

ACPO. (2012). Good Practice Guide for Digital Evidence. http://library.college.police.uk/docs/acpo/digital-evidence-2012.pdf

Arshad, H., Jantan, A., & Omolara, E. (2019). Evidence collection and forensics on social networks: Research challenges and directions. Digital Investigation, 28, 126–138.

Ballenthin, W. (2019). python-evtx. https://github.com/williballenthin/python-evtx

Bancel, J.-R. (2015). Chromagnon (SNSS Branch). https://github.com/JRBANCEL/Chromagnon/tree/SNSS

Bashir, M. S., & Khan, M. N. A. (2013). Triage in Live Digital Forensic Analysis. The International Journal of Forensic Computer Science, 1, 35–44. https://doi.org/10.5769/J201301005

Basis Technology. (2020). Free Autopsy Training. https://www.autopsy.com/support/training/covid-19-free-autopsy-training/

Bello, M., & DiBlasio, N. (2013). Twitter: The new face of crime. http://www.usatoday.com/story/news/nation/2013/09/29/twitter-crime-dark-side/2875745/

Benson, R. (2019). Hindsight. https://github.com/obsidianforensics/hindsight

Blumenbach, T. (2015). mozlz4a.py. https://gist.github.com/Tblue/62ff47bef7f894e92ed5

Cambridge University Press. (2019). Cambridge Dictionary [Online]. http://dictionary.cambridge.org/

Cantrell, G., & Dampier, D. A. (2012). Implementing the Automated Phases of the Partially-automated Digital Triage Process Model. Journal of Digital Forensics, Security and Law, 7(4), Article 4. https://commons.erau.edu/jdfsl/vol7/iss4/5/

Cantrell, G., Dampier, D., Dandass, Y. S., Niu, N., & Bogen, C. (2012). Research toward a Partially-Automated, and Crime Specific Digital Triage Process Model. Computer and Information Science, 5(2), Article 2. https://doi.org/10.5539/cis.v5n2p29

Carrier, B. (2020). Autopsy 4.15.0. https://github.com/sleuthkit/autopsy/releases/

Casey, E. (2013). Triage in digital forensics. Digital Investigation, 10, 85–86.

Casey, E. (2004). Digital evidence and computer crime: Forensic Science, Computers and the Internet. Elsevier Academic Press, 215.

Casey, E. (2011). Digital Evidence and Computer Crime, Forensic Science, Computers and the Internet(Third Edition). Elsevier Inc.

Cusack, B., & Son, J. (2012). Evidence Examination Tools for Social Networks. 10th Australian Digital Forensics Conference, 33–40. https://doi.org/10.4225/75/57b3afc1fb861

Dance, F. E. X. (1967). Towards a Theory of Human Communication (In Human Communication Theory: Original Essays). Holt, Rinehart and Winston, New York.

David, A., Morris, S., & Appleby-Thomas, G. (2020). A Two-Stage Model for Social Network Investigations in Digital Forensics. Journal of Digital Forensics, Security and Law, 15(1), Article 1. https://commons.erau.edu/jdfsl/vol15/iss2/1

DFRWS. (2001). A Road Map for Digital Forensic Research: DFRWS Technical Report (DTR – T001–01; Number DTR - T001-01, pp. 1–42). DFRWS: Digital Forensic Research Workshop.

Garfinkel, S. L. (2013). Digital media triage with bulk data analysis and bulk_extractor. Computers & Security, 32, 56–72. https://doi.org/10.1016/J.COSE.2012.09.011

Gielen, M., & Bolzoni, D. (2014). Prioritizing Computer Forensics Using Triage Techniques. https://essay.utwente.nl/65671/1/Gielen_MA_EWI.pdf

Haroon, S., & Carter, H. (2010). Facebook security measures criticised after Ashleigh Hall murder. http://www.theguardian.com/uk/2010/mar/09/ukcrime-facebook

Hitchcock, B., Le-Khac, N.-A., & Scanlon, M. (2016). Tiered forensic methodology model for Digital Field Triage by non-digital evidence specialists. Digital Investigation, 16(Supplement), S75–S85. https://doi.org/10.1016/j.diin.2016.01.010

Hubert, K. (2014). Evidence Collection From Social Media Sites. SANS Institute Information Security Reading Room. https://www.sans.org/reading-room/whitepapers/legal/evidence-collection-social-media-sites-35647

Jusas, V., Birvinskas, D., & Gahramanov, E. (2017). Methods and Tools of Digital Triage in Forensic Context: Survey and Future Directions. Multidisciplinary Digital Publishing Institute (MDPI), 9(4), 49. https://doi.org/10.3390/sym9040049

Littlejohn, S. W. (1992). Theories of Human Communication (p. 417). Wadsworth Pub. Co.

Marcella, A. J., & Menendez, D. (2007). Cyber Forensics: A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crime (Second Edition). CRC PRESS - TAYLOR AND FRANCIS.

McKemmish, R. (2008). When is Digital Evidence Forensically Sound? Advances in Digital Forensics, IV, 3–15.

Montasari, R. (2016). Formal Two Stage Triage Process Model (FTSTPM) for Digital Forensic Practice. International Journal of Computer Science and Security (IJCSS), 10(2), 69–87. https://pure.hud.ac.uk/en/publications/formal-two-stage-triage-process-model-ftstpm-for-digital-forensic

Moore, K. (2014). Social media ‘at least half’ of calls passed to front-line police. https://www.bbc.co.uk/news/uk-27949674

Mukasey, M. B., Sedgwick, J. L., & Hagy, D. W. (2008). Electronic Crime Scene Investigation: A Guide for First Responders, Second Edition. U.S. Department of Justice (National Institute of Justice). https://www.ncjrs.gov/pdffiles1/nij/187736.pdf

Parsonage, H. (2009). Computer Forensics Case Assessment and Triage. http://computerforensics.parsonage.co.uk/triage/ComputerForensicsCaseAssessmentAndTriageDiscussionPaper.pdf

Robertson-Steel, I. (2006). Evolution of triage systems. Emergency Medicine Journal, 23(2), 154–155. https://doi.org/doi:10.1136/emj.2005.030270

Rogers, M. K., Goldman, J., Mislan, R., Wedge, T., & Debrota, S. (2006). Computer Forensics Field Triage Process Model. Journal of Digital Forensics, Security and Law, 1(2), Article 2. https://doi.org/10.15394/jdfsl.2006.1004

Roussev, V., & Quates, C. (2012). Content triage with similarity digests: The M57 case study. Digital Investigation, 9, S60–S68. https://doi.org/10.1016/j.diin.2012.05.012

Russinovich, M. (2016). PsTools Suite Windows Sysinternals | Microsoft Docs. https://docs.microsoft.com/en-us/sysinternals/downloads/pstools

Russinovich, M. (2018). Process Monitor - Windows Sysinternals | Microsoft Docs. https://docs.microsoft.com/en-us/sysinternals/downloads/procmon

Select Committee on Communications. (2014). CHAPTER 2: SOCIAL MEDIA AND THE LAW. House of Lords. https://publications.parliament.uk/pa/ld201415/ldselect/ldcomuni/37/3702.htm

Shaw, U., Das, D., & Mehdi, S. P. (2016). Social Network Forensics: Survey and Challenges. International Journal of Computer Science and Information Security (IJCSIS), 14(11), 310–316.

Sommer, P. (1999). Intrusion Detection Systems as Evidence. Computer Networks, 31(23–24), 2477–2487.

TWGECSI. (2001). Technical Working Group Electronic Crime Scene Investigation - Electronic Crime Scene Investigation: A Guide for First Responders.

Twitter Help Center. (2019). New user FAQs. https://help.twitter.com/en/new-user-faq

Wiles, J., & Reyes, A. (2007). Incident Response: Live Forensics and Investigations. In The Best Damn Cybercrime and Digital Forensics Book Period (pp. 89–109). Syngress.

WinPython. (2019). winpython. https://github.com/winpython/winpython

Zimmerman, E. (2019). Prefetch Explorer Command Line - PECmd version https://github.com/EricZimmerman/PECmd





To view the content in your browser, please download Adobe Reader or, alternately,
you may Download the file to your hard drive.

NOTE: The latest versions of Adobe Reader do not support viewing PDF files within Firefox on Mac OS and if you are using a modern (Intel) Mac, there is no official plugin for viewing PDF files within the browser window.