Chapter 7: Open-source sites and Facebook

Open-source evidence is that which can be obtained freely online and is not protected by passwords or other restrictions. It is visible to an inquiry and is available to be viewed and copied without the requirement for a search warrant or other legal instrument in many jurisdictions. Even though social media data is freely available, it can be seen as being as valuable a source of evidence as that located within the crime scene.

Numerous websites provide a wide range of information that may be useful to an investigator depending on their circumstances. These may range from social media accounts such as Facebook to knowing what the weather conditions were at a certain location which may be useful in a historical homicide investigation. There are many suppliers of specialist courses providing training in this field; such is the value and availability of open-source data.

In this chapter, we will provide a brief snapshot of examples of the many forms of open-source material available. The evidence you obtain may lead to more formal inquiries being undertaken such as the service of court documents on a social media provider to obtain an extension of the valuable data you have located through open-source inquiries.

The data on open-source sites may be volatile, and the subject may have provided false information when registering for a site or using it. Then again, the information could be true and verifiable. Beware of the trap of always thinking the person you are investigating would have taken or not taken a particular course of action because of your own personal reaction and hypothetical response to the situation. It can be seen as overthinking the actions of a suspect. People make mistakes in the online environment, and the person you are investigating may have unknowingly left valuable information available online.

This chapter references many sources of open-source evidence. The names and web addresses of these sites may change, and new and more informative sites may become available. When seeking online evidence, consider using the services of trained professionals who know and understand this environment and any legal considerations. The investigator who does not understand the tradecraft of open-source research may leave evidence of their investigations which may be picked up by a suspect, alerting them that they are under investigation.

The tradecraft of online investigations is not necessarily a straightforward process. Specialist investigation courses and books from trained industry professionals are available for those investigators seeking an introduction to this subject, and one such book worth looking at is “Open-Source Intelligence Techniques” by Michael Bazzell.[1]

One further point worth noting is being careful about the data you upload onto open-source sites. This is particularly relevant to sites that read email headers as you do not know what happens to the data once it is uploaded. Before using any site, it is worth looking at the End User Licensing Agreement (EULA) and understanding the terms and conditions of use, especially regarding the privacy of the data you upload. Sensitive data may not be appropriate to upload to an external online party for analysis.

Each section shall provide an introduction to the topic and a discussion as to how it may assist the investigator. Then the variety of evidence available will be discussed, listing sources of evidence worth looking at. Web sites are identified that may be of value to you, and no representation is made regarding these sites other than they may be of value to you.

An individual wondering how much of their personal life is resident on open-source websites may find that many features of their lives that they thought were private have been uploaded. This includes location data from check-in sites or training data gathered from fitness devices.

It is the responsibility of the person seeking and obtaining the open-source information to ensure their actions are legal in the jurisdictions in which they operate as well as that where the data resides. Be prepared to make inquiries as well as seek legal advice when there is any doubt as to the legality of your activities.

The following section will detail a selection of categories of open-source websites and the evidence an investigator may locate.

Open-source sites

Archives

Websites such as the Internet Archive[2] store website pages as they were on a given date when a snapshot of the site was taken. This archive stores records for a decade or more and contains records of the evolution of a website since its inception. When the investigator is looking for evidence of representations made on a website as it was presented at the time of an alleged offence, the Internet Archive may store a copy of the site at or around the approximate date of the suspected offence.

The site does not always store active links; however, there may be multiple images of the subject website saved in any year.

Business records

The internet is full of business records showing everything from the date of the establishment of a business to who the officeholders are, as well as all the details that may be accessed from annual returns. Depending upon the laws of the jurisdiction in which you are operating, financial records may be accessible.

Cryptocurrencies

Cryptocurrencies are the pathway many criminals, cyber and otherwise, use to finance their enterprise. Cryptocurrencies are designed to be very complex for investigators to navigate and seek attribution. Sites such as Blockchain.com[3] may show all the transactions involving a wallet.

Dark web

The dark web is a portion of the internet that requires specific applications to visit. Criminals use the dark web and associated applications such as The Onion Router (TOR)[4] browser as it provides a higher level of operational security and makes identifying them significantly more difficult.

Criminal markets operate where a wide range of criminal goods and services are traded. Outside of the marketplaces, individual vendors on the dark web trade criminal goods and services.

Investigating the dark web requires a more advanced level of tradecraft than a general internet user has. It is recommended to use the services of an investigator who has had specialist training and has learnt the tradecraft of safely navigating the dark web and seeking evidence.

Dashboards

A dashboard provides a clear representation of multiple sources of data. An example of a dashboard is Hootsuite. This site allows you to open multiple online accounts and view them in an easy-to-view format.

Dashboards are a helpful way of conveniently viewing multitudes of online data.

Domain name and WHOIS searches

To link an owner to a domain name, a WHOIS search is of assistance. Unfortunately, there is no verification process for the content placed on the registration details, meaning it is common to find false information as to the account owner. Also, services exist where the details of the account owner are hidden and cannot be accessed by open-source inquiries.

A Domain Name System (DNS) search will provide information that may be of assistance, including locating the DNS or email server. It may also identify Internet Protocol addresses the domain is linked to.

Email addresses

Email addresses may be valuable in identifying a direction for further inquiries. They may also provide the name of the provider of the account where follow-up inquiries may be made.

Email addresses are often the unique identifier to many social media and other online accounts. Searches of email addresses can provide a schedule of all the online sites where that email address is linked.

An email address may be a primary identifier or a recovery address. Both can lead the investigator to further inquiries.

Emulation

An emulator allows a person to represent that they are using a different device from the one they are actually using. For example, a person using a desktop computer may have reason to make online inquiries where their digital fingerprints show they are operating a mobile device.

Forums

Forums are very valuable as people often make comments in these spaces that they would not normally make. This is because they believe they are anonymous and there will be no attribution or consequences to their comment.

People also use identifiers on forums such as usernames which they keep across many online platforms they operate, as well as incorporating the username into an email address. Sometimes, their forum identifier is the same as their email identifier.

Geolocation

Identifying the location of a person can be of great assistance to an investigator. Online maps that overlay data provided can be useful to locate the physical address of an individual. The accuracy of the data may be very precise or provide a close approximation of the location.

Image searches

Services such as Google Reverse Image[5] and TinEye[6] allow a user to upload an image that can be searched across databases to see where on the internet that image can be located. For example, online relationship fraudsters provide images to their victims that they have taken from online accounts to represent themselves. A reverse image search often locates that image as being used by fraudsters, providing victims with the knowledge they are speaking to a fraudster.

Internet Protocol address searches

An Internet Protocol (IP) address search tells an investigator who the Internet Service Provider is for follow-up inquiries to be made. This is the first step in identifying whose user account and IP address is being used by a suspect.

Language Translation

Translation services provide a basic form of communication and understanding of a language the investigator is unfamiliar with. Due to the many nuances of the many languages in the world, they provide a workable translation; however, this would not be relied upon as a definitive interpretation or as evidence in court where an accurate translation is required.

As a word of warning, be careful about uploading any sensitive communications onto a third-party service as once uploaded, you may have no control over how the communication is used by the service.

Maps

Maps provide a particularly useful understanding of a location. For example, when planning a search warrant on an address, understanding the neighbourhood provides methods of approach to the scene, avenues of possible escape by the suspect and other areas of interest. The investigator may make a physical reconnaissance of the address to corroborate the accuracy of the map.

Maps can also have GPS data uploaded where a route of travel can be visually represented.

Metadata

Metadata is commonly known as data about data. The metadata tells a lot about the document, spreadsheet or image including creation time, number of times it has been accessed, by whom etc. Metadata provides corroboration as to the authenticity of a document, spreadsheet or image.

In the online environment, the metadata of an email header may clearly identify the pathway the email has travelled from sender to receiver.
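The pathway described above can be read locally from the `Received` headers, without uploading the message to a third-party site. The following is an added example, not part of the original chapter; the sample message, hosts and addresses are constructed, and the function names `parse_hops` and `hop_delays` are hypothetical.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message: reserved example domains and documentation IP ranges only.
SAMPLE_MESSAGE = """\
Received: from mx.recipient.example (mx.recipient.example [203.0.113.25])
\tby mailstore.recipient.example with ESMTPS id abc123
\tfor <user@recipient.example>; Tue, 05 Mar 2024 10:15:09 +0000
Received: from relay.sender.example (relay.sender.example [198.51.100.7])
\tby mx.recipient.example with ESMTPS id def456;
\tTue, 05 Mar 2024 10:15:04 +0000
Received: from [192.0.2.44] (unknown [192.0.2.44])
\tby relay.sender.example with ESMTPSA id ghi789;
\tTue, 05 Mar 2024 10:14:58 +0000
From: "Sender" <sender@sender.example>
To: user@recipient.example
Subject: Constructed sample
Date: Tue, 05 Mar 2024 10:14:57 +0000

body
"""

_FROM = re.compile(r"\bfrom\s+(\S+)", re.I)
_BY = re.compile(r"\bby\s+(\S+)", re.I)
_BRACKETED = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def _first_ip(text):
    """Return the first bracketed literal that is a valid IPv4/IPv6 address."""
    for candidate in _BRACKETED.findall(text):
        try:
            return str(ipaddress.ip_address(candidate))
        except ValueError:
            continue
    return None


def parse_hops(raw_message):
    """Return the Received hops in chronological order (sender side first).

    Each server prepends its own Received line, so the header order is
    newest-first and has to be reversed.
    """
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received") or []:
        flat = " ".join(value.split())          # undo header folding
        info, _, stamp = flat.rpartition(";")   # timestamp follows the last ';'
        try:
            when = parsedate_to_datetime(stamp.strip())
        except (TypeError, ValueError):
            when, info = None, flat             # malformed or missing date
        sender = _FROM.search(info)
        receiver = _BY.search(info)
        hops.append({
            "from": sender.group(1) if sender else None,
            "by": receiver.group(1) if receiver else None,
            "ip": _first_ip(info),
            "time": when,
        })
    hops.reverse()
    return hops


def hop_delays(hops):
    """Seconds between consecutive hops; None where a timestamp is unusable."""
    delays = []
    for earlier, later in zip(hops, hops[1:]):
        try:
            delays.append((later["time"] - earlier["time"]).total_seconds())
        except TypeError:                       # missing or naive/aware mismatch
            delays.append(None)
    return delays


if __name__ == "__main__":
    path = parse_hops(SAMPLE_MESSAGE)
    for number, hop in enumerate(path, 1):
        print(number, hop["from"], "->", hop["by"], hop["ip"], hop["time"])
    print("delays (s):", hop_delays(path))
```

Only the `Received` lines added by servers the recipient controls or trusts are reliable; lines beneath them were written upstream and can be forged, and a negative or missing delay is a prompt to check for clock skew or a fabricated hop.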

News

There are numerous online news websites, and many are not behind a paywall. News aggregators link prominent stories from many sites which the proprietor of the aggregator site considers may be of interest to their readers. The news site Drudge Report[7] is one of the most popular news aggregator sites online and includes general and political news.

Open-Source Intelligence toolkits

These are sites that contain a wide range of Open-Source Intelligence (OSINT) websites that may be of benefit to the user. These would be a valuable place to start inquiries as they contain many sources that may be helpful in finding a wide range of data to advance an investigation.

People finder

There are many examples of people finder websites, with many being focused on the United States. However, new sites are appearing regularly, and they become a central repository of different forms of data about people including current and former residential addresses.

Photographic analysis

Data can be hidden within a photograph, and this is called steganography. It is a way of effectively hiding an image in clear view, even if it requires an application to extract the hidden image.

Photographs submitted to an online environment may also contain data such as the GPS coordinates of where the image was taken, when it was taken and the type of camera used.

Relationship profiles

Online dating sites contain a lot of information about individuals as they seek a partner. A detailed online relationship profile will include details about the person’s past, present and the type of person they seek to meet. It will also include personal details about the individual including age, location, and personality.

In the hands of a fraudster, this is valuable information to build a social engineering fraud targeted to what they perceive as the human vulnerabilities in the profile such as hopes for a better future.

To the investigator, this profile may provide images of a person they are investigating regarding an unrelated matter as well as details about their life that were previously unknown.

Search engines

There are many search engines available beyond the most obvious ones, Google, Yahoo and Bing. Some are of value in different geographical regions where residents adopt search engines other than Google.

Search engines operate as per the coding and web scraping of individual organisations; consequently, they may not always produce the same results. A comparison of Google vs Bing shows that there may be slightly different results among these prominent search engines when the same search term is entered. This does not indicate any fault with the search engines; it highlights the value of using different search engines to advance your online inquiries where different results may be identified.

Telephone numbers

Telephone numbers are useful for linking people to events. They can also be used to link a number to an online account where the phone number is used as an identifier, for account recovery or for verification in two-factor authentication.

Usernames

People use specific identifiers across the many online sites to which they belong. Some people use the same identifier across all the sites they travel to, and others will use a unique username for each site they attend. This decision is unique to each user.

A username may be based on a name, event or object relevant to an individual. Alternatively, some are computer-generated by a site or options are offered. A username may be the same as the identifier in an email address.

The username/identifier located on a site tells you something about the user. If you locate a distinctive name, it may be able to be linked to a suspect where that name has a specific relevance. A useful investigative strategy is to conduct a search on a username across many social media sites to see where that identifier appears.

The investigator may find this useful as it allows them to identify more information about the suspect, including potentially their real identity. Of note, however, the investigator still needs to confirm that the identifiers across all the sites belong to the same person.

Videos

Sites such as YouTube present videos generated by users for viewing by others. YouTube is also a legitimate location of open-source investigation where a person’s behaviour and lifestyle can be viewed. A fraudster may place videos or images of their lifestyle on Facebook or Instagram which the investigator can compare to their legitimate income. Videos can also provide information about a person of interest regarding their appearance, contacts and previously visited locations.

Web page resources

Web page resources may include resources to image a web page/site, metrics about the web traffic on a site, archive websites in their state at a specific time or conduct an analysis of the structure of a website. The legality of any action depends on the laws in your jurisdiction, and this should be kept in mind when conducting any form of online inquiry including copying websites.

Web site imaging

This involves taking a complete copy of a website including its underlying coding. An investigator may find this exercise useful when attempting to investigate a scam website, for example where multiple sites are operated by the scammer using the exact same code and formatting, providing evidence they are created by the same person or group.

An image and examination of the code may also identify unique comments in the coding structure which tell the programmer the reason for the block of code’s existence. These comments may be identified as unique to an individual and, depending on the circumstances of the case, assist in identifying or linking an individual to a website.
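The comparison described above, where lawfully obtained copies of two sites are checked for the same underlying code and the same developer comments, can be sketched as follows. This is an added example, not part of the original chapter; the three pages are constructed samples and the names `PageFingerprint` and `compare` are hypothetical.

```python
from difflib import SequenceMatcher
from html.parser import HTMLParser

# Constructed sample pages. A and B differ in visible text and links only;
# C is an unrelated page used as a control.
SITE_A = """<html><head><title>Best Deals Outlet</title></head><body>
<!-- kz-build 0.3: swap payment iframe before launch -->
<div class="hero"><h1>Best Deals Outlet</h1></div>
<div class="grid"><a href="/p/1"><img src="1.jpg"></a><a href="/p/2"><img src="2.jpg"></a></div>
<form class="pay"><input name="card"><input name="cvv"><button>Pay</button></form>
</body></html>"""

SITE_B = """<html><head><title>Mega Savings Store</title></head><body>
<!--   kz-build 0.3: swap payment iframe before launch   -->
<div class="hero"><h1>Mega Savings Store</h1></div>
<div class="grid"><a href="/item/9"><img src="a.png"></a><a href="/item/8"><img src="b.png"></a></div>
<form class="pay"><input name="card"><input name="cvv"><button>Buy now</button></form>
</body></html>"""

SITE_C = """<html><head><title>Town Library</title></head><body>
<!-- opening hours table -->
<table><tr><td>Mon</td><td>9-5</td></tr></table>
<p>Contact the front desk.</p>
</body></html>"""


class PageFingerprint(HTMLParser):
    """Collects developer comments and the sequence of tags (with CSS class)."""

    def __init__(self):
        super().__init__()
        self.comments = set()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        css_class = dict(attrs).get("class")
        self.tags.append(f"{tag}.{css_class}" if css_class else tag)

    def handle_comment(self, data):
        text = " ".join(data.split())   # ignore spacing differences
        if text:
            self.comments.add(text)


def fingerprint(html):
    parser = PageFingerprint()
    parser.feed(html)
    parser.close()
    return parser


def compare(html_one, html_two):
    """Return shared comments and a 0..1 similarity of the tag skeletons."""
    one, two = fingerprint(html_one), fingerprint(html_two)
    ratio = SequenceMatcher(None, one.tags, two.tags).ratio()
    return {
        "shared_comments": sorted(one.comments & two.comments),
        "structure_similarity": round(ratio, 3),
    }


if __name__ == "__main__":
    print("A vs B:", compare(SITE_A, SITE_B))
    print("A vs C:", compare(SITE_A, SITE_C))
```

A shared comment or skeleton that comes from a widely used template or site builder is weak evidence on its own, so matches should be weighed against how distinctive the shared material is.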

Analyzing the amount of web traffic to a site can give the investigator an indication of how popular a site has been and may provide statistics on how many people have visited a site. In a fraud case, a suspect may try and minimize their culpability by explaining their fraudulent website had next to no web traffic so they did not have the opportunity to defraud many people, but website analytics may paint an entirely different picture.

Obtaining an image of a previous version of a website is useful to see how a site has developed. It can also present names and contacts associated with the site that were previously unknown. This data may also show details of when a specific site first appeared online and representations made on the products and services page. Further, it may show the qualifications and experiences of the people represented on the site.

Website analysis can be useful in an active investigation. One example of its value is setting up an automatic alert that advises when aspects of a website change, alerting the investigator to the potential of obtaining new information.

Facebook data collection

Social media is the collective term for platforms where members provide content about their personal and professional lives to share with selected others and/or everyone. A social media company provides the platform and all required applications to make the site as user-friendly to the user as possible. People share numerous aspects of their lives online, often without being aware of the volume and personal nature of the information.

As the majority of social media platforms are free, the cost associated with providing the service is generated in other ways such as advertising and the sale of user data within the boundaries of the End User License Agreement the user agrees to when they join the platform. Operating a social media platform such as Facebook does not come cheap, and the money to operate it and make a profit comes from these sources.

Social media platforms are a network for persons to share information and where corporate entities record as much data as they can to profile their clients and tailor content for them using highly guarded algorithms. There is a multitude of data available online to advance investigations should you have the knowledge and skills to do so.

Due to the prominence of Facebook amongst social media sites, it is worth providing an analysis of the data they collect from users as an example of how this may be used by an investigator should they be able to gain lawful and ethical access to this data. Other social media sites collect data on their users, and this is examined in more detail in Chapter 6 relating to apps on mobile devices. 

Facebook, owned by Meta, has provided an extensive list of all the data they collect from users in their Privacy Policy.[8]

Facebook user data collection examples include:[9],[10],[11],[12],[13]

  • Advertisements you interact with.
  • Address book.
  • Apps and their features used and your interaction with them.
  • Audio.
  • Camera roll.
  • Clicks.
  • Comments.
  • Connection and download speed.
  • Contacts details.
  • Content you interact with.
  • Cookie details.
  • Device you are using to access Meta products.
  • Device language.
  • Email address.
  • Family device IDs.
  • Friends.
  • Followers and what they do on Meta products.
  • GPS locations.
  • Groups.
  • Hashtags you use.
  • Identifiers including device IDs, mobile advertising IDs, or IDs from games, apps or accounts you use.
  • Information about other devices that are nearby or on your network.
  • Internet Protocol address.
  • Messages sent (non-encrypted).
  • Metadata about content and messages subject to local legislation.
  • Network capability.
  • Network connection details.
  • Phone number.
  • Posts.
  • Photos.
  • Purchases or other transactions you make including credit card information.
  • Signals from your device including GPS, Bluetooth signals, nearby Wi-Fi access points, beacons and cell towers.
  • Software you are using to access Meta products.
  • Time, frequency and duration of your activities on Meta products.
  • Time zone.
  • Voice enabled features.
  • Websites you visit.
  • What you are doing on your device including whether the app is foreground and the mouse is moving.
  • What you do on their products.
  • Wi-Fi hotspots you connect to using Meta products.

Meta also receives information from partners and other third parties including:[14],[15]

      • Ads you interact with.
      • Advertising device ID.
      • Apps used.
      • Cookie data.
      • Content viewed.
      • Demographics.
      • Device information.
      • Education level.
      • Email address.
      • Games played.
      • How you use partners’ products and services.
      • Logging into an app using Facebook.
      • Opening an application.
      • Purchases (non-Meta).
      • Purchases and transactions of Meta products using non-Meta checkout experiences.
      • Searches on site.
      • Shopping basket details.
      • Websites visited.

Facebook shares information gathered from their corporate entities such as Instagram, Messenger, Facebook Portal Products, Shops, Marketplace, Spark AR, Meta Business Tools, Meta Audience Network, Facebook View, Meta Pay and Meta Checkout experiences.  WhatsApp and Novi are other Meta entities.[16]

A user or investigator with legal authority may access the account of a Facebook user to access data within the profile. This will include the data that has been listed above as well as user-generated content such as messages and posts. How this advances your investigation will depend on the circumstances of the matter you are investigating.

Facebook advises that there are multiple categories of data available in your Facebook settings that can be remotely viewed and accessed by the account owner.[17] The downloaded file is very comprehensive and will most likely contain data the account holder was unaware of being stored. Of note, the account must be lawfully accessed to gain access to this data or sought through a legal instrument such as a search warrant.

Facebook lists these categories as:[18]

      • Your activity on Facebook.
      • Personal information.
      • Connections.
      • Logged information.
      • Security and login information.
      • Apps and websites off Facebook.
      • Preferences.
      • Advertisement information.

There is a quantity of data within each section, and it is of benefit to the investigator to understand what this is and be able to apply it to their investigation.

Facebook provides users with a very helpful option where they can download their activity whilst on the site. A long-time user of Facebook may be surprised to see the volumes of data collected. An investigator who has lawful access to a person’s Facebook account and is able to download the data may find that it provides evidence of facts in the investigation. The information downloaded follows the headings listed above and contains many subheadings with more information.

Facebook Activity Data

Facebook advises that information is available to users[19] and is set out under the following data subheadings.

Downloaded Data

Your activity across Facebook

 

Saved items and collections.

A list of the posts you’ve saved and your activity within collections.

Voting

Location and preferences in Town Hall and the Voting Information Centre.

  • Voting location.
  • Voting reminders.

Messages

Messages you’ve exchanged with other people on Messenger.

  • Auto-fill information.
  • Secret conversations.

Posts

Posts you’ve shared on Facebook, posts that are hidden from your timeline and polls you’ve created.

Pages

Your Pages, Pages that you’ve liked or recommended, followed or unfollowed.

  • Pages and profiles that you follow.
  • Pages you’ve liked.

Polls

Polls that you’ve created and participated in.

Events

Your responses to events and a list of the events that you’ve created.

Facebook Gaming

Your Facebook Gaming profile and games you’ve played.

  • Your Page or group’s badges.

Your places

A list of places you’ve created.

Facebook payments

A history of payments that you’ve made through Facebook.

  • Payment history.

Facebook Marketplace

Items that you’ve sold, your Marketplace profile, your commute info and seller information.

  • Your transaction survey information.

Comments and reactions

Comments you’ve posted and posts and comments that you’ve liked or reacted to.

  • Likes and reactions.

Stories

Photos and videos you’ve shared to your story.

Bug Bounty

Your researcher data from the Bug Bounty programme.

Short videos

Your activity with short videos on Facebook.

Fundraisers

Fundraisers that you’ve created, joined or donated to.

  • Your fundraiser donation information.

Groups

Groups you belong to, groups you manage, and your posts and comments within the groups that you belong to.

  • Your answers to membership questions.
  • Your group membership activity.

Your problem reports.

Information that you’ve provided to report a problem.

Reviews

Reviews you’ve added about businesses and items.

Meta Spark

A list of your activity on Meta Spark.

Navigation bar

A menu that includes shortcuts to things such as notifications or groups.

  • Navigation bar activity.

Notes

Notes that you’ve published or drafted.

Shops 

Information about your shopping activity on Facebook.

Shopping.

Information about your shopping activity on Facebook.

Other activity

Other information and activity from different areas of Facebook.

  • Your recently followed history.

Personal information

Facebook Portal

Info associated with your Portal, such as favourites and photos on Superframe.

Profile information.

Your contact information, information in your profile’s “About” section, your life events, hobbies and music:

  • Profile update history.
  • Profile information.
  • Time zone.

Facebook Assistant

Info associated with your Facebook Assistant, such as contact pronunciations and relationships.

Facebook Accounts Centre

Control settings for connected experiences such as logging in and sharing stories and posts across Messenger, Facebook and Instagram.

  • Accounts Centre.

Other personal information

Other information that you’ve provided.

Connections

Friends

Your friends on Facebook, friend requests, friends you see more and see less.

  • People you may know.

Followers

People that you follow and people who follow you.

  • Who you’ve followed.

Supervision

Activity about accounts you supervise or that supervise your account.

Logged information

Your topics

A collection of topics determined by your activity on Facebook that is used to create recommendations for you in different areas of Facebook, such as Home and Video.

Location

Information related to your location.

  • Primary public location.
  • Primary location.

Music recommendations

Song recommendations on Facebook based on genres of music that you’ve interacted with.

Search

A history of your searches on Facebook.

  • Your search history.

Facebook News

Information about your activity and preferences for Facebook News.

  • Your locations.

Notifications

A history of your notifications on Facebook.

  • Notifications.

Your interactions on Facebook

A history of your interactions on Facebook.

  • Recently viewed.
  • Recently visited.

Activity messages

A history of your interaction’s messages on Facebook.

Privacy Checkup.

When you last started and finished a Privacy Checkup topic.

Bonuses

Information about bonus opportunities you’ve participated in.

Professional dashboard

Information about your activity on a professional dashboard.

Other logged information

Other information that Facebook logs about your activity.

  • Advertisement interests.

Security and login information

Technical information and logged activity related to your account.

  • Account recoveries without password changes.
  • Account activity.
  • Browser cookies.
  • Information about your last login.
  • IP address activity.
  • Logins and logouts.
  • Login protection data.
  • Your recent account recovery successes.
  • Record details.
  • When you’re logged in.
  • Your Facebook activity history.

Apps and websites off Facebook

Apps that you own and activity that we receive from apps and websites off Facebook.

  • Your activity off-Meta technologies settings.
  • Your activity off Meta technologies.

Feed

Actions you’ve taken to customise your Feed.

  • Controls.

Memories

Preferences and information from your past memories.

  • Your activity.

Preferences

Actions that you’ve taken to customise your experience on Facebook.

  • Language and locale.
  • Reels preferences.
  • Your device push settings.
  • Your watch settings.

Advertisement information

Your interactions with ads and advertisers on Facebook.

  • Ad preferences.
  • Advertisers using your activity or information.
  • Other categories used to reach you.

It is to be noted that users generate content and there is no guarantee it is true or can be relied upon by the investigator. Many users create false profiles for reasons that suit them. It is the nature of social media registrations that a user may provide true details about themselves, or entirely fake ones. In some instances, you may find the original data is correct; however, it may have been changed to fake details during the life of the account. In the latter instance, retrieving the original data will be of great benefit and can show the change in the use of the account from legitimate to other motives. It may also be interesting to see the time a suspect changed their account details and whether this has any relevance to your investigation.

The following section describes examples of the data Facebook collects about its members. The content and headings of data recorded in this section are expected to change over time; however, this list can be used as a guideline as to what information may be sought when investigating a Facebook profile and what an address may mean to an investigation. The location of this data within the profile may also change over time, but be aware that it is likely to exist.

In the examples below, we note where the data is accessible from the categories within the Activity Log within the web profile, the downloaded profile data facility or both.

In these examples, there is a brief description of what that activity does followed by a generic description of how that data may be of assistance to the investigator.  You will note some of the headings differ from the above list. The relevance of each section will depend upon the circumstances of the investigation; however, it is worth reviewing this section in its entirety to get a general understanding of the wide range of data a Facebook profile may provide the investigator.

Please note that the following Facebook data list is not exhaustive and provides examples only.

About Me: This can be found in the Activity Log and Downloaded Info. When a user sets up an account, they provide a basic outline of who they are such as education, interests, employment etc. This data will change over time and is useful to gain a basic understanding of the person.

Account Status History: This feature provides a schedule of the times a user has deactivated, disabled, deleted or reactivated their Facebook account.

Active sessions: This section stores all the data when a person uses their Facebook account including Internet Protocol address, cookie details, date, time and any information stored about the browser used. This is very valuable information for the investigator as it may link a user to a specific activity.

Address: Schedule of addresses provided by an account user. If this information has been provided by a user, it may provide a link from the account holder to a specific address within a defined range of dates.

Ads viewed: Provides a list of ads a user has viewed whilst on Facebook. This provides a list of what a user may be interested in and any goods they may have purchased.

Ads clicked on: Provides a list of ads a user has clicked on whilst on Facebook. As with ads viewed, this provides a list of what a user may be interested in and any goods they may have purchased.

Ad topics: Facebook uses the likes, interests, and timeline data to assess what ads a user may be interested in. An investigator may find this useful to help build a profile on their person of interest.

Advertising Id: A mobile device has a specific advertising identifier that is used to track browsing preferences across multiple websites a user visits. The ad identifier can be reset by a user meaning the tracking functionality is reduced. However, Facebook records all the ad identifiers. The identifier is used to show ads that may be determined to be most relevant to the user within the apps on their mobile device. As with previous examples of ads, this function helps show what items are likely to be of interest to a user based on browsing habits.

Alternate name: This may be any name that a person may make up. An investigator may find this useful to identify a suspect’s aliases, or nickname. In turn, this name may be a useful starting point to locate other profiles online this user may be associated with using that name.

Apps: This provides a schedule of all the apps the person has added. The investigator may find this useful to identify a list of specific apps such as encrypted communication apps or leads to unknown bank accounts.

Articles: A list of articles a user has viewed. This provides an insight into what a person is interested in.

Chat: Conversation history through Facebook. The investigator may find this useful in understanding the timeline and nature of a relationship between Facebook contacts. It may also provide evidence of the crime.

Chat Rules: Acknowledgement that the user accepts the terms and conditions of using the Facebook chat facility.

Check-ins: This can be found in the Activity Log and Downloaded Info. People like to check in to locations when they arrive to let people know where they are. To the investigator, this is useful to know places of interest to the account holder and when they were there.

Comments: Instances where the account owner has made comments about a post.

Connections: This can be found in the Activity Log. A connection is different to friends.

Contact details: Including name, phone number and email address if imported from a device.

Credit cards: These can be found in Account Settings. Identifiable when a person has made a purchase on Facebook. This may be useful when identifying new bank or credit accounts a suspect has.

Currency: Currency used in Facebook’s payments facility. This may provide an understanding of the geographic location of the target.

Current City: City where the user states they are resident.

Date of Birth: This is linked to the About section in the Activity Log.

Dating: Facebook has a dating section. Each time a user attends to this section, it is recorded.

Education: Information about the education and qualifications of the account holder. This may provide new lines of inquiry at the academic institute the user alleges they have attended.

Emails: Email addresses. These show a connection to individuals. They may also be directly related to the account holder and online searches of these addresses can be linked to new lines of inquiry.

Email Address Verification: When a person needs to verify their account with Facebook, it may be by email. These addresses can be seen as being of significance to the account holder and worthy of further examination. The chapter on open-source investigations contains detailed lines of inquiry that can be operated using email addresses.

Events: This can be found in the Activity Log. An event is a scheduled event that has been promoted on Facebook. An example of an event may be a protest march. A user may be invited to an event or join the event stating they intend or may attend.

Event contacts you’ve blocked: This involves blocking individuals or groups who have sent the user invitations to events. This may be useful in identifying relationships (or the lack of) between people and groups.

Event interactions: The events section of Facebook lists events people may wish to attend. This section shows the events pages the user has shown interest in and can be used to identify the issues a person is interested in.

Facebook live videos: Videos can be watched live, and this section records what videos a user has decided to watch in real-time.

Facebook watch topics for recommendations: Topics Facebook believes will be of interest to the account holder. These topics originate from a person’s history on Facebook and provide the investigator with an insight into the material a person views on the site and has interacted with.

Facial Recognition Data: Facebook identifies a person through the photos they are tagged in. Using the mathematical algorithms derived from these images, they locate other images of an identified individual on other users’ posts in which the individual was not tagged. This is a very powerful piece of technology for an investigator as a suspect may not be aware they are on another person’s Facebook page, and this provides evidence of their associations, both personal and by location.

Family: Identified family of an individual. This identifies potential new lines of inquiry in identifying a suspect’s associates.

Favourite quotes: A person may have a favourite quote they regularly use, and this may be listed in the About section of their profile. In some instances, this may be a quote they use in daily life or a tattoo they have. These clues may be used to link a person to a Facebook identity created in a covert name.

Followers: This is a list of people who are following the user. This data helps see if a person is interested in the activity of another, even if they are not accepted as friends.

Following: This can be found in the Activity Log. Following a person or another page means the user has an interest in the individual, business, organization, or group. It is of interest to them to the degree they want to be kept up to date with what is happening on their Facebook page.

Friends: This is a list of people the user is friends with. This information is useful for building relationships between people as well as confirming suspected relationships between people.

Friend Requests: This shows the list of friend requests received and sent by the user. It also includes the requests that have been seen but not accepted by the other person. A sent friend request shows an action to create a relationship with another and can be useful when the user denies knowing another or having ever made contact with them.

Friends you see less: This information is where a user has decided they wish to see less activity from a friend. This may be used to identify the closeness of a relationship between people or a change in status.

Fundraisers: Fundraiser events recently viewed by the user. This identifies a level of interest in the fundraising event that they may have later attended.

Gender: Identifies the gender the person has identified themselves to be.

Groups: Users can join groups of interest, and this can show subjects of interest. An investigator may, for example, be interviewing a person about hacking which the user denies having any knowledge of. However, their Facebook shows them to be a member of several groups who discuss this topic.

Group interactions: Interactions show a level of engagement between a user and a group they are a member of. Using the previous example, the user who denied having an interest in hacking may be seen as being an active member of the hacking groups they are engaged with, showing an active interest in the subject.

Groups visited: These are the most recent groups a person has joined.

Hometown: This shows the hometown a person states they originate from. Like much of the information on a Facebook profile, this may not necessarily be true, however, many people do display the correct information.

Id: Users may present their identification to Facebook to confirm their identity and a copy of the identification document may be obtained by the user. This may be valuable information to the investigator as it is a strong link between a suspect and an account.

Instant games: Allows users to play online games through Facebook instead of downloading apps from the Apple or Google stores. Like these platforms, users have the option for in-app purchases.

IP address activity: This displays the most recent Internet Protocol (IP) addresses users have accessed Facebook from. This may be valuable to link a person to activity originating from a suspect IP address.

IP Address message activity: Message activity from a specified IP address. This may be useful in confirming a message originated from a location of interest to the investigation.

IP address payment activity: Payment may be made through the Facebook platform. This information may be useful to the investigator to link payments to users as well as IP locations connected through a specific Wi-Fi location.

Language settings: Identifies the history of the languages the person chooses to communicate through.

Last location: The device on which the Facebook app is being used may identify the most recent location of a person. This may be useful to try and narrow down a person’s physical presence or where they were recently located. A missing persons investigation may find this information useful or an investigator trying to link a person to a place of interest.

Likes on others’ posts: This can be found in the Activity Log. A like is a user providing recognition of a post, comment or image posted on another’s Facebook page. It is of interest to the investigator as the user has made an effort to recognize something of interest on another page that they personally like or support.

Likes on your site: This can be found in the Activity Log. This is a list of posts on the user’s site from others who have recognized something they have appreciated on the site of the user account you are reviewing. It is of value to identify associates and see what their interests are.

Likes on other sites: This can be found in the Activity Log. Many other sites such as Pinterest, Instagram and Tripadvisor provide login capability using Facebook credentials. The benefit to the user is not requiring another password and simple sign-on capability if the user’s Facebook password is stored on the browser. To the investigator, this provides a link between sites visited and of relevance to the person and their Facebook profile. It also shows areas of interest to the user, including locations and activities. When a user signs into another site with Facebook, they share information with the new site obtaining personal information such as the user’s name and email address. Facebook allows the amount of data to be restricted by the user.

Locale: This identifies the language the person has decided to communicate with on Facebook. Whereas under the language settings, it may show several languages a person communicates through, in the locale, it identifies the language currently being used.

Logins: The IP address as well as the date and time associated with logins to the Facebook account can show the frequency of use of the Facebook account. This may be used to link the activity of a user to Facebook activity and link a user to the location of the IP address.

Logouts: As per previous, this records the times a person has logged out of their Facebook account. Many users do not log out of their accounts and keep a permanent connection.

Marketplace categories: A user may show interest in specific items within the marketplace. This is interesting information to link a person to those items should they be of interest to an investigation.

Marketplace interactions: Records when a user has progressed from visiting a marketplace category and shows more interest in the items.

Marketplace services: Within each category, there may be many items that a user may be interested in viewing. As per the previous sections, this may show a user has moved from looking at a category of items to showing more interest and perhaps attempting to purchase goods.

Menu items: A schedule of areas within Facebook the user has recently accessed through the main menu. This shows areas of recent interest to the account owner.

Messages: Messages a user has sent and received through Messenger. This may be very useful to the investigator as it shows records of conversations with contacts that may be relevant to a matter under investigation. Messenger also shows stronger links between friends and examples of regularity of contact.

Messenger contacts you’ve blocked: Contacts blocked from sending messages on Messenger.

Name: This is the name the user has given themselves on their Facebook profile. As with much profile data on Facebook, there is no guarantee that this is accurate.

Name changes: Records a history of different names a person has given their Facebook account. This will be valuable in showing different identities a person has used which may lead to other areas of inquiry. It may also reveal the true identity of an account where the name has been changed several times.

News feed topics for recommendations: Topics of interest to the user that Facebook has profiled. This generates the material Facebook shows to the user. This is useful to identify topics the account user may have been viewing and showing interest in.

News topics for recommendations: As per the previous, news topics are presented by Facebook based on previous user engagement.

Notes: This can be found in the Activity Log. Notes provide an opportunity for a user to write small articles of interest in a form similar to what you would see in a blog post. Notes indicate users’ areas of interest and allow them to express their thoughts. To the investigator, it allows the opportunity to examine topics of interest to the user and their thoughts regarding it including length and frequency of post.

Page visits: This records the pages a user has recently visited. An investigator can use this information to identify what a user has been viewing recently and compare it against other data within the Facebook profile as well as external information relevant to the investigation.

Pages you admin: Users can be administrators of a page. This not only shows a strong link between them and the page, but they are taking direct action in the maintenance of the page.

Pages recommended: These are Facebook pages the account user has recommended to others. Recommendations provide value to the investigator as the link between the person of interest and the page is stronger than one that is merely viewed.

Pending friend requests: These are requests received or sent which have not been actioned.

People: Facebook stores data on the people the account user has most recently interacted with. The investigator may see this as evidence of a relationship (business/personal) between people and it may be useful data when an account user states a person is a Facebook friend, however, they never interact with them.

People viewed: Shows accounts viewed in response to friend suggestions.

Phone numbers: As a part of the account registration process, Facebook seeks phone numbers to assist in validating the legitimacy of the person registering as well as using the phone number as an account recovery feature. An investigator will always be interested in locating new phone numbers of persons of interest, especially when one has been confirmed to be linked to a specific person of interest.

Photos: Along with friend lists and messages, photos that a user has uploaded are of great interest to investigators as they present people and activities the account holder has been involved with and may also provide the locations of these activities.

Photo metadata: Another area of importance is gaining the details of the device used to take a photo. Valuable information such as GPS location, camera brand and model as well as the date and time of the photo being taken may be important evidence to the investigator.

Platforms: Identifies whether a user has logged into Facebook using a web app or browser. Many people use different devices to log into social media.

Posts by you: This can be found in the Activity Log. These are items posted by an account user including comments, photos, videos and status updates. To the investigator, it links the user to locations and activities including other persons within the photos or videos.

Posts by others: This can be found in the Activity Log. Posts can be made on a user’s timeline by the account holder and friends. Friends can be restricted. To the investigator, it can be used, alongside the person’s list of friends, to see the relationship between people and their common interests.

Posts to others: This can be found in the Activity Log. As with posts by others, if a user is friends with another, they may be able to post on their timeline. It can also be used to identify the relationship between others and the level of personal connectivity.

Previously removed contacts: Friends removed but who have since been accepted as friends again.

Primary location: Facebook records data showing the site from which they believe a person is interacting with Facebook. This data may be accurate or affected by a user using a Virtual Private Network.

Privacy settings: This can be found in Privacy Settings. This allows a user to decide what others see about their account including posts, contact details or friends. To the investigator, it shows the degree of security awareness of the account owner.

Profile visits: This highlights people the account holder has viewed, although not necessarily sent a friend request to or interacted with in any way. An investigator may use this information to obtain an understanding of the profile of people the account holder looks up, or whether they have been looking for specific individuals.

Recent activities: This can be found in the Activity Log. This shows a chronological schedule of interaction between a user and their profile such as posts, photos, videos and connections made. It shows photos the user has been tagged into by other people. This information is very valuable to the investigator as it is the recency of their activity and the order in which they have interacted with their profile.

Recent activities: Actions taken recently on the Facebook site. There are many ways a person can interact with Facebook, and the most recent actions of a user may be linked to a matter under investigation. This may link a person not only to an event but also to the most recent occurrence of the event.

Recently visited: Videos recently viewed by the account owner.

Registration date: This shows the date the Facebook account was opened. It can be linked to the history of the account name used to show who was the original person opening the account and when this occurred.

Registration date: This can be found in Access your information. This shows the date the user joined Facebook.

Removed friends: This can be found in the Activity Log. This section shows previous friends removed by the user. This can identify a breakdown in a relationship between a user and the discarded friend which can lead to an inquiry with that person as to the circumstances of the breakdown in a relationship. Depending on the nature of the matter under investigation, former friends from an offline relationship may be prepared to provide significant background information on a person under investigation should the breakdown in the friendship be serious enough.

Searches: This can be found in the Activity Log. This section shows the persons, places and organisations the user has searched for. This is a very valuable piece of evidence as it shows the person has actively attempted to locate a person or location even if they deny any knowledge or attempt to contact. Many users would be unaware that their search history is stored in their activity logs.

Secret conversations: Records the usage of the secret conversations service in Facebook Messenger. Communication through this service is encrypted.

Secret conversations that have been recorded: This shows when a user has recorded a secret conversation in Messenger. The nature of this conversation may be relevant to an investigation, especially when the content is legally inappropriate.

See first: These relate to the pages and profiles the user has decided they want to view first. This is a manual setting identifying the user has a particular interest in these profiles and pages.

See less: Alternatively, a user can decide if there are specific profiles and pages they wish to remain linked to but are less interested in the content regularly being presented in them.

Shares: This can be found in the Activity Log. When a user sees a post on their wall, they may choose to share it on their timeline. This shows a definite level of interest in the subject and will show up in their recent activities.

Shows: Provides a schedule of videos the user watches. This can present the investigator with valuable information as to topics the user is interested in which may be related to the investigation being conducted.

Spoken languages: Details of what languages the user states in their profile that they can speak. It does not indicate the level of fluency in the language.

Status updates: This information is presented in the “What’s on your mind” section of a user’s page. It provides an insight into what a user may be thinking about or what is relevant to them at that specific time.

Status updates: This can be found in the Activity Log. A user may type whatever they want in the status update. It is usually a small comment about what may be relevant to them at that point in time. An investigator may find this useful by matching a person’s status update against an activity they undertake at the time. It also helps to paint a picture of a person’s personality, and possibly mood at a specific point in time.

Time spent on site: Amount of time a person has spent watching on Facebook and associated products.

Time viewed: As per the previous category, this shows how much of a video a user has watched.

Time zone: A user nominates a time zone they are in. Facebook records this from the connection details. An account holder may use a Virtual Private Network to create their account so this information may indicate the location of a user but cannot be relied upon 100%.

Vanity URL: This can be located in the web page URL. The Uniform Resource Locator (URL) is the address where a web page can be located. Each Facebook page has a unique identifier to the profile in the URL which is the person’s Facebook account number. A user may change the URL to a personalized one, similar to a person changing the registration plate on their motor vehicle to a personal plate.

Videos: These can be located in the Activity Log. These are videos the account holder has posted onto their timeline. An investigator may find this useful as it shows aspects of the account holder’s personality and personal interests. It can also link them to specific topics.

Videos: This section records details of the videos a user has uploaded. This information may be linked to a user’s personal computer or mobile device, providing a strong personal link between them and a video of interest.

Work: Employment details the account user has provided.

Your Facebook activity: This provides a schedule of the times a user has accessed Facebook. This is potentially very valuable information for an investigator as it shows their relationship with the site, frequency of use and in some cases, may be evidence of their use of the site at a specific point in time.

Your pinned posts: Posts may be pinned to the timeline of a user, so it maintains prominence on their page. This provides evidence of the relevance of a specific topic to a person.

It is worth repeating that these headings and details may be current when you conduct an examination, or Facebook may have modified them.

Having reviewed this data, it provides a clear understanding of how the person uses their Facebook account. It may also provide an understanding of the individual and their personality depending on the amount and timeliness of data available.
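As an added illustration (not part of the original manual, and not Facebook's own export format), the Python example below merges constructed records for four of the categories above (Registration date, Name changes, Account Status History and Logins) into one UTC timeline and lists the activity surrounding a name change. The field names, the sample person and all values are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample data in a hypothetical schema (NOT Facebook's export format).
# IP addresses come from the RFC 5737 documentation ranges.
SAMPLE_EXPORT = {
    "registration_date": "2019-03-02T08:15:00+10:00",
    "name_changes": [
        {"time": "2023-06-14T21:40:00+10:00", "old": "Sample Person", "new": "S. Trader"},
    ],
    "account_status_history": [
        {"time": "2023-06-20T09:05:00+10:00", "status": "deactivated"},
        {"time": "2023-06-27T18:30:00+10:00", "status": "reactivated"},
    ],
    "logins": [
        {"time": "2023-06-10T07:55:00+10:00", "ip": "192.0.2.10"},
        {"time": "2023-06-14T21:31:00+10:00", "ip": "198.51.100.77"},
        # Recorded in UTC: looks "earlier" as text, but is 21:52 local time.
        {"time": "2023-06-14T11:52:00+00:00", "ip": "198.51.100.77"},
        {"time": "2023-06-28T06:10:00+10:00", "ip": "192.0.2.10"},
    ],
}


@dataclass(frozen=True)
class Event:
    when: datetime   # always timezone-aware, normalised to UTC
    category: str
    detail: str


def to_utc(stamp: str) -> datetime:
    """Parse an ISO 8601 timestamp and normalise it to UTC.

    A timestamp without an offset is rejected rather than guessed at,
    because a wrong time zone assumption shifts the whole timeline.
    """
    parsed = datetime.fromisoformat(stamp)
    if parsed.tzinfo is None:
        raise ValueError(f"timestamp has no UTC offset: {stamp!r}")
    return parsed.astimezone(timezone.utc)


def build_timeline(export: dict) -> list:
    """Merge the separate categories into one chronological list of events."""
    events = [Event(to_utc(export["registration_date"]), "registration", "account opened")]
    for rec in export.get("name_changes", []):
        events.append(Event(to_utc(rec["time"]), "name_change", f'{rec["old"]} -> {rec["new"]}'))
    for rec in export.get("account_status_history", []):
        events.append(Event(to_utc(rec["time"]), "account_status", rec["status"]))
    # Walk logins in true chronological order so "first seen" is accurate.
    seen_ips = set()
    for rec in sorted(export.get("logins", []), key=lambda r: to_utc(r["time"])):
        note = "seen before" if rec["ip"] in seen_ips else "first seen"
        seen_ips.add(rec["ip"])
        events.append(Event(to_utc(rec["time"]), "login", f'{rec["ip"]} ({note})'))
    return sorted(events, key=lambda e: e.when)


def events_near(timeline: list, moment: datetime, window: timedelta) -> list:
    """Return every event within +/- window of the moment of interest."""
    return [e for e in timeline if abs(e.when - moment) <= window]


if __name__ == "__main__":
    timeline = build_timeline(SAMPLE_EXPORT)
    for change in (e for e in timeline if e.category == "name_change"):
        print("Name change:", change.when.isoformat(), change.detail)
        for e in events_near(timeline, change.when, timedelta(minutes=30)):
            if e.category == "login":
                print("  nearby login:", e.when.isoformat(), e.detail)
```

In the sample, the name change is bracketed by two logins from an address never seen on the account before, which is the kind of correlation between account changes and connection records described above; as the Time zone and Primary location entries note, an IP address may reflect a Virtual Private Network rather than the user's location.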

Key Takeaways

Open-source evidence, especially social media, has the potential to advance any investigation. With the wide variety of data that people place online about their lives, a social media platform provides insight into the person or entity being investigated. Organisations use social media to promote themselves and their people, providing an insight into organisational structures, services and their relationships.

Government databases provide factual information from reputable sources to direct inquiries and strengthen other forms of evidence. As this chapter has shown, there are many openly available sources to make inquiries into people, locations, and history.

The investigator will identify many more open-source sites, as they are constantly being created by a multitude of users. The individual who is concerned about their privacy will note that many innocent social media posts or location check-ins provide data about who they are as an individual and what this book refers to as their personality DNA. Once this data has been provided to technology, it cannot be permanently deleted.

Scenario

We know Sledge is a big fan of social media. Having an active and successful lifestyle projects his self-value and success. Although he does not flaunt his criminal occupation online, he has a very extravagant lifestyle for someone without a job listed on their social media profiles. His customers know his occupation, and that he is successful.

There is a history of social media contact between Sledge and Alex. Also, social media analysis provides an insight into their personal networks whether this be business or personal. Examples of information from social media and open-source sites include:

1: Photos. Photos are presented in a timeline in the order in which they were posted, although this may not be representative of the actual timeline of when the photos were taken. Metadata of the dates, times, and GPS locations where the photos were taken would be useful; however, these details may be removed by the provider, such as Facebook, prior to publication.

2: Contacts. Viewing their social media accounts provides photos to view and this identifies places and other people of relevance to them both. Identifying contacts in common is useful to identify the social or professional circles or interests of both.

3: Communities: Identifying communities and groups both are interested in. As both are involved in the drug trade, there may be communities of interest to both.

4: Messages. Social media services provide private message options. These will need to be accessed using the account owner’s user credentials.

5: Internet Protocol connections: Search warrants served on the social media providers may produce numerous instances of connections to the service. This may include remote locations unknown to investigators around the time of the offence.

6: GPS locators: Social media providers may store the GPS locations of users. This may be recorded through tracer beacons on their application.

7: Cryptocurrency: Surprisingly, neither possessed a cryptocurrency account as known to the investigators. Sledge could not understand it and wanted his assets in cash so he could spend it, not hide it. Alex had tried Bitcoin but lost a lot of money in market fluctuations. If either did, their cryptocurrency transactions could be monitored online through currency websites such as Blockchain Explorer.

8: Email addresses: These may be searched online to identify sites both Sledge and Alex are linked to. One or both may belong to multiple social media accounts which were previously unknown to investigators. This may provide further information about their personality and contacts. It may also identify further evidence of links between the two of them, building a case of a long-standing personal as well as professional relationship.

An example would be whether they both belong to online forums relating to criminal activity where they are active participants in discussions.

9: Reverse image searches may also be used to identify further identifiers in their background. This will be especially relevant to identifying personal links between them as well as identifying other contacts. Photographs may contain GPS coordinates or identifiable landmarks to assist in identifying where an image was taken.

10: Identifying a username may be helpful. These are sometimes very personal to the individual, and they use the same username across multiple social media, messaging or email accounts.

11: Devices used to access social media. This may identify further mobile devices which investigators were unaware of.

12: Content interacted with shows the personality of the account holder. Identifying the content both Sledge and Alex interact with shows their personal interests and possible further lines of inquiry into their personalities and backgrounds. Hashtags incorporated into communication also provide indicators of this information.

13: Messages: The content and recipient of messages tell their own story, linking people, their views and attitudes at that time.

14: Phone numbers used to register to sites may uncover unknown numbers available for further inquiries.

15: Purchases made online link to bank accounts. Analysis of bank accounts provides details of a person’s life, choices, activities and locations at certain times.

These are examples only. The extensive use of social media and open-source information is limited only by the understanding of the investigator and the circumstances of the investigation.


  1. Bazzell, M. (2023). OSINT Techniques: Resources for Uncovering Online Information. IntelTechniques. https://inteltechniques.com/book1.html
  2. Internet Archive. (n.d.). https://help.archive.org/
  3. Blockchain. (n.d.) https://www.blockchain.com/explorer
  4. Tor Project. (n.d.) https://www.torproject.org/about/history/
  5. Google images. (n.d.) https://images.google.com/
  6. TinEye. (2024). Reverse Image Search. https://tineye.com/
  7. The Drudge Report. (2019). https://www.drudgereport.com/
  8. Meta Privacy Policy. Effective from 27 December 2023. https://www.facebook.com/privacy/policy
  9. Your activity and information that you provide. https://www.facebook.com/privacy/policy/?subpage=1.subpage.1-YourActivityAndInformation
  10. Friends, followers, and other connections. https://www.facebook.com/privacy/policy/?subpage=1.subpage.2-FriendsFollowersAndOther
  11. App, browser and device information https://www.facebook.com/privacy/policy/?subpage=1.subpage.3-AppBrowserAndDevice
  12. What information do we collect? https://www.facebook.com/privacy/policy/?section_id=1-WhatInformationDoWe
  13. Information about the network that you connect your device to and your internet connection. https://www.facebook.com/privacy/policy?annotations[0]=1.ex.28-InformationAboutTheNetwork&subpage=1.subpage.3-AppBrowserAndDevice
  14. Review you off-Facebook activity https://www.facebook.com/help/2207256696182627?ref=faq&helpref=faq_content
  15. Information from partners, vendors, and other third parties. https://www.facebook.com/privacy/policy/?subpage=1.subpage.4-InformationFromPartnersVendors
  16. How do Meta companies work together? https://www.facebook.com/privacy/policy
  17. Learn what categories of data are available in your Facebook settings. https://www.facebook.com/help/accessyourdata
  18. Ibid.
  19. Your activity and information that you provide. https://www.facebook.com/privacy/policy/?subpage=1.subpage.1-YourActivityAndInformation

Licence


Digital Evidence Manual Copyright © 2024 by Graeme Edwards is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License, except where otherwise noted.
