How to Run Social Media Investigations

Key Takeaways

  • People use social media platforms to post all types of content online such as photos, videos, text messages, and geo-location data.
  • Social media investigations based on OSINT give you access to unique information.
  • A manual investigation is very time-consuming and requires a good understanding of all social media platforms and their characteristics.
  • Our Data Fusion Platform already includes various social media platforms. It is constantly extended with new integrations.
  • The Federated Search includes a lot of different functionality, which increases the efficiency of your social media investigations.

In our previous white paper on open-source intelligence, we introduced the term OSINT and talked about how important and powerful it is for your investigations. 

 

To mention it again: many estimates show that 90 percent of useful information collected by intelligence services comes from public sources, so-called OSINT sources.

 

Social media intelligence (SOCMINT) is a powerful subcategory of OSINT. 

 

SOCMINT refers to information that comes exclusively from social media platforms. Resources available on social media sites can be either public (e.g., public posts on Facebook or LinkedIn, or tweets on Twitter) or private (e.g., private messages on Facebook or posts shared with friends). As private information is not accessible without permission, it is not our focus for today.

 

In this white paper, we introduce you to the term SOCMINT and show you some basic ways of collecting information from well-known platforms. You will get an overview of global and local social media platforms that are of interest to your social media investigations. We will finish the white paper with a discussion of whether the proposed ways are efficient and feasible, and will show what we do to eliminate some of the disadvantages.

 

The goal of this white paper is not to show you all possibilities but to give you a more generic overview. 

Why are Social Media Investigations of High Value?

There are decisive advantages of SOCMINT compared to other OSINT strategies:

 

  1. Social media is much faster when it comes to information distribution compared to traditional newspapers. At Traversals, we followed the rumors on Twitter that Kim Jong Un had died, while not even the classic Yellow Press pushed the information to the news ticker. Even if this information is not confirmed or reliable at all, it gives you at least an indication of what is going on.
  2. Many users are very liberal with their published information on social media. There have been many insurance fraudsters who could be exposed through their posts on Facebook.
  3. Anyone can post on social media. While this makes reliability checking more difficult, it ensures that there is plenty of material.
  4. In areas where press coverage is limited, there is a good chance of getting at least some information from social media. For example, the Mexican press reduced reporting on drug cartel fighting, while citizens are still publishing on social media.

It can be argued that information on social media is even closer to the action.

 

You should remember the downing of MH17 in 2014. Bellingcat published an article with a detailed MH17 analysis. The authors used a lot of Twitter tweets and linked images to reconstruct what might have happened.

 

Regardless of whether you are investigating insurance fraud or conducting other analyses: Keep an eye on social media. 

 

They often give a broader view of what is happening, as shown in our article on Covid-19 in Yemen. Good friends of ours use SOCMINT to enhance their cyber threat intelligence capabilities.

What kind of information can be collected?

The information available on social media sites can be divided into two groups:

 

  1. The original content itself, such as Facebook posts or images/videos.
  2. The metadata associated with the content, such as image EXIF metadata, the date/time, and geo-location info of the posted content. You should keep in mind that EXIF information might get removed by the social media platforms.

 

However, before we start with some examples, it is important to understand the different types of social media platforms.

The Various Types of Social Media Platforms

There are hundreds of social media platforms, and new ones are launched every week. Many Internet users refer to any social media platform as a social networking site. 

 

Although this is not wrong, we should distinguish between the two terms. The social media platform is the main category and can be grouped into the following subcategories:

 

  1. Social networking (Facebook, LinkedIn)
  2. Microblogging (Twitter, Tumblr, Weibo)
  3. Photo sharing (Instagram, Flickr)
  4. Video sharing (YouTube)
  5. Blogs (WordPress, Blogger)
  6. Forums (Reddit)
  7. Social gaming (KamaGames, Zynga)
  8. Social bookmarking (Atavi, Pinterest)

 

The services mentioned enjoy varying degrees of popularity. Russian and Asian people use other social media platforms than Americans or Europeans.

 

One of the first reports of Kim Jong Un’s death was spread through Weibo on April 24th, 2020. Only after that did the news spread like wildfire on Twitter.

 

For this article, we will limit our examples to Facebook and Twitter. However, we will also mention other national social media sites that are popular within their societies.

Basic Facebook Investigations

Facebook is the most popular social networking site with the largest active user base on Earth. According to Statista, Facebook currently has more than 2.5 billion active users worldwide. You will have a lot of material for your social media investigations.

 

Until 2019, Facebook offered an advanced semantic search engine to locate anything within its database by using natural English language phrases and keywords. It was an amazing search technology.

 

On June 6th, 2019, Facebook removed its Graph Search options, resulting in frustration for the OSINT community using it to search for specific information among the huge amount of public data available on Facebook.

 

Nevertheless, Facebook did not remove this functionality entirely from its system. It is now hidden, and the user can still manually build Graph queries to search within the Facebook repository. This requires JSON and Base64 encoding and manipulating the Facebook search URL to work as expected. For everyone interested in it, we can recommend the great graph article posted on Osintcurio.us.

 

After removing the Graph Search functionality, Facebook has improved its keyword search. We at Traversals strongly advise you to begin using it for your basic social media investigations. 

 

In many instances, it returns accurate results and you can refine returned search results using different filters, as shown in the following figure.

We used the Facebook keyword search to get more information on Frente Oliver Sinisterra being a FARC dissident group in Colombia. As highlighted in red, you can use the additional filters to refine your returned results.

Basic Twitter Investigations

Twitter has a simple search box located at the top of the screen. You can use it to run some basic searches against the Twitter database.

 

As shown in our article on data leakage detection, Google Dorks can help you to refine your search. A similar strategy can be applied to Twitter by using its search operators. These allow you to run deep-dive searches and to get closer to the needle in the haystack.

 

The best place to begin your Twitter search is the Twitter Advanced Search, which allows you to tailor search results to specific date ranges, people, and more.

Examples for Advanced Twitter Searches

In the following, we will explain the operators with some practical examples.

 

A list of all Twitter search operators.

 

Keep in mind that single search operators can be combined with other criteria to create more advanced search queries and to find related tweets more precisely.

 

Here you can see a shortlist of examples focusing on Covid19:

 

  • The negation operator (-) is used to exclude specific keywords or phrases from search results, for example, virus -computer.
  • To search for hashtags use the # operator followed by the search keyword, for example, #COVID19.
  • To search for tweets sent up to a specific date, use the until operator, for example COVID19 until:2020-05-11. This will return all tweets containing COVID19 that were sent up to May 11th, 2020.
  • Use the images filter to return tweets that contain an image, for example COVID19 Filter:images. This will return all tweets that contain the keyword COVID19 and have an image embedded within them.
  • To return tweets from verified users only (verified accounts have a blue checkmark near their names), use the verified operator, for example COVID19 Filter:verified.
  • To limit Twitter results to a specific language, use the lang operator, for example COVID19 lang:en. This will return all tweets containing COVID19 in the English language only. To see a list of Twitter-supported language codes, go to developer resources.
Twitter results only from verified authors.

 

Please note that you can combine more than one Twitter search operator to conduct a more precise search. For example, type "COVID19" from:WHO -Filter:replies lang:en to get only the tweets containing the exact phrase COVID19 from the user World Health Organization (WHO) that are not replies to other users and are in the English language only.
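
The operator combinations described above can be composed and validated in code before they are run, which avoids silent typos in dates, account names, and language codes. The following Python is an added example, not code from the original white paper or from Twitter; the function names, the restriction to the three filters used in this article, and the `https://twitter.com/search?q=` URL form are assumptions of the example.

```python
import re
from datetime import date
from urllib.parse import quote

# Only the filter names used in the article's examples are accepted here.
FILTERS = r"images|verified|replies"

def _check(pattern, value, what):
    if not re.fullmatch(pattern, value):
        raise ValueError(f"invalid {what}: {value!r}")
    return value

def _term(text):
    """Drop stray quotes; quote multi-word terms so they match as a phrase."""
    text = text.strip().replace('"', "")
    return f'"{text}"' if " " in text else _check(r"\S+", text, "term")

def build_query(phrase=None, keywords=(), exclude=(), hashtags=(), from_user=None,
                filters=(), exclude_filters=(), until=None, lang=None):
    """Compose one search string from the operators listed in the article."""
    parts = []
    if phrase:
        parts.append('"' + _check(r".+", phrase.replace('"', "").strip(), "phrase") + '"')
    parts += [_term(k) for k in keywords]
    parts += ["-" + _term(k) for k in exclude]  # negation operator
    parts += ["#" + _check(r"\w+", h.lstrip("#"), "hashtag") for h in hashtags]
    if from_user:
        parts.append("from:" + _check(r"[A-Za-z0-9_]{1,15}",
                                      from_user.lstrip("@"), "account name"))
    parts += ["Filter:" + _check(FILTERS, f, "filter") for f in filters]
    parts += ["-Filter:" + _check(FILTERS, f, "filter") for f in exclude_filters]
    if until:
        # fromisoformat raises ValueError on impossible dates such as 2020-13-01
        parts.append("until:" + date.fromisoformat(until).isoformat())
    if lang:
        parts.append("lang:" + _check(r"[a-z]{2,3}(-[a-z]{2})?", lang, "language code"))
    if not parts:
        raise ValueError("empty query")
    return " ".join(parts)

def search_url(query):
    """Percent-encode everything: a raw '#' would start a URL fragment and
    the hashtag would never reach the server."""
    return "https://twitter.com/search?q=" + quote(query, safe="")
```

Calling `build_query(phrase="COVID19", from_user="WHO", exclude_filters=["replies"], lang="en")` reproduces the combined query from the paragraph above.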

Other Social Media Platforms

There are hundreds of active social media sites in the world today. Many of them are popular in their societies and target non-English users. The following drawing shows more social media sites that must also be considered when conducting social media investigations.

 

Social media platforms for SOCMINT.

 

There are other country-specific social media services that are not listed:

  • Draugiem.lv is a social networking website in Latvia.
  • Skyrock.com is a microblogging website in France.
  • Mixi.jp is a social networking website in Japan.
  • Hatena is a social bookmarking service in Japan.
  • Facenama is a social networking website in Iran.
  • Taringa is a social networking website in Latin America.

The Downside of a Manual SOCMINT Analysis

You got a fast overview of basic social media investigations. As you could see, it is extremely important to define a context using additional filters and operators. In practical use, this results in several difficulties that are often not mentioned when dealing with SOCMINT:

 

  • Similar to OSINT, the quality of SOCMINT really depends on the quality of the keywords used for filtering. Too generic keywords will result in unspecific results.
  • You are limited by your language skills. Even if you can define a target language for Twitter queries, you will not get convincing results if your keyword is in the wrong language.
  • You need to know all social media platforms of interest and monitor those in parallel to stay updated on certain topics.
  • You have to understand the terms and conditions for all social media platforms when it comes to legal aspects.

Do you feel confident now and do you think that this is efficient?

How can we assist you?

We presented a shortlist of social media platforms for your investigations. You have to ask yourself whether you have enough knowledge and personnel to run SOCMINT investigations and to follow the best practices.

 

At Traversals, we constantly try to give you more capabilities. Our Federated Search provides one powerful interface to the above-mentioned services. It is not necessary to call the services separately, which would be very inefficient, as explained in our blog post. The Federated Search also includes machine translation for both keywords and results. In our Data Fusion Platform, we spent a lot of effort on automating most of the procedures to increase efficiency.

 

It can be said that our SaaS-based Data Fusion Platform is self-learning in order to provide analysts with the best possible support. After doing some assisted searches against various social media platforms, you can automate the collection process to always get the latest information.

Copyright © 2024, Traversals Analytics and Intelligence GmbH. All Rights Reserved.