How AXIOM Cloud Can Help Save Time Investigating Instagram
Instagram is so popular that it’s safe to say at some point, an investigation will lead you to uncovering potential evidence from it. In this blog, we’ll take a conventional investigation that I conducted and compare and contrast how it would work with or without Magnet AXIOM Cloud.
Instagram’s Requirements for Law Enforcement
In the not-so-distant past, investigators needed to have victims download their own user profile and account information, per Instagram’s Law Enforcement portal instructions:
If law enforcement seeks information about an Instagram user who has provided consent for the official to access or obtain the user’s account information, the user should be directed to obtain that information on their own from their account. For account content, such as messages, photos and videos, users can access Instagram’s “Download Your Information” feature from their account settings.
This is the procedure my law enforcement agency followed the first time we were contacted by a concerned parent, who had discovered direct messages from an unknown individual on her young teenage son’s phone.
While a subsequent consent search revealed hundreds of conversations in private messages that went back several months, the victim didn’t recall how long the individual had been following him on social media, nor had he met him. To learn more, we needed the full profile.
The Stories Instagram Evidence Can Tell
The collection available via software download contains information such as pictures and other media exchanged in direct messages. In addition, individual .json files provide information such as searches, comments, connections, and messages.
Having this information is a great first step. However, using the information to tell a story that can be explained in court is another. Opening the raw .json files in a tool such as Notepad++ returns results like these:
After the solicitor prosecuting our case filed formal charges on an individual in his early twenties, I wanted to provide context to the story for non-technical stakeholders, including my solicitor, as well as the jurors who would be asked to decide the defendant’s guilt or innocence.
I spent hours taking detailed pictures of the phone. These pictures showed hundreds of messages exchanged between the defendant and suspect, in an effort to provide as much detail as possible for court. The defendant provided a written statement that confessed to speaking with the victim for months, requesting sexually explicit images throughout the discussions. The jury handed down a guilty verdict to close the case.
Telling Instagram’s Story with AXIOM Cloud
Today, we would handle this investigation much differently. After receiving written consent from the victim / victim’s family, I would utilize Magnet AXIOM Cloud to acquire the account information directly from Instagram. Because this approach requires the victim’s login credentials, I recommend including this information as a requirement on the consent form.
Note: It’s important to be prepared for two-factor authentication when acquiring cloud data. More often than not you will still need access to the victim / defendant’s phone for verification even if they’ve already provided their account password. Instagram does in fact allow users to set up two-factor authentication with the option to either provide a text message with a one time use code or with the use of a third-party code generator (Google Authenticator or Duo Mobile). If the phone has been placed in airplane mode or there are connectivity issues your last option is the use of recovery codes which Instagram allows users who are logged into the app to access under the Settings > Two-Factor authentication tabs. Instagram suggest users copy the codes to a note or screen shot the codes for future use, so there’s always a chance the codes can be located elsewhere on the device. An example of what the recovery codes look like can be seen below.
Once these credentials are authenticated, the examiner will be prompted to determine the date range and services to acquire. For Instagram, AXIOM Cloud will acquire both Instagram Posts and Instagram Direct Message data, as seen below.
Guided by AXIOM’s artifacts-first approach, we can see Identifiers under the Refined Results Tab on the left. Identifiers are great for examining users this account has interacted with. The Identifiers column view also provides context as to the services where that identification was made, so in the example below we can see the account “dante_grimes” had a Direct Message interaction with this account holder.
Under the Cloud tab, you’ll see your Instagram artifact data with the Post and Direct Message information. In the image below, we can view when the image was taken, the text that went along with the post, the like and comment count, and the users who liked this particular post.
Moving on to the next artifact found under the Cloud tab, we have Instagram Direct Messages. For messages, I prefer to switch from AXIOM’s Column View to Conversation View so that I can streamline and thread the conversations we’ve acquired.
In the details pane under Preview, AXIOM also provides a graphical representation of what that conversation would have looked like on the device. Providing this view to non-technical stakeholders and jurors makes for quick interpretations of the data being represented, versus having to decipher a spreadsheet view of messages. Having testified with the use of a chat view many times now, I can’t emphasize enough the power in providing evidence that makes sense to everyone involved.
Lastly, with the help of Magnet.AI (Artificial Intelligence (AI) built directly into AXIOM), we can quickly identify chats with luring, or sexual conversations, as well as images that contain drugs, weapons, and nudity.
A Few Final Thoughts on Working with Instagram and AXIOM
Identifiers, Conversation View, and AI-powered contextual content analysis all save time in ways we might not recognize up front. From my perspective, the painstaking process I went through to paint the picture that the defendant was grooming the victim—from casually liking and commenting on each post, to more direct discussions via direct messages—would have taken mere seconds using AXIOM Cloud.
Keep in mind, though, that prior to using AXIOM, you will still need to ensure that you’re in full compliance with providers’ current data retention and user information requests policies and procedures. The process, unless exigent circumstances are a factor, will take time to be complete. However, the worst-case scenario is that you’ll fail to follow proper procedures and the information you need won’t be provided, causing the process to start over.
For more information on obtaining subscriber records from Instagram make sure to bookmark this page! Pay special note to the Notification and Account Preservation sections on Instagram’s Law Enforcement information page as well.
Originally posted here: https://www.magnetforensics.com/blog/how-axiom-cloud-can-help-save-time-investigating-instagram/