Tag Archives: evidence

February 21, 2013 · 1:35 PM

Live Social Media Evidence Capture from Today’s Vegas Strip Shooting

Unfortunately, a tragic event transpired this morning in Las Vegas leaving three people dead and at least three others injured after a shooting and fiery six-vehicle crash along the Strip. According to reports, at about 4:20 a.m. someone in an SUV opened fire into a Maserati that had stopped at a light. The Maserati moved into the intersection at Flamingo Road and collided with a taxi, starting a chain of crashes that involved four other vehicles. Our thoughts and prayers are with the victims and their families.

Given the criminal investigation and civil liability implications of this event, we wanted to demonstrate the new important capabilities of X1 Social Discovery to immediately identify, preserve and display geolocated Tweets (and often Instagram posts) at or near the scene immediately before, during and after the incident. X1 Social Discovery is now able to map a given location, such as a city block or even a full metropolitan area, and search the entire public Twitter feed to identify any geolocated tweets that have been made in the past three days (sometimes longer) within that designated area, as well as to capture any new tweets within that area going forward. As illustrated below, this capability is extremely useful for law enforcement, corporate security and civil litigators.

When we learned of the Vegas incident, we mapped the general area of the strip  and within seconds, all the recent Tweets from the past several hours were populated within the grid and collected within X1 Social Discovery.

Accident 4

From there, we were able to sort those tweets within the interface and identify some key Tweets made immediately after the incident, such as this post:

Accident 5

Accident 2

We are able to sort and identity the exact time (in GMT) of the posts in question as well as associated metadata.

Accident 3

Here is another post below. Both this example and the one above contain notable intel in the comments, suggesting the possible identity of one of the victims, as well as a reference to another posted picture on Instagram. This reflects the utility of X1 Social Discovery’s ability to collect not just the social media post, but the comments thereto in real-time.

Accident 1

This feature can also be employed proactively, to map an area around a school, an embassy, an oil drilling facility overseas, or other critical infrastructure assets to collect and store any geolocated tweets in real time. But of course in order to take full advantage of this ability to gather key evidence such as the evidence, posted above, you need to own the software at the time of the incident.

2 Comments

Filed under Social Media Investigations

Tagged as , , , , , , , , , , , , ,

January 24, 2013 · 1:36 PM

Social Media Geolocation Provides Critical Evidence – Including Admissible Hearsay

Nearly all new mobile devices not only feature geo-location but set its activation by default. Many of the most popular mobile apps are built around the premise of geo-location to help you navigate the streets, find new restaurants and other points of interest, and even find your friends, so more and more mobile users are enabling this function. As such, a significant number of social media posts made from a mobile device have geo-location coordinate metadata associated with them. The evidentiary value of such information cannot be understated.

For court purposes, the content of such Tweets may be admissible hearsay themselves even if the actual identity of the author of a Tweet is never ascertained.  Under Rule 803(3) of the Federal Rules of Evidence, “[a] statement of the declarant’s then existing state of mind, emotion, sensation, or physical condition . . . but not including a statement of memory or belief to prove the fact remembered or believed unless it relates to the execution, revocation, identification, or terms of declarant’s will” is not excluded by the hearsay rule. Rule 803(3) arguably describes the vast majority of Tweets, especially those from the likes of Paris Hilton or Charlie Sheen.

And then there is the “excited utterance” exception under Rule 803(2) which provides that, “[a] statement relating to a startling event or condition made while the declarant was under the stress of excitement caused by the event or condition” is not excluded by the hearsay rule. So, a Tweet stating “Oh my gosh, a big SUV just ran a light and nailed that Prius!!!!” would arguably fall under Rule 803(2).

To enable our user base to leverage this key evidence, this week we are announcing a major enhancement to X1 Social Discovery software that we believe significantly advances the ball for social media investigations. X1 Social Discovery will now be able to map a given location such as a city block or even a full metropolitan area, and search the entire public Twitter feed to identify any geo-located tweets that have been made in the past three days (sometimes longer) within that designated area, as well as to capture any new tweets within that area going forward. This capability is extremely useful for law enforcement, corporate security and civil litigators.

Below is an example of a geo-located area with X1 Social Discovery, with the highlighted, captured Tweet suggesting that the author could be a key witness to a traffic accident:

accident4

From there, an investigator can silently follow identified persons of interest in furtherance and highly efficient investigation. For law enforcement, this is obviously useful to gather facts and identify potential witnesses for various crime scenes. This feature can also be employed proactively, to map an area around a school, an embassy, an oil drilling facility overseas, or other critical infrastructure assets to collect and store any geo-located tweets in real time. But in order to take full advantage of this ability to gather key evidence, you need to own the software at the time of the incident.

This upgrade is part of our continuing innovation for X1 Social Discovery. We strongly believe that we have the top social media investigation tool on the market and this new feature only solidifies this position.

> To learn more, contact us for a demo or come visit us next week at Legal Tech New York, where we will be in booth #2012.

Leave a comment

Filed under Best Practices, Social Media Investigations

Tagged as , , , , , , , , , , , , , , , ,

August 22, 2012 · 5:48 PM

No Legal Duty or Business Reason to Boil the Ocean for eDiscovery Preservation

As an addendum to my previous blog post on the unique eDiscovery and search burdens associated with the de-centralized enterprise, one tactic I have seen attempted by some CIOs to address this daunting challenge is to try to constantly migrate disparate data from around the globe into a central location. Just this past week, I spoke to a CIO that was about to embark on a Quixotic endeavor to centralize hundreds of terabytes of data so that it could be available for search and eDiscovery collection when needed. The CIO strongly believed he had no other choice as traditional information management and electronic discovery tools are not architected and not suited to address large and disparate volumes of data located in hundreds of offices and work sites across the globe that all store information locally. But boiling the ocean through data migration and centralization is extremely expensive, disruptive and frankly unworkable.

Industry analyst Barry Murphy succinctly makes this point:

Centralization runs counter to the realities of the working world where information must be distributed globally across a variety of devices and applications.  The amount of information we create is overwhelming and the velocity with which that information moves increases daily.  To think that an organization can find one system in which to manage all its information is preposterous. At the same time, the FRCPs essentially put the burden on organizations to be accountable for all information, able to conduct eDiscovery on a moment’s notice.  As we’ve seen, the challenge is daunting.

As I wrote earlier this month, properly targeted preservation initiatives are permitted by the courts and can be enabled by effective software that is able to quickly and effectively access and search these data sources throughout the enterprise.  The value of targeted preservation was recognized in the Committee Notes to the FRCP amendments, which urge the parties to reach agreement on the preservation of data and the keywords used to identify responsive materials. (Citing the Manual for Complex Litigation (MCL) (4th) §40.25 (2)).  And In re Genetically Modified Rice Litigation, 2007 WL 1655757 (June 5, 2007 E.D.Mo.), the court noted that “[p]reservation efforts can become unduly burdensome and unreasonably costly unless those efforts are targeted to those documents reasonably likely to be relevant or lead to the discovery of relevant evidence.”

What is needed to address both eDiscovery and enterprise search challenges for the de-centralized enterprise is a field-deployable search and eDiscovery solution that operates in distributed and virtualized environments on-demand within these distributed global locations where the data resides. This ground breaking capability is what X1 Rapid Discovery provides. Its ability to uniquely deploy and operate in the IaaS cloud also means that the solution can install anywhere within the wide-area network, remotely and on-demand. This enables globally de-centralized enterprises to finally address their overseas data in an efficient, expedient, defensible and highly cost-effective manner.

But I am interested in hearing if anyone has had success with the centralization model. In my 12 years in this business and the 8 years before that as a corporate attorney, I have yet to see an effective or even workable situation where a global enterprise has successfully centralized all of their electronically stored information into a single system consisting of hundreds of terabytes. If you can prove me wrong and point to such a verifiable scenario, I’ll buy you a $100 Starbucks gift certificate or a round of drinks for you and your friends at ILTA next week.  If you want to take the challenge of just meet up at ILTA next week in Washington, feel free to email me.

Leave a comment

Filed under Cloud Data, eDiscovery & Compliance, Enterprise eDiscovery, IaaS, Preservation & Collection

Tagged as , , , , , , , , , , , , , , , , ,

July 23, 2012 · 3:20 PM

Mid-Year Report: Legal Cases Involving Social Media Rapidly Increasing

As part of our ongoing effort to monitor legal developments concerning social media evidence, we again searched online legal databases of state and federal court decisions across the United States — this time to identify the number of cases in the first half of 2012 where evidence from social networking sites played a significant role. The results are available here in a detailed spreadsheet listing each case, allowing for anyone to review the cases and conduct their own analysis. The cases are accessible for free on Google Scholar.  The overall tally come in at 319 cases for this 6 month period, which is about an 85 percent increase in the number of published social media cases over the same period in 2011, as reported by our prior survey earlier this year.

As with the last survey, we reviewed all the search results and added annotations for the more notable cases, and were sure to eliminate duplicates and to not count de minimis entries — defined as cases with merely cursory or passing mentions of social media sites.  As only a very small number of cases–approximately one percent of all filed cases– involve a published decision that we can access online, it is safe to assume that several thousand, if not tens of thousands more cases involved social media evidence during this time period. Additionally, many of these published decisions involve fact patterns from as far back as 2008, as they are now just working their way through the appeals process. Finally, these cases do not reflect the presumably many thousands of more instances where social media evidence was relevant to an internal investigation or compliance audit, yet did not evolve into actual litigation. Even so, this limited survey is an important data point establishing the ubiquitous nature of social media evidence, its escalating importance and the necessity of best practices technology to search and collect this data for litigation and compliance requirements.

The search, limited to the top four social networking sites, tallied as follows: Facebook is now far in the lead with 197 cases, MySpace tallied in at 89, mostly with fact patterns circa 2009, Twitter with 25 and LinkedIn with 8. Criminal matters marked the most common category of cases involving social media evidence, followed by employment related litigation, insurance claims/personal injury, family law and general business litigation (trademark infringement/libel/unfair competition). One interesting and increasingly common theme involved social media usage being considered as a factor in establishing minimum contacts for jurisdictional purposes. (See Juniper Networks, Inc. v. JUNIPER MEDIA, LLC, and Lyons v. RIENZI & SONS, INC, as examples)

We plan on providing a complete summary for all of the 2012 cases in early January and it safe to assume that the second half of 2012 will continue to see a sharp increase in the presence of social media evidence.

> View all 2012 cases and more now

4 Comments

Filed under Case Law

Tagged as , , , , , , , , , , , , , , , , , , , , , , ,

June 27, 2012 · 2:50 PM

Authenticating Internet Web Pages as Evidence: a New Approach

By John Patzakis and Brent Botta

In recent posts, we have addressed the issue of evidentiary authentication of social media data. (See previous entries here and here). General Internet site data available through standard web browsing, instead of social media data provided by APIs or user credentials, presents slightly different but just as compelling challenges.

The Internet provides torrential amounts of evidence potentially relevant to litigation matters, with courts routinely facing proffers of data preserved from various websites. This evidence must be authenticated in all cases, and the authentication standard is no different for website data or chat room evidence than for any other. Under Federal Rule of Evidence 901(a), “The requirement of authentication … is satisfied by evidence sufficient to support a finding that the matter in question is what its proponent claims.” United States v. Simpson, 152 F.3d 1241, 1249 (10th Cir. 1998).

Ideally, a proponent of the evidence can rely on uncontroverted direct testimony from the creator of the web page in question. In many cases, however, that option is not available. In such situations, the testimony of the viewer/collector of the Internet evidence “in combination with circumstantial indicia of authenticity (such as the dates and web addresses), would support a finding” that the website documents are what the proponent asserts. Perfect 10, Inc. v. Cybernet Ventures, Inc. (C.D.Cal.2002) 213 F.Supp.2d 1146, 1154. (emphasis added) (See also, Lorraine v. Markel American Insurance Company, 241 F.R.D. 534, 546 (D.Md. May 4, 2007) (citing Perfect 10, and referencing MD5 hash values as an additional element of potential “circumstantial indicia” for authentication of electronic evidence).

One of the many benefits of X1 Social Discovery is its ability to preserve and display all the available “circumstantial indicia” – to borrow the Perfect 10 court’s term — to the user in order to present the best case possible for the authenticity of Internet-based evidence collected with the software. This includes collecting all available metadata and generating a MD5 checksum or “hash value” of the preserved data.

But html web pages pose unique authentication challenges and merely generating an MD5 checksum of the entire web page, or just the web page source file, provides limited value because web pages are constantly changing due to their very fluid and dynamic nature. In fact, a web page collected from the Internet in immediate succession would very likely calculate two different MD5 checksums. This is because web pages typically feature links to many external items that are dynamically loaded upon each page view. These external links take the form of cascading style sheets (CSS), graphical images, JavaScripts and other supporting files. This linked content can be stored on another server in the same domain, but is often located somewhere else on the Internet.

When the Web browser loads a web page, it consolidates all these items into one viewable page for the user. Since the Web page source file contains only the links to the files to be loaded, the MD5 checksum of the source file can remain unchanged even if the content of the linked files become completely different.  Therefore, the content of the linked items must be considered in the authenticity of the Web page. X1 Social Discovery addresses these challenges by first generating an MD5 checksum log representing each item that constitutes the Web page, including the main Web page’s source. Then an MD5 representing the content of all the items contained within the web page is generated and preserved.

To further complicate Web collections, entire sections of a Web page are often not visible to the viewer. These hidden areas serve various purposes, including metatagging for Internet search engine optimization. The servers that host Websites can either store static Web pages or dynamically created pages that usually change each time a user visits the Website, even though the actual content may appear unchanged.

In order to address this additional challenge, X1 Social Discovery utilizes two different MD5 fields for each item that makes a Web page.  The first is the acquisition hash that is from the actual collected information.  The second is the content hash.  The content hash is based on the actual “BODY” of a Web page and ignores the hidden metadata.  By taking this approach, the content hash will show if the user viewable content has actually changed, not just a hidden metadata tag provided by the server. To illustrate, below is a screenshot from the metadata view of X1 Social Discovery for website capture evidence, reflecting the generation of MD5 checksums for individual objects on a single webpage:

The time stamp of the capture and url of the web page is also documented in the case. By generating hash values of all individual objects within the web page, the examiner is better able to pinpoint any changes that may have occurred in subsequent captures. Additionally, if there is specific item appearing on the web page, such as an incriminating image, then is it is important to have an individual MD5 checksum of that key piece of evidence. Finally, any document file found on a captured web page, such as a pdf, Powerpoint, or Word document, will also be individually collected by X1 Social Discovery with corresponding acquisition and content hash values generated.

We believe this approach to authentication of website evidence is unique in its detail and presents a new standard. This authentication process supports the equally innovative automated and integrated web collection capabilities of X1 Social Discovery, which is the only solution of its kind to collect website evidence both through a one-off capture or full crawling, including on a scheduled basis, and have that information instantly reviewable in native file format through a federated search that includes multiple pieces of social media and website evidence in a single case. In all, X1 Social Discovery is a powerful solution to effectively collect from social media and general websites across the web for both relevant content and all available “circumstantial indicia.”

Leave a comment

Filed under Authentication, Best Practices, Preservation & Collection

Tagged as , , , , , , , , , , , , , , , , , , , , , , , ,