Spoofs, Fakes, and Manipulation: The Challenge of Validating Messages and Social Media Content on Mobile Phones

Lars Daniel EnCE, CCPA, CCO, CTNS, CTA, CIPTS, CWA
Practice Leader - Digital Forensics at Envista Forensics
919-621-9335 / [email protected]


We would all like to believe that when we view a photo, the contents therein are a true and accurate representation of what they purport to be. Unfortunately, this is not always the case. We are all aware of software tools that allow for manipulating photos to create convincingly real fakes. Sometimes, these fakes are so convincing that veracity cannot be determined by examining the picture alone with the naked eye. 

This has been true with photos for a long time and is true today with videos using deepfake technology. Software applications are widely available that allow a person to manipulate video or audio to make it appear that someone is saying something they never said, as with the Reface App[i], where a person's face can be replaced with another's. The technology seems to have advanced to the point where anyone can create a very convincing fake video of events using an application on his or her phone. The individual need not have any special expertise in creating videos; all they need is the software.

Making fake photos and videos is relatively simple, but making faked and spoofed social media and messaging content is even easier.

Additionally, a person can alter or fake text message communications with relative ease and a low level of technical sophistication.

In mobile device forensics, the best method of collecting evidence from a phone is to use cell phone forensics software and hardware. Before we cover the problems with verifying pictures and screenshots of social media content and text messages, it helps to have a high-level overview of how data is collected.

The forensic acquisition process encompasses all the methods and procedures utilized to collect digital evidence. This collection process can take many forms with mobile phones and the data from mobile devices can reside in numerous locations. With mobile phones, the data extraction methods used are determined by multiple factors, including the cell phone's make, model, operating system version, and physical damage, to name a few.  

How Mobile Phone Forensic Tools Verify Evidence  

When a forensic acquisition is performed on a computer hard drive, a bit-for-bit duplicate of the data is created. In other words, all the data contained on the hard drive, including existing data, deleted data, and unallocated space, are collected in a forensic image file. This forensic image file is exactly like the data contained on the computer hard drive. However, a forensic acquisition of a mobile device is different, as it almost always has to be powered on.

The forensic data collection process from the mobile device is better called a "forensic extraction," as data is extracted from the device rather than captured as a perfect bit-for-bit copy of the evidence item. With the mobile phone powered on, the forensic software cannot access some areas of data. However, that inaccessible data is usually of little to no evidentiary value.

Following the forensic copying comes the hashing process. A mathematical algorithm is run against the copied data, producing a unique hash value. This hash value can be thought of as a digital fingerprint, uniquely identifying the copied evidence exactly as it exists at that point in time.  

This raises the question: “Why bother hashing the forensic copy of a cell phone if it is not exactly the same as the original evidence, as it would be with a computer?” Suppose you made a forensic copy of a phone today and hashed it, and sometime later an opposing attorney claimed you manipulated data. In that case, you could go back to the original forensic copy to prove you did not.

But what happens when the evidence is collected from a cell phone using screenshots or pictures? Since there is no mathematical algorithm or any other kind of forensic verification, how do we know that the messages or social media content are real?

Manual Examinations

Confidence in the evidence gathered from mobile phones without forensic software and hardware begins with a correctly performed manual examination. A physical acquisition is the best option with mobile phone forensics, followed by a logical or filesystem acquisition. Manual examinations should be utilized as a last resort when other forensic acquisition methods are not possible. The risk of changing or deleting evidence on a mobile phone is significantly increased when performing a manual examination because it introduces a higher potential for human error.

A manual examination of a cell phone involves an examiner navigating the mobile phone to the different areas of information, such as text messages or call history, and taking pictures of the screen with a camera. A correctly performed manual examination will reduce the risks of modifying the original evidence. Therefore, a manual examination is a viable option for acquiring cell phone evidence when correct procedures and thorough documentation are used.

The quality of a manual cell phone examination depends on the competency of the examiner. For example, suppose proper procedures and detailed documentation are not part of the manual examination. In that case, it can call into question whether or not the evidence was properly preserved and if tampering, intended or otherwise, occurred during the examination of the cell phone.

Pictures only tell part of the story. What happened during the time between the individual pictures being taken? Pictures alone do not provide any real verification that the phone evidence has not been altered. A video camera running continuously throughout the manual examination process, with no breaks, pauses, or edits, is the only method for evidence verification in the absence of a mathematical hash value. The video should begin before the phone is powered up. At the end of the examination, the phone should be powered down in view of the camera.

In my experience, it is uncommon for forensic examiners to properly follow best practices and protocols when it comes to manual examinations. A video recording rarely accompanies the photos of the mobile phone contents.

Why It Matters: Fakes and Spoofs Are Real and On The Rise

Social Media Fakes

The pervasiveness of social media in our culture and the frequency at which users access these platforms to communicate, share, and consume content have broadened and deepened the amount of courtroom evidence. However, social media evidence has one particular vulnerability: the ability to be altered or forged.

It does not take a high degree of technical capability or access to special software to create fake social media posts. Anyone can find websites that allow you to make fake social media posts and messages that look real, indistinguishable from authentic content.  

For example, here are posts I made between myself and you, the reader, as a means of illustration. In addition, I can create fake posts and messages for all major social media platforms. The following faked social media messages and posts were created using a web-based application that is both simple to use and free.[ii]

Facebook

The time, date, location, content, comments, reactions, and chat messages contained in these photos are all fake.