
TOMOKO DISCOVERY Discovery, Web Collection & Preservation Web: www.tomokodiscovery.com | Email: [email protected]

August 15, 2017  www.tomokodiscovery.com

Agenda:
1. About Us
2. Quick Facts
3.
4.
5. People Searches
6. Search Engines
7. Preservation
8. Q&A

About Me: Karhrman Ziegenbein

1. Born and raised in Germany
2. Served in the military as a combat medic at the Joint Medical Service in the Armed Forces of Germany
3. Moved in 2011 to the United States
4. Founder of Toonari and Creator of Tomoko Discovery
5. Lives in St. Petersburg, Florida
6. 20 years of experience in the field of Data Mining, Tracking, Analytics and more
7. Board member of the St. Petersburg Kiwanis club
8. Favorite Author: Orson Scott Card
9. Favorite Pet: Dog

Tomoko Discovery: features

The world’s most advanced Social Media Discovery & Website Forensic Tool.

1. Tomoko Tech Investigation Tool
2. White Label Case Reports
3. Cloud Storage
4. Local Possession of Evidence
5. Direct Exporting
6. Court Admissible Evidence
7. Authenticated Desktop & Webcam Recording
8. Authenticated Desktop and Webcam Recording.
9. Cross Platform – Windows & Mac

Tomoko Discovery: subscription

Professional Edition
• $79/month (1 User / Unlimited Cases)

Team 5 Edition
• $249/month (Up to 5 Users / Unlimited Cases)

Team 10 Edition
• $399/month (Up to 10 Users / Unlimited Cases)

NDIA Members
• Receive 20% off and
• In addition Toonari will donate 20% to the NDIA

Please contact me for a demo or sign up at www.tomokodiscovery.com
Karhrman Ziegenbein / Mobile: (727) 772-3230
Email: [email protected]

Tomoko Discovery: osint training & education

We provide seminars for law firms, corporations, federal and state government agencies, and courts worldwide.

1. Social Media Investigation & Intelligence
2. Online Media Forensics & Evidence Authentication
3. Online Investigation Techniques

No Fee Speaker / Learning Events
Low Funded Agencies, Schools & Non Profits

There are no fees. However, you will be responsible for all the speaker’s expenses necessitated by his or her appearance at your event.

Specifically, expenses include:
• Ground Transportation (Limousine, taxi, or rental car – to/from departure airport and to/from arrival airport)
• Airfare
• Accommodations
• Meals and Incidental Expenses

Quick Facts

Social Media User Statistics: 2010 - 2018

[Chart: Number of social network users worldwide from 2010 to 2018 (in billions); vertical axis 0 to 3, horizontal axis 2010 to 2018.]

Statistics: quick facts

August 2017 Top-12 Monthly User Stats

▪ Facebook • 2 Billion
▪ YouTube • 1,5 Billion
▪ WhatsApp • 1,2 Billion
▪ Facebook Messenger • 1,2 Billion
▪ WeChat • 938 Million
▪ • 700 Million
▪ Tumblr • 357 Million
▪ Twitter • 328 Million
▪ Skype • 300 Million
▪ Snapchat • 255 Million
▪ Pinterest • 175 Million
▪ LinkedIn • 106 Million

Statistics: law enforcement

Survey: LexisNexis

• Most investigators use Facebook and YouTube for their investigations

• 33% don’t have enough knowledge to use it

• More than 60% believe Social Media helps solve crime more quickly

Facebook

Facebook: quick facts

Facebook is a social networking service that was created by a Harvard student in 2004. Initially designed as a networking tool for Harvard students, it quickly spread to other schools and was finally opened to the public in 2006. Facebook is now, by a very wide margin, the biggest social network worldwide.

▪ As of the third quarter of 2017, Facebook had more than 2 billion global monthly active users

▪ Facebook has 1.74 billion mobile monthly active users.

▪ Facebook generated 27.64 Billion USD in revenue.

Facebook: privacy

Facts:

▪ Facebook users tend to keep information a little more secure than users of all other social media networking sites.
▪ By default, a new Facebook user must specify the privacy settings for their account during the creation of their profile.

Why?

▪ This is caused by privacy complaints from users and competitors who continuously protest against Facebook’s privacy policies. Many of these user settings simply do not promote privacy and leave the users’ information exposed for anyone to see.

Facebook: basic searching

To search for something, click the search bar at the top of any page on Facebook, enter what you're looking for and choose from the results. When typing something, you may see suggestions for what you're looking for. If you see what you're looking for in these suggestions, click it to save time searching.

Search Bar Result Categories:
▪ All
▪ Posts
▪ People
▪ Photos
▪ Videos
▪ Pages
▪ Places
▪ Groups
▪ Apps
▪ Events

Facebook: search techniques a

Timeline
▪ The Timeline provides a chronological list of all posts made
▪ Scrolling all the way down and clicking ‘show older stories’ will reveal posts from a greater time period
▪ If a user changes his or her privacy settings it will only apply to posts made after the change
▪ Change “Highlights” in gray next to the month and year on the Timeline to “Show All” in order to reveal all of the public content from older posts.

About
▪ This section will include the general information about an individual such as contact information, city of residence, workplace, etc.
▪ Be sure to click on all tabs on the left, look at more than the overview

Facebook: search techniques b

Photo
▪ Be sure to browse through the photos and the comments for valuable information

Friends
▪ You can browse through the friends of a user
▪ You can also see friends who have been recently added

Edited Comments
▪ If a comment has been edited the word ‘Edited’ will appear next to it
▪ Clicking on ‘Edited’ will load a new window that displays the edits

Facebook: subject id

The following queries will help you to identify a Facebook account (Username/User Name URL) by using the email or cell phone number of your target. After you identify the account, you need to get the User ID. The Username can be changed easily, and changing it changes the account URL as well. However, the User ID does not change and will stay with the account. Therefore you can always find the account again by collecting the User ID. The User ID is also needed to subpoena information from Facebook.

Search Subject ID:
▪ Account by Email
▪ Account by Cell Phone
▪ Username to User Number

Remember: Always record the User ID.

Facebook: videos

In this case the queries will show you any video of and by the user including likes and comments.

Videos:
▪ Videos Of User
▪ Videos By User
▪ Videos Liked
▪ Video Comments
▪ Videos

Facebook: photos

Photos are highly important during your investigation. The search strings that we have identified for you will help you to find pictures by the user and images of the subject posted by somebody else. In addition, they will show you the photos the user liked and the comments on the images themselves.

Photos:
▪ Photos By User
▪ Photos Liked
▪ Photos Of Tagged
▪ Photo Comments

Facebook: places & apps

The identification of places that your target visited or is currently visiting can be vital during any investigation. In addition, your findings can be used for surveillance purposes.

Identifying apps that are being used by your target can lead to additional data. The Nike+ Running app, for example, offers elevation tracking, integration with the Health app in iOS 8, and a GPS map with location and course that also shows how fast or slow the user ran at a particular time. The accuracy of the GPS map will depend on the smartphone’s signal throughout the run, but users have the option to calibrate every route following a run, to ensure the statistics reflect the accurate distance covered.

Places:
▪ Recent Places Visited
▪ Places Checked-In
▪ Places Liked
▪ Pages Liked

Apps:
▪ Apps Used

Facebook: intersect

Some of the most helpful queries will show you a connection between two individuals. This can range from common groups to common events.

Multiple People Profiles (Connection between 2 People):
▪ Common Friends
▪ Length of Friendship
▪ Common Places
▪ Common Check-Ins
▪ Common Likes
▪ Photo Tags
▪ Common Photo Likes
▪ Common Photo Comments
▪ Common Video Comments
▪ Common Events
▪ Common Post Comments
▪ Common Groups

Facebook: events

The “event invitation” and “event attended” queries will show you the event invitation and the actual event that the person attended. The event page itself will show you the people who have been invited, the people who went and the people who are interested in going.

Events:
▪ Event Invitations
▪ Events Attended

Facebook: posts

Not finding the posts you are looking for? We got you covered with the “post by user”, “post comments” and “posts tagged on” queries.

Posts:
▪ Posts by User
▪ Post Comments
▪ Posts Tagged

Facebook: 2020

Ready Player One is a 2011 science fiction and dystopian novel by Ernest Cline. This novel is about a young, poor teenager living in a future world where chaos reigns and most people forget their miserable existence by spending most of their time inside the virtual world of OASIS.

The OASIS is a virtual universe, containing thousands of worlds. It functions both as an MMORPG and as a virtual society, with OASIS currency being the most stable currency in the world. MMORPG = Massively multiplayer online role-playing games.

Did You Know ...
That every new employee at Oculus VR, the Facebook owned virtual reality company, is given a copy of the 2011 science fiction novel Ready Player One.

Social Media becomes Virtual Reality
However, this is not only Science Fiction. Currently Facebook has plans to build its Oasis. Oculus VR, the Facebook owned virtual reality company, has the goal to create the Oasis by 2020.

Twitter

Twitter: overview

▪ A microblogging social network founded in 2006 by Jack Dorsey and Biz Stone

▪ Members can post "tweets" of up to 140 characters directing them to specific people via the @ symbol, linking them to specific topics with the # symbol, or releasing them to the world at large

▪ Direct messages are also available but these are not open to the public nor searchable by anyone other than the user

▪ Tweets are publicly visible by default, although tweets can be restricted

Twitter: quick facts

▪ As of September 2017, Twitter has 1.3 billion registered users (328 million active users)
▪ Fewer than half of tweets were posted using the Twitter.com interface; third-party applications were used most.
▪ 80% of active users access Twitter using a mobile device.
▪ Twitter’s percentage of total global social media sharing is 30%, 24% in North America, 45% in Europe.
▪ 56% of Twitter users use it to document their lives in real time.
▪ 1 in 7 tweets contain at least one curse word.
▪ 10,000 tweets per day contain racial slurs.
▪ In January 2012 in New York, police arrested 43 gang members linked to killings, shootings, and robberies because of posts members put on Twitter.
▪ A former NFL player’s home was broken into by partying teens who caused $20,000 in damage. Arrests were made based on photos the teens posted of their actions on Twitter.

Twitter: partnerships

: Partnership relaunched with Twitter started on May 19, 2015
Relevant mobile queries produce real-time content from Twitter in addition to traditional Google results. Search queries will display recent tweets by or about the subject you searched for.

Bing: Partnership dating back to 2009
New updates, due to the Twitter partnership, make it much easier to look up people and find tweets. Search results are based on a variety of factors such as popularity, retweets, and account status. Bing will make suggestions or offer alternatives as you type in the search bar. Twitter data is now utilized in Bing’s Pay Per Click Advertising program.

Yahoo: Powered by Bing
All Yahoo results are coming from Bing, after launching multiple unsuccessful redesigns of their . Yahoo is currently shutting down other services like maps as well, but its keyword searches will return recent tweets if applicable due to the Bing partnership.

Twitter: basic search

Examples:

▪ Include: termA OR/AND termB
  Conan OR/AND Leno

▪ Exclude: termA -termB
  Conan -Leno

▪ Tweets From:
  from:Conan

▪ Tweets To:
  to:Conan

▪ Date Search
  iPhone since:2014-09-01 until:2014-09-20

▪ Tweets with links
  amazing filter:links

Twitter: advanced search

Twitter: location search a

Location feature has to be turned on in mobile device
▪ Clicking on location will give time of post and Google Map position at time of posting

Twitter advanced search can search location if investigating an incident at a known location
▪ Put geocode: GPS coordinates, search radius
▪ Can also add search parameter such as the word “fire”

Tweetpaths (tweetpaths.com)
▪ Must know username
▪ Will show locations of tweets for user w/GPS enabled
▪ Can identify several users on the same map

Twitter: location search b

MapD MIT (https://www.mapd.com/demos/tweetmap)
MapD Harvard (http://worldmap.harvard.edu/tweetmap)
▪ Historical database of tweets displayed on a map
▪ 2009-2013

One Million Tweet Map (onemilliontweetmap.com)
▪ Live stream of most recent tweets from a location

GeoSocial Footprint (geosocialfootprint.com)
▪ Combines location information to form “Location Footprint”
▪ Can be used to identify areas of concern

Social Bearing (socialbearing.com)
▪ Identify tweets by location.

Twitter: tweet search

All My Tweets (allmytweets.net)
▪ Presents ALL of an active user’s tweets together
▪ Can search for terms in tweets

First-Tweet (discover.twitter.com/first-tweet)
▪ Find anyone’s first Tweet

Twitter: relationships

Twiangulate (twiangulate.com)
▪ Displays mutual friends of two Twitter profiles

Twitter: misc.

Backtweets (backtweets.com)
▪ Can identify posts that link to a specific website
▪ Good for finding people promoting an illegal website

Foller Me (foller.me)
▪ Analytical look at a user’s profile and latest tweets
▪ Looks at user topics, join dates, and follower ratio

People Search

People Search: overview

People search engines search for information on people. A people search can be used to find out information on a client, whether a person has an incriminating background, or how to contact a person. Some people search engines find out a person’s criminal record, email address, physical address and even license plates for that person.

▪ People search engines do the grunt work of looking for information about people for you, making finding a person fast and simple.

People Search: search services

ThatsThem
A completely Free People Search service that allows you to lookup anyone's phone number, email address, postal address, and more.
www.thatsthem.com

Pipl
Finds high-quality results in pages that cannot be found on regular search engines
www.pipl.com

ReverseGenie
Provides free phone number, people, license plate, address, ip and email reverse lookup.
www.reversegenie.com

Search Engines

Search Engines: overview

There are many useful Search Engines that can be used during Social Media Discovery.

▪ For example, Social Search Engines search a variety of Social Media Networks while Million Short allows the user to filter out up to the top million sites.

▪ Iseek on the other hand helps the user with a handy cluster system to narrow our search by topic, people, places, organizations, etc.

▪ Google’s advanced search permits the search of indexed files including PDF, Excel, Word Doc., PPT and others. It also lets you change the language, region, site or even domain, for example.

Search Engines: cluster, advanced & social

Search Engines:
▪ www.iseek.com
▪ www.carrot2.org
▪ www.instya.com
▪ www.yandex.com

Advanced Search:
▪ www.search.yahoo.com/web/advanced
▪ www.google.com/advanced_search

Filter Search:
▪ www.millionshort.com

Social Search
▪ www.social-searcher.com

Search Engines: isp & content provider

The ISP List is a database of Internet service and other online content providers that will help you get the information you need for your case. For each Internet Service Provider listed, you’ll find the legal contact information and instructions needed to serve subpoenas, court orders, and search warrants.

On The Web:
▪ http://www.search.org/resources/isp-list

Preservation

Preservation: the screenshot

Federal Rules of Evidence / Rule 902(14) Amendment
The accompanying official Advisory Committee notes specifically reference the importance of both generating “hash values” and verifying them post-collection as a means to meet this standard for self-authentication. This digital identification and verification process can only be achieved with applications like Tomoko Discovery.

Law Enforcement IMPORTANT
In the law enforcement field, untrained patrol officers or field investigators are too often collecting electronic evidence in a manual and haphazard fashion, without utilizing the right tools that qualify as a “process of digital identification.” For example, if an untrained investigator collects a web page via the computer’s print screen process, that printout will not be deemed to be self-authenticating under Rule 902(14), and will face significant evidentiary hurdles compared to a web page properly collected via a solution such as Tomoko Discovery.

Preservation: metadata

Types of Metadata:
▪ Structural metadata and descriptive metadata. Structural metadata is data about the containers of data. Descriptive metadata uses individual instances of application data or the data content.

Examples
▪ Means of creation of the data
▪ Purpose of the data
▪ Time and date of creation
▪ Creator or author of the data
▪ Location on a computer network where the data was created
▪ Standards used
▪ File size

Preservation: the

Digital signatures can provide the added assurances of evidence to origin, identity and status of an electronic document. By using a public key that is included in the digital signature, we can validate the authenticity of the content that was captured as evidence.

1. A digital signature is a mathematical technique used to validate the authenticity and integrity of a digital document.
2. Digital signature technology authenticates and validates the document, proving beyond a reasonable doubt it is what it says it is.
3. A digital signature is intended to solve the problem of tampering with a digital document.
4. A digital signature is based on public key cryptography, also known as asymmetric cryptography.

Preservation: tomoko’s sha-256

What is SHA-256?
The SHA (Secure Hash Algorithm) is one of a number of cryptographic hash functions. A cryptographic hash is like a signature for a text or a data file. The SHA-256 algorithm generates an almost-unique, fixed size 256-bit (32-byte) hash. A hash is a one way function – it cannot be decrypted back. This makes it suitable for password validation, challenge hash authentication, anti-tamper, digital signatures.

How Strong is SHA-256?
SHA-256 is one of the successor hash functions to SHA-1, and is one of the strongest hash functions available.

Example:
In this example our input is the two words “Tomoko Discovery”; our SHA-256 output is “e5b4fd62e4f548568d1ab3401658b1d6647821e057ca3f988ceb36cdaa51b497”
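
The hash-at-collection and verify-after-collection process described on the Rule 902(14) and SHA-256 slides, as an added example in Python (not Tomoko Discovery's code). The file name, URL, collector ID and manifest layout are constructed assumptions.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 16  # read in 64 KiB pieces so large captures are not loaded whole

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()

def record_capture(path, source_url, collector):
    """Manifest entry written at collection time (field names are assumptions)."""
    return {
        "file": os.path.basename(path),
        "source_url": source_url,
        "collector": collector,
        "collected_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "size_bytes": os.path.getsize(path),
        "sha256": sha256_file(path),
    }

def _canonical(entries):
    # Stable serialization so the manifest hash is reproducible.
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()

def seal_manifest(entries):
    """Hash the manifest itself so edits to the recorded values are detectable."""
    digest = hashlib.sha256(_canonical(entries)).hexdigest()
    return {"entries": entries, "manifest_sha256": digest}

def verify(manifest, directory):
    """Post-collection check: returns a list of (file, status)."""
    if hashlib.sha256(_canonical(manifest["entries"])).hexdigest() != manifest["manifest_sha256"]:
        return [("<manifest>", "MANIFEST ALTERED")]
    results = []
    for e in manifest["entries"]:
        p = os.path.join(directory, e["file"])
        if not os.path.exists(p):
            results.append((e["file"], "MISSING"))
        elif os.path.getsize(p) != e["size_bytes"] or sha256_file(p) != e["sha256"]:
            results.append((e["file"], "MODIFIED"))
        else:
            results.append((e["file"], "OK"))
    return results

def demo():
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "capture_0001.html")
        with open(path, "wb") as fh:  # constructed sample capture
            fh.write(b"<html><body>constructed sample post</body></html>")
        entry = record_capture(path, "https://example.com/post/1", "examiner-01")
        manifest = seal_manifest([entry])
        before = verify(manifest, d)
        with open(path, "r+b") as fh:  # alter one byte, file size unchanged
            fh.seek(20)
            fh.write(b"X")
        return before, verify(manifest, d)

if __name__ == "__main__":
    print(demo())
```

The manifest hash only proves integrity if it is kept apart from the evidence folder or covered by a digital signature, since anyone who can edit the manifest can also recompute an unsigned hash.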

Thank You

Social Media Discovery, Web Collection & Preservation
Web: www.tomokodiscovery.com | Email: [email protected]
