How to Authenticate Online Evidence (and Why It’s Crucial)
The internet is a treasure trove of useful information for your investigation. But if you don't capture and authenticate it before it disappears, that evidence and, in turn, your case, could be lost.
"Once you have located a potentially useful and relevant social media post, what should you do? Don’t delay. Immediately capture it." urge Robert C. Bonsib, Esq. & Megan E. Coleman, Esq. "Even if the initial manner in which you preserve the evidence isn’t the best, it is important to capture it because people can quickly close down or delete a social media site."
Wondering how to authenticate online evidence? This quick guide explains common methods every investigator should know.
Are you getting the most out of the internet's best free tool?
Search engines can provide loads of helpful evidence for your investigation if you know how to use them effectively. Watch this free webinar to learn tips and tricks for using Google to find information on your subject quickly and easily.
One method you can use to authenticate evidence is creating a screen cast or screen recording. Using software such as Camtasia, you can record what's happening on your screen as you conduct your online search. You can also record yourself looking at a site's metadata to add a layer of authentication.
Start the recording by saying your name, the date and time and case number or some other identifying information about your investigation. Then, conduct your search as usual. Adding the information at the beginning of the recording shows that it is legitimate and not doctored, making it more likely to be admissible in court.
This method is useful for scrolling through an entire website, social media profile history or other large piece of online evidence.
To capture just one web page or a few social media posts, you can take a picture of your screen, otherwise known as a screen grab or screenshot. You can do this by either taking a picture of your computer with your phone/camera or taking a screenshot straight from your computer.
To strengthen your evidence, be sure to include the time and date in the screen shot. This might appear at the top or bottom of your screen and be captured in the grab automatically. You can also add it in manually (find OS-based instructions here.)
If you can, get a neutral witness (such as a notary) to observe and/or sign off on your screenshots. Authenticated screenshots are more likely to be admitted in court.
"Take a screen shot of the entire screen, capturing as much as you can, and not just the relevant picture or message. In order to later authenticate the screenshot you may need to show the whole page so you can see other information that helps tie the screenshot to the person you are attempting to prove posted the message or picture," Bonsib and Coleman explain.
Do you know or suspect that a subject hid or deleted key evidence? You might be able to view it using the Internet Archive's Wayback Machine. Just type the URL you want to explore into the search bar and the Wayback Machine will show you archived versions of the site by month and year.
You'll find snapshots of the site from its creation to present. Each snapshot acts as a working webpage, so you can click around the site using links the same as you would have when that version of the site was live.
You can conduct a similar search using your Google account, as explained below.
Pages Cached by Google
Throughout the day, "Google takes a snapshot of each web page as a backup in case the current page isn't available." These are also handy if you don't have the time or knowhow to document a web page yourself.
To find the cached version of a page, type the URL into Google. Then, click on the arrow to the right of the result and click "Cached." Google will take you to the cached version of the page, complete with a date and time stamp. You can view and save/print/download the full version of the page, a text-only version or the page source.
Cynthia Hetherington, MLS, MSM, CFE, notes that "social media content may still be cached from the source directly, or a third party." So, even if you don't authenticate a subject's profile or posts before they delete evidence, you could still find them again.
Why You Need to Authenticate Online Evidence
Have you ever deleted an old, embarrassing social media post? Then you know how easy it is to make them disappear. With just the click of a button, a person can:
- Delete posts or profiles
- Edit posts or profiles
- Hide posts or profiles
- Make posts or profiles private
This applies best to social media, but also to any website someone runs, including business or professional sites.
You might find a juicy bit of intel, but if the person deletes or hides it later, there's no way to prove it was there unless you use one of the methods above. Letting a key piece of online evidence slip through your fingers can mean the difference between winning and losing a case.