
Digital forensics in the age of the social media moving target

Open Access Government

Heather Barnhart, a Senior Digital Forensic Expert at Cellebrite and the Head of Faculty at SANS, discusses digital forensics in the era of social media as a constantly changing target

Nearly every digital investigation, 97% to be exact, involves a mobile phone, meaning critical evidence is increasingly stored on devices and third-party apps.

Social media platforms such as TikTok, Snapchat, and other apps are constantly updating and changing how data is stored. As a result, investigators are facing a new reality: it’s not just about extracting data, but about understanding where it lives in the file system, how it behaves, and how to recover it when tools don’t keep up.

Rising privacy concerns, tightening security controls and an increasingly complex data environment all make mobile data collection harder for investigators and examiners, and the solutions they rely on must keep pace. Each change disrupts forensic tools and leaves gaps in the extracted data. Knowing how to navigate and interpret the data is becoming just as central as the tools used to extract it.

Social media apps are a moving target

Within digital forensics there is a persistent frustration with vendors failing to provide parsing support quickly enough, because apps are constantly updating and changing. The break can be as simple as a new column or table added to a database: the storage format has changed, so a parser written against the old schema no longer works.

Social media apps are a moving target, creating blind spots in forensic tools. Recovering as much device data as possible is critical in digital investigations to find evidence and uncover the truth behind the case.

Native apps change constantly, too. On iOS, Safari history used to be stored in a single location as a plist; an update changed both the file path and the format, from a plist to a database. That happened many years ago, but Apple is still at it. Photos.sqlite tracks media files on an iPhone and is one of the most frequently examined files on the device, and a table change in that database from one iOS version to the next broke tool parsing support.

Essentially, it is a constant loop: analyze the app, research where and how it stores data, build the capability into the tool, then return to the app to check that nothing has changed. When something has, investigators research the change and update the tool and their parsing techniques again.
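The schema drift described above, a new column or a renamed one breaking a parser, in working code, as an added example that is not part of the original article and not any vendor's tool. The two schemas, the `messages` table, the `COLUMN_ALIASES` map and the `user_version` values are constructed to stand in for two releases of a hypothetical app. The contrast is between a parser that unpacks `SELECT *` by position and one that reads the schema from `sqlite_master` and `pragma_table_info` first, resolves each logical field to whatever the current release calls it, and flags columns it has never seen.

```python
import os
import sqlite3
import tempfile

# Constructed schemas standing in for two releases of a hypothetical messaging app.
# Release 2 renames body -> text, inserts a column in the middle of the row and
# bumps user_version, the kind of change that breaks a parser written against release 1.
SCHEMA_V1 = """
CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT, ts INTEGER);
INSERT INTO messages VALUES (1, 'meet at the pier', 1700000000);
INSERT INTO messages VALUES (2, 'bring the package', 1700000060);
PRAGMA user_version = 1;
"""
SCHEMA_V2 = """
CREATE TABLE messages (id INTEGER PRIMARY KEY, text TEXT,
                       is_deleted INTEGER DEFAULT 0, ts INTEGER);
INSERT INTO messages VALUES (1, 'meet at the pier', 0, 1700000000);
INSERT INTO messages VALUES (2, 'bring the package', 1, 1700000060);
PRAGMA user_version = 2;
"""

# Column names the parser understands for each logical field, oldest known name
# first. Hypothetical aliases, not taken from any real app's schema.
COLUMN_ALIASES = {
    "id": ("id", "message_id"),
    "body": ("body", "text", "content"),
    "ts": ("ts", "timestamp", "date"),
}


def build_db(sql: str) -> str:
    """Create a throwaway SQLite file from a schema script and return its path."""
    fd, path = tempfile.mkstemp(suffix=".sqlite")
    os.close(fd)
    con = sqlite3.connect(path)
    con.executescript(sql)
    con.close()
    return path


def brittle_parse(path: str) -> list:
    """How many one-off parsers are written: SELECT * and unpack the row by position."""
    con = sqlite3.connect(path)
    try:
        return [{"id": mid, "body": body, "ts": ts}
                for mid, body, ts in con.execute("SELECT * FROM messages")]
    finally:
        con.close()


def schema_fingerprint(con: sqlite3.Connection) -> tuple:
    """Return (user_version, {table: [column names]}) read from the database itself."""
    version = con.execute("PRAGMA user_version").fetchone()[0]
    tables = [r[0] for r in con.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name")]
    columns = {t: [r[0] for r in con.execute(
        "SELECT name FROM pragma_table_info(?)", (t,))] for t in tables}
    return version, columns


def robust_parse(path: str) -> dict:
    """Resolve each logical field to the column the current schema uses, and report
    columns the parser has never seen instead of silently dropping them."""
    con = sqlite3.connect(path)
    con.row_factory = sqlite3.Row
    try:
        version, columns = schema_fingerprint(con)
        present = columns["messages"]
        chosen = {}
        for field, aliases in COLUMN_ALIASES.items():
            match = next((a for a in aliases if a in present), None)
            if match is None:
                raise KeyError(f"no known column for {field!r} in {present}")
            chosen[field] = match
        unknown = sorted(set(present) - set(chosen.values()))   # new since the parser was written
        select = ", ".join(f'"{col}" AS "{field}"' for field, col in chosen.items())
        rows = [dict(r) for r in con.execute(f"SELECT {select} FROM messages ORDER BY 1")]
        return {"user_version": version, "unknown_columns": unknown, "rows": rows}
    finally:
        con.close()


def demo() -> dict:
    """Run both parsers against both releases and return the results."""
    v1, v2 = build_db(SCHEMA_V1), build_db(SCHEMA_V2)
    try:
        brittle_v2 = brittle_parse(v2)
    except ValueError as e:   # too many values to unpack: the added column shifted the row
        brittle_v2 = f"error: {e}"
    return {"brittle_v1": brittle_parse(v1), "brittle_v2": brittle_v2,
            "robust_v1": robust_parse(v1), "robust_v2": robust_parse(v2)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Flagging unknown columns is the point: a tool that silently ignored `is_deleted` would report the second message as live. Recording `PRAGMA user_version` alongside the parse is cheap and useful, since some apps bump it on migration and it is the quickest way to tell which schema a seized database is in.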

Delete doesn’t mean gone

A common misconception among online criminals is that hitting delete means the data is gone, but this isn't the case. If an app changes its storage format, for example a Chromium-based app moving from SQLite to LevelDB, the old data can remain in the SQLite file. Even if the user deletes it in the app, the data can still be present in the old format while appearing non-existent in the new one, because the app only looks at its current storage format.

A simple forensic analysis may not reveal the data if the tool doesn't parse it. This is where forensic skills come into play. Investigators who can write SQLite queries and run keyword searches within their tools are key to successful investigations of third-party apps when a tool is not parsing the data.
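Both points above, the old store that outlives a format migration and the deleted row that is still on disk, demonstrated in one added example that is not from the article or from any forensic product. The app container, its `legacy_messages.db`, the row the user deletes in it and the `000005.ldb` file (constructed bytes, not a real LevelDB table) are all made up for the demo. `parse_live_rows` is what a tool that only runs SQL sees; `keyword_scan` searches every file in the container byte by byte, in UTF-8 and UTF-16LE, and `classify_offset` walks SQLite's page header and freeblock chain to say whether a hit sits in a live cell, in a freeblock left behind by DELETE, or in unallocated space.

```python
import os
import re
import sqlite3
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"


def make_app_container() -> str:
    """Constructed app sandbox: a SQLite store the app has since abandoned (with one
    row deleted by the user) next to a newer file in a different format."""
    root = tempfile.mkdtemp(prefix="app_container_")
    legacy = os.path.join(root, "legacy_messages.db")
    con = sqlite3.connect(legacy)
    con.execute("PRAGMA journal_mode = DELETE")   # pages land in the main file on commit, not a WAL
    con.execute("PRAGMA secure_delete = OFF")     # explicit, so builds that default it ON behave the same
    con.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)")
    con.executemany("INSERT INTO messages (body) VALUES (?)", [
        ("meet at the pier",),
        ("burner phone is in the glovebox",),
        ("see you at noon",),
    ])
    con.commit()
    con.execute("DELETE FROM messages WHERE body LIKE 'burner%'")   # the user hits delete
    con.commit()
    con.close()
    # The app's "current" store: constructed bytes a SQLite-only parser never opens.
    with open(os.path.join(root, "000005.ldb"), "wb") as f:
        f.write(b"\x00" * 16 + b"see you at noon" + b"\x00" * 16)
    return root


def parse_live_rows(db_path: str) -> list:
    """What a tool that only runs SQL sees: the deleted row is gone."""
    con = sqlite3.connect(db_path)
    try:
        return [r[0] for r in con.execute("SELECT body FROM messages ORDER BY id")]
    finally:
        con.close()


def classify_offset(db: bytes, offset: int) -> str:
    """Place a file offset within SQLite's page layout: live cell, freeblock left by a
    DELETE, or the unallocated gap between the cell pointer array and cell content."""
    raw = int.from_bytes(db[16:18], "big")
    page_size = 65536 if raw == 1 else raw          # header stores 1 for a 64 KiB page
    page_no = offset // page_size
    page = db[page_no * page_size:(page_no + 1) * page_size]
    hdr = 100 if page_no == 0 else 0                # page 1 carries the 100-byte file header
    pos = offset % page_size
    if not page or page[hdr] not in (0x02, 0x05, 0x0A, 0x0D):
        return "not a b-tree page"
    leaf = page[hdr] in (0x0A, 0x0D)
    freeblock = int.from_bytes(page[hdr + 1:hdr + 3], "big")
    n_cells = int.from_bytes(page[hdr + 3:hdr + 5], "big")
    content_start = int.from_bytes(page[hdr + 5:hdr + 7], "big")
    ptr_end = hdr + (8 if leaf else 12) + 2 * n_cells
    while freeblock:                                # walk the freeblock chain
        size = int.from_bytes(page[freeblock + 2:freeblock + 4], "big")
        if freeblock <= pos < freeblock + size:
            return "freeblock (deleted record)"
        freeblock = int.from_bytes(page[freeblock:freeblock + 2], "big")
    if ptr_end <= pos < content_start:
        return "unallocated"
    return "live cell"


def keyword_scan(root: str, keyword: str) -> list:
    """Format-agnostic byte search over every file in the container, in UTF-8 and
    UTF-16LE; hits inside SQLite files are mapped to the page region they fall in."""
    patterns = {enc: re.compile(re.escape(keyword.encode(enc))) for enc in ("utf-8", "utf-16-le")}
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            with open(os.path.join(dirpath, name), "rb") as f:
                data = f.read()
            is_sqlite = data.startswith(SQLITE_MAGIC)   # identify by magic, not extension
            for enc, pat in patterns.items():
                for m in pat.finditer(data):
                    ctx = data[max(0, m.start() - 12):m.end() + 12]
                    hits.append({
                        "file": name, "offset": m.start(), "encoding": enc,
                        "region": classify_offset(data, m.start()) if is_sqlite else "n/a (not SQLite)",
                        "context": bytes(b if 32 <= b < 127 else 0x2E for b in ctx).decode("ascii"),
                    })
    return hits


def demo() -> dict:
    root = make_app_container()
    return {
        "live_rows": parse_live_rows(os.path.join(root, "legacy_messages.db")),
        "deleted_hits": keyword_scan(root, "burner phone"),
        "noon_hits": keyword_scan(root, "see you at noon"),
    }
```

Two caveats that matter on real evidence: SQLite builds compiled with secure_delete on by default (Apple's among them) zero freed cells, which is why the example sets the pragma explicitly, and a database in WAL mode keeps recently written pages in the -wal file until checkpoint, so scan that file and any -journal alongside the main database.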

The role of collaboration in keeping pace

Leaning on the community is essential to keeping up with something that evolves this fast. When teaching or communicating, build on what already exists and modify it: it is far easier to adapt a script or query to what has changed than to start from the ground up.

Community contributors create public iOS and Android images loaded with applications and carefully document everything from what was installed to the process followed, releasing the images alongside detailed PDFs.

These resources are highly valuable for testing and validation. When an investigator is stuck or needs a second opinion on specific applications, these shared materials provide a strong starting point.

The reality is that modern digital investigations and apps will continue to develop, and as a community of investigative leaders, we need to find ways to stay ahead of them.