More

    A Guide to Social Media Intelligence (SOCMINT)

    Share

    As people’s private lives is increasingly available in the public domain, social media platforms’ relevance, as both a source of information and a medium of transmission, rises. Hence, social media intelligence (SOCMINT) appears as an opportunity to better cope with a growingly changing threat environment.

    1. What is Social Media Intelligence?

    Social Media Intelligence (SOCMINT) is considered being a sub-discipline of Open-source Intelligence (OSINT). It refers to the techniques and tools that allow for the collection and analysis of information originating from social media platforms (source). SOCMINT includes all social media platforms, not only social networking sites. Both state and non-state actors can collect and analyse SOCMINT to gain knowledge about specific groups, individuals, or events (source).

    You can conduct SOCMINT on different platforms:

    • Microblogging such as X/Twitter or Weibo
    • Photo sharing such as Instagram or Flickr
    • Social networking such as Facebook or Vkatonkte
    • Blogs such as WordPress
    • Social bookmarking such as Pinterest
    • Video sharing such as YouTube or TikTok
    • Forums such as Reddit or Baidu

    2. Why is SOCMINT important?

    You can use social media intelligence for a wide range of purposes, including:

    • Counter-terrorism
    • Conflict monitoring
    • Fight against organised crime (human trafficking, drug trafficking, arms trafficking, etc.)
    • Health and disease monitoring
    • Combating child sexual exploitation
    • Disaster prediction and response

    As Sir David Omand explained,

    “SOCMINT could contribute decisively to public safety: identifying criminal activity, giving early warning of disorder and threats to the public, or building situational awareness in rapidly changing situations. Understanding the content of social media presents an opportunity for the security services to better understand, and respond to, the public they serve”.

    (source).

    Compared to other forms of intelligence collection and analysis, SOCMINT has decisive advantages (source):

    • Many users are highly liberal with the information they share on social media, which facilitates the collection and analysis.
    • The fact that anyone can post on social media can be perceived as both an advantage and an inconvenience. While it sometimes diminishes the reliability of the collected information, it ensures a large diversity of material.
    • Social media is much faster to disseminate information.

    3. How to conduct SOCMINT?

    You can collect different types of information through social media. Broadly speaking, social media intelligence allows for the collection of (source):

    • Profile information: this includes all kinds of static information publicly available. For instance, on a LinkedIn profile, you can possibly find a (profile) picture, contact information, current and past employers, job title, etc. On Facebook, you can find a profile picture and a name, and potentially a birth date, location, friends, etc.
    • Interactions: social media users not only own an account; they often interact with each other’s. You can monitor these interactions to identify connections and links between individuals or groups. Interactions can include posting, reacting, commenting, re-sharing, liking, etc.
    • Metadata: the content of social media posts is not the only information that can be collected and analyzed. Indeed, posts generate metadata – the data about the data. Therefore, SOCMINT includes not only text and images but also timestamps, locations, and sometimes the type of device used to post.

    3.1. Facebook investigations

    Social media intelligence investigators consider Facebook a real goldmine, as it is the most widely used social media platform. You can use advanced semantic searches to locate information within Facebook’s database. While Facebook removed its Graph Search options in 2019, tools still exist to make the search easier.

    • Snowdust (https://www.sowsearch.info/): you can search for posts from a specific user/page, restrict to posts published in groups, or specific locations. You can also filter by date and keywords. Other options include search by image, pages, places, etc.
    • Facebook Graph Searcher from Intelligence X (https://intelx.io/tools?tab=facebook): search for posts from a specific date, specific user, or from unknown users. You can also search for people, posts, events, places, videos, and photos.

    Other tools and online services exist, such as those to simplify the process of collection and analysis from Facebook accounts. For instance, Lookup ID (https://lookup-id.com/) helps you find Facebook personal IDs, which are necessary for Facebook keyword searches.

    3.2 X/Twitter investigations

    X, formerly known as Twitter, has a built-in advanced search functionality (upper-right side of the screen). A simple search allows you to perform a basic search in the X/Twitter database – similar to Google. You can also conduct more advanced, specialized research on the X/Twitter developer site (https://twitter.com/search-advanced).

    3.2.1. Basic search queries

    • To search for a hashtag, you can use the (#) operator followed by the search keyword. For instance, #SOCMINT.
    • To search for tweets containing an exact keyword, you can use “keyword”, such as “SOCMINT”.
    • Love OR hate for instance, will find all the tweets containing “love”, “hate”, or both.
    • You can use the operator (from) to find tweets from a specific user, such as from:NASA for instance.
    • You can use the operator (to) to find tweets replying to a specific X/Twitter account, such as to:NASA for instance.
    • You can use the operator (@) to find tweets mentioning a specific user, such as @:NASA for instance.
    • To limit results to a specific language, use the (lang) operator. For instance, SOCMINT lang:en will return the tweets containing SOCMINT in English language only. You can find a link of the supported language and their abbreviation here.

    You can combine those search operators to perform a more precise search. For instance, “SOCMINT” from:NASA lang:en will find all the tweets containing “SOCMINT” from the user NASA, and that are in English only.

    3.2.2 Advanced search queries

    • To search for tweets sent up to a specific date, you can use the (until) operator. For example, SOCMINT until:2023-04-10 (the date has to be in a yyyy-mm-dd format). This will generate all the tweets containing “SOCMINT” and sent up until the 10th of April 2023.
    • To search for tweets generated since a specific date, you can use the (since) operator followed by a date. For instance, SOCMINT since 2023-04-10 will return all the tweets containing SOCMINT and posted since the 10th of April 2023.
    • You can use the (images) keywords to find the tweets containing an image within it. For example, SOCMINT Filter:images – this will generate all the tweets containing the keyword SOCMINT and have an image embedded within them). To retrieve tweets with video, you can use the (video) filter (for example: SOCMINT Filter:video).
    • To find tweets containing either a video or a photo, use the (media) operator. For instance, SOCMINT Filter:media.
    • To find tweets containing a link (URL), use the (links)keywords (for instance, SOCMINT Filter:links). If you want the URL link to contain a specific keyword, use the URL keyword. For instance, SOCMINT url:intelligence will return the tweets containing SOCMINT and a URL with the word “intelligence” in it.
    • To search for tweets from verified users, use the (verified) operator. For example, SOCMINT Filter:verified.
    • You can use the (min_retweets) operator followed by a number to return all the tweets containing your keyword that have been retweeted at least the minimum number indicated. For instance, SOCMINT min_retweets30 will return all the tweets containing SOCMINT that have been retweeted at least 30 times.
    • Use (min_faves) followed by a number to find all tweets with the indicated number or more likes. For instance, SOCMINT min_faves:50 will return all the tweets that have at least 50 or more likes and contains SOCMINT.
    • To search for tweets reflecting a negative attitude, you can use the symbol :(. For instance, “SOCMINT :(” will find all the tweets containing the keyword SOCMINT and reflecting a negative attitude.

    4. Tips and Tricks for SOCMINT

    • Encrypt your connection, by using a VPN for instance.
    • Use an anonymous browser (the Duckduckgo Chrome extension, or TOR for instance)
    • Research the history of an image through reverse image search.
    • Follow SOCMINT communities and groups on social media.
    • Don’t forget to check the metadata of a media. It can be very useful for your investigation. You can use online tools such as https://exifdata.com/ to make it easier.
    • You can conduct a reverse email search to help determine the identity of the email owner by scanning other places where the email has been used online. Tools such as https://www.emailsherlock.com/ are helpful for that.
    • Don’t forget to scan suspicious links, files, domains, and IPs to stay safe (https://www.virustotal.com/gui/home/upload)
    • Travel back in time. Finding old and/or deleted web pages can be useful (https://archive.org/web)
    • Cross-check information!
    • Free courses on SOCMINT (and OSINT), such as the Digital Sherlocks of the DFRLab (Atlantic Council) are available online.

    5. Common mistakes to avoid when conducting SOCMINT

    One of the most common mistakes while conducting SOCMINT is to take the veracity of the information collected for granted. Especially on social media, where misinformation and disinformation are widely spread, it is essential that you verify images and information (source). Hence, you should consider some basic fact-checking principles:

    • Who – The veracity of a photo, video, or text is likely to be influenced by the source and platform in which it has been disseminated.
    • Where – verifying the geolocation of an image or a video is essential to determine the veracity of information shared on social media. If the location indicated in the post doesn’t match your geolocation research, the information is likely to be (purposefully) fake.
    • When – Chrono-location helps determine the time of an event. If you can prove that the video or photo was taken at a different time than what is claimed in the post, then it is likely to be false.
    • Why – the motivations behind a post can impact its veracity.
    • Originality – is the media shared original, or is it fake/edited? Has the picture been repurposed?

    6. Tools and resources for SOCMINT

    Various tools are available on the Internet. Investigative companies such as Bellingcat offer guides on how to conduct online investigation. Bellingcat also has a spreadsheet compiling a wide range of online tools to help you in your investigation.

    Most internet users have more than one account (source). As many people use the same username across multiple social media platforms, you can search to see if they have other social media accounts. While you can do it manually by searching the username on the different social media platforms, tools such as Check Username (http://checkusernames.com) check the use of specific usernames across 160 social networks.

    Similarly, Hashatit (https://www.hashatit.com/) is a free tool for simultaneous hashtag search on Facebook, Instagram, X/Twitter, YouTube, Reddit, Flickr, Vimeo, and Tumblr.

    The Google Account Finder (EPIEOS – https://tools.epieos.com/google-account.php) allows you to find the profile picture and public Google Maps Reviews and Photos associated with a Gmail address. It can also check for phone numbers and email addresses on social networks.

    7. Frequently Asked Questions about SOCMINT

    • How does SOCMINT differs from traditional intelligence? SOCMINT differs from traditional intelligence gathering because it relies on publicly available information, whereas traditional intelligence gathering often involves the use of covert means to collect information.
    • What are the ethical considerations when using SOCMINT? The ethical considerations when using SOCMINT include issues of privacy, transparency, accuracy, and potential biases in the data. Ensuring that any information gathered through SOCMINT is done so legally and ethically, and that the privacy rights of individuals are respected, is important.
    • What are the potential limitations of using SOCMINT for intelligence gathering? The potential limitations of using SOCMINT for intelligence gathering include issues of data quality, biases in the data, and the potential for misinformation and disinformation to spread through social media platforms.
    • What are the privacy concerns associated with using SOCMINT? The use of SOCMINT raises privacy concerns, which include issues of data collection and storage, the potential misuse of personal information, and the need to ensure that individuals’ privacy rights are respected when conducting SOCMINT analysis.
    • Where do I start? Learning how to conduct SOCMINT can be overwhelming, due to the enormous volume of information available on the Internet. You could start by picking a topic you are interested in, and monitor its evolution, while familiarizing yourself with the various techniques.

    8. Advanced techniques for SOCMINT

    Many different skills are necessary to conduct a SOCMINT investigation. Advanced techniques and skills exist to ensure an accurate and effective analysis of social media data. These include:

    • Social Network Analysis (SNA): SNA is a technique that analyses the relationships and interactions between individuals and groups on social media platforms. This can help to identify key influencers, connections between individuals or groups, and patterns of behaviour.
    • Geolocation: You can use geolocation techniques to identify the physical location of social media users based on their posts or profile information. This can help to identify where specific events or incidents are taking place, and to track the movement of individuals or groups.
    • Dark Web Monitoring: You can use advanced SOCMINT techniques to monitor activity on the dark web, including underground forums, marketplaces, and communication channels.. This can help to identify threats or criminal activity that may not be visible on public social media platforms.
    • Natural Language Processing (NLP): You can use NLP techniques to analyze the sentiment, tone, and context of social media posts, comments, and conversations. This can help to identify underlying themes, opinions, and emotions related to specific topics or issues.

    9. Case studies for SOCMINT

    A joint investigation between the Radio Free Europe/Radio Liberty (RFE/RL) and the Conflict Intelligence Team (CIT) shed light on concerns voiced by relatives of Russian soldiers for an apparent deployment near Ukraine, before the 2022 invasion (source)(source).

    Numerous reactions and comments on TikTok suggested that Russian contract soldiers were being sent from the Eastern military district, either on a “business trip” or “to exercises”. The analysis of social media profiles sent by the relatives of Russian soldiers suggests that a large proportion of the soldiers heading west from Russia’s Far East belong to groups capable of shoring up a full-scale ground invasion, including military police, special forces, and tactical teams.

    For instance, comments mentioned Belogorsk in the Amur region. Next to it is the base of military unit 53790 — the 54th Command and Control Brigade. A photograph of the arriving Russian troops posted by the Ministry of Defense of Belarus shows a carriage number. The Russian Railways database shows that the consigner of this carriage is the 54th Command and Control Brigade.

    The Belogorsk unit is not the only CCB (Command and Control Brigade) sent to Belarus. In the first half of January, the CIT observed several trains moving from Krasnaya Rechka station, from videos posted on social media. Similarly, the researchers discovered several videos showing the loading or transportation of vehicles common to Spetsnaz units (such as numerous GAZ-Tigr armored cars) on trains. Some of the videos were filmed during loading in Khabarovsk, while others were filmed along the train’s route across Siberia.

    Their investigation, published in January 2020, almost a month before the invasion, suggests that at least some units of Russia’s Eastern Military District were transferring a significant part of their personnel, and not just vehicles, towards Ukraine, and that the transferred elements of those units could stay in Belarus and/or western Russia for a relatively long period.

    Thus, analysts from RFE/RL and CIT managed to identify which troops were being moved and where they were being moved to, prior to the full-scale invasion of Ukraine, through the analysis of social media interactions and content.

    10. Conclusion

    SOCMINT is a powerful tool that can provide valuable insights and intelligence from publicly available social media data. By analysing social media content, SOCMINT can help identify and track extremist groups, monitor public sentiment and opinion, and support law enforcement investigations. However, it is important to approach SOCMINT analysis ethically and responsibly, considering issues of privacy, accuracy, and potential biases in the data. As advanced SOCMINT techniques continue to evolve, it is crucial for professionals in the field to stay up to date on the latest trends and best practices. By using SOCMINT effectively and responsibly, organizations and governments can gain valuable insights and make informed decisions to address a wide range of issues and challenges.

    Zélie Petit
    Zélie Petit
    Junior Intelligence Analyst

    Table of contents

    Newsletter

    Get the weekly email from Grey Dynamics that makes reading intel articles and reports actually enjoyable. Join our mailing list to stay in the loop for free!

    Related contents