
Preserving social-media evidence: the snapshot-or-lose-it problem

The deleted Instagram post is gone forever. Here's how to preserve social-media evidence at discovery time so it survives litigation.

The single biggest source of "we had it but lost it" failures in modern OSINT investigations is social-media evidence preservation. The smoking-gun Instagram post that contradicts the disability claim, the deleted tweet that establishes the timeline, the Facebook check-in that places the suspect at the scene — all of these are gone forever the moment the subject hits delete.

Why screenshots aren't enough

A screenshot of a tweet is not evidence of the tweet. It's evidence that someone produced an image that looks like a tweet. The defense will (correctly) point this out. What you need:

- The original tweet ID and URL at the time of capture
- The exact response from the platform's API (HTTP status, headers, and the unmodified response body)
- A timestamp from a trusted source (not just your local clock)
- A cryptographic hash of the captured content
- Continuous custody from capture through presentation
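The following is an added example of what a capture record built to that list looks like; it is not Tracelight's code or any platform's API client. The tweet URL and the HTTP response are constructed sample data (the body only mimics the shape of a Twitter/X API v2 tweet lookup), and the trusted timestamp is passed in by the caller rather than read from the local clock, because where that timestamp comes from (an NTP-disciplined server whose sync state is logged, or an RFC 3161 timestamp token) is a deployment decision the page does not specify.

```python
import base64
import hashlib
import json
import re

# Constructed sample input: a tweet URL and the raw HTTP response an API client
# returned for it. The body is invented for this example.
TWEET_URL = "https://x.com/example_user/status/1234567890123456789"
SAMPLE_RESPONSE = {
    "status": 200,
    "headers": {
        "Content-Type": "application/json; charset=utf-8",
        "Date": "Wed, 14 May 2025 14:32:07 GMT",
        "x-rate-limit-remaining": "299",
    },
    "body": (b'{"data":{"id":"1234567890123456789","text":"At the gym again",'
             b'"created_at":"2025-05-14T12:00:00.000Z"}}'),
}

TWEET_ID_RE = re.compile(r"/status/(\d+)")


def canonical_bytes(status: int, headers: dict, body: bytes) -> bytes:
    """Deterministic serialization of the whole HTTP response so that one hash
    covers status, headers and the exact body bytes. Header names are
    lower-cased and sorted; the body is appended untouched, because
    re-serializing the JSON later would change whitespace and break the hash."""
    head = f"status: {status}\n"
    head += "".join(
        f"{k.lower()}: {v}\n"
        for k, v in sorted(headers.items(), key=lambda kv: kv[0].lower())
    )
    return head.encode("utf-8") + b"\n" + body


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_capture(url: str, response: dict, captured_at: str, time_source: str) -> dict:
    """Build the capture record. captured_at and time_source are supplied by the
    caller and are meant to describe a trusted clock (assumption: the caller has
    one); this function deliberately never reads the local system clock."""
    match = TWEET_ID_RE.search(url)
    if not match:
        raise ValueError("URL does not contain a tweet ID")
    digest = sha256_hex(canonical_bytes(response["status"], response["headers"], response["body"]))
    return {
        "url": url,
        "tweet_id": match.group(1),
        "captured_at": captured_at,
        "time_source": time_source,
        "status": response["status"],
        "headers": dict(response["headers"]),
        # base64 keeps the exact bytes intact inside a JSON record
        "body_b64": base64.b64encode(response["body"]).decode("ascii"),
        "sha256": digest,
    }


def verify_capture(record: dict) -> bool:
    """Recompute the digest from the stored fields. Any change to the status,
    a header or the body shows up as a mismatch."""
    body = base64.b64decode(record["body_b64"])
    recomputed = sha256_hex(canonical_bytes(record["status"], record["headers"], body))
    return recomputed == record["sha256"]


if __name__ == "__main__":
    rec = build_capture(TWEET_URL, SAMPLE_RESPONSE,
                        "2025-05-14T14:32:07Z", "constructed-tsa.example")
    print(json.dumps(rec, indent=2))
    print("verifies:", verify_capture(rec))
```

The point of hashing the canonical form of the entire response, not a screenshot or a pretty-printed copy of the JSON, is that anyone handed the record later can recompute the digest themselves; a record whose body was "cleaned up" after capture fails verification, which is exactly the behaviour you want when the other side asks whether the evidence was altered.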

Without those, the screenshot is impeachable in seconds.

What actually preserves

The Wayback Machine and Archive.today are good for public web pages. For social-media-specific content:

- Twitter/X: the API v2 response, the tweet ID, and a Wayback snapshot of the tweet URL give three independent confirmations. Check that the snapshot actually rendered the tweet and not a login wall before you count it as one.
- Instagram: harder. Public posts can be Wayback-archived; private posts can't be preserved without consent or a subpoena.
- Facebook: public posts archive; private posts are out of OSINT scope.
- LinkedIn: posts archive but profile changes don't; snapshot the full profile, not just the post.
- TikTok: public videos can be downloaded with their metadata; private ones cannot.

The temporal-window problem

The window between "investigator discovers the post" and "subject deletes the post" is sometimes hours, sometimes minutes. The investigator who manually screenshots and saves to a folder will lose ~20% of evidence to deletion before they get back to the case.

Automated capture at discovery time is the only reliable answer. Tracelight's OSINT workers snapshot evidence at the moment they find it — the raw API response is stored, hashed, timestamped, and never deleted from the workspace's storage. Months later, you can prove the tweet existed at 14:32 UTC on May 14, even if the live tweet is gone.

What about chain of custody

Custody means continuous, documented possession. Storing the evidence on an engineer's laptop loses chain of custody the moment that laptop is sold or wiped. The screenshot-in-a-folder approach loses it the moment someone questions the screenshot's provenance.

Production-grade chain of custody requires:

- Capture under a documented system (Tracelight, or equivalent)
- Storage in a system that records every access and download (an audit log)
- Hash continuity from capture through presentation
- A witness statement from the system operator if challenged
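An added example, not Tracelight's implementation, of the audit-log and hash-continuity requirements above: an append-only custody log in which every entry commits to the hash of the entry before it, and a verifier that reports the first entry where either the chain or the evidence hash breaks. The actors, timestamps and evidence identifier are constructed sample data.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash recorded by the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_hash(entry: dict) -> str:
    """Hash every field of the entry except its own entry_hash. prev_hash is
    among those fields, which is what links each entry to its predecessor.
    sort_keys and compact separators keep the serialization deterministic."""
    payload = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode("utf-8"))


class CustodyLog:
    """Append-only log of who did what to which evidence item. Editing, deleting
    or reordering a past entry invalidates every entry after it."""

    def __init__(self):
        self.entries = []

    def append(self, actor, action, evidence_id, evidence_sha256, at, note=""):
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries),
            "at": at,                      # timestamp supplied by the storage system's clock source
            "actor": actor,
            "action": action,              # capture / access / download / export
            "evidence_id": evidence_id,
            "evidence_sha256": evidence_sha256,  # hash of the captured item, carried on every entry
            "note": note,
            "prev_hash": prev,
        }
        entry["entry_hash"] = entry_hash(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return (True, None) when every link holds and the evidence hash never
        changes for a given evidence_id; otherwise (False, seq of first bad entry)."""
        prev = GENESIS
        first_seen = {}
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev_hash"] != prev or entry_hash(e) != e["entry_hash"]:
                return False, i
            expected = first_seen.setdefault(e["evidence_id"], e["evidence_sha256"])
            if e["evidence_sha256"] != expected:   # hash continuity broken
                return False, i
            prev = e["entry_hash"]
        return True, None


# Constructed sample data for one captured tweet; not a real case.
EVIDENCE_ID = "tweet-1234567890123456789"
EVIDENCE_SHA = sha256_hex(b"constructed: canonical bytes of the captured API response")


def build_sample_log():
    """Capture by an automated worker, later analyst access and download, then
    export by counsel. Every step carries the same evidence hash."""
    log = CustodyLog()
    log.append("osint-worker-07", "capture", EVIDENCE_ID, EVIDENCE_SHA,
               "2025-05-14T14:32:07Z", "raw API response stored and hashed")
    log.append("analyst.jdoe", "access", EVIDENCE_ID, EVIDENCE_SHA, "2025-05-20T09:15:42Z")
    log.append("analyst.jdoe", "download", EVIDENCE_ID, EVIDENCE_SHA,
               "2025-05-20T09:16:03Z", "exported JSON for case file")
    log.append("counsel.rlee", "export", EVIDENCE_ID, EVIDENCE_SHA,
               "2025-09-01T10:00:00Z", "included in production set")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", log.verify())
    log.entries[1]["actor"] = "mallory"      # retroactive edit of a past entry
    print("after tampering:", log.verify())
```

A hash chain detects changes to entries that already exist, but it does not stop an operator with write access from rewriting the whole log from the start. In practice you anchor the latest entry hash somewhere the operator cannot silently change, for example a periodic timestamp token or a copy written to write-once storage, so that a rewritten chain fails to match the anchored value. That anchoring, plus the operator's witness statement, is what turns the log into evidence of custody rather than just a tidy data structure.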

Real-case implications

Multiple insurance fraud cases have turned on the SIU team's ability to produce a Facebook post the claimant deleted hours after they realized the carrier was investigating. The cases that won had documented capture-at-discovery-time. The cases that lost relied on a screenshot saved to a desktop folder.

The cost difference between "we have a screenshot" and "we have a hash-locked, timestamped, audit-trailed snapshot" is the cost of the carrier paying out a claim that should have been denied.

Practical takeaway

If your investigation tooling doesn't preserve evidence at discovery time, your evidence has a half-life. For non-time-sensitive cases that's fine. For litigation, fraud, and any case that may end up in court, it's the deciding factor between winning and losing.

Tags: evidence-preservation, social-media, litigation, OSINT
