Social Media Investigation Techniques (Platform-Agnostic)

Platform-agnostic social media OSINT tutorial: handle pivots, timeline reconstruction, content preservation, and ethical investigation of public profiles.

Platforms rise, fall, and rewrite their APIs. The techniques that survive are the ones grounded in general principles: pivot on identifiers, preserve before you analyse, read metadata carefully, and treat every claim as provisional. This tutorial is deliberately platform-agnostic.

Who this is for

Intermediate

Journalists, researchers, and civic investigators who need to verify a claim tied to a social account, reconstruct a timeline, or document online activity in a way that survives account deletion.

What you'll need

  • A dedicated research browser profile, ideally on a separate machine or container — not your personal account.
  • Screenshot and full-page capture tools.
  • yt-dlp for video preservation, ExifTool for any downloaded media.
  • Patience. Platform searches are noisy.

How it works

A social-media investigation is a chain of identifier pivots. A handle leads to a display name, a display name to a profile image, a profile image to a reverse-image result on an older platform, that result to an email, the email to a breach record or a domain registration. Each pivot is a separate source. The discipline is keeping them separate in your notes.

Step-by-step walkthrough

  1. Fix the identifier you actually have. Write down the exact handle with its platform prefix (for example, @example on X and @example on Instagram are not the same person). Record the profile URL, the account ID if the platform exposes one, and the display name as of today.

  2. Preserve before exploring. The moment you know an account is interesting, archive it:

    • Paste the profile URL into https://archive.today/ and https://web.archive.org/save/.
    • Take a full-page screenshot of the profile.
    • For a specific post, archive the post URL separately and save any embedded media with yt-dlp:
      yt-dlp --write-info-json --write-thumbnail <post-url>
      
  3. Pivot on the handle. Search the exact handle string in quotes across other platforms and the open web:

    "@example"
    "example" site:github.com
    "example" site:reddit.com
    

    Tools like https://namechk.com or https://whatsmyname.app/ enumerate handle availability across many services quickly — confirm each hit manually; collisions are common.

  4. Pivot on the display name and bio phrases. A distinctive bio phrase is more unique than a handle. Search it verbatim in quotes.

  5. Pivot on the profile image. Download the highest-resolution version, strip query parameters, then run it through multiple reverse image services. Stock photos and stolen headshots are red flags.

  6. Reconstruct the timeline. Pull the earliest posts (most platforms let you sort or jump to a date). Archive the first ten and the most recent ten. Note anomalies: a multi-year dormant account that suddenly posts daily, or a sudden language shift.

  7. Check cross-platform consistency. The same person across platforms should show consistent writing style, time-of-day posting patterns, and friend overlap. Inconsistencies are leads — sometimes to a shared account, sometimes to identity theft, sometimes to automation.

  8. Document the network carefully. Following and follower lists change constantly. Capture them with a timestamp. Do not publish follower lists of private individuals.
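
The dormancy check from step 6, as an added example that is not part of the original tutorial: it reads post times from the `timestamp` field of the info JSON that `yt-dlp --write-info-json` writes and reports long gaps that are followed by a burst of posting. The function names, thresholds and sample records are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

def times_from_info(infos):
    """UTC datetimes from yt-dlp info dicts; `timestamp` is epoch seconds."""
    return [datetime.fromtimestamp(i["timestamp"], tz=timezone.utc)
            for i in infos if i.get("timestamp") is not None]

def find_reactivations(post_times, dormant_days=365, window_days=14, min_posts=10):
    """Return dormancy gaps that are followed by a burst of posting.

    A hit is a gap of at least `dormant_days` between two consecutive posts,
    followed by at least `min_posts` posts within `window_days` of the first
    post after the gap. Thresholds are illustrative defaults, not a standard.
    """
    times = sorted(post_times)
    hits = []
    for prev, nxt in zip(times, times[1:]):
        gap = nxt - prev
        if gap < timedelta(days=dormant_days):
            continue
        window_end = nxt + timedelta(days=window_days)
        burst = sum(1 for t in times if nxt <= t < window_end)
        if burst >= min_posts:
            hits.append({"last_before": prev, "first_after": nxt,
                         "gap_days": gap.days, "posts_in_window": burst})
    return hits

def _noon(y, m, d):
    # Helper for the constructed sample: epoch seconds at 12:00 UTC.
    return int(datetime(y, m, d, 12, tzinfo=timezone.utc).timestamp())

# Constructed sample: three posts in early 2019, then daily posts in June 2023.
SAMPLE_INFOS = (
    [{"id": f"old{m}", "timestamp": _noon(2019, m, d)} for m, d in [(1, 5), (2, 10), (3, 1)]]
    + [{"id": f"new{d}", "timestamp": _noon(2023, 6, d)} for d in range(1, 13)]
    + [{"id": "undated", "timestamp": None}]  # entries without a time are skipped
)

if __name__ == "__main__":
    for hit in find_reactivations(times_from_info(SAMPLE_INFOS)):
        print(f"dormant {hit['gap_days']} days until {hit['first_after']:%Y-%m-%d}, "
              f"then {hit['posts_in_window']} posts in two weeks")
```

A hit is a lead to examine, not a finding: archive the posts on both sides of the gap before drawing conclusions.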

Common pitfalls

  • Alerting the target. Logging in with a real account that "views" a profile or sends a connection request can notify the target. Use research accounts with no real-world links.
  • Fabricated verification. Blue checks and platform badges mean what the platform says they mean this week. Do not treat them as identity proof.
  • Screenshot-only evidence. Screenshots are trivial to forge. Pair every screenshot with an independent archive URL.
  • Automated scraping at scale. Most platforms' terms of service prohibit large-scale scraping. Beyond legal exposure, it gets your access banned mid-investigation.
  • Ignoring aliases. The same person often maintains different handles for professional, political, and personal use. A clean "pivot" that assumes one-handle-per-person will miss the actual story.
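
One way to keep the evidence log that the walkthrough and the "Screenshot-only evidence" pitfall call for, as an added example that is not part of the original tutorial: each capture gets a SHA-256, a UTC timestamp, its archive URLs and the source it was pivoted from, and an audit flags screenshots with no independent archive. The record fields, function names and sample URLs are assumptions constructed for illustration.

```python
import hashlib
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Archive services named in the walkthrough. Snapshot links may be served
# from mirror domains; add the ones you actually receive (assumption).
ARCHIVE_HOSTS = {"archive.today", "web.archive.org"}

def make_record(kind, source_url, content, archive_urls=(), pivot_from=None,
                captured_at=None):
    """Build one evidence record. `content` is the captured file's bytes;
    `captured_at` must be timezone-aware if given."""
    when = captured_at or datetime.now(timezone.utc)
    return {
        "kind": kind,                    # e.g. "screenshot", "video", "follower-list"
        "source_url": source_url,
        "sha256": hashlib.sha256(content).hexdigest(),
        "captured_at_utc": when.astimezone(timezone.utc).isoformat(),
        "archive_urls": list(archive_urls),
        "pivot_from": pivot_from,        # source_url of the record this lead came from
    }

def audit(records):
    """Return (source_url, problem) pairs for records that need more work."""
    known = {r["source_url"] for r in records}
    problems = []
    for r in records:
        hosts = {urlsplit(u).hostname for u in r["archive_urls"]}
        if r["kind"] == "screenshot" and not hosts & ARCHIVE_HOSTS:
            problems.append((r["source_url"], "screenshot without independent archive URL"))
        if r["pivot_from"] is not None and r["pivot_from"] not in known:
            problems.append((r["source_url"], "pivot source not recorded"))
    return problems

def still_matches(record, content):
    """True if the file is byte-identical to what was logged at capture time."""
    return hashlib.sha256(content).hexdigest() == record["sha256"]

if __name__ == "__main__":
    # Constructed sample: one archived profile screenshot, one unarchived pivot.
    profile = make_record("screenshot", "https://social.example/@example", b"png-1",
                          ["https://web.archive.org/web/2024/https://social.example/@example"])
    forum = make_record("screenshot", "https://forum.example/u/example", b"png-2",
                        pivot_from="https://social.example/@example")
    for url, problem in audit([profile, forum]):
        print(f"{url}: {problem}")
```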

Verifying your findings

Any identification of a real person behind an anonymous account needs multiple independent corroborators: a distinctive linguistic pattern, an infrastructure link (a domain they registered), a breach-data match, and ideally a direct admission in an archived post. The analysis phase guide covers how to structure these into a confidence-rated finding.

Apply this in practice

See social-media pivots applied in the "Tracking a disinformation network" case study. For a grounded treatment of the ethical frame around identifying individuals during civic investigations, see the ICE Encounter rights guides.