Information Gathering Over Twitter

Information Gathering Over Twitter: Targeted approach for digital investigations

Published in: Technology

Transcript

  • 1. Intelligence Gathering Over Twitter
      Brian Baskin
      Jan 2012
  • 2. Who Am I?
      • Computer Forensic Examiner – DC3 / DCFL
      • Senior Consultant – cmdLabs
      • Published author/coauthor of some books
  • 3. Overview
      • Basics of Twitter
      • Search Capabilities
      • Dissecting the Tweet
      • Long-term Archiving
      • Link Analysis
  • 4. What is Twitter
      • Micro-blogging site
          – 140-character short messages
          – Twitter : Facebook : SMS : Email
          – Began in 2006 but already has 200mil users*
          – As of June 2010: 65m tweets/day, 750 tweets/second
          – Open design allows access from web or client
      * http://www.pcmag.com/article2/0,2817,2371826,00.asp
  • 5. Twitter Clock
  • 6. Twitter Clock (2011)
  • 7. Tweet Philosophy
      • Celebrity-driven approach
          – Anyone can follow anyone
          – Focus for many is on collecting followers
          – One-way relationships instead of two-way (FaceBook/MySpace)
              • You can follow me, but I don’t have to follow you
      • Users follow others that interest them
          – Tweets made by others appear in your “timeline”
  • 8. Who Uses It
      • 13% of Online Americans use Twitter*
          – Up from 8% a year ago
          – Most between ages of 18-29
          – Ethnicity favored to Black and Hispanic
          – Urban environments more than suburban/rural
          – Biggest user base: young urban minorities
          – Large communities around any topic
      * http://www.pewinternet.org/~/media/Files/Reports/2011/Twitter%20Update%202011.pdf
  • 9. Comms Channel
      • Widely used as a communications channel when others fail (or are censored)
          – Iran – 2009 – Protests over election results
              • Twitter to take down site for maintenance
              • US State Department prompted Twitter to hold-off
          – Egypt – January 2011
              • Protests to overthrow 30-year President and instill democracy
  • 10. Comms Channel
      • Used extensively by Anonymous and Occupy movements
  • 11. Tweets and Replies
      • Tweets appear in your public timeline
      • Only shows broadcast tweets or replies to others you follow
      • Will not include normal messages from people you do not follow
  • 12. Mentions
      • When someone tweets your name preceded by @
      • If you follow them, shows in timeline
      • Otherwise, have to check ‘@Mentions’
  • 13. Retweets
      • Repeating someone’s message to all of your followers
      • Old and New Styles
          – Old: Manually add “RT” or “via”
          – New: Automatic
  • 14. Yes, The World Can See It
  • 15. Protected Accounts
      • Not viewable by public
      • Users have to request permission to follow you
      • Only users allowed to follow you can see your tweets
      • @Mentions only show up to followers
      • Tweets do not appear in search
  • 16. Direct Messages
      • Private messages sent between two users
      • ‘D [or DM] User Message’
      • Receiver must follow the sender
          – Possible for uni-directional DMs if both parties don’t follow each other
      • Message sent through Twitter and email
      • DM Fails*
      * http://thenextweb.com/socialmedia/2010/08/05/has-twitter-employees-dm-fail-confirmed-shoutout-feature/
  • 17. Notifications
      • Users get email notifications when receiving:
          – New followers
          – Direct Messages
          – Often delayed
          – Not consistent
          – TweetDeck better
  • 18. Favorites
      • Users can star a tweet to save it as a favorite
      • Anyone can view someone else’s favorite list
      twitter.com/<user>/favorites
  • 19. Hash Tags
      • Popular way of grouping tweets
      • Simplifies searching
      • #Keyword
          – #CyberCrime2012
          – #FF (Follow Friday)
          – #DFIR
          – #TheWalkingDead
  • 20. Moving on…
      • Now that we got the basics out of the way…
  • 21. Search Capabilities
      • http[s]://search.twitter.com
  • 22. Search Limitations
      • Only search tweets up to about two weeks old
      • API limits on how many results you can retrieve at one time
          – Law enforcement request to Twitter can whitelist an LE account to near unlimited results
      • Very unreliable
  • 23. Google Search
      • Google used to provide immediate Twitter search results
      • Results can span back multiple years
      • Service died at the start of Google Plus
  • 24. Anatomy of a Tweet
  • 25. Anatomy of a Tweet
  • 26. {"in_reply_to_status_id_str":"57454830603616256","text":"@bbaskin That is an awesome site!","contributors":null,"retweeted":false,"in_reply_to_user_id_str":"17442948","id_str":"57476924934590464","entities":{"hashtags":[],"urls":[],"user_mentions":[{"screen_name":"bbaskin","indices":[0,8],"id_str":"17442948","name":"Brian Baskin","id":17442948}]},"place":null,"coordinates":null,"source":"web","geo":null,"truncated":false,"created_at":"Mon Apr 11 16:15:41 +0000 2011","in_reply_to_user_id":17442948,"in_reply_to_status_id":57454830603616256,"favorited":false,"user":{"time_zone":null,"profile_text_color":"333333","url":null,"screen_name":"LLRurik","profile_sidebar_fill_color":"DDEEF6","description":"The Other Me.","id_str":"134196003","show_all_inline_media":false,"follow_request_sent":false,"lang":"en","geo_enabled":false,"profile_background_tile":false,"location":"Maryland","contributors_enabled":false,"profile_link_color":"0084B4","is_translator":false,"statuses_count":1,"profile_sidebar_border_color":"C0DEED","followers_count":1,"default_profile":true,"listed_count":2,"created_at":"Sat Apr 17 18:26:02 +0000 2010","following":false,"notifications":false,"profile_use_background_image":true,"friends_count":2,"protected":false,"verified":false,"profile_background_color":"C0DEED","name":"Rurik","profile_background_image_url":"http://a3.twimg.com/a/1302214109/images/themes/theme1/bg.png","favourites_count":0,"profile_image_url":"http://a3.twimg.com/profile_images/830973443/Rurik-avatarpic-l_normal.png","id":134196003,"default_profile_image":false,"utc_offset":null},"retweet_count":0,"id":57476924934590464,"in_reply_to_screen_name":"bbaskin"}
  • 27. Anatomy Excerpts
      {"in_reply_to_status_id_str":"57454830603616256","text":"@bbaskin That is an awesome site!","in_reply_to_user_id_str":"17442948","id_str":"57476924934590464","entities":{"hashtags":[],"urls":[],"user_mentions":[{"screen_name":"bbaskin","indices":[0,8],"id_str":"17442948","name":"Brian Baskin","id":17442948}]},"created_at":"Mon Apr 11 16:15:41 +0000 2011","user":{"time_zone":null,"url":null,"screen_name":"LLRurik","description":"The Other Me.","id_str":"134196003","location":"Maryland","created_at":"Sat Apr 17 18:26:02 +0000 2010","protected":false,"name":"LLRurik","profile_image_url":"http://a3.twimg.com/profile_images/830973443/LLRurik-avatarpic-l_normal.png"}}
  • 28. Twitter Account Creation
      • Gives date when any account was created
          – Chrome plugin (old Twitter only)
              • https://chrome.google.com/extensions/detail/pfpkfkhhigghmggnhfjdfjiihmeancof?hl=en
          – http://www.whendidyoujointwitter.com/
  • 29. TweetDeck
  • 30. TweetDeck Forensics
      • %AppData%\Tweetdeck.<xyz>\Local Store\td_26_<username>.db (SQLite Database)
          – ‘friends’ – Details on all accounts the user follows
              • Twitter User #, Name, Screen Name, URL to profile image
              • fUserID (Twitter User #) can show relative age of accounts
              • Includes even accounts that no longer exist
          – ‘columns’ – What columns are currently shown to client
          – ‘lists’ – Lists the user manages
              • Name, public/private, URL, # of members, description
  • 31. TweetDeck Forensics
      • %AppData%\Tweetdeck.<xyz>\Local Store\preferences_<username>.xml
          – Recently used hash tags:
            <hashtags hash0="#FF" hash1="#RallyForSanity" hash2="#CyberCrime2012" hash3="#DEFCON" hash4="#OWS" hash5="#stuxnet" />
          – Email service:
            <email service="0" url="https://mail.google.com/mail/"/>
  • 32. Application Cached Data
      • Applications cache tweets upon download
          – If a tweet is deleted a cached copy may still exist in third-party application
          – Possible for message to be read/repeated even after being deleted at its source
          – Forensic Caching:
              • Archivist (http://visitmix.com/labs/archivist-desktop/)
              • Twinbox – Saves all tweets to Outlook inbox
  • 33. Tweet Scraping
      • Tools to automatically collect and save relevant tweets
          – Archivist (http://visitmix.com/labs/archivist-desktop/)
          – Twinbox – Saves all tweets to Outlook inbox
          – Twitter Archive Google Spreadsheet (TAGS) - http://mashe.hawksey.info/2012/01/twitter-archive-tagsv3/
  • 34. URL Shorteners
      • Due to size limitation of tweets, URL shorteners are commonplace
          – Vector of attack
          – Most offer preview capability:
              • http://bit.ly/gAhOlo+
              • http://preview.tinyurl.com/62j4zla
          – http://resolves.me – Universal URL Previewer
  • 35. Tweet Longer
      • Due to size limitation of tweets, message extension services are also somewhat common.
          – TwitLonger hosts extended posts
          – Hosts on TwitLonger.com
          – Uses tl.gd domain
  • 36. Media Hosting
      • Twitter is limited to just text content. Media services provide image / video hosting
          – Images: yFrog, TwitPic, Flickr
          – Video: TwitVid, Twiddeo, Twitc
      • If tweet is removed media remains
      • EXIF data remains to be exploited
          – iCanStalkU.com
      Janis Krums
  • 37. Media Hosting
      • TwitCaps.com
          – Searches all Twitter media sites
          – Results are often NSFW
  • 38. Social Network Mapping
      • NodeXL
          – Free mapping tool for Microsoft Excel
      nodexl.codeplex.com
      Currently at 1.0.1.196
      Marc Smith
  • 39. NodeXL Associations
  • 40. NodeXL #CyberCrime2012
  • 41. D3.js Visualization
  • 42. D3 TwitterCommunity Visualizer
  • 43. Maltego
      • Professional data analysis tool
      • “Social Networking Special Ops” - Chris Sumner (Suggy) at BlackHat
        http://www.securityg33k.com/blog/?p=180
      • Mining data from a Twitter scavenger hunt
  • 44. Take Away Notes
      • Following someone does not show the entirety of their communications
      • Targets are notified if you follow/favorite them
      • Twitter’s search is very impaired
      • Information spreads beyond core-Twitter site
      • Follow early and archive tweets using third-party tools for later analysis
      • Use Link-Analysis to find outliers
  • 45. Contact Us:
      e-mail: contact@cmdlabs.com
      p: 443.451.7330
      www.cmdlabs.com
      1101 E. 33rd Street, Suite C301
      Baltimore, MD 21218
      Brian Baskin
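
The tweet object on slides 26 and 27 carries more than the visible text. As an added example (not code from the presentation), this Python sketch reduces one tweet to timeline fields: UTC timestamps, the reply chain, mentions, and the author's account creation date. The sample is a trimmed copy of the slide 27 excerpt, and the names `summarize` and `parse_ts` are chosen for this example.

```python
import json
from datetime import datetime, timezone

# Constructed input: a trimmed copy of the slide 27 excerpt as valid JSON.
SAMPLE = """
{"in_reply_to_status_id_str":"57454830603616256",
 "text":"@bbaskin That is an awesome site!",
 "in_reply_to_user_id_str":"17442948","id_str":"57476924934590464",
 "entities":{"hashtags":[],"urls":[],"user_mentions":[
   {"screen_name":"bbaskin","indices":[0,8],"id_str":"17442948"}]},
 "created_at":"Mon Apr 11 16:15:41 +0000 2011",
 "user":{"screen_name":"LLRurik","id_str":"134196003","protected":false,
         "created_at":"Sat Apr 17 18:26:02 +0000 2010"}}
"""

TWITTER_TS = "%a %b %d %H:%M:%S %z %Y"  # both created_at fields use this layout

def parse_ts(value):
    """Parse a created_at string (English day/month names) into UTC."""
    return datetime.strptime(value, TWITTER_TS).astimezone(timezone.utc)

def summarize(raw):
    """Reduce one tweet object to the fields an examiner puts on a timeline."""
    tweet = json.loads(raw)
    user = tweet.get("user", {})
    posted = parse_ts(tweet["created_at"])
    joined = parse_ts(user["created_at"]) if "created_at" in user else None
    mentions = tweet.get("entities", {}).get("user_mentions", [])
    return {
        # The *_str copies are used because 64-bit IDs can lose precision
        # in tools that read JSON numbers as floating point.
        "tweet_id": tweet["id_str"],
        "posted_utc": posted.isoformat(),
        "author": user.get("screen_name"),
        "author_id": user.get("id_str"),
        "account_created_utc": joined.isoformat() if joined else None,
        "account_age_days": (posted - joined).days if joined else None,
        "reply_to_tweet": tweet.get("in_reply_to_status_id_str"),
        "reply_to_user": tweet.get("in_reply_to_user_id_str"),
        "mentions": [m["screen_name"] for m in mentions],
        "protected": user.get("protected"),
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key:22} {value}")
```
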
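
Slide 30 names the TweetDeck SQLite database and its 'friends' table, where fUserID indicates relative account age. As an added example (not code from the presentation), this Python sketch opens a working copy read-only and lists followed accounts from lowest to highest fUserID. Only the table names and `fUserID` come from the slide; the other column names and the sample rows are constructed.

```python
import sqlite3
from pathlib import Path

def open_readonly(db_path):
    """Open a working copy of td_26_<username>.db without allowing writes."""
    # as_uri() percent-encodes spaces, e.g. the one in "Local Store".
    uri = Path(db_path).resolve().as_uri() + "?mode=ro"
    con = sqlite3.connect(uri, uri=True)
    con.row_factory = sqlite3.Row
    return con

def list_tables(con):
    """Table names present, to confirm 'friends', 'columns' and 'lists'."""
    rows = con.execute(
        "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")
    return [r["name"] for r in rows]

def friends_by_account_age(con):
    """Return 'friends' rows ordered by fUserID, lowest (oldest) first."""
    cols = [r["name"] for r in con.execute("PRAGMA table_info(friends)")]
    if "fUserID" not in cols:
        raise LookupError("no fUserID column; found: %s" % cols)
    # CAST so IDs stored as text still sort numerically, not lexically.
    query = "SELECT * FROM friends ORDER BY CAST(fUserID AS INTEGER)"
    return [dict(r) for r in con.execute(query)]

def build_sample(db_path):
    """Constructed stand-in database; columns other than fUserID are assumed."""
    con = sqlite3.connect(db_path)
    con.executescript("""
        CREATE TABLE friends (fUserID TEXT, fName TEXT, fScreenName TEXT);
        CREATE TABLE columns (cID INTEGER);
        CREATE TABLE lists (lID INTEGER);
        INSERT INTO friends VALUES ('134196003', 'Rurik', 'LLRurik');
        INSERT INTO friends VALUES ('17442948', 'Brian Baskin', 'bbaskin');
    """)
    con.commit()
    con.close()

if __name__ == "__main__":
    import tempfile
    sample = Path(tempfile.mkdtemp()) / "td_26_sample.db"
    build_sample(sample)
    con = open_readonly(sample)
    print(list_tables(con))
    for row in friends_by_account_age(con):
        print(row)
```
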
