Information Gathering Over Twitter


Information Gathering Over Twitter: Targeted approach for digital investigations

Published in: Technology
1 Comment
  • Great share. I can't download the slide because it is protected.

  1. 1. Intelligence Gathering Over Twitter
     Brian Baskin
     Jan 2012
  2. 2. Who Am I?
     • Computer Forensic Examiner – DC3 / DCFL
     • Senior Consultant – cmdLabs
     • Published author/coauthor of some books
  3. 3. Overview
     • Basics of Twitter
     • Search Capabilities
     • Dissecting the Tweet
     • Long-term Archiving
     • Link Analysis
  4. 4. What is Twitter
     • Micro-blogging site
       – 140-character short messages
       – Twitter : Facebook : SMS : Email
       – Began in 2006 but already has 200mil users*
       – As of June 2010: 65m tweets/day, 750 tweets/second
       – Open design allows access from web or client
     *,2817,2371826,00.asp
  5. 5. Twitter Clock
  6. 6. Twitter Clock (2011)
  7. 7. Tweet Philosophy
     • Celebrity-driven approach
       – Anyone can follow anyone
       – Focus for many is on collecting followers
       – One-way relationships instead of two-way (FaceBook/MySpace)
         • You can follow me, but I don’t have to follow you
     • Users follow others that interest them
       – Tweets made by others appear in your “timeline”
  8. 8. Who Uses It
     • 13% of Online Americans use Twitter*
       – Up from 8% a year ago
       – Most between ages of 18-29
       – Ethnicity favored to Black and Hispanic
       – Urban environments more than suburban/rural
       – Biggest user base: young urban minorities
       – Large communities around any topic
     *
  9. 9. Comms Channel
     • Widely used as a communications channel when others fail (or are censored)
       – Iran – 2009 – Protests over election results
         • Twitter to take down site for maintenance
         • US State Department prompted Twitter to hold-off
       – Egypt – January 2011
         • Protests to overthrow 30-year President and instill democracy
  10. 10. Comms Channel
     • Used extensively by Anonymous and Occupy movements
  11. 11. Tweets and Replies
     • Tweets appear in your public timeline
     • Only shows broadcast tweets or replies to others you follow
     • Will not include normal messages from people you do not follow
  12. 12. Mentions
     • When someone tweets your name preceded by @
     • If you follow them, shows in timeline
     • Otherwise, have to check ‘@Mentions’
  13. 13. Retweets
     • Repeating someone’s message to all of your followers
     • Old and New Styles
       – Old: Manually add “RT” or “via”
       – New: Automatic
  14. 14. Yes, The World Can See It
  15. 15. Protected Accounts
     • Not viewable by public
     • Users have to request permission to follow you
     • Only users allowed to follow you can see your tweets
     • @Mentions only show up to followers
     • Tweets do not appear in search
  16. 16. Direct Messages
     • Private messages sent between two users
     • ‘D [or DM] User Message’
     • Receiver must follow the sender
       – Possible for uni-directional DMs if both parties don’t follow each other
     • Message sent through Twitter and email
     • DM Fails**
  17. 17. Notifications
     • Users get email notifications when receiving:
       – New followers
       – Direct Messages
       – Often delayed
       – Not consistent
       – TweetDeck better
  18. 18. Favorites
     • Users can star a tweet to save it as a favorite
     • Anyone can view someone else’s <user>/favorites
  19. 19. Hash Tags
     • Popular way of grouping tweets
     • Simplifies searching
     • #Keyword
       – #CyberCrime2012
       – #FF (Follow Friday)
       – #DFIR
       – #TheWalkingDead
  20. 20. Moving on…
     • Now that we got the basics out of the way…
  21. 21. Search Capabilities
     • http[s]://
  22. 22. Search Limitations
     • Only search tweets up to about two weeks old
     • API limits on how many results you can retrieve at one time
       – Law enforcement request to Twitter can whitelist an LE account to near unlimited results
     • Very unreliable
  23. 23. Google Search
     • Google used to provide immediate Twitter search results
     • Results can span back multiple years
     • Service died at the start of Google Plus
  24. 24. Anatomy of a Tweet
  25. 25. Anatomy of a Tweet
  26. 26. {"in_reply_to_status_id_str":"57454830603616256","text":"@bbaskin That is an awesome site!","contributors":null,"retweeted":false,"in_reply_to_user_id_str":"17442948","id_str":"57476924934590464","entities":{"hashtags":[],"urls":[],"user_mentions":[{"screen_name":"bbaskin","indices":[0,8],"id_str":"17442948","name":"Brian Baskin","id":17442948}]},"place":null,"coordinates":null,"source":"web","geo":null,"truncated":false,"created_at":"Mon Apr 11 16:15:41 +0000 2011","in_reply_to_user_id":17442948,"in_reply_to_status_id":57454830603616256,"favorited":false,"user":{"time_zone":null,"profile_text_color":"333333","url":null,"screen_name":"LLRurik","profile_sidebar_fill_color":"DDEEF6","description":"The Other Me.","id_str":"134196003","show_all_inline_media":false,"follow_request_sent":false,"lang":"en","geo_enabled":false,"profile_background_tile":false,"location":"Maryland","contributors_enabled":false,"profile_link_color":"0084B4","is_translator":false,"statuses_count":1,"profile_sidebar_border_color":"C0DEED","followers_count":1,"default_profile":true,"listed_count":2,"created_at":"Sat Apr 17 18:26:02 +0000 2010","following":false,"notifications":false,"profile_use_background_image":true,"friends_count":2,"protected":false,"verified":false,"profile_background_color":"C0DEED","name":"Rurik","profile_background_image_url":"","favourites_count":0,"profile_image_url":"","id":134196003,"default_profile_image":false,"utc_offset":null},"retweet_count":0,"id":57476924934590464,"in_reply_to_screen_name":"bbaskin"}
  27. 27. Anatomy Excerpts
     {"in_reply_to_status_id_str":"57454830603616256","text":"@bbaskin That is an awesome site!","in_reply_to_user_id_str":"17442948","id_str":"57476924934590464","entities":{"hashtags":[],"urls":[],"user_mentions":[{"screen_name":"bbaskin","indices":[0,8],"id_str":"17442948","name":"Brian Baskin","id":17442948}]},"created_at":"Mon Apr 11 16:15:41 +0000 2011","user":{"time_zone":null,"url":null,"screen_name":"LLRurik","description":"The Other Me.","id_str":"134196003","location":"Maryland","created_at":"Sat Apr 17 18:26:02 +0000 2010","protected":false,"name":"LLRurik","profile_image_url":""}}
  28. 28. Twitter Account Creation
     • Gives date when any account was created
       – Chrome plugin (old Twitter only)
     •
       –
  29. 29. TweetDeck
  30. 30. TweetDeck Forensics
     • %AppData%\Tweetdeck.<xyz>\Local Store\td_26_<username>.db (SQLite Database)
       – ‘friends’ – Details on all accounts the user follows
         • Twitter User #, Name, Screen Name, URL to profile image
         • fUserID (Twitter User #) can show relative age of accounts
         • Includes even accounts that no longer exist
       – ‘columns’ – What columns are currently shown to client
       – ‘lists’ – Lists the user manages
         • Name, public/private, URL, # of members, description
  31. 31. TweetDeck Forensics
     • %AppData%\Tweetdeck.<xyz>\Local Store\preferences_<username>.xml
       – Recently used hash tags:
         <hashtags hash0="#FF" hash1="#RallyForSanity" hash2="#CyberCrime2012" hash3="#DEFCON" hash4="#OWS" hash5="#stuxnet" />
       – Email service:
         <email service="0" url=""/>
  32. 32. Application Cached Data
     • Applications cache tweets upon download
       – If a tweet is deleted a cached copy may still exist in third-party application
       – Possible for message to be read/repeated even after being deleted at its source
       – Forensic Caching:
         • Archivist (
         • Twinbox – Saves all tweets to Outlook inbox
  33. 33. Tweet Scraping
     • Tools to automatically collect and save relevant tweets
       – Archivist (
       – Twinbox – Saves all tweets to Outlook inbox
       – Twitter Archive Google Spreadsheet (TAGS) -
  34. 34. URL Shorteners
     • Due to size limitation of tweets, URL shorteners are commonplace
       – Vector of attack
       – Most offer preview capability:
         •
         •
       – – Universal URL Previewer
  35. 35. Tweet Longer
     • Due to size limitation of tweets, message extension services are also somewhat common.
       – TwitLonger hosts extended posts
       – Hosts on
       – Uses domain
  36. 36. Media Hosting
     • Twitter is limited to just text content. Media services provide image / video hosting
       – Images: yFrog, TwitPic, Flickr
       – Video: TwitVid, Twiddeo, Twitc
     • If tweet is removed media remains
     • EXIF data remains to be exploited
       – iCanStalkU.com
     Janis Krums
  37. 37. Media Hosting
     •
       – Searches all Twitter media sites
       – Results are often NSFW
  38. 38. Social Network Mapping
     • NodeXL
       – Free mapping tool for Microsoft Excel
     nodexl.codeplex.com
     Currently at Smith
  39. 39. NodeXL Associations
  40. 40. NodeXL #CyberCrime2012
  41. 41. D3.js Visualization
  42. 42. D3 Twitter Community Visualizer
  43. 43. Maltego
     • Professional data analysis tool
     • “Social Networking Special Ops” - Chris Sumner (Suggy) at BlackHat
     • Mining data from a Twitter scavenger hunt
  44. 44. Take Away Notes
     • Following someone does not show the entirety of their communications
     • Targets are notified if you follow/favorite them
     • Twitter’s search is very impaired
     • Information spreads beyond core-Twitter site
     • Follow early and archive tweets using third-party tools for later analysis
     • Use Link-Analysis to find outliers
  45. 45. Contact Us:
     e-mail: contact@cmdlabs.com
     p: 443.451.7330
     www.cmdlabs.com
     1101 E. 33rd Street, Suite C301
     Baltimore, MD 21218
     Brian Baskin
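
Added example, not part of the original deck: slides 26 and 27 show a raw tweet record, and this sketch extracts the fields an examiner would normally log from it. It goes one step past the slides by decoding the timestamp embedded in the status ID (Twitter's Snowflake scheme, used for status IDs since November 2010) and comparing it with `created_at`; the sample record is constructed from the excerpt on slide 27.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample: a subset of the fields shown on the excerpt slide.
RAW = """{"id_str":"57476924934590464",
 "in_reply_to_status_id_str":"57454830603616256",
 "in_reply_to_user_id_str":"17442948",
 "text":"@bbaskin That is an awesome site!",
 "created_at":"Mon Apr 11 16:15:41 +0000 2011",
 "entities":{"hashtags":[],"urls":[],
   "user_mentions":[{"screen_name":"bbaskin","id_str":"17442948"}]},
 "user":{"screen_name":"LLRurik","id_str":"134196003",
   "created_at":"Sat Apr 17 18:26:02 +0000 2010","protected":false}}"""

API_TIME = "%a %b %d %H:%M:%S %z %Y"   # layout of created_at in the record
SNOWFLAKE_EPOCH_MS = 1288834974657      # Twitter Snowflake epoch (Nov 2010)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def snowflake_time(id_str):
    """Time encoded in a status ID: the bits above the low 22 are ms since
    the Snowflake epoch. Not valid for the sequential user IDs seen here."""
    ms = (int(id_str) >> 22) + SNOWFLAKE_EPOCH_MS
    return UNIX_EPOCH + timedelta(milliseconds=ms)

def dissect(raw):
    """Return the attribution and timing fields of one tweet record."""
    t = json.loads(raw)
    created = datetime.strptime(t["created_at"], API_TIME)
    id_time = snowflake_time(t["id_str"])     # use id_str, never a float id
    parent = t.get("in_reply_to_status_id_str")
    return {
        "author": t["user"]["screen_name"],
        "author_id": t["user"]["id_str"],
        "account_created": datetime.strptime(t["user"]["created_at"], API_TIME),
        "protected": t["user"]["protected"],
        "created_at": created,
        "id_time": id_time,
        # The two clocks should agree to within a second on an intact record.
        "clock_skew_s": abs((id_time - created).total_seconds()),
        "reply_to_user_id": t.get("in_reply_to_user_id_str"),
        "parent_time": snowflake_time(parent) if parent else None,
        "mentions": [m["screen_name"] for m in t["entities"]["user_mentions"]],
    }

if __name__ == "__main__":
    for key, value in dissect(RAW).items():
        print(f"{key:18} {value}")
```

The decoded parent time also dates the tweet being replied to, which helps when that tweet has since been deleted.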
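
Added example, not from the deck or from TweetDeck itself: a read-only triage of the two TweetDeck artifacts described on slides 30 and 31. Only the `friends` table, the `fUserID` column and the `<hashtags hashN=...>` element come from the slides; the `<preferences>` root element and the `fName`/`fScreenName` columns in the constructed samples are assumptions.

```python
import pathlib
import sqlite3
import xml.etree.ElementTree as ET

# Constructed sample; the <preferences> root element name is an assumption.
SAMPLE_XML = ('<preferences><hashtags hash0="#FF" hash1="#RallyForSanity" '
              'hash2="#CyberCrime2012" hash10="#stuxnet" /></preferences>')

def open_readonly(path):
    """Open a working copy of td_26_<username>.db without write access."""
    uri = pathlib.Path(path).resolve().as_uri() + "?mode=ro"
    return sqlite3.connect(uri, uri=True)

def recent_hashtags(xml_text):
    """hashN attributes of every <hashtags> element, in numeric N order."""
    tags = []
    for el in ET.fromstring(xml_text).iter("hashtags"):
        numbered = {int(k[4:]): v for k, v in el.attrib.items()
                    if k.startswith("hash") and k[4:].isdigit()}
        tags += [numbered[n] for n in sorted(numbered)]
    return tags

def friends_by_age(conn):
    """Rows of 'friends' ordered by fUserID: lower number, older account."""
    cols = [row[1] for row in conn.execute("PRAGMA table_info(friends)")]
    if "fUserID" not in cols:
        raise ValueError(f"friends table has no fUserID column: {cols}")
    # CAST guards against IDs stored as text, which would sort "134..." first.
    cur = conn.execute("SELECT * FROM friends ORDER BY CAST(fUserID AS INTEGER)")
    return [dict(zip(cols, row)) for row in cur]

def build_sample_db():
    """Constructed stand-in; fName and fScreenName are hypothetical columns."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE friends (fUserID TEXT, fName TEXT, fScreenName TEXT)")
    conn.executemany("INSERT INTO friends VALUES (?, ?, ?)", [
        ("134196003", "Rurik", "LLRurik"),
        ("17442948", "Brian Baskin", "bbaskin"),
    ])
    return conn

if __name__ == "__main__":
    print(recent_hashtags(SAMPLE_XML))
    for row in friends_by_age(build_sample_db()):
        print(row)
```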