2. Who Am I?
• Computer Forensic Examiner – DC3 / DCFL
• Senior Consultant – cmdLabs
• Published author/coauthor of some books
3. Overview
• Basics of Twitter
• Search Capabilities
• Dissecting the Tweet
• Long-term Archiving
• Link Analysis
4. What is Twitter
• Micro-blogging site
– 140-character short messages
– Twitter : Facebook : SMS : Email
– Began in 2006 but already has 200mil users*
– As of June 2010: 65m tweets/day, 750 tweets/second
– Open design allows access from web or client
* http://www.pcmag.com/article2/0,2817,2371826,00.asp
7. Tweet Philosophy
• Celebrity-driven approach
– Anyone can follow anyone
– Focus for many is on collecting followers
– One-way relationships instead of two-way (Facebook/MySpace)
• You can follow me, but I don’t have to follow you
• Users follow others that interest them
– Tweets made by others appear in your “timeline”
8. Who Uses It
• 13% of Online Americans use Twitter*
– Up from 8% a year ago
– Most between ages of 18-29
– Usage skews toward Black and Hispanic users
– Urban environments more than suburban/rural
– Biggest user base: young urban minorities
– Large communities around any topic
* http://www.pewinternet.org/~/media/Files/Reports/2011/Twitter%20Update%202011.pdf
9. Comms Channel
• Widely used as a communications channel when others fail (or are censored)
– Iran – 2009 – Protests over election results
• Twitter to take down site for maintenance
• US State Department prompted Twitter to hold off
– Egypt – January 2011
• Protests to overthrow 30-year President and instill democracy
11. Tweets and Replies
• Tweets appear in your public timeline
• Only shows broadcast tweets or replies to others you follow
• Will not include normal messages from people you do not follow
12. Mentions
• When someone tweets your name preceded by @
• If you follow them, shows in timeline
• Otherwise, have to check ‘@Mentions’
15. Protected Accounts
• Not viewable by public
• Users have to request permission to follow you
• Only users allowed to follow you can see your tweets
• @Mentions only show up to followers
• Tweets do not appear in search
16. Direct Messages
• Private messages sent between two users
• ‘D [or DM] User Message’
• Receiver must follow the sender
– Possible for uni-directional DMs if both parties don’t follow each other
• Message sent through Twitter and email
• DM Fails*
* http://thenextweb.com/socialmedia/2010/08/05/has-twitter-employees-dm-fail-confirmed-shoutout-feature/
17. Notifications
• Users get email notifications when receiving:
– New followers
– Direct Messages
– Often delayed
– Not consistent
– TweetDeck better
18. Favorites
• Users can star a tweet to save it as a favorite
• Anyone can view someone else’s favorite list
– twitter.com/<user>/favorites
19. Hash Tags
• Popular way of grouping tweets
• Simplifies searching
• #Keyword
– #CyberCrime2012
– #FF (Follow Friday)
– #DFIR
– #TheWalkingDead
22. Search Limitations
• Only search tweets up to about two weeks old
• API limits on how many results you can retrieve at one time
– Law enforcement request to Twitter can whitelist an LE account to near unlimited results
• Very unreliable
23. Google Search
• Google used to provide immediate Twitter search results
• Results can span back multiple years
• Service died at the start of Google Plus
30. Twitter Account Creation
• Gives date when any account was created
– Chrome plugin (old Twitter only)
• https://chrome.google.com/extensions/detail/pfpkfkhhigghmggnhfjdfjiihmeancof?hl=en
– http://www.whendidyoujointwitter.com/
32. TweetDeck Forensics
• %AppData%\Tweetdeck.<xyz>\Local Store\td_26_<username>.db (SQLite Database)
– ‘friends’ – Details on all accounts the user follows
• Twitter User #, Name, Screen Name, URL to profile image
• fUserID (Twitter User #) can show relative age of accounts
• Includes even accounts that no longer exist
– ‘columns’ – What columns are currently shown to client
– ‘lists’ – Lists the user manages
• Name, public/private, URL, # of members, description
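One way to pull the 'friends' table oldest-account-first without altering the evidence file, as an added example that is not from the original slides. Only the table name and `fUserID` come from the slide; the other column names, the helper names and the sample database are constructed for illustration.

```python
import os
import sqlite3
import tempfile
from pathlib import Path


def open_evidence(db_path):
    """Open a working copy read-only (SQLite URI mode=ro) so queries cannot modify it."""
    uri = Path(db_path).resolve().as_uri() + "?mode=ro"
    return sqlite3.connect(uri, uri=True)


def friends_oldest_first(conn):
    """Return (column_names, rows) from 'friends', lowest fUserID first."""
    # Read the schema from the file instead of assuming it.
    cols = [r[1] for r in conn.execute("PRAGMA table_info(friends)")]
    if "fUserID" not in cols:
        raise ValueError(f"no fUserID column; found {cols}")
    # CAST forces numeric ordering even if the IDs are stored as text.
    rows = conn.execute(
        "SELECT * FROM friends ORDER BY CAST(fUserID AS INTEGER)"
    ).fetchall()
    return cols, rows


def build_sample_db():
    """CONSTRUCTED stand-in for td_26_<username>.db; columns other than fUserID are hypothetical."""
    path = os.path.join(tempfile.mkdtemp(), "td_26_example.db")
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE friends (fUserID TEXT, fName TEXT, fScreenName TEXT, fImageURL TEXT)"
    )
    conn.executemany(
        "INSERT INTO friends VALUES (?, ?, ?, ?)",
        [
            ("415000000", "Newer Account", "newer_example", "http://img.example/c.png"),
            ("9100", "Early Account", "early_example", "http://img.example/a.png"),
            ("15500000", "Mid Account", "mid_example", "http://img.example/b.png"),
        ],
    )
    conn.commit()
    conn.close()
    return path


if __name__ == "__main__":
    cols, rows = friends_oldest_first(open_evidence(build_sample_db()))
    for row in rows:
        print(dict(zip(cols, row)))
```

Run it against a hashed working copy of the database rather than the original; the read-only open is a second safeguard, not a replacement for that copy.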
34. Application Cached Data
• Applications cache tweets upon download
– If a tweet is deleted, a cached copy may still exist in a third-party application
– Possible for message to be read/repeated even after being deleted at its source
– Forensic Caching:
• Archivist (http://visitmix.com/labs/archivist-desktop/)
• Twinbox – Saves all tweets to Outlook inbox
35. Tweet Scraping
• Tools to automatically collect and save relevant tweets
– Archivist (http://visitmix.com/labs/archivist-desktop/)
– Twinbox – Saves all tweets to Outlook inbox
– Twitter Archive Google Spreadsheet (TAGS) - http://mashe.hawksey.info/2012/01/twitter-archive-tagsv3/
39. URL Shorteners
• Due to the size limitation of tweets, URL shorteners are commonplace
– Vector of attack
– Most offer preview capability:
• http://bit.ly/gAhOlo+
• http://preview.tinyurl.com/62j4zla
– http://resolves.me – Universal URL Previewer
42. Tweet Longer
• Due to the size limitation of tweets, message extension services are also somewhat common.
– TwitLonger hosts extended posts
– Hosts on TwitLonger.com
– Uses tl.gd domain
43. Media Hosting
• Twitter is limited to just text content. Media services provide image / video hosting
– Images: yFrog, TwitPic, Flickr
– Video: TwitVid, Twiddeo, Twitc
• If a tweet is removed, the media remains
• EXIF data remains to be exploited
– iCanStalkU.com
Janis Krums
50. Maltego
• Professional data analysis tool
• “Social Networking Special Ops” - Chris Sumner (Suggy) at BlackHat
http://www.securityg33k.com/blog/?p=180
• Mining data from a Twitter scavenger hunt
51. Take Away Notes
• Following someone does not show the entirety of their communications
• Targets are notified if you follow/favorite them
• Twitter’s search is very impaired
• Information spreads beyond core-Twitter site
• Follow early and archive tweets using third-party tools for later analysis
• Use Link-Analysis to find outliers