Friday, March 22, 2013

Artifacts left by Twitter Web Interface and TweetDeck

(Note: This posting is a modified version of a presentation I made to the Digital & Multimedia Evidence Section of the American Academy of Forensic Sciences at the 65th Annual Conference - slide deck from the presentation is available upon request)

Founded in 2006, Twitter is an online social media outlet that allows its users to post micro-blogs of up to 140 characters, called “tweets.”  The rapid growth and acceptance of Twitter by the public is evidenced by the fact that the company now has over 500 million users; and, according to the web information site Alexa, their most recent three-month tracking numbers show that Twitter is the eighth most popular website in the world.  Its social significance can also be gauged by the enormous popularity of segments on late-night television programs such as Jimmy Kimmel Live!, where celebrities appear on the show to read mean-spirited tweets about themselves.

Although there are multiple third-party options from which a user can access and utilize a Twitter account (i.e. HootSuite, Tweetings, Echofon, etc.), a recent article on cites statements made by the founder of Semiocast, a French social media monitoring company, that “Twitter’s own access points, including TweetDeck, represent 75.4% of all public tweets.”  We used this statistic to determine the most probable methods by which Twitter artifacts would be generated. At the time, we were putting together a presentation, but this information could be very important in a case involving digital evidence from social media sources.

For our test, we installed a fresh operating system on a 40GB drive; installed Firefox (v.14), Chrome (v.20), Safari (v.5), IE (v. 8, 9); and loaded TweetDeck with dummy accounts already created. Then, we started generating Twitter activity, including tweets and direct messages. When the test activities were complete, we examined the drive for artifacts of Twitter activity, including unallocated/slack space.

In a nutshell, what we found was that there wasn’t much of anything left, either by the web interface or through using TweetDeck.  However, we did find a couple of interesting artifacts:

1. Upon logging in to TweetDeck, a number of keys are added to the Windows registry under the general heading of “TrollTech.”  After looking up TrollTech (now known as Qt, part of Digia), we found that the company specializes in enabling applications to function across various platforms (iOS, Android, etc.).

2. We found that if a user tries to log in through the Twitter web interface and enters an incorrect password, the user is redirected back to the login screen; however, the following entry in the Internet history shows the user’s Twitter account handle in plain text:

A prime example illustrating the need for this type of analysis can be found in a 2011 case from the U.S. District Court for the District of Colorado, Doe v. Hofstetter. The court found that the defendant created a fake Twitter account, impersonated the plaintiff, and “communicated with third parties using the Fake Twitter account.”  In this particular matter, knowing the types of artifacts left by the usage of Twitter through either the web interface or through TweetDeck could have proven beneficial to those examiners investigating the defendant’s computer.  Additionally, the high-profile matter involving inappropriate tweets that may or may not have been sent from former Representative Anthony Weiner’s Twitter account highlights the need for reliable research to identify what, if any, artifacts are left behind on a computer by Twitter usage.

Monday, January 23, 2012

References to Facebook Pics in Unallocated Space

There are a lot of articles/blog posts/webinars that I have reviewed recently regarding the ever-increasing role that evidence from social media sites, specifically Facebook, is playing in both civil and criminal cases.  An interesting example of a case where Facebook evidence (more specifically the destruction of said evidence) was prominently involved can be found in Lester v. Allied Concrete, Nos. CL08-150, CL09-223 (Va. Circuit Court, Charlottesville).  Long story short here - Plaintiff's counsel directed their client to "clean up" his Facebook page, which resulted in the Plaintiff deleting multiple photographs off of the page.  Needless to say, the other side found out about the deletions and the judge smacked Plaintiff's counsel with an order to pay over $500K for the discovery violations.

That piqued my curiosity as to how exactly you could go about running a quick search for any evidence referring to photos that may have been deleted from your Facebook page.  The first step was for me to download a copy of my Facebook page as a compressed archive so I could review the HTML code to look for anything that could aid in my search.  Once that was downloaded, I used EnCase to look at the code (full disclosure - it's not necessary to use EnCase, any hex/text editor would work) and identified the following snippets of code, with which I could perform a search for data in unallocated space relating to Facebook pictures (the bracketed placeholder marks the variable part):

Profile Pictures

<a href="album-Profile%20Pictures.html" rel="enclosure">

Mobile Uploads

<div class="photo-container hmedia">

Photo Albums

<div class="album"><a href="album-[PHOTO ALBUM NAME].html" rel="enclosure">

The src attribute pointing to the URL for each of these is found immediately after the snippets listed above (for the photo albums, the src points to the first picture in the album).  While the pictures themselves reside in the various photo albums located within the Facebook page, the above-listed snippets can at least be used to identify the names of photos and photo albums that existed on the Facebook page at one time.  If nothing else, they can be compared to content currently located on a Facebook site to determine if the data is still there.
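As an added example (not code from the original post), the following Python script turns the three snippets above into a keyword carve that can be run over a raw image or a dump of unallocated space. It searches for each signature, captures the album name from the "[PHOTO ALBUM NAME]" position, and then grabs the src attribute that follows the hit. The 512-byte look-ahead window, the chunk/overlap sizes and the sample buffer are my own constructed assumptions; the post only says the src attribute appears "immediately after" each snippet.

```python
"""Carve references to Facebook photos and albums out of raw (unallocated) data.

Added example, not from the original post. The three signatures come from the
post; the look-ahead window, chunked reader and sample data are constructed.
"""
import io
import re
from urllib.parse import unquote

# The three signatures from the post. The album pattern generalizes the
# "[PHOTO ALBUM NAME]" placeholder by capturing whatever sits between
# 'album-' and '.html'.
SIGNATURES = {
    "profile_pictures": re.compile(
        rb'<a href="album-Profile%20Pictures\.html" rel="enclosure">'),
    "mobile_upload": re.compile(
        rb'<div class="photo-container hmedia">'),
    "album": re.compile(
        rb'<div class="album"><a href="album-([^"]+)\.html" rel="enclosure">'),
}

# The src="..." that the post says follows each snippet. We only look a short
# distance ahead so an unrelated image tag is not attributed to the hit.
SRC_RE = re.compile(rb'src="([^"]+)"')

# Constructed sample "unallocated space": HTML fragments between filler bytes.
SAMPLE_UNALLOCATED = (
    b"\x00" * 64
    + b'<div class="album"><a href="album-Summer%20Vacation.html" rel="enclosure">'
    + b'<img src="photos/Summer%20Vacation/1001.jpg" alt="">'
    + b"\xff" * 32
    + b'<a href="album-Profile%20Pictures.html" rel="enclosure">'
    + b'<img src="photos/Profile%20Pictures/2002.jpg">'
    + b"junk\x00junk"
    + b'<div class="photo-container hmedia">'
    + b'<img src="photos/Mobile%20Uploads/3003.jpg">'
    + b"\x00" * 64
)


def find_src_after(data, pos, window=512):
    """Return the first src value within `window` bytes after `pos`, else None."""
    m = SRC_RE.search(data, pos, min(len(data), pos + window))
    return m.group(1).decode("utf-8", "replace") if m else None


def carve_facebook_photo_refs(data, window=512):
    """Return hits (kind, byte offset, album name if known, src) sorted by offset."""
    hits = []
    for kind, pattern in SIGNATURES.items():
        for m in pattern.finditer(data):
            album = None
            if kind == "album":
                album = unquote(m.group(1).decode("utf-8", "replace"))
            elif kind == "profile_pictures":
                album = "Profile Pictures"
            hits.append({
                "kind": kind,
                "offset": m.start(),
                "album": album,
                "src": find_src_after(data, m.end(), window),
            })
    hits.sort(key=lambda h: h["offset"])
    return hits


def scan_stream(f, chunk_size=16 * 1024 * 1024, overlap=4096):
    """Stream a raw image through the carver in chunks.

    `overlap` bytes are re-read at every boundary so a signature (or its src)
    straddling two chunks is still found. Hits are keyed by absolute offset;
    a hit whose src was cut off at a chunk end is replaced when the next
    chunk sees the full attribute.
    """
    hits_by_off = {}
    base = 0
    data = f.read(chunk_size)
    while data:
        for h in carve_facebook_photo_refs(data):
            h["offset"] += base
            prev = hits_by_off.get(h["offset"])
            if prev is None or (prev["src"] is None and h["src"]):
                hits_by_off[h["offset"]] = h
        nxt = f.read(chunk_size)
        if not nxt:
            break
        base += len(data) - overlap
        data = data[-overlap:] + nxt
    return [hits_by_off[k] for k in sorted(hits_by_off)]


def scan_image(path, chunk_size=16 * 1024 * 1024, overlap=4096):
    """Carve a raw (dd-style) image file on disk."""
    with open(path, "rb") as f:
        return scan_stream(f, chunk_size, overlap)


def scan_bytes_in_chunks(data, chunk_size, overlap):
    """Run the chunked scanner over an in-memory buffer (useful for testing)."""
    return scan_stream(io.BytesIO(data), chunk_size, overlap)


if __name__ == "__main__":
    for hit in carve_facebook_photo_refs(SAMPLE_UNALLOCATED):
        print(f"{hit['offset']:#010x} {hit['kind']:17} "
              f"album={hit['album']!r} src={hit['src']}")
```

Running the script against the sample prints three hits: the "Summer Vacation" album with its first picture, the Profile Pictures album, and a mobile upload. For real work, point scan_image() at an exported raw image or a dump of unallocated clusters; the album and src values it recovers are exactly the names you would then compare against what is still present on the live Facebook page.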

While this is by no means an exhaustive compilation of artifacts that can help identify pictures from a Facebook page, it is a start and could easily be incorporated into a quick search if this type of evidence is germane to the matter at hand.