Forensics with Fowler, by Jonathan Fowler<br />
2013-03-22: Artifacts left by Twitter Web Interface and TweetDeck <br />
<div class="MsoNormal">
<span style="font-size: 10.0pt;"><i>(Note: This posting is a modified version of a presentation I made to the Digital & Multimedia Evidence Section of the American Academy of Forensic Sciences at the 65th Annual Conference - slide deck from the presentation is available upon request)</i></span></div>
<div class="MsoNormal">
<span style="font-size: 10.0pt;"><br /></span></div>
<div class="MsoNormal">
<span style="font-size: 10.0pt;">Founded in 2006, Twitter is an online social media outlet that allows its users to post micro-blogs of up to 140 characters, called “tweets.” The rapid growth and acceptance of Twitter by the public is evidenced by the fact that the company now has over 500 million users; and, according to the web information site Alexa, its most recent three-month tracking numbers show that Twitter is the eighth most popular website in the world. Its social significance can also be gauged by the enormous popularity of segments on late-night television programs such as <i>Jimmy Kimmel Live!</i>, where celebrities appear on the show to read mean-spirited tweets about themselves.</span></div>
<div class="MsoNormal">
<span style="font-size: 10.0pt;"><br /></span></div>
<div class="MsoNormal">
<span style="font-size: 10.0pt;">Although there are multiple third-party options from which a user can access and utilize a Twitter account (e.g. HootSuite, Tweetings, Echofon, etc.), a recent article on TechCrunch.com cites statements made by the founder of Semiocast, a French social media monitoring company, that “Twitter’s own access points, including TweetDeck, represent 75.4% of all public tweets.” We recently used this statistic to determine the most probable methods by which Twitter artifacts would be generated. At the time, we were putting together a presentation, but this information could be very important in a case involving digital evidence from social media sources.</span></div>
<div class="MsoNormal">
<span style="font-size: 10.0pt;"><br /></span></div>
<div class="MsoNormal">
<span style="font-size: 10.0pt;">For our test, we installed a fresh operating system on a 40GB drive; installed Firefox (v.14), Chrome (v.20), Safari (v.5), and IE (v.8 and v.9); and loaded TweetDeck with dummy accounts already created. Then, we started generating Twitter activity, including tweets and direct messages. When the test activities were complete, we examined the drive for artifacts of Twitter activity, including unallocated/slack space.</span></div>
<div class="MsoNormal">
<span style="font-size: 10.0pt;"><br /></span></div>
<div class="MsoNormal">
<span style="font-size: 10.0pt;">In a nutshell, what we found was that there wasn’t much of anything left, either by the web interface or through using TweetDeck. However, we did find a couple of interesting artifacts:</span></div>
<div class="MsoNormal">
<span style="font-size: 10.0pt;"><br /></span></div>
<div class="MsoListParagraph" style="text-indent: -0.25in;">
<span style="font-size: 10.0pt;">1. </span><span style="font-size: 10.0pt;">When a user logs in to TweetDeck, a number of keys are added to the Windows registry under the general heading of “Trolltech.” After looking up Trolltech (now Qt, part of Digia), we found that the company specializes in enabling applications to function across various platforms (iOS, Android, etc.).</span></div>
<div class="MsoListParagraph" style="text-indent: -0.25in;">
<span style="font-size: 10.0pt;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYUwSY1uS0YPx70vnZhUojDi42QUJtEc7u64l6XIA3DKilfjM5TyMu10sLEuB4pCftIR-OeULJPZbuuvnbXoH3ZOnhthYhPOeDFQDQZf6k6IL7TqNPvu8N1z5hQScasvF1bginTytqm_0/s1600/Blog1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="160" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYUwSY1uS0YPx70vnZhUojDi42QUJtEc7u64l6XIA3DKilfjM5TyMu10sLEuB4pCftIR-OeULJPZbuuvnbXoH3ZOnhthYhPOeDFQDQZf6k6IL7TqNPvu8N1z5hQScasvF1bginTytqm_0/s640/Blog1.png" width="640" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoListParagraphCxSpFirst" style="text-indent: -0.25in;">
<span style="font-size: 10.0pt;">2. </span><span style="font-size: 10.0pt;">We found that in the Internet history, if a user tries to log in through the Twitter web interface and enters an incorrect password, the user is redirected back to the login screen; however, the following history entry is recorded, showing the user’s Twitter account handle in plain text:</span></div>
<div class="MsoListParagraphCxSpFirst" style="text-indent: -0.25in;">
<span style="font-size: 10.0pt;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgiU-RQvAdJlb5ry4EzdoIupdePC2Ua5q_kQ1n9BRKamz7SPGCRP2QhVXDwH9SkIUkdSmBlpNuNfZXEoAN3-k9fvpGp3Uuw4HrfRgSJD6yD3tklYCeXe_2ehD3GXKiM-cG0G35KBffoUM0/s1600/Blog2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgiU-RQvAdJlb5ry4EzdoIupdePC2Ua5q_kQ1n9BRKamz7SPGCRP2QhVXDwH9SkIUkdSmBlpNuNfZXEoAN3-k9fvpGp3Uuw4HrfRgSJD6yD3tklYCeXe_2ehD3GXKiM-cG0G35KBffoUM0/s1600/Blog2.png" /></a></div>
<div class="MsoListParagraphCxSpMiddle">
<br /></div>
<div class="MsoNormal">
<span style="font-size: 10.0pt;">A prime example illustrating the need for this type of analysis can be found in a 2011 case from the U.S. District Court for the District of Colorado, <i>Doe v. Hofstetter</i>. The court found that the defendant created a fake Twitter account, impersonated the plaintiff, and “communicated with third parties using the Fake Twitter account.” In this particular matter, knowing the types of artifacts left by the usage of Twitter through either the web interface or through TweetDeck could have proven beneficial to those examiners investigating the defendant’s computer. Additionally, the high-profile matter involving inappropriate tweets that may or may not have been sent from former Representative Anthony Weiner’s Twitter account highlights the need for reliable research to identify what, if any, artifacts are left behind on a computer by Twitter usage.</span></div>
<br />
Jonathan Fowler, 2012-01-23: References to Facebook Pics in Unallocated Space<br />
<br />
There are a lot of articles/blog posts/webinars that I have reviewed recently regarding the ever-increasing role that evidence from social media sites, specifically Facebook, is playing in both civil and criminal cases. An interesting example of a case where Facebook evidence (more specifically the destruction of said evidence) was prominently involved can be found in <i>Lester v. Allied Concrete</i>, Nos. CL08-150, CL09-223 (Va. Circuit Court, Charlottesville). Long story short: Plaintiff's counsel directed their client to "clean up" his Facebook page, which resulted in the Plaintiff deleting multiple photographs off of the page. Needless to say, the other side found out about the deletions and the judge smacked Plaintiff's counsel with an order to pay over $500K for the discovery violations. <br />
<br />
That piqued my curiosity as to how exactly you could go about running a quick search for any evidence referring to photos that may have been deleted from your Facebook page. The first step was for me to download a copy of my Facebook page as a compressed archive so I could review the HTML code to look for anything that could aid in my search. Once that was downloaded, I used EnCase to look at the code (<i>full disclosure - it's not necessary to use EnCase, any hex/text editor would work</i>) and identified the following snippets of code, with which I could perform a search for data in unallocated space relating to Facebook pictures (<i>bold text added by me to highlight variables</i>): <br />
<br />
<u>Profile Pictures</u> <br />
<br />
<span style="font-size: x-small;">&lt;a href="album-Profile%20Pictures.html" rel="enclosure"&gt;</span><br />
<br />
<u>Mobile Uploads</u><br />
<br />
<span style="font-size: x-small;">&lt;div class="photo-container hmedia"&gt;</span><br />
<br />
<u>Photo Albums</u><br />
<br />
<span style="font-size: x-small;">&lt;div class="album"&gt;&lt;a href="album-<b>[PHOTO ALBUM NAME]</b>.html" rel="enclosure"&gt;</span><br />
<br />
<br />
The src attribute pointing to the URL for each of these is found immediately after the snippets listed above (for the photo albums, the src points to the first picture in the album). While the pictures themselves reside in the various photo albums located within the Facebook page, the above-listed snippets can at least be used to identify the names of photos and photo albums that existed on the Facebook page at one time. If nothing else, they can be compared to content currently located on a Facebook site to determine if the data is still there.<br />
<br />
While this is by no means an exhaustive compilation of artifacts that can help identify pictures from a Facebook page, it is a start and could easily be incorporated into a quick search if this type of evidence is germane to the matter at hand.<br />
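<br />
As an added example (not code from the original post), the following Python script carves the three snippets above out of a raw byte run such as an unallocated-space export or a whole disk image, and pulls out the album name and the src URL that follows each snippet. The sample buffer is constructed; the regex shapes and the 300-byte window between a snippet and its src are assumptions based on the archive layout described above.<br />

```python
import re
from urllib.parse import unquote

# Regexes derived from the snippets listed above (assumption: the src attribute
# follows within a few hundred bytes, as it does in the downloaded archive).
ALBUM_RE = re.compile(
    rb'(?:<div class="album">)?<a href="album-(?P<album>[^"]+)\.html" rel="enclosure">'
    rb'.{0,300}?src="(?P<src>[^"]+)"', re.DOTALL)
MOBILE_RE = re.compile(
    rb'<div class="photo-container hmedia">.{0,300}?src="(?P<src>[^"]+)"', re.DOTALL)

# Constructed fragment standing in for a run of unallocated space.
SAMPLE = (
    b"\x00" * 16
    + b'<a href="album-Profile%20Pictures.html" rel="enclosure"><img src="photos/profile/1001.jpg">'
    + b"\xff" * 8
    + b'<div class="photo-container hmedia"><a href="p/2002.html"><img src="photos/mobile/2002.jpg"></a>'
    + b"slack"
    + b'<div class="album"><a href="album-Summer%20Trip.html" rel="enclosure"><img src="photos/summer/3003.jpg">'
)

def carve(data: bytes, base_offset: int = 0) -> list:
    """Return album/photo references found in data, ordered by absolute offset."""
    hits = []
    for m in ALBUM_RE.finditer(data):
        album = unquote(m.group("album").decode("ascii", "replace"))  # %20 -> space
        hits.append({"offset": base_offset + m.start(),
                     "kind": "profile_pictures" if album == "Profile Pictures" else "album",
                     "album": album, "src": m.group("src").decode("ascii", "replace")})
    for m in MOBILE_RE.finditer(data):
        hits.append({"offset": base_offset + m.start(), "kind": "mobile_upload",
                     "album": None, "src": m.group("src").decode("ascii", "replace")})
    hits.sort(key=lambda h: h["offset"])
    return hits

def carve_file(path: str, chunk: int = 8 << 20, overlap: int = 4096) -> list:
    """Scan a large image in overlapping chunks; dedupe hits by absolute offset."""
    seen, hits, pos, tail = set(), [], 0, b""
    with open(path, "rb") as fh:
        while buf := fh.read(chunk):
            for h in carve(tail + buf, base_offset=pos - len(tail)):
                if h["offset"] not in seen:
                    seen.add(h["offset"])
                    hits.append(h)
            pos += len(buf)
            tail = (tail + buf)[-overlap:]  # keep a window so boundary-spanning hits match
    return hits

if __name__ == "__main__":
    for h in carve(SAMPLE):
        print(f'{h["offset"]:>8}  {h["kind"]:<16} {h["album"] or "-":<14} {h["src"]}')
```

A hit only shows that an album or photo reference existed in a downloaded archive at some point; as the post describes, the names still have to be compared against the live page to tell whether the content was removed.<br />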