(Note: This posting is a modified version of a presentation I made to the Digital & Multimedia Evidence Section of the American Academy of Forensic Sciences at the 65th Annual Conference - slide deck from the presentation is available upon request)
Founded
in 2006, Twitter is an online social media outlet that allows its users to post
micro-blogs of up to 140 characters, called “tweets.” The rapid growth and acceptance of Twitter by
the public is evidenced by the fact that the company now has over 500 million
users; and, according to the web information site Alexa, their most recent
three-month tracking numbers show that Twitter is the eighth most popular
website in the world. Its social
significance can also be gauged by the enormous popularity of segments on
late-night television programs such as Jimmy
Kimmel Live!, where celebrities appear on the show to read mean-spirited
tweets about themselves.
Although
there are multiple third-party options from which a user can access and utilize
a Twitter account (i.e. HootSuite, Tweetings, Echofon, etc.), a recent article
on TechCrunch.com cites statements made by the founder of Semiocoast, a French
social media monitoring company, that “Twitter’s own access points, including TweetDeck,
represent 75.4% of all public tweets.” We
recently used this statistic to determine the most probable methods by which
Twitter artifacts would be generated. At the time, we were putting together a
presentation, but this information could be very important if a case involving
digital evidence from social media sources.
For our test, we installed a fresh operating system on
a 40GB drive; installed FireFox (v.14), Chrome (v.20), Safari (v.5), IE (v. 8,
9); and loaded TweetDeck with dummy accounts already created. Then, we started
generating Twitter activity, including tweets and direct messages. When the
test activities were complete, we examined the drive for artifacts of Twitter
activity, including unallocated/slack space.
In a nutshell, what we found was that there wasn’t
much of anything left, either by the web interface or through using
TweetDeck. However, we did find a couple
of interesting artifacts:
1.
Upon logging in
to TweetDeck, a number of keys are added to the Windows registry under the
general heading of “TrollTech.” After
looking up TrollTech (now known as QT, part of Digia), we found that the
company specializes in enabling applications to function across various
platforms (iOS, Android, etc.)
2.
We found that in
the Internet history, if a user tries to log in through the Twitter web
interface and enters an incorrect password, the user is redirected back to the
login screen; however, the following entry is seen showing the user’s Twitter
account handle in plain text:
A
prime example illustrating the need for this type of analysis can be found in a
2011 case from the U.S. District Court for the District of Colorado, Doe v. Hofstetter. The court found that
the defendant created a fake Twitter account, impersonated the plaintiff, and
“communicated with third parties using the Fake Twitter account.” In this particular matter, knowing the types
of artifacts left by the usage of Twitter through either the web interface or
through TweetDeck could have proven beneficial to those examiners investigating
the defendant’s computer. Additionally,
the high-profile matter involving inappropriate tweets that may or may not have
been sent from former Representative Anthony Weiner’s Twitter account
highlights the need for reliable research to identify what, if any, artifacts
are left behind on a computer by Twitter usage.