Friday, March 22, 2013

Artifacts left by Twitter Web Interface and TweetDeck


(Note: This posting is a modified version of a presentation I made to the Digital & Multimedia Evidence Section of the American Academy of Forensic Sciences at the 65th Annual Conference - slide deck from the presentation is available upon request)

Founded in 2006, Twitter is an online social media outlet that allows its users to post micro-blogs of up to 140 characters, called “tweets.”  The rapid growth and acceptance of Twitter by the public is evidenced by the fact that the company now has over 500 million users; and, according to the web information site Alexa, their most recent three-month tracking numbers show that Twitter is the eighth most popular website in the world.  Its social significance can also be gauged by the enormous popularity of segments on late-night television programs such as Jimmy Kimmel Live!, where celebrities appear on the show to read mean-spirited tweets about themselves.

Although there are multiple third-party options from which a user can access and utilize a Twitter account (e.g., HootSuite, Tweetings, Echofon, etc.), a recent article on TechCrunch.com cites statements made by the founder of Semiocast, a French social media monitoring company, that “Twitter’s own access points, including TweetDeck, represent 75.4% of all public tweets.”  We recently used this statistic to determine the most probable methods by which Twitter artifacts would be generated. At the time, we were putting together a presentation, but this information could be very important in a case involving digital evidence from social media sources.

For our test, we installed a fresh operating system on a 40GB drive; installed Firefox (v.14), Chrome (v.20), Safari (v.5), IE (v. 8, 9); and loaded TweetDeck with dummy accounts already created. Then, we started generating Twitter activity, including tweets and direct messages. When the test activities were complete, we examined the drive for artifacts of Twitter activity, including unallocated/slack space.

In a nutshell, what we found was that there wasn’t much of anything left, either by the web interface or through using TweetDeck.  However, we did find a couple of interesting artifacts:

1. Upon logging in to TweetDeck, a number of keys are added to the Windows registry under the general heading of “TrollTech.”  After looking up TrollTech (now known as Qt, part of Digia), we found that the company specializes in enabling applications to function across various platforms (iOS, Android, etc.).


2. We found that in the Internet history, if a user tries to log in through the Twitter web interface and enters an incorrect password, the user is redirected back to the login screen; however, the following entry is seen showing the user’s Twitter account handle in plain text:
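
As an added example (not part of the original presentation), here is one way an examiner could triage a copy of a Firefox history database for login-redirect entries of the kind described in item 2. The sample rows are constructed, and the redirect URL and its `username_or_email` parameter name are assumptions; the function reports whatever query parameters it finds rather than relying on that name.

```python
import sqlite3
from datetime import datetime, timezone
from urllib.parse import urlsplit, parse_qsl

def build_sample_history():
    """Constructed stand-in for Firefox's places.sqlite (moz_places subset)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, "
               "title TEXT, last_visit_date INTEGER)")
    rows = [  # constructed rows; last_visit_date is microseconds since the epoch
        ("https://twitter.com/", "Twitter", 1342000000000000),
        # Hypothetical redirect URL: the path and parameter name are assumptions.
        ("https://twitter.com/login/error?username_or_email=example_handle",
         "Sign in to Twitter", 1342000060000000),
        ("https://example.com/login?user=someone", "Other site", 1342000120000000),
    ]
    db.executemany("INSERT INTO moz_places (url, title, last_visit_date) "
                   "VALUES (?, ?, ?)", rows)
    return db

def find_login_redirects(db, domain="twitter.com"):
    """Return history entries under the domain's /login path that carry query values."""
    hits = []
    cur = db.execute("SELECT url, last_visit_date FROM moz_places "
                     "WHERE url LIKE ? ORDER BY last_visit_date", (f"%{domain}%",))
    for url, visited in cur:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if host != domain and not host.endswith("." + domain):
            continue  # LIKE also matches look-alike hosts; confirm the real host
        if not parts.path.startswith("/login") or not parts.query:
            continue
        when = (datetime.fromtimestamp(visited / 1_000_000, tz=timezone.utc)
                if visited else None)
        hits.append({"url": url, "visited_utc": when,
                     "params": dict(parse_qsl(parts.query))})
    return hits

if __name__ == "__main__":
    for hit in find_login_redirects(build_sample_history()):
        print(hit["visited_utc"], hit["params"], hit["url"])
```

Against real evidence, run it on a working copy of `places.sqlite` opened with `sqlite3.connect()` rather than on the original file.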


A prime example illustrating the need for this type of analysis can be found in a 2011 case from the U.S. District Court for the District of Colorado, Doe v. Hofstetter. The court found that the defendant created a fake Twitter account, impersonated the plaintiff, and “communicated with third parties using the Fake Twitter account.”  In this particular matter, knowing the types of artifacts left by the usage of Twitter through either the web interface or through TweetDeck could have proven beneficial to those examiners investigating the defendant’s computer.  Additionally, the high-profile matter involving inappropriate tweets that may or may not have been sent from former Representative Anthony Weiner’s Twitter account highlights the need for reliable research to identify what, if any, artifacts are left behind on a computer by Twitter usage.
