Recovering Deleted Tweets By Simon Ridley

Occasionally you may find that a notable Twitter profile removes tweets, or is shut down, before preservation can be initiated by the forensic examiner. Should this be the case, you may be required to refer to caching services such as Google Cache or Twicsy. I recently had need to evidence data found on Twicsy, however the web interface isn't exactly forensic friendly when it comes to how it displays the data. Twicsy.com is a Twitter picture search engine, which appears to duplicate the original textual data from a tweet containing an image and store this information on its own web server. The image from a tweet is simply referred to from the source, and if the tweet is deleted or the profile removed, you'll find the image won't exist any more. However, the textual data still remains on Twicsy's website despite the original tweet not existing. After discovering this I wrote a Ruby script to extract each of the archived tweets and place it into a format which is readable.

When Microsoft calls a Vulnerability a “Feature” By Mathew Beddow

Also known as "When responsible disclosure gets you nowhere, make them listen by going public", but it didn't have such a good ring to it. So, to the meat of the business. I have a Nokia Lumia 920 which a …

Backlinks and SEO By Mathew Beddow

Following a recent discussion I had with a university dive club member about a request to remove a back-link from a now dead forum from a travel insurance company, I thought I'd take this opportunity to delve into the mystical …

Keyword Tracking Live Tweets By Simon Ridley

A little experiment script I cobbled together for live incident tracking over Twitter, very useful for identifying and evidencing signs of racism or death threats towards others. If the scenario requires it, geo data can be included in the capture, along with the tweet source, which identifies how the tweet was made, either via a mobile device or a web browser. Also quite handy if and when exhibits need to be seized, and you need to narrow down what device the tweets were made from.

Twitter Profile Extraction Tool API Update By Simon Ridley

After a couple of requests from members on Forensic Focus, I've updated this script so that profiles can be accessed / extracted via Twitter's API update 1.1. I had converted the original script into an executable which was available for download on SourceForge, however since the API now requires authentication, I don't like the idea of packaging my own API keys into this. All this means is that you will require your own API keys, which you can create at Twitter's Application management page.

Torrent File Parser By Simon Ridley

This is a great script for obtaining the metainfo contained within torrent files. Due to the encoding used, keyword searches conducted during computer forensic analysis may not return any results when analyzing these types of files. This Ruby script decodes the torrent, allowing an examiner to view the contained information, such as tracker list, file names, file sizes, directories, MD5 sum, etc. Credit goes to Rob Williams for creating this; all I did was alter the Bencoding Library, as I was unable to get the original to function. Hopefully you'll find this as useful as I did!

Twitter Profile Extraction Tool By Simon Ridley

So I wrote this back in late 2012, for use with the Twitter API V1.0. Unfortunately this script is now somewhat redundant, as the API was updated in June 2013 to use OAuth. However I'm re-posting this, as it was originally hosted on launchpad.net, but I'm now centralizing all my scripts on github.com. Despite the current condition of the script, it may prove valuable to someone out there, you just never know!