On GitHub, user x0rz has created a tool called Tweets Analyzer. As you might expect, it lets you enter someone’s Twitter handle, and it pulls the content of their tweets and provides you with data about their activity. It’s available to download here: https://github.com/x0rz/tweets_analyzer. It requires a Twitter API key and an access token, but both of these are free to create.
The tool is written in Python, making it easy enough to customize or build on. It’s currently licensed under the GNU GPL 3.0. Details about how it may be used are available here: https://github.com/x0rz/tweets_analyzer/blob/master/LICENSE
What’s really posting as that handle?
The output of Tweets Analyzer is clean and straightforward. We pointed the tool at a cybersecurity account, which we know is operated by a human. This was our output:
If possible, Tweets Analyzer will pull down the user’s time zone and plot the activity in local time. The chart shows a definite dip in activity in the early-morning hours on the East Coast of the United States, where the operator lives.
This has already given us a lot of useful data. We can pick up the following details:
-This individual is focused on cybersecurity (#malware, #wannacry, #dfir, #infosec)
-This is a personal account (a mixture of topics and hashtags, and tweets on weekends and during off hours)
-The individual speaks English
-The individual primarily tweets from an iPhone
If we wanted to simulate an attack on this individual, we might research the Twitter iOS app for vulnerabilities. Then we could tweet a cybersecurity-“related” story URL at them, or send it via Direct Message, and attempt to compromise their device or phish them. Or, if we were looking for additional sources of digital evidence, the detected sources give us good reason to suspect the user has at least an iPhone and an iPad, and likely an Android device and a desktop computer, too.
Below is more output from Tweets Analyzer. Note the differences in the activity distribution graph:
There is more activity, and it is spread far more uniformly across the day, with no overnight dip. The name of the account itself appears as a source in the “Detected Sources” section (we’ve redacted it here), which means tweets are being posted through a custom application registered under that name, and that definitely points to automated posting. Since the activity is not perfectly uniform, there’s a chance a human also uses this account. Perhaps it was operated by a human for some time and the posting was scripted from some point to the present. Either way, the recent activity looks automated.
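The two signals read off the screenshots above, the shape of the hour-of-day distribution (a sleep gap versus a flat line) and a “Detected Sources” entry named after the account, can be recomputed from raw tweet data. The following is an added example, not code from the tweets_analyzer project, that does so on constructed sample data so it runs offline. The timestamps, source strings, screen names and the 0.97 uniformity threshold are all assumptions made for the example.

```python
"""Hour-of-day activity profile and source tally for a set of tweets.

Added example, not code from the tweets_analyzer project. It recomputes,
on constructed sample data, the two signals the post reads off the tool's
output: the activity distribution by local hour and the source list. The
timestamps, source strings, screen names and the uniformity threshold are
assumptions for this example.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone
import math
import re

# The Twitter API returns a tweet's `source` as an HTML anchor; only the
# anchor text ("Twitter for iPhone") is meaningful to an analyst.
SOURCE_RE = re.compile(r">([^<]+)</a>")


def source_name(source_html):
    m = SOURCE_RE.search(source_html)
    return m.group(1) if m else source_html


def hourly_histogram(tweets, utc_offset_hours=0):
    """Count tweets per local hour 0-23.

    `tweets` is an iterable of (created_at, source_html) pairs with a
    timezone-aware datetime; `utc_offset_hours` shifts to the subject's
    local zone (for example -4 for US Eastern daylight time).
    """
    tz = timezone(timedelta(hours=utc_offset_hours))
    hist = [0] * 24
    for created_at, _ in tweets:
        hist[created_at.astimezone(tz).hour] += 1
    return hist


def uniformity(hist):
    """Normalised Shannon entropy of the hourly histogram: 1.0 means every
    hour gets the same share of tweets (no sleep gap); a diurnal human
    pattern scores noticeably lower."""
    total = sum(hist)
    if total == 0:
        return 0.0
    entropy = -sum((c / total) * math.log2(c / total) for c in hist if c)
    return entropy / math.log2(24)


def quiet_hours(hist, fraction=0.25):
    """Hours with fewer than `fraction` of the mean hourly count; a
    contiguous overnight run is the dip the post attributes to sleep."""
    mean = sum(hist) / 24
    return [h for h, c in enumerate(hist) if c < fraction * mean]


def source_report(tweets, screen_name):
    """Tally sources and flag any whose name contains the screen name,
    which points to a custom app registered by the account owner."""
    counts = Counter(source_name(src) for _, src in tweets)
    self_named = [s for s in counts if screen_name.lower() in s.lower()]
    return counts, self_named


def profile(tweets, screen_name, utc_offset_hours=0, threshold=0.97):
    """Combine both signals into one verdict. The threshold is an
    assumption chosen for this example, not a value the tool uses."""
    hist = hourly_histogram(tweets, utc_offset_hours)
    counts, self_named = source_report(tweets, screen_name)
    score = uniformity(hist)
    return {
        "histogram": hist,
        "uniformity": round(score, 3),
        "quiet_hours": quiet_hours(hist),
        "sources": dict(counts),
        "self_named_sources": self_named,
        "likely_automated": score >= threshold or bool(self_named),
    }


def make_sample(hours, source_html, days=7, utc_offset_hours=-4):
    """Constructed data: one tweet at each local hour in `hours`, every day."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    start = datetime(2017, 6, 1, tzinfo=tz)
    return [((start + timedelta(days=d, hours=h)).astimezone(timezone.utc), source_html)
            for d in range(days) for h in hours]


# Constructed source strings in the API's anchor format.
IPHONE = '<a href="http://twitter.com/download/iphone" rel="nofollow">Twitter for iPhone</a>'
BOT_APP = '<a href="http://example.invalid/bot" rel="nofollow">AcmeNewsBot</a>'

# A person posting from 07:00 to 23:00 Eastern, and a script posting every hour.
HUMAN = make_sample(range(7, 24), IPHONE)
BOT = make_sample(range(24), BOT_APP)

if __name__ == "__main__":
    for name, tweets in (("analyst_example", HUMAN), ("acmenewsbot", BOT)):
        print(name, profile(tweets, name, utc_offset_hours=-4))
```

The entropy score is deliberately crude: a human who tweets evenly around the clock from several time zones would also score high, so the verdict should be read alongside the source tally, exactly as the post does with the redacted account. Applying the same functions to the JSON the tool saves with its “-s” switch is left to the reader.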
Tweets Analyzer offers a couple of useful options. A screenshot of this data is below.
The “-s” command-line switch is particularly helpful for forensic analysts, since it saves the downloaded tweets to a file so they can be preserved for later analysis. The “--no-retweets” switch is also useful, as we tend to focus on a subject’s original content (unless our goal is just gathering general account activity).
Even for feeds full of content, Tweets Analyzer downloads and analyzes the data in under a minute.
The ability to quickly download and analyze data about a subject is often crucial to a digital investigation, and this tool does the trick. Major props to x0rz for creating this fantastic tool, and a big thank you for making it available to the forensic community!