Magnet AXIOM Cloud: User Guide To Acquiring Twitter Artifacts

by Sunny Hoi

Introduction: Magnet AXIOM – New Cloud Source Features Including Gathering Digital Forensic Evidence For Twitter, Facebook, And Slack

With the release of Magnet AXIOM 3.0, the cloud source features of AXIOM are considerably improved.

Magnet AXIOM has implemented additional support for new Twitter acquisition capabilities in the AXIOM Cloud module. Moreover, such forensic acquisition support is not merely confined to Twitter but also extends to other social networking platforms such as Facebook and services like Slack.

Digital forensic investigators may now utilize the new cloud extraction capabilities in AXIOM 3.0 such as the ability to acquire publicly available information on any specific Twitter account of interest.

Notably, law enforcement investigators may gather public Twitter information like tweets and users that may be useful in their investigation, identification, and apprehension of a suspect. Such publicly available data does not require login information of a particular user to obtain and does not need a warrant.

In terms of artifact enhancements, there are now also enhancements to carving for Twitter (Android) which can potentially lead to additional hits.

For our tutorial, we are going to be adding evidence to an existing case by opening an existing AXIOM case folder in Magnet AXIOM Process.

Note that when you first start AXIOM Process, you can also choose to create an entirely new case for purposes of acquiring evidence from not only from the cloud but from computers as well.

Our user guide will show you how to use Magnet AXIOM Cloud to acquire Twitter cloud artifacts by processing and examining the digital evidence correctly.

1. Ensure That The Information Under CASE DETAILS Is Properly Filled Before Proceeding Further

Under “CASE DETAILS“, ensure that you have selected the appropriate folder name and file location for the case files.

For organizational purposes, you’ll likely want to enter a “Case number“. Keep in mind that a case number is not required to finalize the steps of acquiring Twitter public information of a user.

You must select a “Case Type” or you will not be able to click the button later on to acquire Twitter public information of a potential adversary.

Ensure that the appropriate “LOCATION FOR THE ACQUIRED EVIDENCE” is also chosen, including the folder name.

Under “SCAN INFORMATION” and “Scanned by“, it’s a good idea to enter the digital forensic examiner’s full name. You may also enter a description that is useful for the current investigation.

Proceed by clicking on either the “EVIDENCE SOURCES” section on the left or the “GO TO EVIDENCE SOURCES” button on the bottom right.

2. Choose Evidence Source: CLOUD

For this tutorial, we will select “CLOUD” data as our evidence source.

Remember that Magnet AXIOM goes beyond cloud data acquisition and can acquire data from other sources such as computers and mobile devices.

3. Choose Evidence Source: ACQUIRE EVIDENCE

Click “ACQUIRE EVIDENCE“.

Proceed by clicking “NEXT” on the bottom right.

4. Choose Evidence Source – Twitter

To get evidence from Twitter, select “TWITTER” and proceed by clicking “NEXT” on the bottom right.

5. Choose TWITTER PUBLIC ACTIVITY As TWITTER ACCESS METHOD

To obtain Twitter activity from a user that is accessible to the public and may be beneficial for your digital forensic investigation, click “TWITTER PUBLIC ACTIVITY“.

If you have a user’s account credentials, you may choose the latter option “TWITTER USER ACCOUNT“.

We chose the first option to illustrate how easy it is to acquire public activity of a Twitter user without requiring a warrant and that AXIOM proves to be useful in even the complex cases.

Proceed by clicking “NEXT” on the bottom right.

6. Choose DATE RANGE & Add Twitter User Name (Handle) To Narrow Search Results

We recommend using filters to narrow your search results to pinpoint the most relevant evidence. This will help you build a case against a suspect.

Bear in mind that in some circumstances, AXIOM may be unable to obtain public Twitter activity. The reasons can be that the tweets are protected, the tweets are incompatible with the Twitter Standard Search API, or that Twitter has deployed content filtering which hinders your public search result acquisitions.

Under “SELECT DATE RANGE“, choose the applicable time period for the cloud data you are searching for.

As we want complete data and to conduct a thorough investigation, we will select “All dates” next to “Date Range“.

Under “ADD USER NAME“, we will add the suspect’s (User) Twitter account whose tweets we wish to obtain. For example, we will just go ahead and add our own Twitter user name (Handle: @SunnyHoi) to illustrate AXIOM’s new capabilities.

It’s imperative that you add the “@” before the Twitter user name.

Continue by clicking “NEXT” on the bottom right.

7. Observe Evidence Source To Be Added To Case & Click “ARTIFACT DETAILS” & “Cloud artifacts”

We can see that the evidence source to be added to our case is from “Cloud – Twitter Public Activity” which will serve as our “Image – location name” along with the relevant evidence number and Twitter user name (Handle).

Magnet AXIOM Process also shows us that the “Search type” is “Full” and that the current “Status” is “Ready to image“.

Proceed by clicking on the “ARTIFACT DETAILS” section on the left. Select “Cloud artifacts” under “ARTIFACT DETAILS“.

8. ARTIFACT DETAILS – Ensure Twitter Cloud Artifacts Are Selected

By default, Magnet AXIOM Process will already have selected all Twitter cloud artifacts including:

  • Cloud Twitter Direct Messages
  • Cloud Twitter Posts
  • Cloud Twitter Posts Public
  • Cloud Twitter Users
  • Cloud Twitter Users Public

Note that AXIOM will be unable to acquire Twitter Direct Messages (DMs) without a user’s account credentials. Such direct messages are not publicly available to investigators. A warrant will likely be required to read direct messages of a Twitter user.

Continue by clicking on the “GO TO ANALYZE EVIDENCE” button on the bottom right.

9. ANALYZE EVIDENCE – IMAGING IN PROGRESS – Wait Patiently For Magnet AXIOM Process To Acquire Twitter User Activity

During the imaging acquisition phase, it is essential to remain patient for Magnet AXIOM Process to do its job. This can take a significant amount of time to gather all the information if the person under investigation has abundant content, including tweets and followers.

AXIOM Process completes each section separately, and during the process of each section, you’ll see the “In Progress” message.

Keep the digital forensic software running in the background until we see the “Success” message under all three sections of “Acquiring Twitter activity“:

  • Acquiring live data for Twitter Public Activity Twitter Posts Public
  • Acquiring live data for Twitter Public Activity Twitter Users Public
  • Calculating image hashes

When all three sections are complete, you’ll be able to examine the acquired evidence as AXIOM Examine will open automatically to grant you a “Case dashboard“.

AXIOM Process will already have shown that the cloud artifact acquisitions are successful via the message “SEARCH COMPLETE“.

You can close AXIOM Process by clicking the “CLOSE” button on the bottom right. We only require AXIOM Examine now to conduct our forensic analysis.

10. Go From Case Dashboard To Artifacts Section

We see that we are now in AXIOM Examine and we can briefly see the types of artifacts retrieved from our Twitter account in the “ARTIFACT CATEGORIES” section.

At the bottom of the “Case dashboard“, we can see that the artifacts and evidence have been successfully processed via the message “Processing complete“. You can dismiss the message by clicking “OKAY“.

To observe these newly obtained artifacts in-depth, go and click on “Case dashboard” located on the upper left and select “Artifacts“.

11. Look At Artifact Evidence Under CLOUD and Cloud Twitter Users Public Sections

In the “Artifacts” section, we will immediately see under the “CLOUD” section, a subsection called “Cloud Twitter Users Public“.

We can see the first artifact. It’s our name, and if we scroll down the “DETAILS” pane, you could see our “Biography“, our “Location“, the number of “Friends” and “Followers“, our “Like Count”, the number of “Media” published, the direct web URL to the “Profile Picture“, web URL of the Twitter user name, and the “Date/Time” of the profile’s creation.

If we continue to scroll down, we can see other names as well including the “Biography” of another person and that the particular individual is “Following” us (“SunnyHoi“). This is an excellent method for your digital forensic investigation when you are attempting to track down other people who are following your suspect.

For instance, we entered “Kaspersky” as the search term on the upper right corner and clicked the “GO” button.

We are presented with the search results for the term “Kaspersky” that have been highlighted by AXIOM Examine for our convenience.

We can see that “Eugene Kaspersky” (@e_kaspersky), the CEO of Kaspersky Lab, follows us on Twitter. We can further confirm that it is indeed him because AXIOM Examine tells us that his Twitter account is verified.

Closer observation shows that there is another artifact entry under “MATCHING RESULTS” with “Eugene Kaspersky” as the “Name“. We can see that we (“SunnyHoi“) follow “Eugene Kaspersky” on Twitter.

As we can see, there is a lot of information that can potentially help us in our investigation. It’s important to be able to distinguish between relevant and irrelevant information, or we face our valuable time being wasted.

12. Click On MEDIA Section & Switch To Thumbnail View

We continue to examine additional artifacts by clicking on the “MEDIA” section on our left and switching to the “Thumbnail view” on the upper middle right. Note that the default view is “Column view“.

We can now see the profile pictures of individuals and potentially see photos that the suspect published on their own account.

For example, we see a photo of “Edward Snowden“, a former employee of the United States government. This artifact shows that we follow him (@Snowden) on Twitter.

Therefore, we can see that there is a lot of publicly identifiable information and artifacts that can be viewed without requiring a search warrant or the user’s account credentials.

Conclusion

We can see that Magnet Forensics has done a brilliant job making beneficial and meaningful changes to AXIOM Process and Examine.

Furthermore, it is obvious that digital forensic software plays a significant role in digital forensic investigations for many investigators such as law enforcement agencies in combating cybercrime.

To try AXIOM Cloud, you can request a free trial of Magnet AXIOM for 30 days.

Related Posts