Open-source intelligence researchers and hackers alike love social media for reconnaissance. Websites like Twitter offer vast, searchable databases updated in real time by millions of users, but it can be incredibly time-consuming to sift through manually. Thankfully, tools like Twint can crawl through years of Twitter data to dig up any information with a single terminal command.
With researchers continually looking for new databases to plunder for juicy pieces of information, Twitter represents a wild mix of primary source information and misleading rumors. While Twitter is often discounted as a source of OSINT information for being difficult to search and parse, there are ways to get around the bottleneck that comes from the time it takes to search through and make sense of the vast sea of Twitter data.
Twitter as an OSINT Database
The key to creating a good plan is a good researcher. Without an understanding of a situation, it’s difficult if not impossible to design a resource efficient plan. A good researcher can take a couple of essential steps to bring the pieces needed to form a plan together.
First, they ask answerable questions that data can prove or disprove, and then they determine the best source of information to search for the answers. Next, they analyze the data for hidden clues or patterns, pulling in more data when necessary to build a complete understanding of the target. Last, with knowledge of the facts of the situation, the data can be transformed into actionable intelligence to support decision making and a plan of action.
The process of defining a question, planning the collection, collecting the data, and analyzing the results is a continuous process of refining clues into understanding. Twitter supplements this mission by providing a sea of structured data to search, able to be sliced through with incredible accuracy.
Data You’ll Find on Twitter
For a red team using OSINT to decide on a plan of action, social media websites like Twitter can provide information not available anywhere else. Aside from the standard information released by official company accounts, Twitter also offers personal insights and observations of employees and even people in the right place at the right time.
You can expect to find the following kinds of information on Twitter:
- Images of badges and keys.
- Phone numbers and personal details exchanged in public mentions.
- Photos and videos of the inside of office spaces and private homes.
- Images and videos from other people at events with different viewpoints linked by hashtags.
- Primary source statements about any range of topics a person may currently be under investigation for.
- Places a target hangs out or spends time.
- Company or office photos showing the identities of other employees.
- Records of travel and upcoming personal events.
Imagine having access to a video that shows you the inside of a building you can’t physically enter, the hardware configuration of a system you can’t touch, or the personal interests of a potential social engineering target. These kinds of details dramatically change the course of a red team engagement by uncovering a weak link in an otherwise secure system.
Slicing Through Data with Twint
While the data contained in Twitter is valuable, it can also be time-consuming to find and process. The time a tweet was posted often plays an essential factor in whether or not a tweet is useful, as well as the location, subject, and many other variables. To help researchers slice through these options quickly, Twint comes equipped with search filters that you can combine in useful ways to show precise information.
Want to know every tweet a user made since last year geotagged near a specific city? Or maybe every tweet a person favorited mentioning a particular topic? With the right combination of search flags, you can even search for people publicly reaching out to exchange contact information with a targeted account.
While many search tools use your Twitter account to make the requests through Twitter’s API, Twint does not. This allows you to bypass rate limiting, query through proxies, and otherwise put distance between yourself and the target you’re researching. With the ability to quickly generate text and CSV files to archive tweets of interest, Twint makes a great forensic or investigative Twitter tool.
For more advanced users, Twint is a Python library that can be scripted to perform more custom or complex actions. The ability to script and scale Twitter searches with Twint makes it a simple but powerful way of extracting data from social media.
Step 1: Install Twint
To get started with Twint, we’ll download the developer version. I tried a few different installation methods from its GitHub page, but I found that only one worked on the Linux system I was using. You’ll need the pip package manager, which should come installed with Python3.
Open a terminal window, and type the following to download and install the development version.
pip3 install --upgrade -e git+https://github.com/twintproject/twint.git@origin/master#egg=twint
That should install everything needed. If you run into problems with a pip install, you can also try using Git, although installing it this way didn’t allow me to run it by typing twint in a terminal window the way I could with pip. To install with Git, open a terminal window and type the following commands.
git clone https://github.com/twintproject/twint.git cd twint pip3 install -r requirements.txt
Step 2: View Twint’s Options
Once the required libraries finish installing, you can start Twint and see the list of available search filters by running twint -h in a terminal window.
sudo twint -husage: python3 twint [options] TWINT - An Advanced Twitter Scraping Tool. optional arguments: -h, --help show this help message and exit -u USERNAME, --username USERNAME User's Tweets you want to scrape. -s SEARCH, --search SEARCH Search for Tweets containing this word or phrase. -g GEO, --geo GEO Search for geocoded Tweets. --near NEAR Near a specified city. --location Show user's location (Experimental). -l LANG, --lang LANG Search for Tweets in a specific language. -o OUTPUT, --output OUTPUT Save output to a file. -es ELASTICSEARCH, --elasticsearch ELASTICSEARCH Index to Elasticsearch. -t TIMEDELTA, --timedelta TIMEDELTA Time interval for every request. --year YEAR Filter Tweets before specified year. --since SINCE Filter Tweets sent since date (Example: 2017-12-27). --until UNTIL Filter Tweets sent until date (Example: 2017-12-27). --email Filter Tweets that might have email addresses --phone Filter Tweets that might have phone numbers --verified Display Tweets only from verified users (Use with -s). --csv Write as .csv file. --json Write as .json file --hashtags Output hashtags in seperate column. --userid USERID Twitter user id. --limit LIMIT Number of Tweets to pull (Increments of 20). --count Display number of Tweets scraped at the end of session. --stats Show number of replies, retweets, and likes. -db DATABASE, --database DATABASE Store Tweets in a sqlite3 database. --to TO Search Tweets to a user. --all ALL Search all Tweets associated with a user. --followers Scrape a person's followers. --following Scrape a person's follows --favorites Scrape Tweets a user has liked. --proxy-type PROXY_TYPE Socks5, HTTP, etc. --proxy-host PROXY_HOST Proxy hostname or IP. --proxy-port PROXY_PORT The port of the proxy server. --essid [ESSID] Elasticsearch Session ID, use this to differentiate scraping sessions. --userlist USERLIST Userlist from list or file. --retweets Include user's Retweets (Warning: limited). --format FORMAT Custom output format (See wiki for details). --user-full Collect all user information (Use with followers or following only). --profile-full Slow, but effective method of collecting a user's Tweets and RT. --store-pandas STORE_PANDAS Save Tweets in a DataFrame (Pandas) file. --pandas-type [PANDAS_TYPE] Specify HDF5 or Pickle (HDF5 as default) --search_name SEARCH_NAME Name for identify the search like -3dprinter stuff- only for mysql -it [INDEX_TWEETS], --index-tweets [INDEX_TWEETS] Custom Elasticsearch Index name for Tweets. -if [INDEX_FOLLOW], --index-follow [INDEX_FOLLOW] Custom Elasticsearch Index name for Follows. -iu [INDEX_USERS], --index-users [INDEX_USERS] Custom Elasticsearch Index name for Users. --debug Store information in debug logs --resume RESUME Resume from Tweet ID. --videos Display only Tweets with videos. --images Display only Tweets with images. --media Display Tweets with only images or videos. --replies Display replies to a subject. -pc PANDAS_CLEAN, --pandas-clean PANDAS_CLEAN Automatically clean Pandas dataframe at every scrape. --get-replies All replies to the tweet.
Step 3: Grab a User’s Recent Tweets
Now that we see the ways we can slice data, we can begin pursuing an investigation. Let’s say we want to track a target or begin investigating a Twitter user. For this guide, we’ll pretend to be a freshly-hired IRS agent assigned to work his or her first audit. We’ve been handed the file of someone accused of tax evasion and are tasked with determining how best to proceed with approaching them.
The name on the file of our first audit is John McAfee. After a quick search, we can see they’re a Twitter user with a handle of “officialmcafee.”
First, we can grab information about the most recent tweets by using the -u flag for the target username and — since for today’s date.
sudo twint -u officialmcafee --since 2019-2-171096956729768767488 2019-02-16 18:17:19 PST <officialmcafee> Oh yeah!! 1096947035360636928 2019-02-16 17:38:48 PST <officialmcafee> Yes. Every last one. Every last one. 1096946784113516544 2019-02-16 17:37:48 PST <officialmcafee> I was so stoned in that photo. I remember tweeting that out . Can't recall why.
Step 4: Locate Historical Evidence
John McAfee was in the news recently after he tweeted that he was fleeing the country, fearing the IRS was planning to indict him for tax evasion. He also tweeted at some point earlier in the year that he had not filed a tax return in a very long time.
Let’s locate the evidence of this tweet by using the -s flag, or subject, to look for tweets this year talking about tax returns.
sudo twint -u officialmcafee -s "tax return" --since 2019-1-011080953136985133062 2019-01-03 14:24:45 PST <officialmcafee> I have not filed a tax return for 8 years. Why? 1: taxation is illegal. 2: I paid tens of millions already and received Jack Shit in services. 3. I'm done making money. I live off of cash from McAfee Inc. My net income is negative. But i am a prime target for the IRS. Here I am.
Great, we have the target admitting to not filing tax returns for eight years. Assuming we were investigating this case, we’ll need to collect some evidence. Did the target make any other statements regarding evading taxes? Let’s collect them in a text file for later review.
To do this, we’ll use the -o flag to output to a text file, and a more general search for tweets about “taxes.”
sudo twint -u officialmcafee -s "taxes" --since 2009-01-01 -o mcafeetax1097243822143213568 2019-02-17 13:18:07 PST <officialmcafee> Yes. Income taxes are illegal. 1096836632672653312 2019-02-16 10:20:06 PST <officialmcafee> I had cataract surgery 6 months ago and bright light still hurts my eyes. I will not take them off for you my friend. And taxes are unconstitutional. I will not pay. Why the fuck do you? Where are your fucking balls? 1092592264164134913 2019-02-04 17:14:29 PST <officialmcafee> Good God woman!! We're running from the fucking tax man. Why don't we just rename our private sessions. I've always favored "Bring that God-like scepter here babe". 1091156545398804481 2019-01-31 18:09:27 PST <officialmcafee> It's all I could afford. The IRS taxed the remaining pixels. 1090719204687429634 2019-01-30 13:11:37 PST <officialmcafee> Lmfao Deal. But my $15 mil is locked up in a swiss account due to a Swiss tax assessment. If you give me the 2 mil to unlock it, I will send you the 15. Really. You can trust me. 1088992872890802178 2019-01-25 18:51:48 PST <officialmcafee> The IRS survived withoit income tax for over a hundred years. Furst showed up during the civil War 1088462380051369985 2019-01-24 07:43:48 PST <officialmcafee> tltorally wrong. . Get real. It isn't a crime not to file taxes. Grand Juries aren't convened for failure to pay taxes. And if you believe taxes are good, you have purchased our government's propaganda. You are way worse off than me. We had no taxes before the Cuvil War. 1082710638365835264 2019-01-08 10:48:26 PST <officialmcafee> Good God!!!! Educate yourself! Thr U.S. had no income tax at all, with the exception of the Civil War, until 1913. We fucking did fine. This is what Im talking about. People are buying Government propaganda and eating it up. We font need income taxes. 1082709806031368192 2019-01-08 10:45:08 PST <officialmcafee> I have paid tens of millions in taxes in the past. Dont dare talk to me abour "orher tax payers". 1081582572461834240 2019-01-05 08:05:54 PST <officialmcafee> Income taxes are unconstitutional. That's my beef. You may not mind being controlled by a corrupt givernment but i do 1081309939841286144 2019-01-04 14:02:34 PST <officialmcafee> We declared our independence from Britain and fought a bloody war to escape burdensome taxes, yet here we are, less than 250 years later, being burdened by income taxes that are more crushing than anythung rhe British dreamed of. Free yourselves people! https://www.ccn.com/crypto-shill-john-mcafee-i-havent-filed-a-tax-return-in-8-years/ ... 1081122728005066752 2019-01-04 01:38:39 PST <officialmcafee> Fox News reported that i don't pay taxes. The IRS is angry (and corrupt). They will strike using law, twisted by 'their' facts, as a club. My offense is small and won't do. inferences of conspiracy or foreign collusion, or something, will come. I promise. https://www.foxnews.com/us/john-mcafee-trashes-irs-in-series-of-tweets ... 1081019828658495488 2019-01-03 18:49:46 PST <officialmcafee> We had no income tax in the U.S. prior to the Civil War. There are uncountable alternativrs. Look it up and educate yourself. 1081017561695903744 2019-01-03 18:40:45 PST <officialmcafee> No sir. We had no income taxes prior to the Civil War and yet we were a world powet. There are thousands of ways to fund a givernment besides income taxes. Pay for service is one way: pay for road use by mileage, pay to access National parks, etc., 1080988662077247488 2019-01-03 16:45:55 PST <officialmcafee> My Crypto goals drive the IRS mad. Privacy coins will obsolete income taxes. Can't tax money you cant see, and I promote this as a good thing. The SEC is legally failing in their power grab so It's up to the IRS now to silence me. I've called them out. They will come. You'll see. 1080953136985133062 2019-01-03 14:24:45 PST <officialmcafee> I have not filed a tax return for 8 years. Why? 1: taxation is illegal. 2: I paid tens of millions already and received Jack Shit in services. 3. I'm done making money. I live off of cash from McAfee Inc. My net income is negative. But i am a prime target for the IRS. Here I am. 1080854344331939840 2019-01-03 07:52:11 PST <officialmcafee> I'm done trashing the SEC. Let's move on to the IRS - the agency that takes from you an average of three months of your labor each year. First - taxation is theft. It is unconstitutional. Prior to the civil war there was no income tax, yet we managed. Stay tuned for the truth. 1071899943680512001 2018-12-09 14:50:36 PST <officialmcafee> And that does'n happen to me constantly??? But ask-- who do the Feds work for? Me, as much as anybody since I've paid the Feds, through taxes, hundreds of millions of dollars for services I have never received. Every Fed burstung through the door will get a "Past Due" notice 1033463922735624193 2018-08-25 14:19:34 PST <officialmcafee> I have made enough in my lifetime to have paid over a quarter of a billion dollars in taxes. I do not have to account for my money anymore. Some of the dollars I spend, are from the millions I made in 1987, never mind the hundreds of millions over the subsequent 10 years. 997495042347622400 2018-05-18 08:12:05 PST <officialmcafee> The SEC created a fake ICO called the Howeycoin, where the "Buy" button takes you to a page which discourages the purchase of cryptocurrencies. This is where your tax dollars are going - into deception, subterfuge and a desperate attempt to save the SEC. https://www.howeycoins.com/index.html#team 951689398135001089 2018-01-11 21:36:48 PST <officialmcafee> Tax writeoffs. 947326031890911233 2017-12-30 20:38:21 PST <officialmcafee> When I follow someone, God gives them a new Bentley Azure. Tax free. 947325176701706241 2017-12-30 20:34:57 PST <officialmcafee> When I follow someone God himself comes down and gives them a Bentley Azure. Tax free. It used to be Ford Focus. Don't know why the upgrade. 947007111011151872 2017-12-29 23:31:04 PST <officialmcafee> As I said earlier ..... When I follow someone God himself comes down and gives them a new Bentley Azure ..... Tax free. 947005611253919744 2017-12-29 23:25:06 PST <officialmcafee> I did. But I don't believe your name is Tom. You realize, of course, that when I follow people, God himself comes down and blesses them - giving each of them a Bentley Azure - tax free. 939924816664121345 2017-12-10 10:28:33 PST <officialmcafee> Good God! Do I have to spell it out? Well ... No taxes, no regulatory problems, no traceable income, no tax accountant costs, etc,etc,etc 644436140183973888 2015-09-17 02:02:03 PST <officialmcafee> My policies now posted https://mcafee16.com/issues/ #ForeignPolicy #drugs #immigrants #tax #educate #economy #cyber +more pic.twitter.com/ugCnhKEBsL
Oh, wow. He really hates taxes. We now have a file called “mcafeetax” containing all the tweets we just scraped about taxes. If I were a law enforcement agency, I might be curious if I could talk to the target or if he might be a heavily armed loose cannon. Maybe Twitter can answer that question!
Step 5: Export Evidence & Metadata
Let’s see if we can identify any tweets about guns in the past year. In fact, let’s try to find an image of the target mentioning “gun” somewhere in the post.
To do this, we’ll add a — media flag to say we only want to see posts containing media like photos or video. Next, we’ll save the evidence we find to a CSV file called “mcafeeguns.”
sudo twint -u officialmcafee -s "gun" --since 2018-01-01 --media -o mcafeeguns --csv1071009885645627392 2018-12-07 03:53:49 PST <officialmcafee> U jumped the gun when I divulged the Skycoin video that someone shot during the week of revelry at my place. Seems there is a remix now. Great improvements plus without the shot of Hayden with his dick hanging out. (link: https://youtu.be/R5q7_UWKcDg ) http://youtu.be/R5q7_UWKcDg 1022223220861272067 2018-07-25 13:53:02 PST <officialmcafee> ANTI-GUN FOLK: READ NO FURTHER. Now -- guns don't kill people. Bullets kill people. And if you want to kill people with a handgun, no bullet beats the FN-57. High velocity, flat trajectory, tumbles on impact, making massive exit wounds. I urge all all if my security to use it. pic.twitter.com/P5hu2Hfur6 1007413614205120512 2018-06-14 17:04:57 PST <officialmcafee> This look like a water gun? pic.twitter.com/VKoh01GuCg 1000389938200895489 2018-05-26 07:55:22 PST <officialmcafee> About my guns pic.twitter.com/MIwq5K6amN 999482149190492160 2018-05-23 19:48:08 PST <officialmcafee> Bull shit. When am I not holding guns or surrounded by guards pic.twitter.com/fawZh7gBRv 999480884003786752 2018-05-23 19:43:06 PST <officialmcafee> When am I not in a photo with guns and guards? pic.twitter.com/iNC343Yq5I 971322857363005440 2018-03-07 01:53:10 PST <officialmcafee> You ask -- Why do I have guns? Dateline: Amy confesses to trying to kill me: http://www.nbcnews.com/video/dateline/50515302 ... Newsweek: Wife confesses to cooperating with Cartel: http://www.newsweek.com/topic/john-mcafee ... USA Today: War with Cartel: https://www.google.com/amp/s/amp.usatoday.com/amp/21712017 ... Google: Tons of stories. Any questions? pic.twitter.com/ODSm4wHz1K 965249086562734080 2018-02-18 07:38:10 PST <officialmcafee> People asked why I have guns in the corner of my previous post. Anyone want to explain why we have the right to bear arms in America? pic.twitter.com/NtT2Fg9qnq
In the CSV file I produced, I also have access to lots of metadata about each post.
I can see that each image I found is also extracted. Clicking on one, I can immediately see that yes, the target is indeed well armed.
There are a lot more images of guns but one, in particular, might be of interest during an investigation. In another “gun” tagged photo from this year, the target is holding a 5.7×28mm ammunition cartridge in front of an FN Five-seven pistol.
This particular handgun is an unusual model designed to defeat modern soft body armor, relying on special armor-piercing bullets fired at a very high rate. They are often hard to find because they are banned from being imported. The round the subject is holding is marked with a black tip, which marks it as armor-piercing ammunition designed to penetrate body armor.
The SS190 bullet has a steel penetrator and aluminum core, meaning any law enforcement agent trying to approach the suspect shouldn’t rely on soft body armor for safety. With a single search through Twint, we’ve determined not only that the suspect is armed, but that he also has access to special types of ammunition.
Step 6: Collect Real-Time Data
Twint has the advantage of being able to pull information about current events that Twitter users are reporting on. By combining the geolocation and subject flags, we can specify we only want to see posts about certain subjects in our local area that are happening now.
Let’s say we hear police raid down the street and want more information. We can search for posts tagged near Los Angeles, for example, searching for keywords like “arrested” or “LAPD” to locate images of events in progress.
sudo twint --verified -s "arrested" --near 'Los Angeles' --since 2019-02-17 --images1097368136293208064 2019-02-17 21:32:06 PST <KTLAMorningNews> Suspected DUI Driver Arrested in Deadly Hit-and-Run Crash in South-Central L.A. Caught on Video http://bit.ly/2SJbRGO pic.twitter.com/T2EYC0OtRB 1097353829375463425 2019-02-17 20:35:15 PST <KTLA> Yucaipa Father Arrested in Death of 6-Month-Old Baby Girl http://bit.ly/2SF1Ydx pic.twitter.com/O8Sd0k9wLt
If we want to search for video evidence instead, we can modify the command to search for that type of content as well. Here, a search for mentions of “LAPD” yields a video showing the end of a recent fatal police pursuit.
sudo twint --verified -s "LAPD" --near 'Los Angeles' --since 2019-02-17 --videos1097300577447378944 2019-02-17 17:03:39 PST <KevinTakumi> Fatal #crash #Chatsworth LAFD/LAPD on scene 2 car crash DeSoto/Plummer 2 transported to hospital 2 dead on scene, investigation ongoing long term @FOXLA pic.twitter.com/srlUTlgtdF 1097264275586871296 2019-02-17 14:39:24 PST <LAPDHQ> Our city might not be perfect, but it has life - it has culture. It's our privilege to be able to serve and protect the City of Angels. pic.twitter.com/yqXWyIIq8w
Now, let’s apply the ability to pull in live data to our search. Who are this person’s supporters? Let’s create a CSV file of everyone who has tweeted to this account using the — to flag, so we can review it for people possibly offering aid or giving other clues about encountering the target in person by tweeting a photo or greeting.
sudo twint --to officialmcafee --since 2019-01-01 -s help -o mcafeecontacts --csv1097503235684864000 2019-02-18 06:28:56 PST <FlyCryptoGuy> Which side defends the bees? Bees die, man dies. Why don't you support #Buzzcoin bro? Help mankind. Save the damn bees. It's easy to throw insults, start throwing solutions. Thank you sir. 1097356068164898816 2019-02-17 20:44:09 PST <SkepticalMinded> Well said, the labels that hold people back as a true progressive society, are the same labels that help those same people feel belonged and validated. So in other words fuck what people think and be yourself. 1097280716466020353 2019-02-17 15:44:43 PST <BitcoinGhost1> I'm in Germany, put me in mind and I'll be ready to help.
Opening the CSV file, we can see it is full of recent replies to the target, many offering support.
Great, so far our investigation shows the target is a heavily armed, unrepentant tax-evader with many supporters — good news for any law enforcement agency.
Step 7: Dig Deeper with Additional Searches
Let’s say we now want to learn any clues about how the target has been hiding his money before announcing his tax evasion.
Because the subject has made many statements about taxes since the story broke, we only want to find statements made before that period using the — year flag. We’re interested in the keywords “taxes” or “tax,” so we can construct a Twint search for any post talking about taxes posted before 2018 with the following command.
sudo twint -u officialmcafee -s taxes --year 2018947326031890911233 2017-12-30 20:38:21 PST <officialmcafee> When I follow someone, God gives them a new Bentley Azure. Tax free. 947325176701706241 2017-12-30 20:34:57 PST <officialmcafee> When I follow someone God himself comes down and gives them a Bentley Azure. Tax free. It used to be Ford Focus. Don't know why the upgrade. 947007111011151872 2017-12-29 23:31:04 PST <officialmcafee> As I said earlier ..... When I follow someone God himself comes down and gives them a new Bentley Azure ..... Tax free. 947005611253919744 2017-12-29 23:25:06 PST <officialmcafee> I did. But I don't believe your name is Tom. You realize, of course, that when I follow people, God himself comes down and blesses them - giving each of them a Bentley Azure - tax free. 939924816664121345 2017-12-10 10:28:33 PST <officialmcafee> Good God! Do I have to spell it out? Well ... No taxes, no regulatory problems, no traceable income, no tax accountant costs, etc,etc,etc 644436140183973888 2015-09-17 02:02:03 PST <officialmcafee> My policies now posted https://mcafee16.com/issues/ #ForeignPolicy #drugs #immigrants #tax #educate #economy #cyber +more pic.twitter.com/ugCnhKEBsL
It seems like the target has made statements about hiding money in cryptocurrency.
Knowing the suspect is now on the run, we can run a search for anyone publically tweeting to the target and offering support. To do this, we’ll look for people tweeting to the target with the — to flag and search for tweets likely containing contact information with the — phone flag.
We can also try to find where he is by searching for photos or video they may have posted of their whereabouts in the last week. Using the — location flag to specify only location-tagged tweets, we can pull any tweets containing media that might let us see where the target is from the last week.
sudo twint -u officialmcafee --location --since 2019-2-10 --media1096942869091356674 2019-02-16 17:22:14 PST <officialmcafee> pic.twitter.com/vbtdCI6ULP | Location House McAfee 1096932395012554754 2019-02-16 16:40:37 PST <officialmcafee> Back at the third floor of the "compound". We are just mellowing out after a day of speeding between islands in my first test of our tender (Moored alongside) pic.twitter.com/sd0ix15MPB | Location House McAfee 1096929852056395776 2019-02-16 16:30:31 PST <officialmcafee> Here is the third floor of our "Compound" right now. The "dingy" is moored alongside. pic.twitter.com/UCnRn3AoJX | Location House McAfee 1096915137087320064 2019-02-16 15:32:03 PST <officialmcafee> A boring video. But Rick took it. He's proud of it. He asked me to tweet it. I just did. He is outside of social media however, so I can dis him in this (for him) alternate universe, while I truly love him in that universe which, for me at this moment time, is alternate. pic.twitter.com/yXPdGF3oW1 | Location House McAfee 1096635092393517056 2019-02-15 20:59:15 PST <officialmcafee> Rick caught me with my harmonica attempting to regain favor with IT guy. He was way out of my league. pic.twitter.com/5HZxPKwyf8 | Location House McAfee 1096614989857738752 2019-02-15 19:39:22 PST <officialmcafee> Holy FUCK!!! My Bahamian IT guy -- whom I judged to be the dweebyest person on earth -- shows up in the band I hired for Choppy's bar for the weekend. People -- never judge. The IT guy is the sax player. pic.twitter.com/e0KW6fWIbY | Location House McAfee
One of the first results is a video of the target steering a boat through a chain of islands. In another tweet the day before, the target films himself at a bar in Georgetown, a city in the Bahamas. Based on media posted on Twitter in the past two days, the target is on a boat off the coast of Georgetown in the Bahamas.
Twitter Makes OSINT Easy
In our scenario, as a junior IRS agent learning about the subject of their first audit, we discovered our target is a heavily armed tax evader marauding around the islands of the Carribean with armor-piercing weapons. Rather than try approaching the offender ourselves, it’s much more likely we’d take advantage of the extradition treaty that went into effect between the Bahamas and the United States on Sept. 22, 1994, and make apprehending the target someone else’s problem.
Regardless of the type of investigation, data from social media can enrich your understanding of an event by providing a seemingly endless stream of information. From studying the interactions between users to finding alternative views of the same situation through media organized by hashtags, information shared on social media should be a part of any OSINT investigator’s toolkit.
I hope you enjoyed this guide to using Twitter as a source of OSINT information with Twint! If you have any questions about this tutorial on Twitter OSINT, leave a comment below, and feel free to reach me on Twitter @KodyKinzie.
Cover photo and screenshots by Kody/Null Byte
Originally published at https://null-byte.wonderhowto.com on May 2, 2019.