±Forensic Focus Partners

Become an advertising partner

±Your Account


Forgotten password/username?

Site Members:

New Today: 0 Overall: 35984
New Yesterday: 7 Visitors: 187

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Videos

±Latest Jobs


Discussion of forensic issues related to all types of mobile phones and underlying technologies (GSM, GPRS, UMTS/3G, HSDPA, LTE, Bluetooth etc.)
Subforums: Mobile Telephone Case Law
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts



Post Posted: Sep 04, 14 14:22

Looking for some input.

Exhibit is an iPad A1455.

Got a large quantity of IIOC stored in: private/var/mobile/Applications/com.atebits.Tweetie2/Documents/com.atebits.tweetie.compose.atttachements.

According to iOS forensic analysis by Simon Morrissey 2010 this location contains "Documents with hash numbers as file names that are actual attachments sent with tweets"

But I've not been able to find any other solid information on that location. A sample file name is: 01CB714D-3386-42BF-BB70-913516F8A439 this does not match the md5 or sha1 hash.

Has anyone else encountered pictures stored in this location, were you able to prove distribution and is there a way to identify whether a picture was sent or received?

Or any other insight into the matter would be appreciated.  


Re: com.atebits.tweetie.compose.attachements

Post Posted: Sep 12, 14 15:15

Hello DenMo,

I have had pictures in the "com.atebits.tweetie.compose.attachments" folder of an iPhone 4. I did testing with an exact make and model and found that pictures that were tweeted from the gallery of the phone are stored here. I noted that pictures tweeted from the Internet (such as Google Images), i.e. not stored in the gallery are not stored here.  

Page 1 of 1