Join Us!

Clear all


New Member

Looking for some input.

Exhibit is an iPad A1455.

Got a large quantity of IIOC stored in private/var/mobile/Applications/com.atebits.Tweetie2/Documents/com.atebits.tweetie.compose.atttachements.

According to iOS forensic analysis by Simon Morrissey 2010 this location contains "Documents with hash numbers as file names that are actual attachments sent with tweets"

But I've not been able to find any other solid information on that location. A sample file name is 01CB714D-3386-42BF-BB70-913516F8A439 this does not match the md5 or sha1 hash.

Has anyone else encountered pictures stored in this location, were you able to prove distribution and is there a way to identify whether a picture was sent or received?

Or any other insight into the matter would be appreciated.

Posted : 04/09/2014 3:22 pm
New Member

Hello DenMo,

I have had pictures in the "com.atebits.tweetie.compose.attachments" folder of an iPhone 4. I did testing with an exact make and model and found that pictures that were tweeted from the gallery of the phone are stored here. I noted that pictures tweeted from the Internet (such as Google Images), i.e. not stored in the gallery are not stored here.

Posted : 12/09/2014 4:15 pm