Interpreting metadata on Twitter
For some investigations it may be important to find out the exact time of a post on Twitter. For example, think of a situation in which you are asked to find out exactly when a threat on Twitter was sent, or what the exact order of user responses to this Tweet is. You may also be asked to investigate when a user is usually active, for example to determine when a user is likely to be asleep, in the event that a raid is planned and it should proceed smoothly.
Is the time you see actually correct?
If you often look at the exact times of Tweets that have been posted on Twitter, you may have noticed that the times are not always the same. It makes a big difference whether or not you are logged in, with which account, and on which laptop. As a researcher or investigator, you want to be sure of your case. If you make a mistake, you may not only be embarrassed, but your mistake can also have serious consequences for your investigation. In this blog post we therefore explain how you can find out the exact times of Tweets, Retweets and comments on Twitter.
Time and metadata
The exact time a message on Twitter has been posted is a type of metadata. You can see metadata as data that says something about other data. Examples of metadata are the name of the author of a specific Word document and the title and time of creation of that document. The author, title and time of creation of the Word document are thus called the metadata. All three say something about the Word document.
Metadata in your investigation
Metadata is embedded in a lot of data, which can be useful for you as an investigator. After all, you not only have the "normal" data in your hands, but also the data that says something about this data. And this data sometimes contains more information than you think. For example, photos taken with digital cameras may even contain dates, times and GPS coordinates. This allows you to find out very precisely on what date, at what time and at what place a photo was taken. Metadata from images made with digital cameras is what you call EXIF data, which stands for "Exchangeable Image File". Read more about this in our earlier blog post.
Metadata on Twitter
After reading the above, you may think of locating GPS coordinates from photos posted on Twitter. Unfortunately we have to disappoint you, because this does not work. Large websites and social media such as Facebook, Twitter and LinkedIn remove this type of information after uploading. For you, that means that you can no longer extract this information from a photo. Sometimes you have more luck with smaller websites or social media. In any case, trying doesn't hurt.
Fortunately, on Twitter you can determine when a message or comment has been posted, and sometimes even from which location. In this blog post we focus on mapping the dates and times of messages ("Tweets") on Twitter. And that can be more difficult than you think.
Logged in versus not logged in
To understand what we are talking about, we recommend that you view a random message on Twitter and note the time of the message. It is important that you do this once while you are logged in and once while you are logged out. Do you see the differences?
In the image below you see the same Tweet with an image twice. The left image shows us how the time looks when we are not logged in, the right image shows us the time when we are logged in. Both images show the date January 23, 2015, but there is a difference in the time: the left image indicates 02:57, the right image 11:57 a.m. Which of the two times is correct? And why are there differences?
Find out the correct time
In order to find the correct time, you must search for the Unix timestamp of the relevant message. The "Unix timestamp" is a timestamp in Unix time, which is also called "Epoch time". Without going much deeper into Unix time: it is a kind of system that indicates a specific moment in time. Because these moments in time are the same worldwide according to this system, Unix timestamps are widely used in computer systems. If you know the "Unix timestamp", you can convert this timestamp to the time in your local time zone.
Finding Unix timestamps
Below we explain how you can find out the Unix timestamp of messages on Twitter. You can retrieve the Unix timestamp from Tweets when you are logged in, but also when you are not logged in: both will provide you with exactly the same Unix timestamp.
The first thing to do is move your mouse over the time of a message. If you do this, you will immediately see that a date is displayed. The time differs again, because the left image (not logged in) shows the time 02:57 while the right image shows 11:57. Then right-click on the time and then click on Inspect Element.
If you have clicked on "Inspect Element", you will see the image below. You will see that the "Developer tools" of your web browser are opened and that certain information is highlighted in blue. You could also have reached this view by pressing F12 and selecting the date of the message. In the information below, the data-time="1422010676" section is important because it contains the Unix timestamp of the message. You need the timestamp "1422010676" to find out the time of the message.
Converting Unix timestamps
You now know that you need the Unix timestamp to find the date of the message. One way to convert the Unix timestamp to the time in your local time zone is through tools on a website such as WolframAlpha. As you can see below, the WolframAlpha website converts the Unix timestamp 1422010676 to 10:57:56 am UTC on Friday, January 23, 2015.
You can also convert the Unix timestamp to a "real" time via the Epochconverter website. As you can see below, the Unix timestamp 1422010676 is converted to 10:57:56 GMT. This time is exactly the same as the time that WolframAlpha indicated.
What does this mean?
Both the tool on the WolframAlpha website and the tool on the Epochconverter website convert the Unix timestamp 1422010676 to the time 10:57:56. WolframAlpha gives this time in UTC, which stands for "Coordinated Universal Time", and Epochconverter gives this time in GMT, which stands for "Greenwich Mean Time". Although both mention the same time, UTC and GMT do differ from each other. GMT is a time zone while UTC is not a time zone but a so-called time standard. Neither ever changes, even when the clock is set forwards ("summer time") or backwards ("winter time").
If we want to read the time of 10:57:56 GMT / UTC in our local time zone, we must therefore take the summer and winter time into account. In addition, we must also take into account the time zone in which the Netherlands is located. The Netherlands is located in the CET time zone, which stands for "Central European Time". This time zone is 1 hour ahead of UTC as standard, with an additional hour in the summer. Because the message was posted on January 23, 2015, we must therefore take winter time into account. That means that the message, converted to our local time zone, was posted at 11:57:56 (10:57:56 + 1 hour).
Then why are there different times on Twitter?
We have seen above that Twitter records the time as 02:57 if you are not logged in, and that the same message gets 11:57 a.m. if you are logged in. Why doesn't Twitter automatically convert this time to your local time zone? A possible answer to this may be that each Twitter account has its own time settings. In our Twitter account, for example, the time zone is set to the GMT+01:00 (Amsterdam) time zone, which shows us the 11:57 time when we view the message.
If we then log in with one of our fake accounts, we will see that a completely different time is displayed. The left image below shows what the time will look like when we are logged in with an account with the time settings set to GMT-07:00 Mountain Time (US & Canada). The right image below shows what the time will look like when we are logged in with an account with the time settings set to GMT+01:00 Amsterdam.
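The conversion described above, as an added example that is not part of the original post: it pulls the data-time value out of saved page source and renders the same instant in UTC and in the two account time zones mentioned, including the offset in force on that date. The sample markup and the summer timestamp are constructed, and mapping "Amsterdam" and "Mountain Time (US & Canada)" to the IANA names Europe/Amsterdam and America/Denver is an assumption.

```javascript
// Added example. Sample markup is constructed; only the data-time value is from the post.
const SAMPLE_HTML =
  '<a href="#"><span class="timestamp" data-time="1422010676">23 Jan 2015</span></a>';

// Constructed second value: the same UTC clock time 181 days later, during summer time.
const SUMMER_TS = 1422010676 + 181 * 86400;

// Collect every data-time value (Unix seconds) found in saved page source.
function extractUnixTimestamps(html) {
  return [...html.matchAll(/\bdata-time="(\d{9,11})"/g)].map((m) => Number(m[1]));
}

// Render one instant in an IANA time zone, with the UTC offset valid at that instant.
function formatInZone(unixSeconds, timeZone) {
  const fmt = new Intl.DateTimeFormat('en-GB', {
    timeZone, hourCycle: 'h23',
    year: 'numeric', month: '2-digit', day: '2-digit',
    hour: '2-digit', minute: '2-digit', second: '2-digit',
  });
  const p = {};
  for (const { type, value } of fmt.formatToParts(new Date(unixSeconds * 1000))) {
    p[type] = Number(value); // separator parts become NaN and are never read
  }
  // Reading the zone's wall clock as if it were UTC exposes the zone's offset.
  const wallAsUtc = Date.UTC(p.year, p.month - 1, p.day, p.hour, p.minute, p.second) / 1000;
  const offMin = Math.round((wallAsUtc - unixSeconds) / 60);
  const pad = (n) => String(Math.abs(n)).padStart(2, '0');
  const offset = (offMin < 0 ? '-' : '+') + pad(Math.trunc(offMin / 60)) + ':' + pad(offMin % 60);
  return `${p.year}-${pad(p.month)}-${pad(p.day)} ` +
         `${pad(p.hour)}:${pad(p.minute)}:${pad(p.second)} ${offset}`;
}

// Assumed IANA names for the account settings described in the post.
const ZONES = ['UTC', 'Europe/Amsterdam', 'America/Denver'];
for (const ts of [...extractUnixTimestamps(SAMPLE_HTML), SUMMER_TS]) {
  for (const zone of ZONES) console.log(ts, zone.padEnd(17), formatInZone(ts, zone));
}
```

The timestamp is identical on every line for a given Tweet; only the rendering changes with the zone and the time of year, which is why the raw value is the one to record in a report.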
Do you want to be sure?
Do you want to be sure that you have the correct time for a message, retweet or comment? Then make sure you find out the timestamp and that you convert this timestamp to your local time zone, taking into account the time of the year (summer time and winter time). It does not matter whether you are logged in or not, because the timestamp is always the same. If you are logged in, it is always good to know which time zone your Twitter account is set to. You can see this in the old version of Twitter (use the Add-on GoodTwitter) via Settings and privacy > Account > Time zone.
Do you want to know more about conducting research on Twitter? Or do you have an addition to this article? Then contact us! In our OSINT classes we will of course have a look at Twitter investigations.