AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

Legal Disclaimer: 

The information listed below is purely informational in nature and not meant to be a substitute for legal advice. One should consult with their respective jurisdiction’s district attorney, prosecutor, judge, etc. prior to using this language for any legal process in an actual investigation. AboutDFIR and its authors are not liable for any content, accuracy, or context.

Serving Preservation Letters/Search Warrants

As stated on this section’s home page, for every digital investigation where a Preservation Letter or Search Warrant is involved, Search.org’s ISP List should be your number one stop regarding proper steps to serve your legal process.

Twitter Law Enforcement Portal

Twitter doesn’t so much have a portal as they do a landing page for their requests. You can find that page here.

Twitter Preservation Letters

For Twitter, you will need the account identified, i.e. @suspectusername, including the @. Twitter allows users to change their username, so be sure to specify a timeframe or ask for any and all usernames associated with a given registered phone number, registered email address, etc. for a specified timeframe.

Preservation Letter/Search Warrant Language Template

Pursuant to Title 18, United States Code, Section 2703(f), you are requested to preserve all records relating to any Twitter account(s) associated with the registered email address suspect@domain.com from X date/time to Y date/time UTC including but not limited to:

  • All user account information including but not limited to: account creation date, registered email address, registered phone number, associated payment methods (including billing address and name), and terms of service IP address
  • The content of all messages, public and private, sent by the above user, including deleted and edited messages
  • The content of all tweets sent or received by the above user, including deleted tweets and associated metadata
  • All images and media sent or received by the above user during the above timeframe either via tweet, direct message, or replies to tweets including deleted items and all associated metadata

Alternative Language:

Any and all content for the Twitter account(s) with the username @suspectusername from X date/time to Y date/time UTC including but not limited to:

Any and all content relating to any Twitter account(s) associated with the registered phone number 1-123-456-7890 from X date/time to Y date/time UTC including but not limited to:

Notes:

It may be possible to discover other account(s) owned by the suspect using the verbiage above. As long as probable cause supports it, it doesn’t hurt to see what else the suspect is doing beyond known account(s). It may help your case become stronger.