Recognizing the name of the accused as a sitting member of the client’s board of directors, our analyst created an alert, capturing all pertinent details of the post, and sent it to the client’s Chief of Security. The Chief’s response was simple: Find out who was behind the tweet.

The investigation was underway.

It started with the tweet itself. Then the account it came from. Then to the posting history and content therein. And on to the profile and cover images. Dissecting the account began to shape the story behind our trapped woodchuck, but no detail was more telling than a website linked to the account’s profile.

Following that link led us unexpectedly to a blog consisting of posts written about a community college—in fact, the same community college where the client’s board member also worked as a faculty member. The articles posted to the site consistently called for the removal of college faculty in key leadership positions, including the client board member.

Like the Twitter account before it, analyzing the website yielded more details. The majority of articles were authored by the same individual, identified by a first initial and last name. By sifting through many posts and comments, we discovered the next clue, a post left by a respondent to a particularly agitated article:

“Thanks Professor.”

With the primary author’s first initial and last name in hand, we cross-referenced the college’s faculty page and discovered not only his full identity but also that of several other individuals who posted and commented on the blog site. The group revealed was a coalition of faculty, students, and staff united in their opposition to the school’s leadership. Further diligence linked the names in the group to Twitter accounts that followed the original woodchuck tweet.

Next, we identified leading candidates for the original tweet by conducting open-source reviews of their public social media accounts. We discovered an association between one faculty member and an environmental activist who was protesting a logging project in her area that was being conducted by our client.

We reviewed the activist’s public account and discovered the exact image of the trapped woodchuck, posted on the same day, and just 13 minutes before, the case-originating tweet. It was clear now that the activist’s post was repurposed by the college protest group as leverage against our client’s board member.

The capstone to this identification came when we conducted reverse image searches on the woodchuck picture. These searches showed that the image was originally posted in 2013 by a survival instruction school, a full six years before the activist and protest group used it. In that time span, at least three other websites had reused the image, proving that this particular Marmota Rodentia could not have been the victim of the alleged activity.

Armed with this intelligence, our client’s PR team was able to mitigate the woodchuck episode. Beyond this, the accounts and websites identified through the investigation were now known to the client, allowing them to monitor and prepare for similar social media attacks against members of their company.

Tim Hendrickson is Managing Director – Investigations for TruView BSI, LLC, responsible the company’s global investigative and risk-based intelligence operations. Tim is a former commissioned U.S. Army Officer with five years of active duty service, including two deployments in support of Operation Iraqi Freedom, where he maintained a Top Secret Clearance as a Military Intelligence Officer and analyst, serving as a military advisor and liaison to the National Information and Investigation Agency, the Iraqi government’s equivalent of our own FBI.