OSINT Researchers - Human Vs Machine

Last year I was a speaker at OSMOSIS Conference in Myrtle Beach, South Carolina.  The conference is a draw for investigators across many professional fields.  One thing that I was curious to see was the vendor booths.  I already knew of some of the conference vendors, like Skopenow and TLO, being in the Private Investigation business.  This was the first time I would see demos from other companies like Liferaft and Voyager Labs.

Like many OSINT analysts, I'm selective when it comes to spending my software license budget and some of these vendors can have pretty large license costs.  That's why I was interested to see what these power house companies could do for an OSINT investigator.  The conference had some good breakout sessions where I got to see demos of the software in action. 

Machine Advantage

The 2 examples that wow-ed me the most were from Voyager Labs who demonstrated with a case study of the Instagram Models who were arrested with a large haul of cocaine on an Australian cruise ship.   

Geo-location of social media, drug trafficking and models makes for an interesting case study

Geo-location of social media, drug trafficking and models makes for an interesting case study

The analysis showed geo-location analysis and the different countries of port on the cruise ship where the cocaine was likely to have been brought on board. The software was able to quickly extract location data from target social media and create geographic points on a map for analysis.

The 2nd example that caught my attention was one of the social network mapping demos.  The context was gang member analysis on the west coast of the United States.  The software took a suspected gang member's Facebook page and visually mapped out the network of friends while pointing out specific details in common among the account's network of friends.  The software also took the data and graphed it out visually.

simulated social network graph

simulated social network graph

There were common profile account details that when analysed were subtle identifiers of potential gang involvement.  What was most impressive about this demo was the speed of the graphic analysis and the case management portal that gave a quick way to change and filter the graph based on account details.  If you wanted to see all the people in the suspect's Facebook network that were from the same city, high school or employer all you had to do was flip a few selectors and that data and the graph would both change on the fly.

The demonstrations showcased the power of automating some of the OSINT analysis within a custom dashboard giving a drastic speed advantage to portions of social media analysis.  

License Vs Open Source

The obvious advantage in comparing open source tools to licensed commercial material is cost.  Some of the lower cost social media tools on the market can still run you $50-150 per month for access to things that will automate the aggregation or analysis of social media and other online content.  While the heavy hitters like the vendors I mentioned above can run you several thousand dollars per year for a license to access this software.

Unless you have an unlimited budget, open source tools will likely be an area of interest.  Here are a few recommended tools and resources (open source) that OSINT investigators will want to check out:

Online Resource Collections-

http://osintframework.com/ (Visual Collection of tools based on category) Credit - @JNordine

https://inteltechniques.com/menu.html (Impressive collection of online search tools) - Credit @IntelTechniques

https://github.com/Ph055a/awesome_osint (Large collection of OSINT resources) - Credit @Ph055a

https://brokemy.network/osint-resources/ (Great collection of the great resource collections) - Credit @CryptoCypher 

https://start.me/p/m6XQ08/osint (start page of OSINT resources featuring some international tools) - Credit @TechNisette

https://start.me/p/VRxaj5/dating-apps-and-sites-for-investigators (Start page of OSINT tools for Dating Sites) - Credit @FrenchPI

Tools - 

Maltego Community Edition


Maltego Casefile






Buscador (OSINT Virtual Machine)


Human Advantage

While I was impressed with the software demonstrations I saw at OSMOSIS I never once felt like my skill set was threatened to be replaced by a machine.  The software gave a definite speed advantage, but the mind of a good OSINT investigator can come up with some brilliant comparisons and open source solutions that can be just as effective and run several levels deeper when it comes to full analysis of a target profile.

My Own Case Study

One set of research that I took on manually was Facebook account creation analysis.  My research is covered more in depth in previous blog.  But with a minimal amount of effort stretched over a long amount of time I was able to create a data set that lets me narrow down the date that a Facebook account was created based on the Facebook account ID number alone.  During the course of this research and analysis I was able to learn a lot about the inner workings of Facebook account creation and general strategies for research (sock puppet) account creation.

Using only open source data captured from hundreds of Facebook users, analysis of data points in a spreadsheet and graphing software I was able to generate a graph which allows me to determine the day an account was created.  This was NOT anything like scraping or mass collection by survey like we are seeing in the Cambridge Analytica headlines.  Using simple analysis of public Facebook posts over time the following graph was created and refined.

Data points generated from Open Source data collection of Facebook posts

Data points generated from Open Source data collection of Facebook posts

The real world use for this Facebook analysis has come in handy for cases where people have been impersonated online with false accounts and for cases where a subject created multiple accounts and I needed to map out potential account involvement based on an activity or event that had occurred at a certain point in time.  

This research was featured in the Facebook chapter of Michael Bazzell's Open Source Intelligence Techniques (6th Edition) 

Book available here:  https://inteltechniques.com/book1.html  


In the book entry I provided Michael with a range of Facebook ID number's that can help you quickly narrow into the specific year an account was created back through 2007.  Since then I've already been able to refine my data to where the average account can be narrowed down to a range of about 2 weeks down the exact day of account creation with only the account's ID number.

It was my own drive to solve a simple challenge in a case that lead me to developing my own tool I could rely on for many future cases.  These are the things that will separate human investigator from machine for a long time.  Knowing the advantages available in form of pricey software only pushes me and the other OSINT investigators I network with to research harder for our own specialized solutions and techniques.  

If you have any techniques to share or comments please drop me a line on Twitter @baywolf88

Happy OSINTing

Opting Out Like a Boss - The OSINT way (part 1)

Tip of the Hat

Quick tip of the hat to Michael Bazzell and Justin Carroll over at the Complete Privacy and Security Podcast.  The offense and defense segment they do toward the end of each episode goes over one newer OSINT tactic and a way to defend your privacy against it.  On a recent episode they discussed another people search site that popped up plus the opt-out link so you can have your information removed.  That episode got me thinking about these types of sites and this blog is a result of that brainstorming session.

People Searching

If you follow OSINT or Privacy techniques, then you are familiar with the main people search sites like Pipl, Spokeo and Radaris.  As an OSINT investigator I try to stay familiar with both the main sites and the smaller websites that continue to appear.  I notate the sites with reliable results for my investigation purposes and I make sure to opt my own information off the sites for privacy.  

osintframework.com  currently has 44 links to various people search websites

osintframework.com currently has 44 links to various people search websites

Opt Out

Opting out is not an easy task.  It takes time and effort to remove your information from the multiple sites on the internet.  Some sites have a simple opt out page, others require valid ID submission as proof of your record before they will remove it.  Its also not a one and done situation since new search sites appear every few months. 

There are 2 excellent resources I recommend if you are going to start down the path of opt out:

Lesley Carhart wrote a blog highlighting the removal process on several sites and also delves into security checkups on your social media accounts.

Micah Hoffman hosts an awesome document for opt out created by a colleague which is described on his website.


Once you feel like you have a handle on your publicly available info, set yourself a reminder and in about 6 months, go back and look for your info online again.  Be prepared for another round of opting out and also don't forget about others in your household.  Just because you removed all of your records from the internet doesn't mean I can't find a record of your significant other who happens to live with you now or in your past.  The task of opting out is never ending.  That said... can we do it more efficiently?

OSINT on the People Search sites

As I was checking out people search sites, something occurred to me.  Why haven't I done OSINT on the people search sites themselves?  On the OSINT framework photo I can see similarities in the names of the sites themselves.  Peoplefinder.com vs Peoplefinders.com and TruePeopleSearch vs. FastPeopleSearch are very similar in name.  The look and feel of the websites are all pretty similar, so my thought process goes like this.  What if some of these sites are the same companies?  If they were it would be pretty easy to just to launch another website and connect their people database to the new URL.  Maybe there is even a trigger for the database transfer, like a certain percentage of opt outs.  Those are all speculation, but I decided to dig a little bit.  

I started with 2 sites similar in appearance and name Truepeoplesearch and Fastpeoplesearch:

Side by side view

Side by side view

Visibly similar in layout and almost identical toward bottom of the web page is the Terms, Privacy and Contact links.  

For a closer look I drop both pages into a comparison tool at Copyscape.com.  Copyscape is part of a plagiarism checking service.  It runs a quick side by side comparison of matching words on 2 different webpages.

Snapshot of comparison checker at  Copyscape.com

Snapshot of comparison checker at Copyscape.com

97 and 99 percent matching to each other, we can posit that even if this isn't the same company, both sites at least used the same legal template and just changed out the company name. They even have the same update stamp visible of April 5, 2017.  I file this under interesting and add the comparison tool to my OSINT arsenal.  Time to search a deeper level than matching words.

Sub-domain Enumeration

In the world of penetration testing, sub-domain enumeration is used to find additional servers and machines on a network to increase the chances of finding a vulnerability for the pen test.

I'm not officially on the red team so while I know of programs like Sublister and Aquatone that make Sub Domain Enumeration more automated, there are other tools just as easy for me and my use cases.  Enter DNSdumpster.com:

I put DNSdumpster to work and looked for any overlap in the sub-domains of the people search websites.  I started with the list of sites on Inteltechniques.com Real Name Search found here.  I noticed something interesting when I got to Peoplefinders.com and Peoplesearchnow.com.

That MX record for Peoplesearchnow at looks interesting

That MX record for Peoplesearchnow at looks interesting

There it is again on Peoplefinders 

There it is again on Peoplefinders 

DNSdumpster has other features that I recommend exploring like the Domain mapping graphs and exporting the host info to an xls file, but more on that later.  What I've found is my first potential link between 2 people search sites.  To test my theory I want to try an opt out.  Domain maps lead me to believe that PeopleFinders network is the larger one.  In theory, if I opt out of the larger site, my info should drop off the smaller site as well.  

2 For 1 Opt Out Attempt

First I find my record on both sites to confirm I am a part of the database in both places  According to HowManyofMe.com there are approximately 142 people in the United States with the same name as me.  It doesn't take long to find my record with just my name and the state I live in.


There I am on Peoplefinders.com

There I am on Peoplefinders.com

There I am on PeopleSearchnow.com

There I am on PeopleSearchnow.com

You will find the opt out link for PeopleFinders here ( https://www.peoplefinders.com/manage ) and PeopleSearchNow here ( https://www.peoplesearchnow.com/opt-out ). I submit the opt out process on the PeopleFinders site:


Submit for my confirmation



So my record drops off of PeopleFinders.com instantly, which is nice since some sites will tell you your record may take 24 hours or more to stop showing up in search results.  Before I hit submit on the PeopleFinders opt out, I opened up my record in side by side browsers on the other site PeopleSearchNow.  After the opt out submission I hit a refresh on the browser on the right and....

Boom... 2 for 1 opt out

Boom... 2 for 1 opt out

So my theory is confirmed, if multiple sites are indexing my data from the same company or server, I can opt out of multiple sites if I know which ones are connected.  Since this is 2 sites out of many more that are online, I decide to dig further so I can determine if there are other ways the people search sites are connected.  

Coming in Part 2

I took a closer look at the company contact info for PeopleFinders I notice another company name in the mix.  I've done some OSINT pivoting on business search sites like Manta.com which look at business filings and business registration info.  (Items like Duns Number, SIC and NAICS which you can read more about here)

Those pages can lead you to the company's executive names and business contact info like phone number and addresses.  I'll take a closer look in part 2.

If you have any techniques to share or comments please drop me a line on Twitter @baywolf88

Happy OSINTing

Sharing DFIR research

While doing some research on a digital forensics challenge I noticed something.  My blog content doesn't cross over into digital forensics all that often.  Blogging about digital forensics takes a lot more work to sanitize private data and often times a DFIR concept requires making visual aid to help explain things.  

Boom, big reveal, not everyone likes reading hex code

Boom, big reveal, not everyone likes reading hex code

My site content is numerous in OSINT topics because if I find a method or tool I want to share I can quickly use sample data or test targets to share the concept.  It is much harder to generate sample data when it comes to things like computer and mobile forensics because what I'm working on may be confidential or my test device may include research accounts I do not wish to disclose.  That said I've got a few DFIR blogs in the works.

In the meantime, I thought I would share a few of the blogs and resources that I have found most useful in my case work over the last year.  The folks on this list did a great job creating easy to follow and highly educational DFIR content:


magnet blog.JPG


Magnet Forensics blog has some great webinars and white papers available.  I lean to this blog for updates on Android OS and what it means to my forensic methods as well as watching for new apps and technologies being researched for forensic value.  Jessica Hyde recently gave a webinar featuring forensic analysis of Internet of Things devices.  It's always good to know whats coming down the road in digital artifacts.




At one point last year I noticed DFIR Guy collecting an awesome list of DFIR tools on twitter.  This became in instant reference.  If I need to know if a tool exists or if there was a tool I remembered but couldn't think of the name, I go here to find it.  Between the value of the tool listing and the range of quality blog posts, it became a DFIR frequent stop for me.




SANS is a pillar in our InfoSec knowledge base.  The blog is a solid resource of research topics and white papers and the web of instructors all have different niches of specialty contributions to the Digital Forensics community.  Speaking of...




Heather Mahalik's blog became my go to source for mobile forensics.  When the major iOS updates happen I make sure to see what research Heather has available as phone forensics is a constant in my lab work.  




Blackbag is another forensic vendor that continuously produces quality blog posts.  When I have research involving Mac computers or mobile devices I usually end up checking their blog. 




Cheeky Monkey gets mad technical but the write ups are excellent to follow along with.  Monkey's blog posts go a great job of citing sources for additional research as well and I often times find myself reading a followup blog or 12.  When I'm in the mood for tech deep dive Cheeky4n6monkey's colorful blog is where I go.




Mari Digrazia's blog became valuable early on for its 'parsing' content.  Mari has links to some open source tools that have proven useful several times over in my casework.  Her technical write ups are also well done with illustrations that help you follow along.  

this week.JPG


Phil Moore does an awesome weekly round up of forensic highlights.  It takes a lot of time, research and dedication to stay up to date on all the aspects of the digital forensics field.  Phil makes that task a lot easier on the rest of us.



Last but not least is the forum of Forensic Focus.  If you google-fu your way to a DFIR solution there is a 99% you will land on this forum in your research. Some great sub categories of digital forensics are covered here and there are over thirty thousand members.  Your chances of finding somebody with relevant information to your case is pretty high.  


Thanks for checking out my favorite DFIR resources.  I hope you found them helpful.  If you have any of your own to share please drop me a line on twitter @baywolf88

Spydialer and OSINT on Danny Tanner

Ethical Creeping

Small sidebar before I get started.  The other members of the OSINT community I regularly engage with on Slack (shameless plug... Join us!  https://openosint.signup.team) have debated the best way to demo OSINT tools and techniques without doxxing (publishing private info about somebody) others.  I refer to this as ethical creeping.  We've seen bad examples of this at conference security talks and even vendor demos.  A presenter carelessly enters some random info and displays address, phone number, IP address or other information to the audience, solely to the benefit of the demo.  Please do not do this! If you are going to take the time to demo something that can potentially disclose the info of others, take some precaution.  For example, ask for a volunteer that doesn't care, use someone in the public eye already or do the work to obscure the info for your presentation before your demo.  Bare minimum use some common courtesy, please and thank you.  In the following demo I show some details, but nothing that general white page listings wouldn't show


I have used Spydialer in the past to see if a target number had a voicemail greeting that could identify an account.  It is a nifty trick and nice way to check a number anonymously** (I'll come back to those 2 little stars) without directly dialing the target number yourself. 

Last night one of the OSINT forums I frequent, notified me SpyDialer had added some functionality to the website. I wanted to check it out and also make sure that the updates had left my previous Opt-Outs intact.

** 2 Little Stars

So back to the anonymity disclaimer.  If you go to the 'How it Works' part of the Spydialer page you see the warning that the voicemail check isn't really anonymous.

This is true, if you enter a target number the target cell phone will either display missed call or get a quick ring before displaying the missed call.  So make sure if you have a jumpy target you choose another tool or you may spook your subject.


The opt out link is at http://www.spydialer.com/optout.aspx

There has always been debate in the security world on whether to trust the opt out process or not.  The main argument being that if you opt out, you are in turn validating your data and maybe the site will sell that validated data over to another marketing group.  I think that debate is the equivalent of which came first 'chicken or egg?'  

My Stance is:

1. Know what the service is capable of pulling on you (OSINT yourself!)

2. Figure out if they actually have an opt-out process and do it

3. See if they have a privacy policy listed online saying what they share with others

4. Follow the path of the others... if possible

5. Repeat steps 1 through 4... forever. (Kidding, but not really)

I can happily say that the opt outs I put in place a few months ago seemed to stay in effect even within the new features that SpyDialer launched. Kudos to SpyDialer for following a degree of honor regarding privacy.

No phone number for you!

No phone number for you!


New Features

So the 'People', 'Address' and 'Email' portions of the SpyDialer search seemed to be the new features.  Let's check them out!

New Feature... Address

With Ethical Creeping in mind, let's see what the 'Address' Function can find for us.  My approach was to look up an address that people have probably google searched many times already and any non-standard info I will obscure.  Let's creep on fictional Dad, Danny Tanner from Full House.  A quick google search for 'real address from Full House' nets the info of 1709 Broderick Street in San Francisco.  Input into Spydialer and get:

If we hit the details tab for Record 1 we see:

The neighbor reporting feature could come in handy as I have previously used a tool like Melissa Data Property Viewer to see public records info of addresses and nearby neighbors.  That's a nice added feature to get a quick listing of nearby addresses.  

New Feature... People

Continuing the Full House themed OSINT I input a search for Danny Tanner, the fictional father from the TV show.  


There are no Danny Tanners in San Francisco but SpyDialer is nice enough to tell us there are some elsewhere.

Details view of Danny Tanner Record 2 shows us that SpyDialer kindly obscures the last 4 digits of a cellular number.

Now would be a good time to point out that many sites partially obscure data due to being a 'free' website.  SpyDialer kindly advises you that BeenVerified is paid site that discloses full addresses and phone numbers.  Fortunately for OSINT investigators, there are many open source ways to see the incomplete info on SpyDialer.  FamilyTreeNow.com is one of those sources.  Using the name Danny Tanner from above, and finding an entry with location ties to Citrus Heights, CA is easy enough.  Being an ethical creeper I won't publish the last 4 digits of a stranger's cell phone, but see if you can find them.

New Feature... Email

Let's do a search for Danny Tanner's email.  Randomly I enter DannyTanner@yahoo.com

Well there's a surprise, Dannytanner@yahoo.com belongs to somebody name Geoff.  To try the email lookup service more completely I tried a few more. 


OK so maybe the email lookup tool isn't the best.  SpyDialer uncovered another Danny in Florida, and deduced a potential name from my 3rd search reporting the email MAY belong to somebody named Danny Tanner... brilliant!

Verdict on SpyDialer

OSINT tools constantly change, update, lose or gain functionality.  One thing stays the same in my own usage of them... I never use just one tool.  SpyDialer can be a decent starting point if you have a target phone number, but inevitably I will end up running the phone number through a PIPL.com search or see what other related addresses or phone numbers I can find listed on FamilyTreeNow.com.  My search methodologies go through a bank of OSINT resources and that bank changes depending on which data I already have and which data I am trying to find.  While the email search feature is pretty basic, I will continue to use SpyDialer if I have a starting phone number and no name.  If a site is good enough for me to want to opt out of it, the site is good enough for me to utilize it in an OSINT investigation.



When researching the house location info for this demo I found that site and was impressed with the level of detail and research somebody put into the house from the show.  Maybe a little creepy... but impressive.

If you have any techniques to share or comments please drop me a line on Twitter @baywolf88

Happy OSINTing






Fake Travel with Android Emulator

Twitter Teleportation

Back in November I was testing a scenario for a case I picked up and came up with this little trick. 

There are currently only 2 geo tagged tweets in my Twitter timeline:


The first tweet was 10:10am on 11-29-16 in Amsterdam, The Netherlands.

The second tweet was at 10:36am on 11-29-16 in South Carolina, USA.


On both tweets I intentionally posted a photo with a view outside the window.  The view shows I was physically in the same location even though the geo tags say otherwise.

Both tweets included the hashtag #metadata so I could capture them with mapd’s tweet map.


The Setup

I did this using the android emulator Blue Stacks. http://www.bluestacks.com/

Blue stacks is emulator software (free) that simulates an android device on your computer.  Once you log into a google account you can access the google play store and load your ‘android’ device with any apps you want to run on your CPU.

Before I got started on Twitter I made sure to download and install another application Fake GPS Location Spoofer Free. https://play.google.com/store/apps/details?id=com.incorporateapps.fakegps.fre

(Disclaimer: I have not vetted the privacy of this app so take the proper anonymity precautions as you see fit for your use case)

Before we start using any location based apps in the emulator we set the location. Fake GPS lets us drop a pin location onto a map deciding where we want to beacon a GPS signal from.

Drop a pin and the click the play button in the bottom right hand corner of the map and any apps you run will think you are in Columbia, SC.

Using this method is how I set my tweets to be on opposite sides of the Atlantic Ocean within the same hour. 

OSINT Framework Mobile Emulation Tools

Bluestacks is not the only emulator available. If you are interested in Android emulation head over to OsintFramework.com for an assortment of useful emulation tools.  

Pro Tip - Use Wireshark


I will leave specific ways you can use spoofed location to your imagination at this point.  But one thing I will recommend is running Wireshark in the background while experimenting with different android apps.  If you are skilled in using the network protocol analyzer you may be able to export and save certain artifacts that are intended to “disappear” from your android device.


Comments or Tips to Share

If you have any emulator tips to share or comments please drop me a line on Twitter @baywolf88



Twitter OSINT Ninja

Becoming a Twitter OSINT Ninja


Twitter analytics – socialbearing.com

For basic twitter account analysis I start here.  Social bearing will give us several account statistics including when the account was created, what types of different devices the tweets come from (desktop, tweet deck, iPhone, android).  The analysis can include up to 3200 tweets and loads 200 at a time.  Recently @FBIRecordsVault became active and since it only has 131 tweets in the lifetime of its account it makes a good punching bag… I mean example:

Down the left side of the page are many useful statistics, keywords and geotags (if enabled).  The main panel if you scroll down shows the tweets that you have queried for the stats above.

There are times when a Twitter account may be run by multiple account “managers”.  The ‘tweets by source’ would be a good way to analyze this as we may see several different types of devices contributing to the account.  This is an example of an account allegedly run by multiple people:


There are some API limitations (3200 tweets) so an account that’s been around for a while may have limited or partial results but there is good data on SocialBearing.com

URL manipulation with tinfoleak.com

Tinfoleak is another analytic site.

This example is to show how you can sometime manipulate the URL of a webpage to get past registrations or email captures.

To use Tinfoleak you are supposed to enter a twitter username for research and an email address that a link will be sent to that allows you access to the data.  This is a work around compliments Mike Bazzell of Inteltechniques.  Enter this in a web browser:


changing out <TwitterUserName> with a target twitter account.

The results seem to be varied, but when it works the readout gives you very streamlined recap of hashtags, mentions, media posts and geotags.  Try it on a few accounts and see what works.

Protected Accounts?

With protected accounts we can’t see tweets unless were are confirmed by the account owner. Try entering to:TwitterUserName in the search field of twitter at the top right of your browser. 


This will show you tweets to the protected account which is like seeing half of a conversation.  Not ideal, but you can glean information sometimes. 

This One Crazy Trick to Hack Protected Accounts

There is a theory online that if you create a brand new account and follow a protected account.  Log out, log back in and check the ‘who to follow’ section of your new account you will see suggestions that your protected target account has associations with.

This may have been a successful tactic a few years ago but twitter has updated the secret sauce to prevent this from working today. 

So What Else Can We Do?

Analytics of a protected account just shows account creation date and what the user has in their profile.

PIPL Search

Head to Mike Bazzell’s search tools click on Twitter on the left and enter the profile name into the PIPL search:

After you hit search take a look at your web URL:


Realdonaldtrump is where the twitter account goes you can just type in a new Twitter handle and try again.

sample_key shows that we are using a sample API key.  You will run into limitations on the sample key at some point if you do repeated searches.

I recommend registering on Pipl.com and they will give you free API keys to use.  If you hit the sample key limit, just copy and paste your key into the URL where it says sample_key.

The results vary just like any OSINT target will, but I have found real names, addresses, phone numbers, job history, and known associations just by searching a protected twitter account handle. 

When Does Your Target Sleep? - Sleepingtime.org

This site has a simple enough interface, but you have to sign in with Twitter to use the service.  Make a fake account if you don’t trust this.  You can also log into your Twitter account settings later and revoke access to your account here:


Ok, so when do I sleep?


That is fairly accurate but note some caveats.  If the user is in a different time zone or has their time zone set incorrectly you will get some variance in this report.  Protected accounts do not report on sleeping time at all. 

Let’s say our target works a 2nd or 3rd shift job the sleeping patterns will be shifted.  If you are trying to locate somebody in real life (like say a private investigator might need to) this could be a great way to find your windows of opportunity to catch a target on the way to work.

The Jester’s Internet AWACS http://internetawacs.jesterscourt.cc/

The Jester’s site has a few settings with impressive readouts.  The Jester has different alert monitoring nodes that are driven from the Twitter fire hose.  Check those out for fun and then run the Deep Dive Search on your target account. 

Psyche – Activity – Geolocation are analyzed.  If you ever need somebody to test geolocation on, Steve Wozniak’s account is good for target practice @SteveWoz :


Geo maps

Ever since the free portion of Echosec became defunct, I’ve been looking for a good geo-mapping replacement for twitter.  MapD and Tweetpaths are the sites I end up on the most now. 

MapD from MIT - Mapd.csail.mit.edu/tweetmap

MIT’s MapD allows some map based research on hashtags.  If you have a target that uses geo tagging you can find tweets by hashtag within the last 30 days. 

As you might expect #grrcon, a security conference, only had about 5 geotag enabled tweets with the conference name tagged.

However a hashtag #iphone7 nets about 1400 geotag enabled tweets in the last 30 days.


Once you find an account with geotags enabled Tweetpaths.com is a great way to see where they’ve been.  This is another site that requires a sign-in with your twitter account so, once again, use a fake account or know how to revoke the permissions afterwards.

We will pick on Woz again: Enter his user name in the top left, click on advanced options and check the show path option:

We can see that Steve likes to tweet when travelling and at dinner time.

Further Down the Rabbit Hole – Osintframework.com

Once you’ve gathered some data with your Twitter ninja skills head over to Justin’s (@jnordine) www.osintframework.com and see what other data you can pivot your way into.  The framework has a few twitter tools up its sleeve:

I hope you enjoyed this peak into OSINT tactics on Twitter.  If you have any techniques to share or comments please drop me a line on Twitter @baywolf88

Happy OSINTing!

Derbycon Shenanigans

That time I used twitter to orchestrate an icing of Hacking Dave...

Why is there a Tropical Fruit flavor?!?

Why is there a Tropical Fruit flavor?!?

This is a small tale of one of the many shenanigans that ensue when you get a bunch of hackers together in the same area for a few days.  One of the traditions of Derbycon is a little game called 'Icing'.  You can Ice people with Smirnoff Ice which is a questionable beverage at best.  These Derbycon Smirnoff have usually been enhanced by being heated up as well (Yuck level +10... gross).  So you find a target and hand them a warm Smirnoff and they must chug it down.  (Side note - totally OK to decline an Icing - nobody is forced to do anything at Derbycon they don't want to)  There are defensive bracelets available for purchase which proceeds support Hackers for Charity.  However if your Icer has more bracelets than you, your defense is invalidated.  Derbycon founder, Hacking Dave Kennedy usually ices a speaker or two mid talk which is totally awesome.

@HackingDave  sneak attack on  @JaysonStreet  mid talk

@HackingDave sneak attack on @JaysonStreet mid talk

So Saturday evening @Skydog was setting up his ID maker machine in the Hyatt lobby. I missed out on an ID the previous year and I decide to jump in line.  While tweeting for people to come get in line for one of Skydog's awesome badges I notice this message from @HumanHacker Chris Hadnagy:

I'm not equipped with any Smirnoff Ice... but I know somebody that is. So I hit up @Nullspace on DM.

I don't know the specifics of where @nullspace was, how he found @HackingDave or how he made his Ice-hit go down right next to the Skydog ID badge line I was standing in.  But sometimes things just work out perfectly and this happened 4 minutes after my DM:


Tropical Icey Goodness for Hacking Dave and Nullspace getting photo proof for Human Hacker

Tropical Icey Goodness for Hacking Dave and Nullspace getting photo proof for Human Hacker

The inevitable face you make after getting Iced

The inevitable face you make after getting Iced

I get entertained while waiting in line, Nullspace gets a free ticket to BourbonCon, Human Hacker gets a payback on Hacking Dave, Hacking Dave gets to experience the magic of Tropical Fruit flavored Smirnoff Ice... everbody wins!  Oh and Hacking Dave, no need for revenge plotting.  I was collateral damage Iced by Nullspace about 90 seconds later.

So Gross... Thanks Nullspace

So Gross... Thanks Nullspace

All fun and games aside, a huge thanks to Dave Kennedy and all the staff for everything that is Derbycon.  The infosec community is a better place because of this conference.  This year was my 2nd Derbycon and 1st time ever as a conference speaker.  One of the talks I saw on OSINT last year at Derbycon set me on a path that helped me find my way into my own Infosec career. See you next year Derbycon!

PS Thanks for the badge @Skydog and for making it awkward @JaysonStreet