Virtual Machines for OSINT

If you are an OSINT investigator you undoubtedly have your cache of tools and search resources. There is no short supply of start.me pages and link collections out there. However, for good operational security and case management a good virtual machine is just as vital to your investigation.

For the last several years Michael Bazzell and David Wescott’s Buscador VM was my go-to for this; however, since that project is no longer updated I’ve changed my strategy a bit. Luckily there are still several free options out there, pre-configured and pre-loaded with tools, that can help you get up and running quickly. We’ll do a quick tour of several of my favorites and I’ll try to leave you with enough resources to build out your own custom virtual machine. The latter isn’t the fastest or easiest route, but it will probably give you the best environment, since you, the investigator, know which tools you consider a must-have and which ones you would use only from time to time.

To try a virtual machine out, you may not always want to grab a 20 gigabyte image file for a test drive… so I did it for you! Let’s take a quick tour!

Pre-built VM

Trace Labs Virtual Machine

Trace Labs produced their own custom VM for anyone who may be participating in one of the OSINT Search Party CTFs. The system is a customized Kali Linux build so if you are familiar with the famous penetration testing VM you may have an extra comfort level. There were several pre-built apps and a massive OSINT bookmarks section installed in Firefox.

Nice assortment of links sorted by category

Anbox (Android in a Box), a containerized Android system, seemed convenient to have pre-installed, as mobile emulators can sometimes be frustrating to set up quickly.

Anbox (Android in a Box)

Other cool programs like Phone Infoga were also ready to go. If you don’t know it, Phone Infoga mixes phone number research with Google dorks that open across multiple tabs for some fast OSINT.

Sample of Phone Infoga’s Google-fu

Those were two of the handiest pre-loads I found, but there is a lot more to unpack. The full list of applications in the build can be found on the Trace Labs GitHub page: https://github.com/tracelabs/tlosint-live#applications-included-in-the-build

With that many features the Trace Labs VM is likely an easy starting point for many researchers. The project is also on version 2.0 and seems to have some community momentum, so the potential for it to improve is high.

Trace Labs VM is available for download here: https://www.tracelabs.org/trace-labs-osint-vm/

Tsurugi Linux

Tsurugi Linux is a hybrid VM designed for digital forensics, malware analysis and OSINT. I used it a couple of times when it first came out, but they’ve released a few updates since, so I grabbed a fresh copy for a look.

As I poked around the tools and features of the OS it was quickly apparent this VM is loaded.

The preloaded applications for malware analysis and digital forensics are impressive, but there is an OSINT switcher that toggles many of those away for better access to the other more commonly used OSINT tools.

OSINT Switcher toggled

As I explored the OSINT tools, one thing that stood out to me about the Tsurugi toolsets is that they really seem to cater to actual analysis of data, not just collection and pivoting. There are several options for analysis of photos, video files and website structure, and one of the most important sections that should never be overlooked… reporting.

If you find yourself doing specialized investigation (Digital Forensics or Malware Analysis) then you should definitely grab the latest copy for your tool kit.

Tsurugi can be downloaded here: https://tsurugi-linux.org/downloads.php

Tails

I’m counting Tails as a virtual machine for this blog, but Tails is really a self-contained (on a USB drive) privacy-centered operating system. If I were somewhere away from my own machines or office but had access to a Tails USB drive and somebody else’s computer, I could use Tails to conduct an investigation without risk of contaminating the host system. Kind of a quick and dirty solution, but one to know about. The setup goes through a bit of a process to ensure a clean install, so it can take a while to set up initially.

Tails can be downloaded here: https://tails.boum.org/install/index.en.html

Remnux + SIFT

Remnux recently had an update, so if you happen across anything malware related in your OSINT cases this is a good VM to know about. The documentation page found here is very useful and has a rundown of the tools and uses found in the virtual machine.

I’ve used a hybrid VM in the past that coupled Remnux with the more digital-forensics-focused SIFT workstation. Lenny Zeltser wrote a blog earlier this month showing a few options to make the hybrid VM.

Making the hybrid VM takes a little work, but the documentation out there is great, so it is pretty easy for most to follow along even if you are not an expert in virtual machines.

You can download Remnux here: https://docs.remnux.org/install-distro/get-virtual-appliance

You can download SIFT here: https://digital-forensics.sans.org/community/downloads

Roll Your Own

There are several free options to get ‘clean’ operating systems and bake in your own tools and configurations. Let’s face it: each of us has our own investigative methods and patterns, so building out your own system is not going to be the easiest answer, but if you build out your own research VM you can keep handy the best tools for investigating, note taking and reporting. Below you will find a few links that may help you get started:

Ubuntu Linux

https://ubuntu.com/download/desktop

Windows 10

https://developer.microsoft.com/en-us/windows/downloads/virtual-machines/

Genymotion Android Emulator (Personal Edition)

https://www.genymotion.com/fun-zone/

My good friends at The OSINTcurious Project reminded me that our own Nixintel wrote a great blog series about building your own custom VM.

https://nixintel.info/linux/build-your-own-custom-osint-machine-diy-buscador-part-1/

If you have any VM suggestions to share or comments please drop me a line on Twitter @baywolf88

Happy OSINTing

OSINT For Good

I’ve been using the hashtags #OSINTforGood and #OSINT4Good for a few years now. Once my network of OSINT professionals and enthusiasts was established I started to find more and more examples of people doing charitable or ethical work to help others by using their OSINT skillsets. One of the first examples I recall was a Vice article talking about a Europol site where you could help identify items in the background of photos that could shed some light on child sexual abuse cases. A simple identifier could give a clue to the region a photo was from and help law enforcement drill into a potentially stale investigation. What a great way to use OSINT for a good cause! Europol’s Trace an Object page can be found here: https://www.europol.europa.eu/stopchildabuse

You don’t need to be directly tied to law enforcement to find your own ways to do OSINT for Good. Last year I tweeted a Google dork that I use to find Crimestopper and BOLO bulletins, which I often use to hone my OSINT hunting skills. I found early on that if I was researching things that were happening in my own region there was a certain sense of urgency that drove me to dig even further on an OSINT thread. The Google dork from that tweet is below and you can insert your own city and state into it to see what kinds of things you can help investigate in your own town. You can learn a lot and might even help out somebody in your neighborhood.

One of the most amazing things about OSINT for Good is the amount of organizations out there that have surfaced in the last few years doing this amazing work. These are a few of my current favorites:

Innocent Lives Foundation

Founded by Chris Hadnagy AKA Human Hacker, the ILF helps unmask child predators. Tapping his network of incredibly smart folks in the information security field as volunteers, the ILF breaks the anonymity that child predators hide behind and interfaces with law enforcement to open investigations.

The BADASS Army

The BADASS in badassarmy stands for Battling Against Demeaning & Abusive Selfie Sharing; in other words, revenge porn and image abuse. Founded by the vicious Katelyn Bowden (it’s pronounced bow as in bow down), this nonprofit helps victims deal with the aftermath of revenge porn and also provides education to keep us informed of ways to protect ourselves from becoming victims.

TraceLabs

The Trace Labs group has turned OSINT for Good into a Capture the Flag contest. Using real missing persons cases already in view of law enforcement, you can help uncover new leads with OSINT investigation; Trace Labs validates the information and formally turns it over to LE to help recover lost loved ones. They hold these contests live at conferences and also have a virtual CTF like the one that is happening next month. Details are on their Twitter page. I highly suggest participating if you have OSINT skills and want to help out.

Other OSINTFORGOOD Groups

There are many other groups out there doing #OSINTFORGOOD. If you know of any others please leave them in the comments of my Twitter page, as I plan to compile them for a future post on the OSINT Curious project’s blog. I strongly support the groups doing good things with OSINT and will continue to signal boost the OSINT for Good cause in several other ways this year.

Happy OSINT-ing and Happy New Year!

OSINT Researchers - Human Vs Machine

Last year I was a speaker at OSMOSIS Conference in Myrtle Beach, South Carolina.  The conference is a draw for investigators across many professional fields.  One thing that I was curious to see was the vendor booths.  I already knew of some of the conference vendors, like Skopenow and TLO, being in the Private Investigation business.  This was the first time I would see demos from other companies like Liferaft and Voyager Labs.

Like many OSINT analysts, I'm selective when it comes to spending my software license budget, and some of these vendors can have pretty large license costs.  That's why I was interested to see what these powerhouse companies could do for an OSINT investigator.  The conference had some good breakout sessions where I got to see demos of the software in action.

Machine Advantage

The two examples that wowed me the most were from Voyager Labs, who demonstrated with a case study of the Instagram models who were arrested with a large haul of cocaine on an Australian cruise ship.

Geo-location of social media, drug trafficking and models makes for an interesting case study

The analysis showed geo-location of social media posts across the cruise ship's different ports of call, where the cocaine was likely to have been brought on board.  The software was able to quickly extract location data from target social media and create geographic points on a map for analysis.

The second example that caught my attention was one of the social network mapping demos.  The context was gang member analysis on the west coast of the United States.  The software took a suspected gang member's Facebook page and visually mapped out the network of friends while pointing out specific details in common among the account's network of friends.  The software also took the data and graphed it out visually.

simulated social network graph

There were common profile account details that when analysed were subtle identifiers of potential gang involvement.  What was most impressive about this demo was the speed of the graphic analysis and the case management portal that gave a quick way to change and filter the graph based on account details.  If you wanted to see all the people in the suspect's Facebook network that were from the same city, high school or employer all you had to do was flip a few selectors and that data and the graph would both change on the fly.

The demonstrations showcased the power of automating some of the OSINT analysis within a custom dashboard giving a drastic speed advantage to portions of social media analysis.  

License Vs Open Source

The obvious advantage in comparing open source tools to licensed commercial material is cost.  Some of the lower cost social media tools on the market can still run you $50-150 per month for access to things that will automate the aggregation or analysis of social media and other online content, while the heavy hitters like the vendors I mentioned above can run you several thousand dollars per year for a license.

Unless you have an unlimited budget, open source tools will likely be an area of interest.  Here are a few recommended tools and resources (open source) that OSINT investigators will want to check out:

Online Resource Collections-

http://osintframework.com/ (Visual Collection of tools based on category) Credit - @JNordine

https://inteltechniques.com/menu.html (Impressive collection of online search tools) - Credit @IntelTechniques

https://github.com/Ph055a/awesome_osint (Large collection of OSINT resources) - Credit @Ph055a

https://brokemy.network/osint-resources/ (Great collection of the great resource collections) - Credit @CryptoCypher 

https://start.me/p/m6XQ08/osint (start page of OSINT resources featuring some international tools) - Credit @TechNisette

https://start.me/p/VRxaj5/dating-apps-and-sites-for-investigators (Start page of OSINT tools for Dating Sites) - Credit @FrenchPI

Tools - 

Maltego Community Edition

https://www.paterva.com/web7/buy/maltego-clients/maltego-ce.php

Maltego Casefile

https://www.paterva.com/web7/buy/maltego-clients/casefile.php

Gephi

https://gephi.org/

Tweetmap

https://www.mapd.com/demos/tweetmap/

Buscador (OSINT Virtual Machine)

https://inteltechniques.com/buscador/

Human Advantage

While I was impressed with the software demonstrations I saw at OSMOSIS I never once felt like my skill set was threatened to be replaced by a machine.  The software gave a definite speed advantage, but the mind of a good OSINT investigator can come up with some brilliant comparisons and open source solutions that can be just as effective and run several levels deeper when it comes to full analysis of a target profile.

My Own Case Study

One set of research that I took on manually was Facebook account creation analysis.  My research is covered more in depth in a previous blog.  But with a minimal amount of effort stretched over a long amount of time I was able to create a data set that lets me narrow down the date that a Facebook account was created based on the Facebook account ID number alone.  During the course of this research and analysis I was able to learn a lot about the inner workings of Facebook account creation and general strategies for research (sock puppet) account creation.

Using only open source data captured from hundreds of Facebook users, analysis of data points in a spreadsheet and graphing software I was able to generate a graph which allows me to determine the day an account was created.  This was NOT anything like scraping or mass collection by survey like we are seeing in the Cambridge Analytica headlines.  Using simple analysis of public Facebook posts over time the following graph was created and refined.

Data points generated from Open Source data collection of Facebook posts

The real world use for this Facebook analysis has come in handy for cases where people have been impersonated online with false accounts and for cases where a subject created multiple accounts and I needed to map out potential account involvement based on an activity or event that had occurred at a certain point in time.  

This research was featured in the Facebook chapter of Michael Bazzell's Open Source Intelligence Techniques (6th Edition).

Book available here: https://inteltechniques.com/book1.html 

In the book entry I provided Michael with a range of Facebook ID numbers that can help you quickly narrow in on the specific year an account was created, back through 2007.  Since then I've already been able to refine my data to where the average account can be narrowed down to a range of about 2 weeks, or even the exact day of account creation, with only the account's ID number.

It was my own drive to solve a simple challenge in a case that led me to develop my own tool I could rely on for many future cases.  These are the things that will separate the human investigator from the machine for a long time.  Knowing the advantages available in the form of pricey software only pushes me and the other OSINT investigators I network with to research harder for our own specialized solutions and techniques.

If you have any techniques to share or comments please drop me a line on Twitter @baywolf88

Happy OSINTing

Opting Out Like a Boss - The OSINT way (part 1)

Tip of the Hat

Quick tip of the hat to Michael Bazzell and Justin Carroll over at the Complete Privacy and Security Podcast.  The offense and defense segment they do toward the end of each episode goes over one newer OSINT tactic and a way to defend your privacy against it.  On a recent episode they discussed another people search site that popped up plus the opt-out link so you can have your information removed.  That episode got me thinking about these types of sites and this blog is a result of that brainstorming session.

People Searching

If you follow OSINT or Privacy techniques, then you are familiar with the main people search sites like Pipl, Spokeo and Radaris.  As an OSINT investigator I try to stay familiar with both the main sites and the smaller websites that continue to appear.  I notate the sites with reliable results for my investigation purposes and I make sure to opt my own information off the sites for privacy.  

osintframework.com currently has 44 links to various people search websites

Opt Out

Opting out is not an easy task.  It takes time and effort to remove your information from the multiple sites on the internet.  Some sites have a simple opt out page, others require valid ID submission as proof of your record before they will remove it.  It's also not a one and done situation, since new search sites appear every few months.

There are two excellent resources I recommend if you are going to start down the path of opting out:

Lesley Carhart wrote a blog highlighting the removal process on several sites and also delves into security checkups on your social media accounts.

Micah Hoffman hosts an awesome document for opt out created by a colleague which is described on his website.

Once you feel like you have a handle on your publicly available info, set yourself a reminder and in about 6 months, go back and look for your info online again.  Be prepared for another round of opting out and also don't forget about others in your household.  Just because you removed all of your records from the internet doesn't mean I can't find a record of your significant other who happens to live with you now or in your past.  The task of opting out is never ending.  That said... can we do it more efficiently?

OSINT on the People Search sites

As I was checking out people search sites, something occurred to me.  Why haven't I done OSINT on the people search sites themselves?  On the OSINT framework photo I can see similarities in the names of the sites themselves.  Peoplefinder.com vs Peoplefinders.com and TruePeopleSearch vs. FastPeopleSearch are very similar in name.  The look and feel of the websites are all pretty similar, so my thought process goes like this.  What if some of these sites are the same companies?  If they were, it would be pretty easy to just launch another website and connect their people database to the new URL.  Maybe there is even a trigger for the database transfer, like a certain percentage of opt outs.  That is all speculation, but I decided to dig a little bit.

I started with two sites similar in appearance and name, TruePeopleSearch and FastPeopleSearch:

Side by side view

Visibly similar in layout, and almost identical toward the bottom of the web page are the Terms, Privacy and Contact links.

For a closer look I drop both pages into a comparison tool at Copyscape.com.  Copyscape is part of a plagiarism checking service.  It runs a quick side by side comparison of matching words on two different webpages.

Snapshot of comparison checker at Copyscape.com

With 97 and 99 percent of the text matching each other, we can posit that even if this isn't the same company, both sites at least used the same legal template and just changed out the company name.  They even have the same update stamp visible of April 5, 2017.  I file this under interesting and add the comparison tool to my OSINT arsenal.  Time to search a deeper level than matching words.
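To show why a side-by-side checker reports two different percentages for the same pair of pages, here is an added Python example (not from the original post, and not Copyscape's actual algorithm): it matches shared four-word runs between two page texts and reports what share of each page those runs cover. The two terms-of-service snippets are constructed for the example, and the four-word window is an assumption.

```python
import re

WORD_RE = re.compile(r"[a-z0-9']+")

# Constructed sample pages: two terms-of-service snippets that differ only in
# the company name, plus one extra sentence on page B. Not text from any real site.
PAGE_A = ("Terms of Service. By using this site you agree to these terms. "
          "TrueSearch Co may change these terms at any time. "
          "Last updated April 5, 2017.")
PAGE_B = ("Terms of Service. By using this site you agree to these terms. "
          "FastSearch LLC may change these terms at any time. "
          "Last updated April 5, 2017. Contact us with any questions.")


def tokenize(text):
    """Lower-case word list; punctuation is dropped so '2017.' and '2017' agree."""
    return WORD_RE.findall(text.lower())


def shingles(words, n):
    """Set of all n-word runs in the list (the unit of 'matching' here)."""
    return {tuple(words[i:i + n]) for i in range(len(words) - n + 1)}


def coverage(words_a, words_b, n=4):
    """Boolean per word of A: is it inside some n-word run that also occurs in B?

    Matching whole runs instead of single words means common words such as
    'the' or 'terms' only count when they sit inside a shared phrase.
    """
    common = shingles(words_a, n) & shingles(words_b, n)
    covered = [False] * len(words_a)
    for i in range(len(words_a) - n + 1):
        if tuple(words_a[i:i + n]) in common:
            covered[i:i + n] = [True] * n
    return covered


def matched_percent(words_a, words_b, n=4):
    """Percent of A's words covered by runs shared with B (rounded to a whole number)."""
    if not words_a:
        return 0
    cov = coverage(words_a, words_b, n)
    return round(100 * sum(cov) / len(words_a))


def compare_pages(text_a, text_b, n=4):
    """Return (percent of A matching B, percent of B matching A).

    The two numbers differ because each is measured against its own page
    length: extra text on one page lowers only that page's figure.
    """
    a, b = tokenize(text_a), tokenize(text_b)
    return matched_percent(a, b, n), matched_percent(b, a, n)


def shared_runs(words_a, words_b, n=4):
    """The maximal shared phrases of A, as strings, for a side-by-side report."""
    cov = coverage(words_a, words_b, n)
    runs, current = [], []
    for word, hit in zip(words_a, cov):
        if hit:
            current.append(word)
        elif current:
            runs.append(" ".join(current))
            current = []
    if current:
        runs.append(" ".join(current))
    return runs


if __name__ == "__main__":
    pct_a, pct_b = compare_pages(PAGE_A, PAGE_B)
    print(f"page A: {pct_a}% matches page B; page B: {pct_b}% matches page A")
    for run in shared_runs(tokenize(PAGE_A), tokenize(PAGE_B)):
        print("shared:", run)
```

On the constructed pages the shorter page scores higher (92%) than the longer one (77%), the same asymmetry the Copyscape screenshot shows with 97 and 99.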

Sub-domain Enumeration

In the world of penetration testing, sub-domain enumeration is used to find additional servers and machines on a network to increase the chances of finding a vulnerability for the pen test.

I'm not officially on the red team, so while I know of programs like Sublist3r and Aquatone that make sub-domain enumeration more automated, there are other tools just as easy for me and my use cases.  Enter DNSdumpster.com:

I put DNSdumpster to work and looked for any overlap in the sub-domains of the people search websites.  I started with the list of sites on the Inteltechniques.com Real Name Search page found here.  I noticed something interesting when I got to Peoplefinders.com and Peoplesearchnow.com.

That MX record for Peoplesearchnow at 204.44.57.11 looks interesting

There it is again on Peoplefinders 

DNSdumpster has other features that I recommend exploring, like the domain mapping graphs and exporting the host info to an xls file, but more on that later.  What I've found is my first potential link between two people search sites.  To test my theory I want to try an opt out.  The domain maps lead me to believe that the PeopleFinders network is the larger one.  In theory, if I opt out of the larger site, my info should drop off the smaller site as well.
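As an added example (not part of the original post), here is a Python script that does the same overlap hunt over a DNSdumpster-style host export for a whole list of sites at once: it clusters domains that share a mail-server address, so you can see which opt-outs might cover more than one site, and it ignores addresses shared by so many domains that they are probably a commodity mail or DNS provider rather than evidence of a common owner. The domain names, hosts and IPs below are constructed (documentation address ranges), not real lookups of the sites named in the post.

```python
from collections import defaultdict

# Constructed sample shaped like a DNSdumpster host export:
# domain -> list of (record_type, host_name, ip). Every value is made up.
SAMPLE_RECORDS = {
    "peoplefinders.example": [
        ("MX", "mx.peoplefinders.example", "203.0.113.11"),
        ("NS", "ns1.bigdns.example", "198.51.100.1"),
    ],
    "peoplesearchnow.example": [
        ("MX", "mx.peoplesearchnow.example", "203.0.113.11"),  # same MX IP as above
        ("NS", "ns1.bigdns.example", "198.51.100.1"),
    ],
    "truepeoplesearch.example": [
        ("MX", "mail.truepeoplesearch.example", "203.0.113.42"),
        ("NS", "ns1.bigdns.example", "198.51.100.1"),
    ],
    "fastpeoplesearch.example": [
        ("MX", "mail.fastpeoplesearch.example", "203.0.113.42"),  # shared with the one above
        ("NS", "ns2.otherdns.example", "198.51.100.2"),
    ],
    "lonelysearch.example": [
        ("MX", "mx.lonelysearch.example", "203.0.113.99"),
        ("NS", "ns1.bigdns.example", "198.51.100.1"),
    ],
}


def shared_addresses(records, record_types=("MX",), max_sharers=3):
    """Return {ip: sorted domains} for IPs that appear under more than one
    domain in the chosen record types.

    IPs shared by more than `max_sharers` domains are dropped: an address that
    serves many unrelated sites is usually a commodity mail/DNS provider, and
    treating it as a link would glue every customer of that provider together.
    """
    by_ip = defaultdict(set)
    for domain, recs in records.items():
        for rtype, _host, ip in recs:
            if rtype in record_types:
                by_ip[ip].add(domain)
    return {
        ip: sorted(domains)
        for ip, domains in by_ip.items()
        if 1 < len(domains) <= max_sharers
    }


def cluster_domains(records, record_types=("MX",), max_sharers=3):
    """Group domains into clusters connected by shared addresses (union-find).

    Every domain ends up in exactly one cluster; a domain with no shared
    infrastructure is its own singleton cluster.
    """
    parent = {d: d for d in records}

    def find(d):
        while parent[d] != d:
            parent[d] = parent[parent[d]]  # path halving keeps the tree flat
            d = parent[d]
        return d

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    for domains in shared_addresses(records, record_types, max_sharers).values():
        for other in domains[1:]:
            union(domains[0], other)

    clusters = defaultdict(list)
    for d in records:
        clusters[find(d)].append(d)
    return sorted(sorted(members) for members in clusters.values())


def links_between(records, a, b, record_types=("MX", "NS")):
    """Explain why two domains look related: the (type, ip) pairs they share."""
    def keys(domain):
        return {(rt, ip) for rt, _h, ip in records[domain] if rt in record_types}
    return sorted(keys(a) & keys(b))


if __name__ == "__main__":
    for cluster in cluster_domains(SAMPLE_RECORDS):
        if len(cluster) > 1:
            print("opting out of one of these may cover the rest:", cluster)
    # NS records alone are a weak signal: ns1.bigdns.example serves four of the
    # five sample domains, so with max_sharers=3 it is ignored as a shared provider.
    print(cluster_domains(SAMPLE_RECORDS, record_types=("NS",)))
```

A shared address is a lead, not proof of common ownership; the opt-out test in the next section is what actually confirms a link.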

2 For 1 Opt Out Attempt

First I find my record on both sites to confirm I am a part of the database in both places.  According to HowManyofMe.com there are approximately 142 people in the United States with the same name as me.  It doesn't take long to find my record with just my name and the state I live in.

There I am on Peoplefinders.com

There I am on PeopleSearchnow.com

You will find the opt out link for PeopleFinders here ( https://www.peoplefinders.com/manage ) and PeopleSearchNow here ( https://www.peoplesearchnow.com/opt-out ). I submit the opt out process on the PeopleFinders site:

Submit for my confirmation

Confirmation

So my record drops off of PeopleFinders.com instantly, which is nice since some sites will tell you your record may take 24 hours or more to stop showing up in search results.  Before I hit submit on the PeopleFinders opt out, I opened up my record in side by side browsers on the other site PeopleSearchNow.  After the opt out submission I hit a refresh on the browser on the right and....

Boom... 2 for 1 opt out

So my theory is confirmed: if multiple sites are indexing my data from the same company or server, I can opt out of multiple sites at once if I know which ones are connected.  Since this is two sites out of many more that are online, I decided to dig further to determine whether there are other ways the people search sites are connected.

Coming in Part 2

Taking a closer look at the company contact info for PeopleFinders, I noticed another company name in the mix.  I've done some OSINT pivoting on business search sites like Manta.com, which look at business filings and business registration info (items like the DUNS number, SIC and NAICS codes, which you can read more about here).

Those pages can lead you to the company's executive names and business contact info like phone number and addresses.  I'll take a closer look in part 2.

If you have any techniques to share or comments please drop me a line on Twitter @baywolf88

Happy OSINTing

Sharing DFIR research

While doing some research on a digital forensics challenge I noticed something.  My blog content doesn't cross over into digital forensics all that often.  Blogging about digital forensics takes a lot more work to sanitize private data, and oftentimes a DFIR concept requires making a visual aid to help explain things.

Boom, big reveal, not everyone likes reading hex code

My site content leans heavily toward OSINT topics because if I find a method or tool I want to share, I can quickly use sample data or test targets to share the concept.  It is much harder to generate sample data when it comes to things like computer and mobile forensics, because what I'm working on may be confidential or my test device may include research accounts I do not wish to disclose.  That said, I've got a few DFIR blogs in the works.

In the meantime, I thought I would share a few of the blogs and resources that I have found most useful in my case work over the last year.  The folks on this list did a great job creating easy to follow and highly educational DFIR content:

https://www.magnetforensics.com/blog/ 

The Magnet Forensics blog has some great webinars and white papers available.  I lean on this blog for updates on Android OS and what they mean for my forensic methods, as well as watching for new apps and technologies being researched for forensic value.  Jessica Hyde recently gave a webinar featuring forensic analysis of Internet of Things devices.  It's always good to know what's coming down the road in digital artifacts.

https://www.dfir.training/index.php/dfir-blog 

At one point last year I noticed DFIR Guy collecting an awesome list of DFIR tools on Twitter.  This became an instant reference.  If I need to know whether a tool exists, or if there was a tool I remembered but couldn't think of the name, I go here to find it.  Between the value of the tool listing and the range of quality blog posts, it became a frequent DFIR stop for me.

https://digital-forensics.sans.org/blog/ 

SANS is a pillar in our InfoSec knowledge base.  The blog is a solid resource of research topics and white papers and the web of instructors all have different niches of specialty contributions to the Digital Forensics community.  Speaking of...

http://smarterforensics.com/blog/ 

Heather Mahalik's blog became my go-to source for mobile forensics.  When the major iOS updates happen I make sure to see what research Heather has available, as phone forensics is a constant in my lab work.

https://www.blackbagtech.com/index.php/blog 

Blackbag is another forensic vendor that continuously produces quality blog posts.  When I have research involving Mac computers or mobile devices I usually end up checking their blog. 

http://cheeky4n6monkey.blogspot.com/ 

Cheeky Monkey gets mad technical, but the write-ups are excellent to follow along with.  Monkey's blog posts do a great job of citing sources for additional research as well, and I oftentimes find myself reading a follow-up blog or 12.  When I'm in the mood for a tech deep dive, Cheeky4n6monkey's colorful blog is where I go.

http://az4n6.blogspot.com/ 

Mari DeGrazia's blog became valuable early on for its 'parsing' content.  Mari has links to some open source tools that have proven useful several times over in my casework.  Her technical write-ups are also well done, with illustrations that help you follow along.

https://thisweekin4n6.com/ 

Phil Moore does an awesome weekly round up of forensic highlights.  It takes a lot of time, research and dedication to stay up to date on all the aspects of the digital forensics field.  Phil makes that task a lot easier on the rest of us.

http://www.forensicfocus.com/forums 

Last but not least is the Forensic Focus forum.  If you google-fu your way to a DFIR solution there is a 99% chance you will land on this forum in your research.  Some great sub-categories of digital forensics are covered here and there are over thirty thousand members.  Your chances of finding somebody with information relevant to your case are pretty high.

Thanks for checking out my favorite DFIR resources.  I hope you found them helpful.  If you have any of your own to share please drop me a line on Twitter @baywolf88.

Spydialer and OSINT on Danny Tanner

Ethical Creeping

Small sidebar before I get started.  The other members of the OSINT community I regularly engage with on Slack (shameless plug... join us!  https://openosint.signup.team) have debated the best way to demo OSINT tools and techniques without doxxing (publishing private info about somebody) others.  I refer to this as ethical creeping.  We've seen bad examples of this at conference security talks and even vendor demos.  A presenter carelessly enters some random info and displays an address, phone number, IP address or other information to the audience, solely for the benefit of the demo.  Please do not do this!  If you are going to take the time to demo something that can potentially disclose the info of others, take some precautions.  For example, ask for a volunteer who doesn't care, use someone already in the public eye, or do the work to obscure the info for your presentation before your demo.  At bare minimum, use some common courtesy, please and thank you.  In the following demo I show some details, but nothing that general white page listings wouldn't show.

SpyDialer

I have used SpyDialer in the past to see if a target number had a voicemail greeting that could identify an account.  It is a nifty trick and a nice way to check a number anonymously** (I'll come back to those 2 little stars) without directly dialing the target number yourself.

Last night one of the OSINT forums I frequent notified me that SpyDialer had added some functionality to the website.  I wanted to check it out and also make sure that the updates had left my previous opt-outs intact.

** 2 Little Stars

So back to the anonymity disclaimer.  If you go to the 'How it Works' part of the Spydialer page you see the warning that the voicemail check isn't really anonymous.

This is true: if you enter a target number, the target cell phone will either display a missed call or get a quick ring before displaying the missed call.  So if you have a jumpy target, make sure you choose another tool or you may spook your subject.

Opt-Out

The opt out link is at http://www.spydialer.com/optout.aspx

There has always been debate in the security world on whether to trust the opt out process or not.  The main argument being that if you opt out, you are in turn validating your data and maybe the site will sell that validated data over to another marketing group.  I think that debate is the equivalent of which came first 'chicken or egg?'  

My Stance is:

1. Know what the service is capable of pulling on you (OSINT yourself!)

2. Figure out if they actually have an opt-out process, and do it

3. See if they have a privacy policy listed online saying what they share with others

4. Follow the path of the others... if possible

5. Repeat steps 1 through 4... forever. (Kidding, but not really)

I can happily say that the opt-outs I put in place a few months ago seem to have stayed in effect even within the new features that SpyDialer launched.  Kudos to SpyDialer for showing a degree of honor regarding privacy.

No phone number for you!

New Features

So the 'People', 'Address' and 'Email' portions of the SpyDialer search seem to be the new features.  Let's check them out!

New Feature... Address

With ethical creeping in mind, let's see what the 'Address' function can find for us.  My approach was to look up an address that people have probably Google-searched many times already, and to obscure any non-standard info.  Let's creep on fictional dad Danny Tanner from Full House.  A quick Google search for 'real address from Full House' nets 1709 Broderick Street in San Francisco.  Inputting that into SpyDialer, we get:

If we hit the details tab for Record 1 we see:

The neighbor reporting feature could come in handy, as I have previously used tools like Melissa Data Property Viewer to see public records info for addresses and nearby neighbors.  That's a nice added feature to get a quick listing of nearby addresses.

New Feature... People

Continuing the Full House-themed OSINT, I input a search for Danny Tanner, the fictional father from the TV show.

There are no Danny Tanners in San Francisco, but SpyDialer is nice enough to tell us there are some elsewhere.

The details view of Danny Tanner Record 2 shows us that SpyDialer kindly obscures the last 4 digits of a cellular number.

Now would be a good time to point out that many sites partially obscure data because they are a 'free' website.  SpyDialer kindly advises you that BeenVerified is a paid site that discloses full addresses and phone numbers.  Fortunately for OSINT investigators, there are many open source ways to see the info that is incomplete on SpyDialer.  FamilyTreeNow.com is one of those sources.  Using the name Danny Tanner from above, finding an entry with location ties to Citrus Heights, CA is easy enough.  Being an ethical creeper I won't publish the last 4 digits of a stranger's cell phone, but see if you can find them.

New Feature... Email

Let's do a search for Danny Tanner's email.  I randomly enter DannyTanner@yahoo.com

Well, there's a surprise: Dannytanner@yahoo.com belongs to somebody named Geoff.  To try the email lookup service more completely I tried a few more.

And

OK, so maybe the email lookup tool isn't the best.  SpyDialer uncovered another Danny in Florida, and deduced a potential name from my 3rd search, reporting that the email MAY belong to somebody named Danny Tanner... brilliant!

Verdict on SpyDialer

OSINT tools constantly change, update, lose or gain functionality.  One thing stays the same in my own usage of them... I never use just one tool.  SpyDialer can be a decent starting point if you have a target phone number, but inevitably I will end up running the phone number through a PIPL.com search or seeing what other related addresses or phone numbers I can find listed on FamilyTreeNow.com.  My search methodology goes through a bank of OSINT resources, and that bank changes depending on which data I already have and which data I am trying to find.  While the email search feature is pretty basic, I will continue to use SpyDialer if I have a starting phone number and no name.  If a site is good enough for me to want to opt out of it, the site is good enough for me to utilize in an OSINT investigation.

Random

http://www.full-house.org/fullhouse/fullhouse_house.php

When researching the house location info for this demo I found that site and was impressed with the level of detail and research somebody put into the house from the show.  Maybe a little creepy... but impressive.

If you have any techniques to share or comments please drop me a line on Twitter @baywolf88

Happy OSINTing

Fake Travel with Android Emulator

Twitter Teleportation

Back in November I was testing a scenario for a case I picked up and came up with this little trick. 

There are currently only 2 geotagged tweets in my Twitter timeline:

https://twitter.com/baywolf88/status/803617220374851585

The first tweet was 10:10am on 11-29-16 in Amsterdam, The Netherlands.

The second tweet was at 10:36am on 11-29-16 in South Carolina, USA.

https://twitter.com/baywolf88/status/803623573000781829

On both tweets I intentionally posted a photo with a view out of the window.  The view shows I was physically in the same location even though the geotags say otherwise.

Both tweets included the hashtag #metadata so I could capture them with mapd’s tweet map.

https://www.mapd.com/demos/tweetmap/

The Setup

I did this using the Android emulator BlueStacks. http://www.bluestacks.com/

BlueStacks is free emulator software that simulates an Android device on your computer.  Once you log into a Google account you can access the Google Play store and load your 'android' device with any apps you want to run.

Before I got started on Twitter I made sure to download and install another application, Fake GPS Location Spoofer Free. https://play.google.com/store/apps/details?id=com.incorporateapps.fakegps.fre

(Disclaimer: I have not vetted the privacy of this app so take the proper anonymity precautions as you see fit for your use case)

Before we start using any location-based apps in the emulator we set the location.  Fake GPS lets us drop a pin on a map, deciding where we want to beacon a GPS signal from.

Drop a pin, then click the play button in the bottom right hand corner of the map, and any apps you run will think you are in Columbia, SC.

This method is how I set my tweets to be on opposite sides of the Atlantic Ocean within the same hour.
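The flip side of the trick above is that spoofed geotags leave an obvious trace: two posts 26 minutes apart on opposite sides of the Atlantic imply a travel speed no real phone can manage.  The block below is an added example (mine, not code from this post or from any of the tools named here) that runs that "impossible travel" check over a constructed sample modelled on the two tweets: the status ids are the ones linked above, the coordinates are approximate city centres, and the 1000 km/h ceiling and the assumption that both clock times are in the same zone are mine.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
# Assumption for this example: nothing short of a spoofed location moves a
# phone faster than a commercial airliner, so ~1000 km/h is the ceiling.
MAX_PLAUSIBLE_SPEED_KMH = 1000.0


@dataclass
class GeoTweet:
    """One geotagged post: id, timestamp and the coordinates the post claims."""
    tweet_id: str
    posted_at: datetime
    lat: float
    lon: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km between two points (haversine formula)."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def implied_speed_kmh(earlier: GeoTweet, later: GeoTweet) -> float:
    """Speed the account would have needed to travel between two posts."""
    km = haversine_km(earlier.lat, earlier.lon, later.lat, later.lon)
    hours = (later.posted_at - earlier.posted_at).total_seconds() / 3600.0
    if hours <= 0:
        # Same timestamp (or out of order): any distance at all is impossible.
        return float("inf") if km > 0 else 0.0
    return km / hours


def flag_impossible_travel(tweets, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Return (earlier_id, later_id, km, km/h) for each consecutive pair of
    geotagged posts whose implied speed exceeds max_speed_kmh."""
    ordered = sorted(tweets, key=lambda t: t.posted_at)
    findings = []
    for earlier, later in zip(ordered, ordered[1:]):
        speed = implied_speed_kmh(earlier, later)
        if speed > max_speed_kmh:
            km = haversine_km(earlier.lat, earlier.lon, later.lat, later.lon)
            findings.append((earlier.tweet_id, later.tweet_id, round(km, 1), round(speed, 1)))
    return findings


# Constructed sample modelled on the two tweets described above: the status ids
# are the ones linked in the post, the coordinates are approximate city centres,
# and both clock times are assumed to be in the same time zone.
SAMPLE_TWEETS = [
    GeoTweet("803617220374851585", datetime(2016, 11, 29, 10, 10, tzinfo=timezone.utc), 52.3676, 4.9041),    # Amsterdam, NL
    GeoTweet("803623573000781829", datetime(2016, 11, 29, 10, 36, tzinfo=timezone.utc), 34.0007, -81.0348),  # Columbia, SC
]

if __name__ == "__main__":
    for earlier_id, later_id, km, kmh in flag_impossible_travel(SAMPLE_TWEETS):
        print(f"{earlier_id} -> {later_id}: {km} km at an implied {kmh} km/h, geotag not credible")
```

Run against a real timeline, the same check is a cheap first pass for deciding whether an account's geotags are worth trusting at all: one flagged pair is enough to treat every other location on that account as a claim rather than evidence.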

OSINT Framework Mobile Emulation Tools

BlueStacks is not the only emulator available.  If you are interested in Android emulation head over to OsintFramework.com for an assortment of useful emulation tools.

Pro Tip - Use Wireshark

https://www.wireshark.org/

I will leave specific ways you can use a spoofed location to your imagination at this point.  But one thing I will recommend is running Wireshark in the background while experimenting with different Android apps.  If you are skilled in using the network protocol analyzer you may be able to export and save certain artifacts that are intended to "disappear" from your Android device.

Comments or Tips to Share

If you have any emulator tips to share or comments please drop me a line on Twitter @baywolf88

Twitter OSINT Ninja

Becoming a Twitter OSINT Ninja

Twitter analytics – socialbearing.com

For basic Twitter account analysis I start here.  Social Bearing will give us several account statistics, including when the account was created and what types of devices the tweets come from (desktop, TweetDeck, iPhone, Android).  The analysis can include up to 3200 tweets and loads 200 at a time.  Recently @FBIRecordsVault became active, and since it only has 131 tweets in the lifetime of its account it makes a good punching bag… I mean example:

Down the left side of the page are many useful statistics, keywords and geotags (if enabled).  The main panel, if you scroll down, shows the tweets that were queried for the stats above.

There are times when a Twitter account may be run by multiple account “managers”.  The ‘tweets by source’ breakdown would be a good way to analyze this, as we may see several different types of devices contributing to the account.  This is an example of an account allegedly run by multiple people:

There are some API limitations (3200 tweets), so an account that’s been around for a while may have limited or partial results, but there is good data on SocialBearing.com.
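The ‘tweets by source’ idea is easy to reproduce yourself once you have the per-tweet source labels (the publishing client) that an analytics site or the API hands back.  This is an added example of mine, not Social Bearing's code or anything from this post: the list of source labels is constructed, and the 20% per-client threshold is an assumption I chose for the heuristic.  It ranks the clients by share and flags an account where two or more clients each carry a meaningful chunk of the posting.

```python
from collections import Counter

# Constructed sample: the source label (publishing client) of each tweet in the
# order an analytics site returned them. Not taken from any real account.
SAMPLE_SOURCES = (
    ["Twitter Web Client"] * 4
    + ["TweetDeck"] * 3
    + ["Twitter for iPhone"] * 2
    + ["Twitter for Android"]
)


def source_breakdown(sources):
    """Return [(source, count, percent)] sorted from most to least used."""
    total = len(sources)
    if total == 0:
        return []
    return [(src, n, round(100.0 * n / total, 1))
            for src, n in Counter(sources).most_common()]


def looks_multi_operator(sources, min_share_pct=20.0):
    """Heuristic only (threshold is an assumption): two or more clients each
    publishing at least min_share_pct of the sample suggests more than one
    person posting. One person switching between phone and desktop trips it
    too, so treat the result as a lead to confirm, not a conclusion."""
    heavy = [row for row in source_breakdown(sources) if row[2] >= min_share_pct]
    return len(heavy) >= 2


if __name__ == "__main__":
    for src, n, pct in source_breakdown(SAMPLE_SOURCES):
        print(f"{src:<22} {n:>4} tweets  {pct:>5}%")
    print("possible multiple managers:", looks_multi_operator(SAMPLE_SOURCES))
```

Because the API only reaches the most recent 3200 tweets, run this over the window you actually retrieved and say so in your notes; a client that was dropped years ago will never appear in the sample, and a new manager who only just started posting will barely register.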

URL manipulation with tinfoleak.com

Tinfoleak is another analytic site.

This example shows how you can sometimes manipulate the URL of a webpage to get past registrations or email captures.

To use Tinfoleak you are supposed to enter a Twitter username for research and an email address that a link will be sent to, which allows you access to the data.  This workaround is courtesy of Mike Bazzell of IntelTechniques.  Enter this in a web browser:

www.tinfoleak.com/reports/<TwitterUserName>.html

replacing <TwitterUserName> with a target Twitter account.

The results seem to vary, but when it works the readout gives you a very streamlined recap of hashtags, mentions, media posts and geotags.  Try it on a few accounts and see what works.

Protected Accounts?

With protected accounts we can’t see tweets unless we are approved by the account owner.  Try entering to:TwitterUserName in the search field of Twitter at the top right of your browser.

This will show you tweets sent to the protected account, which is like seeing half of a conversation.  Not ideal, but you can sometimes glean information.

This One Crazy Trick to Hack Protected Accounts

There is a theory online that if you create a brand new account, follow a protected account, log out, log back in and check the ‘who to follow’ section of your new account, you will see suggestions for accounts your protected target account has associations with.

This may have been a successful tactic a few years ago, but Twitter has updated the secret sauce to prevent this from working today.

So What Else Can We Do?

Analytics of a protected account just show the account creation date and what the user has in their profile.

PIPL Search

Head to Mike Bazzell’s search tools, click on Twitter on the left and enter the profile name into the PIPL search:

After you hit search take a look at your web URL:

https://api.pipl.com/search/v5/?username=realdonaldtrump&key=sample_key

realdonaldtrump is where the Twitter handle goes; you can just type in a new Twitter handle and try again.

sample_key shows that we are using a sample API key.  You will run into limitations on the sample key at some point if you do repeated searches.

I recommend registering on Pipl.com; they will give you free API keys to use.  If you hit the sample key limit, just copy and paste your key into the URL where it says sample_key.

The results vary just like any OSINT target will, but I have found real names, addresses, phone numbers, job history, and known associations just by searching a protected twitter account handle. 

When Does Your Target Sleep? - Sleepingtime.org

This site has a simple enough interface, but you have to sign in with Twitter to use the service.  Make a fake account if you don’t trust this.  You can also log into your Twitter account settings later and revoke the app’s access to your account here:

https://twitter.com/settings/applications

Ok, so when do I sleep?

That is fairly accurate, but note some caveats.  If the user is in a different time zone, or has their time zone set incorrectly, you will get some variance in this report.  Protected accounts do not report on sleeping time at all.

If our target works a 2nd or 3rd shift job, the sleeping patterns will be shifted.  If you are trying to locate somebody in real life (as, say, a private investigator might need to) this could be a great way to find your windows of opportunity to catch a target on the way to work.

The Jester’s Internet AWACS http://internetawacs.jesterscourt.cc/

The Jester’s site has a few settings with impressive readouts.  The Jester has different alert monitoring nodes that are driven from the Twitter firehose.  Check those out for fun and then run the Deep Dive Search on your target account.

Psyche, Activity and Geolocation are analyzed.  If you ever need somebody to test geolocation on, Steve Wozniak’s account @SteveWoz is good for target practice:

Geo maps

Ever since the free portion of Echosec became defunct, I’ve been looking for a good geo-mapping replacement for Twitter.  MapD and Tweetpaths are the sites I end up on the most now.

MapD from MIT - Mapd.csail.mit.edu/tweetmap

MIT’s MapD allows some map-based research on hashtags.  If you have a target that uses geotagging you can find tweets by hashtag within the last 30 days.

As you might expect, #grrcon, a security conference, only had about 5 geotag-enabled tweets with the conference name tagged.

However, the hashtag #iphone7 nets about 1400 geotag-enabled tweets in the last 30 days.

Tweetpaths.com

Once you find an account with geotags enabled, Tweetpaths.com is a great way to see where they’ve been.  This is another site that requires a sign-in with your Twitter account so, once again, use a fake account or know how to revoke the permissions afterwards.

We will pick on Woz again: enter his username in the top left, click on advanced options and check the ‘show path’ option:

We can see that Steve likes to tweet when travelling and at dinner time.

Further Down the Rabbit Hole – Osintframework.com

Once you’ve gathered some data with your Twitter ninja skills head over to Justin’s (@jnordine) www.osintframework.com and see what other data you can pivot your way into.  The framework has a few twitter tools up its sleeve:

I hope you enjoyed this peek into OSINT tactics on Twitter.  If you have any techniques to share or comments please drop me a line on Twitter @baywolf88

Happy OSINTing!

Derbycon Shenanigans

That time I used twitter to orchestrate an icing of Hacking Dave...

Why is there a Tropical Fruit flavor?!?

This is a small tale of one of the many shenanigans that ensue when you get a bunch of hackers together in the same area for a few days.  One of the traditions of Derbycon is a little game called 'Icing'.  You can Ice people with Smirnoff Ice, which is a questionable beverage at best.  These Derbycon Smirnoffs have usually been enhanced by being heated up as well (Yuck level +10... gross).  So you find a target and hand them a warm Smirnoff and they must chug it down.  (Side note - it's totally OK to decline an Icing - nobody is forced to do anything at Derbycon they don't want to.)  There are defensive bracelets available for purchase, the proceeds of which support Hackers for Charity.  However, if your Icer has more bracelets than you, your defense is invalidated.  Derbycon founder Hacking Dave Kennedy usually ices a speaker or two mid-talk, which is totally awesome.

@HackingDave sneak attack on @JaysonStreet mid talk

So Saturday evening @Skydog was setting up his ID maker machine in the Hyatt lobby.  I missed out on an ID the previous year, so I decided to jump in line.  While tweeting for people to come get in line for one of Skydog's awesome badges I noticed this message from @HumanHacker Chris Hadnagy:

I'm not equipped with any Smirnoff Ice... but I know somebody who is.  So I hit up @Nullspace on DM.

I don't know the specifics of where @nullspace was, how he found @HackingDave or how he made his Ice-hit go down right next to the Skydog ID badge line I was standing in.  But sometimes things just work out perfectly and this happened 4 minutes after my DM:

Tropical Icey Goodness for Hacking Dave and Nullspace getting photo proof for Human Hacker

The inevitable face you make after getting Iced

I get entertained while waiting in line, Nullspace gets a free ticket to BourbonCon, Human Hacker gets payback on Hacking Dave, Hacking Dave gets to experience the magic of Tropical Fruit flavored Smirnoff Ice... everybody wins!  Oh, and Hacking Dave, no need for revenge plotting.  I was collateral damage, Iced by Nullspace about 90 seconds later.

So Gross... Thanks Nullspace

All fun and games aside, a huge thanks to Dave Kennedy and all the staff for everything that is Derbycon.  The infosec community is a better place because of this conference.  This year was my 2nd Derbycon and 1st time ever as a conference speaker.  One of the talks I saw on OSINT last year at Derbycon set me on a path that helped me find my way into my own Infosec career. See you next year Derbycon!

PS Thanks for the badge @Skydog and for making it awkward @JaysonStreet