OSINT OPS

In this article I want to give a brief overview of the OSINT investigation methodologies in use, and some of my personal favorite tools.

Nowadays everything is online; sometimes even things we don't want online end up online. Social media has taken over the world, and no matter which part of the world you're in, somebody somewhere has their camera out.

Privacy is almost non-existent in the world we live in today, and investigators have a lot of tools available in their arsenal to discover many details about you.

So what does this all mean? In days of old we had bounty hunters who would ride horseback scouring the wilderness for scoundrels up to no good.

Today we have digital bounty hunters and professional OSINT specialists who scour the internet for information on any one subject or group.

Just like a private eye would search for clues in the physical realm, OSINT specialists can gather information, oftentimes without your knowledge.

Okay, so what does OSINT even mean? OSINT stands for Open Source Intelligence: information freely available online, and if you do a little digging you can find almost anything.

So now that we know, in a sense, who these investigators are and what they do, how do they do it? First we need to understand a few basic principles. In the spirit of Dick Tracy (a tough and intelligent police detective), a quote I like comes to mind:

"A good investigator needs to be conscious of his or her own thinking, and that thinking needs to be an intentional process."

Traditionally, in any investigation we ask the common questions: "who, what, where, when, why, and how". Who is the focus of this investigation, an individual or a group? Why is this person or group being investigated? Is the investigation legal? What purpose does the investigation serve? Is the person or group a danger to society? What are the motives for this investigation? Was there any crime committed? Is there already an ongoing investigation by law enforcement? To answer most of these questions, an investigator must have experience in the following areas of expertise.

Critical incident response; interpretation of criminal law, both for your jurisdiction and for the locale of the subject or target; evidence identification and preservation; forensic tools and evidence analysis; witness management; case preparation and documentation; and evidence preservation for court proceedings, in the event the investigation goes to court at a later date.

In addition to these skills of process and practice, investigators must also have strategic analytical thinking skills for risk assessment and effective incident response. Engaging these higher-level thinking skills is the measure of expertise and professionalism for investigators.

Okay, that's a class of learning in its own right, so let's keep it brief. What kind of information can be gathered? Usually the top piece of information gathered is location. So how do you find someone? There are a few options. Sometimes you will hear people say an IP address, and that may be the case; GeoIP location data, for example, is a great thing. However, the closest you would possibly get is a square kilometer, if you're lucky. Try your own and you'll see it's probably not even close. Additionally, some tech-savvy individuals rarely interact online without some form of proxy and/or VPN.

So in a nutshell, an IP address isn't really a viable source for a subject's location, though sometimes you do get lucky. What are some other options? The top possible identifiers would be something they have shared on social media. Usually you can connect them to someone else who overshares, and from there you could possibly find an image and do some location investigation.

So how can you find location data from an image? Honestly speaking, there is none greater than Google Images: you can upload an image and almost instantly get back a general location of a place, anywhere on the planet. Many clues can also be found in the pictures themselves: street signs, restaurant names, license plates, etc. Maybe they posted a review of a restaurant on Yelp lol. Oftentimes subjects are not aware of their surroundings when taking photographs and then sharing those online.

Social media: people are creatures of habit sometimes, and they post similar things on various platforms. Facebook, Instagram, Twitter, TikTok, Spotify, Tinder, all are treasure troves of information, and if they haven't posted identifying information, someone they are connected to has. Or they actually mention what they do for a living, especially if what they do is unique, and let's say they also mention the kind of car they drive.

Work data, email addresses, websites, blogs, GitHub and LinkedIn can also give a large amount of data: what school they attend, who they follow, what they like. For example, if they often post about or like a particular topic, you can often connect the dots back to other topics of interest and find even more information.

Okay, social media tools? There are many. My personal favorite is SpiderFoot; others include OSINT Framework, Google Dorks, Maltego, Recon-ng, theHarvester, Shodan, and so on. Just like doing an investigation or pentest on a company or corporation, the process is similar for people too.

Let's do a quick hypothetical scenario: a subject posts something online. They have a social media profile connected to that account or profile, or multiple accounts. Searching their social media history, they commented or shared something identifiable at some point in the past or present, or they shared a detail about someone close to them, let's say a family member. The family member has terrible opsec: they post things from work, pictures that have location data or that easily identify where they work. You identify where they work, and then where they live follows. Simple as that, isn't it?

Not really but kinda, sometimes.
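The scenario above turns on "pictures that have location data", meaning GPS tags in a photo's Exif metadata. The following is an added example, not code from the original post, showing the defensive side: a small parser that reads the GPS latitude/longitude from a JPEG's APP1 Exif segment (so you can check your own photos before sharing them) and a function that strips that segment out. The sample JPEG, its coordinates and the `build_sample_jpeg` helper are constructed for this example; the Exif/TIFF layout it walks is the standard one.

```python
import struct

# Byte sizes of the TIFF field types this example understands:
# 2 = ASCII, 4 = LONG, 5 = RATIONAL (two unsigned 32-bit ints)
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8}
TAG_GPS_IFD = 0x8825            # pointer from IFD0 to the GPS sub-IFD
GPS_TAGS = {0x0001: "lat_ref", 0x0002: "lat", 0x0003: "lon_ref", 0x0004: "lon"}


def _read_ifd(tiff, offset, order):
    """Return {tag: (type, count, raw_bytes)} for the IFD starting at `offset`."""
    (n,) = struct.unpack_from(order + "H", tiff, offset)
    entries, pos = {}, offset + 2
    for _ in range(n):
        tag, typ, count = struct.unpack_from(order + "HHI", tiff, pos)
        size = TYPE_SIZES.get(typ, 1) * count
        if size <= 4:                      # short values live inside the 4-byte value field
            raw = tiff[pos + 8:pos + 8 + size]
        else:                              # longer values are stored at an offset
            (off,) = struct.unpack_from(order + "I", tiff, pos + 8)
            raw = tiff[off:off + size]
        entries[tag] = (typ, count, raw)
        pos += 12
    return entries


def _dms_to_decimal(raw, ref, order):
    """Three RATIONALs (degrees, minutes, seconds) plus a hemisphere letter -> decimal degrees."""
    n = struct.unpack(order + "IIIIII", raw)
    value = n[0] / n[1] + (n[2] / n[3]) / 60 + (n[4] / n[5]) / 3600
    return -value if ref in ("S", "W") else value


def _segments(jpeg):
    """Yield (marker, start, end) for every marker segment before the scan data (SOS) or EOI."""
    pos = 2                                # skip the SOI marker
    while pos + 4 <= len(jpeg):
        (marker,) = struct.unpack_from(">H", jpeg, pos)
        if marker in (0xFFD9, 0xFFDA):     # EOI / SOS: no metadata follows
            break
        (length,) = struct.unpack_from(">H", jpeg, pos + 2)
        yield marker, pos, pos + 2 + length
        pos += 2 + length


def _is_exif(jpeg, marker, start):
    return marker == 0xFFE1 and jpeg[start + 4:start + 10] == b"Exif\x00\x00"


def gps_from_jpeg(jpeg):
    """Return (lat, lon) in decimal degrees if the file carries GPS Exif tags, else None."""
    for marker, start, end in _segments(jpeg):
        if not _is_exif(jpeg, marker, start):
            continue
        tiff = jpeg[start + 10:end]
        order = "<" if tiff[:2] == b"II" else ">"
        (ifd0,) = struct.unpack_from(order + "I", tiff, 4)
        ifd0_entries = _read_ifd(tiff, ifd0, order)
        if TAG_GPS_IFD not in ifd0_entries:
            return None
        (gps_off,) = struct.unpack(order + "I", ifd0_entries[TAG_GPS_IFD][2])
        gps = {GPS_TAGS[t]: raw for t, (_, _, raw) in _read_ifd(tiff, gps_off, order).items()
               if t in GPS_TAGS}
        if not all(k in gps for k in ("lat", "lat_ref", "lon", "lon_ref")):
            return None
        lat_ref = gps["lat_ref"].rstrip(b"\x00").decode("ascii")
        lon_ref = gps["lon_ref"].rstrip(b"\x00").decode("ascii")
        return (_dms_to_decimal(gps["lat"], lat_ref, order),
                _dms_to_decimal(gps["lon"], lon_ref, order))
    return None


def strip_exif(jpeg):
    """Return a copy of the JPEG with every APP1 Exif segment removed (image data untouched)."""
    out, last = bytearray(), 0
    for marker, start, end in _segments(jpeg):
        if _is_exif(jpeg, marker, start):
            out += jpeg[last:start]
            last = end
    out += jpeg[last:]
    return bytes(out)


def build_sample_jpeg():
    """Constructed input: SOI + one APP1 Exif segment + EOI, no real image data.
    The coordinates (43 deg 39' 0" N, 79 deg 23' 24" W) are made up for the example."""
    o = "<"                                # little-endian TIFF header ("II")
    rat = lambda *pairs: b"".join(struct.pack(o + "II", n, d) for n, d in pairs)
    lat, lon = rat((43, 1), (39, 1), (0, 1)), rat((79, 1), (23, 1), (24, 1))
    # Layout: header (8) | IFD0 (18) | GPS IFD (54) | lat rationals (24) | lon rationals (24)
    gps_off = 26
    lat_off, lon_off = gps_off + 54, gps_off + 54 + 24
    tiff = b"II" + struct.pack(o + "HI", 42, 8)
    tiff += struct.pack(o + "H", 1) + struct.pack(o + "HHII", TAG_GPS_IFD, 4, 1, gps_off)
    tiff += struct.pack(o + "I", 0)        # no IFD1
    tiff += struct.pack(o + "H", 4)
    tiff += struct.pack(o + "HHI", 0x0001, 2, 2) + b"N\x00\x00\x00"
    tiff += struct.pack(o + "HHII", 0x0002, 5, 3, lat_off)
    tiff += struct.pack(o + "HHI", 0x0003, 2, 2) + b"W\x00\x00\x00"
    tiff += struct.pack(o + "HHII", 0x0004, 5, 3, lon_off)
    tiff += struct.pack(o + "I", 0) + lat + lon
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


if __name__ == "__main__":
    sample = build_sample_jpeg()
    print("before strip:", gps_from_jpeg(sample))               # approximately (43.65, -79.39)
    print("after strip: ", gps_from_jpeg(strip_exif(sample)))   # None
```

Running the module reads the constructed coordinates back, then shows that the stripped copy no longer carries them. On a real photo you would pass the file's bytes to `gps_from_jpeg`; note that stripping APP1 also removes non-GPS Exif fields (camera model, timestamps), which for a photo you are about to post is usually what you want.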

Think of OSINT like being a detective: you look for clues, breadcrumbs, and you follow those clues down a rabbit hole until you find something viable. Everything you search, each crumb, is documented meticulously, as you never know which crumb will yield that one piece of information you need to break your case wide open.
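Both the "evidence identification and preservation" and "case preparation and documentation" skills listed earlier and the point just made about documenting every crumb come down to keeping a record that will hold up later. As an added example (not the author's own tooling), here is a minimal hash-chained evidence log: each finding stores the SHA-256 of the captured artifact and the hash of the previous entry, so any later edit to an entry, or removal of one, is detectable. The case id, URLs (on the reserved `example.invalid` domain), timestamps and captured bytes are constructed placeholders.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64   # prev_hash of the first entry in a case


def _entry_hash(entry):
    """SHA-256 over the canonical JSON of every field except the hash itself."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class EvidenceLog:
    """Append-only log of findings; each entry commits to the one before it."""

    def __init__(self, case_id):
        self.case_id = case_id
        self.entries = []

    def record(self, source, note, content, when=None):
        """Log one finding. `content` is the captured artifact (page, image) as bytes;
        only its SHA-256 goes in the log, the artifact itself is stored elsewhere."""
        when = when or datetime.now(timezone.utc)
        entry = {
            "case_id": self.case_id,
            "seq": len(self.entries) + 1,
            "timestamp": when.isoformat(),
            "source": source,
            "note": note,
            "content_sha256": hashlib.sha256(content).hexdigest(),
            "prev_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS,
        }
        entry["entry_hash"] = _entry_hash(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return the seq number of the first broken entry, or 0 if the chain is intact."""
        prev = GENESIS
        for e in self.entries:
            if e["prev_hash"] != prev or _entry_hash(e) != e["entry_hash"]:
                return e["seq"]
            prev = e["entry_hash"]
        return 0


def build_demo_log():
    """Constructed example: three crumbs from a made-up case, with fixed timestamps."""
    t0 = datetime(2022, 10, 8, 14, 0, tzinfo=timezone.utc)
    log = EvidenceLog("CASE-EXAMPLE-001")
    log.record("https://example.invalid/profile/alice", "public profile, mentions employer",
               b"<html>constructed capture</html>", t0)
    log.record("https://example.invalid/photo/123", "photo with restaurant sign in background",
               b"\xff\xd8 constructed bytes \xff\xd9", t0.replace(minute=12))
    log.record("https://example.invalid/reviews/bob", "relative's review of the same restaurant",
               b"constructed review text", t0.replace(minute=31))
    return log


def tampered_copy(log):
    """Simulate an after-the-fact edit to entry 2's note (the original log is untouched)."""
    copy = EvidenceLog(log.case_id)
    copy.entries = [dict(e) for e in log.entries]
    copy.entries[1]["note"] = "edited later"
    return copy


if __name__ == "__main__":
    log = build_demo_log()
    print("intact chain, first bad seq:", log.verify())             # 0
    print("tampered chain, first bad seq:", tampered_copy(log).verify())  # 2
```

`verify()` reports where the chain first breaks, which is what you want when reconstructing what happened; a real deployment would also write each entry to append-only storage and time-stamp or sign the latest `entry_hash` so the chain itself cannot be quietly regenerated.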

In 2019 my team and I won the OSINT CTF at BSides Toronto and were mentioned in the Trace Labs blog as Microwave Gang. During our CTF we helped the Toronto Police Service on an active criminal case, and we also tracked down a missing person back to Mainland China; my time in China helped there quite a bit, and so did the China proxy connection. My good friend Pupper wrote about it on his blog back then, TraceLabs CTF @ BSidesTO 2019. It was a great event put on by BSides Toronto, and I hope to attend this year on October 8th, 2022.

Speaking of Trace Labs, you can get involved today by being a part of a crowdsourced effort.

So what did I use during this event? I was asked after the event by some TPS Intelligence unit members, and I just told them Kali Linux. Mostly, just the internet, just like being in the streets.

Did you like this article? Should I post more on the OSINT topic? Let me know by emailing me, and be sure to put OSINT as the topic.

Also, don't forget to add me on Twitter.

In closing, this was just a high-level overview of the OSINT topic, and of course I'm not going to reveal publicly how I conduct my investigations, but if you want to learn from me, you can contact me about training, or if you have an OSINT job pending. And as a disclaimer, I only work with law enforcement, and I only work on legal cases within the confines of the law. I don't consider myself a "white hat", but I don't entertain any "black hat" activities whatsoever; I never break the law, and neither should you.