
My OSINT Blueprint – Methodology and Tools Part Two

My OSINT Blueprint Part Two: Usernames and Images

This took longer than I would have liked.

But unsurprisingly, work has been beyond crazy for the last few months, and getting the time to put thoughts on paper/fingers on the keyboard is way more challenging than it has been at other times. However, I had such an incredible response from my last post and similar content from GingerT and Micah Hoffman provided some further insights into the minds of those crazy enough to want to understand finding things on the Internet for a living.

Furthermore, since that last post, we formed the UK OSINT Community and held our first event in London in July. It was a phenomenal event with some incredible speakers and to see so many people attend, on a Friday, in awful summer conditions (opposed to good summer conditions!), was truly inspiring and showed just how much the UK needs a formal community to continue to push and promote OSINT. In addition to running events, we’re hoping to take things forward more with conferences and other forms of media in due course. Keep your 👀 peeled!

But back to the topic at hand, I feel like there are other avenues to consider and look at in terms of OSINT methodology. In the last post, I talked about email addresses and phone numbers and how we could use a combination of manual research, open-source tooling and some commercial offerings. This time, I thought about touching on username searches and imagery. How does that sound? Before I dive in, let’s caveat…

CAVEAT: Everything discussed in this series is around passive OSINT research. It does not involve interacting with a subject or doing anything that could be considered unethical or illegal, such as hacking into an account or social engineering on the subject to identify more information. I’m based in the UK and all OSINT research is conducted within the confines of the Computer Misuse Act (for better or worse) and within the code of ethics of membership bodies such as the Association of Crime & Intelligence Analysts and Security Institute.

Agreed? Right, let’s do some OSINT!

What’s in a Username?

Usernames are one of the easiest, but also most infuriating, things to try and build out as an OSINT analyst. There are a lot of tools (we’ll cover some!) and they all usually have one issue. False. Bloody. Positives.

Now usually, if you have a relatively unique username such as MrOSINT_London_1993 (hopefully made up and not a real person), then you can simply try this username on the sites you want to check. For example, on social media platforms like X or Instagram you can append the username after the domain (so https://x.com/MrOSINT_London_1993 for example). Now, problems begin when we realise that most of us humans are, in fact, mere mortals… And not very unique.

If you have a common name, or a username that on its own alludes to something else (like a fictional character, a sports team or a location), then it’s often the case that you’ll fire up a tool like WhatsMyName or Maigret and suddenly feel overwhelmed. You may occasionally also find that some research or services present every result as conclusive because no analysis has been done. And a key part of doing intelligence work is indeed analysis. What is this word and why are we scared of it? Well, usually because it means we have to do some leg work to figure things out, understand what makes sense and what helps us answer the intelligence requirement. As Freddy recently posted, it comes down to understanding the questions we’re trying to answer, the context in which we’re looking at the information and, probably more importantly, whether there are correlating factors that can give us increased confidence a profile belongs to the same subject (avatar, location, posting style, grammar or common ways of saying things, links to other profiles etc.).
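An added example, not from the original post, of that analysis step: scoring the hits a username search returns against a confirmed profile on the correlating factors listed above, so a bare username match never gets promoted on its own. The profiles, weights and thresholds are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Profile:
    site: str
    username: str
    avatar_hash: str = ""                      # hash of the avatar image, if one was captured
    location: str = ""
    links: set = field(default_factory=set)    # URLs to other profiles mentioned in the bio
    phrases: set = field(default_factory=set)  # distinctive turns of phrase seen in posts

# Weights for the correlating factors the post lists. Assumed values: tune them per case.
WEIGHTS = {"username": 1, "location": 1, "phrase": 1, "avatar": 3, "link": 3}

def score(hit: Profile, known: Profile) -> tuple:
    """Total the factors on which a username-search hit agrees with the confirmed subject profile."""
    reasons = []
    if hit.username.lower() == known.username.lower():
        reasons.append("username")
    if hit.avatar_hash and hit.avatar_hash == known.avatar_hash:
        reasons.append("avatar")
    if hit.location and hit.location.lower() == known.location.lower():
        reasons.append("location")
    if hit.links & known.links:                # both point at the same third profile
        reasons.append("link")
    if hit.phrases & known.phrases:
        reasons.append("phrase")
    return sum(WEIGHTS[r] for r in reasons), reasons

def triage(hits: list, known: Profile) -> list:
    """Rank hits best first; a bare username match scores 1 and stays 'unverified'."""
    ranked = []
    for h in hits:
        total, why = score(h, known)
        level = "probable" if total >= 4 else "possible" if total >= 2 else "unverified"
        ranked.append((h.site, total, level, why))
    return sorted(ranked, key=lambda r: -r[1])

# Constructed sample: a confirmed X profile plus three hits a WhatsMyName-style search might return.
KNOWN = Profile("x.com", "MrOSINT_London_1993", avatar_hash="ab12", location="London",
                links={"https://example.com/mrosint"}, phrases={"keep your eyes peeled"})
HITS = [
    Profile("instagram.com", "mrosint_london_1993", avatar_hash="ab12", location="London"),
    Profile("example-forum.test", "MrOSINT_London_1993", location="Leeds", phrases={"keep your eyes peeled"}),
    Profile("example-paste.test", "MrOSINT_London_1993"),
]

if __name__ == "__main__":
    for site, total, level, why in triage(HITS, KNOWN):
        print(f"{site:<22}{total:>3}  {level:<11}{'+'.join(why)}")
```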

So when it comes to usernames, there are plenty of options out there for doing some initial digging. I mentioned WhatsMyName and Maigret above, both are free to install or use from GitHub, but you can also use WhatsMyName’s web app over at whatsmyname.app, thanks to OSINT Combine for hosting! Likewise Maigret can be used on Telegram to run searches if you don’t necessarily want or have the ability to install tools from GitHub and get them working.

Another tool that’s continuing to come on leaps and bounds in this space is UserSearch. Earlier in 2024, the re-launched tool added a lot of very useful functionality, and it has an impressive roadmap to becoming effectively an all-in-one OSINT web application. It’s still in beta, so development is ongoing and there’s the occasional bug, but as well as the free username searching options, there are modules to search email addresses, phone numbers, web domains, images and more.

For commercial offerings on usernames, in part one I mentioned the likes of ShadowDragon, Social Links and OSINT Industries, and again these tools all offer username searching. Since the integration with Maltego, I have found myself using OSINT Industries a lot in this way for usernames, phone numbers and email address lookups, but that’s a preference I have being a huge nerd for link analysis and visualisation within my investigations.

Another and possibly less discussed avenue for username investigation would be data breach information. That daunting, huge and obviously super scary part of the Internet residing in the darkest recesses of the 1s and 0s. Actually that’s all a lie. There are several ways you could use data breach information within investigations without having to go “on the dark web” (Note: actually, a lot of the time you wouldn’t use the dark web at all to get this information, as most of it is available on the “surface web”). I think when it comes to things like email addresses this is relatively well understood, but often there are other bits of information that we could use in breach data, and usernames are one angle (you could also pivot via passwords too).

So to do this purely through OSINT, you would probably want a dedicated way of accessing dodgy forums, Telegram channels (at least for now pending the Telegram apocalypse) and enough storage to get hold of it all. It’s a long, often frustrating process but this would give you ways and means of curating your own data and having full control. It’s way more than a single blog could ever cover though, and if you are interested, I’d highly recommend Michael Bazzell’s digital guide on doing so, but if you’re willing to spend a relatively small amount of money, there are a few options that can let you search on usernames through breach data:

There are others too, such as DeHashed, but honestly I’m not sure if they still add data to the platform, so I can’t really recommend it as you may hamper your investigations with only older breach data. The three mentioned though are all affordable for searches and offer options from a day’s access to several months, or work on a credit basis. And they should be enough to cover most investigations. I think breach data is one of the most important aspects of OSINT investigations, and it’s the cornerstone of what my company, Perspective Intelligence, offers to clients. So understanding how and where you can leverage this data in different ways is paramount to uncovering or identifying new angles for investigation. I had a recent case where, by using breach data, I could identify with pretty high confidence several email addresses for an individual I couldn’t have found otherwise, some of which have led to further opportunities and a happy client. This does work and it’s a great way to look at usernames.

Another tool I will always bang the drum for is Spiderfoot. With over 200 modules, it collects data from a huge range of sources and covers usernames, email addresses, phone numbers, web domains and more. It hasn’t had an update on the open-source side since 2022, following the acquisition of Spiderfoot by Intel471, but hopefully some new modules and updates will be forthcoming soon. Please? Pretty please?! 🙏

Usernames are cool, but what about Images?

Right. I will get this one out now: I am not very good at geolocation stuff with imagery, and people that are scare the living shit out of me hahaha. But I’d suggest that geolocation is a skillset all of its own, and for this series I’m focusing more on people investigations, where imagery can be an important part of the process.

So today image searching has evolved beyond running a photo through Google/Bing/Yandex/TinEye (seriously, has anyone ever got a result from TinEye?!?!), and the adoption of facial recognition search engines is creepy, but spectacular for those of us engaged in the OSINT space.

While the options for free tools are incredibly sparse and of potentially dodgy origin (Faceagle for example has ties to Iran), we can still use this technology in ways to help our investigations. For instance, AWS Rekognition is Amazon’s facial recognition technology, but does allow you to run facial comparisons for free. So for example here’s my profile image along with my celebrity lookalike Tom Hardy:

In the red box within the response, you can see the similarity is a paltry 0.69, which means I do not look like Tom Hardy. However when comparing to an image of myself at a UK OSINT Community event…

This second image shows a 99.98% match, with the .02% probably being the alarming difference in colour between my hair and beard and my lovely, slimmer, photoshopped image. God that’s depressing.

But let’s bring this into an OSINT use-case, and obviously, using this technology to check how likely a profile is to be your subject is the first and most useful example. By using this technology you no longer have to squint or ask someone else’s opinion on whether they look the same; let the robots give you some numbers to back this up. What a world!
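An added example, not code from the post, showing how the CompareFaces call and its response shape fit the numbers above: the highest Similarity among the target faces is compared against a cut-off, and an empty response (no face in the target) is reported rather than treated as a miss. The 90% cut-off and the eu-west-2 region are assumptions, and the stand-in client replays a constructed response so the block runs offline.

```python
from typing import Optional

# Assumed working cut-off for "likely the same person": the post's 99.98% passes, 0.69% does not.
MATCH_THRESHOLD = 90.0

def compare_faces(client, source_jpeg: bytes, target_jpeg: bytes) -> dict:
    """Run CompareFaces on two image byte strings via a boto3-style rekognition client.
    SimilarityThreshold=0 makes every target face appear in FaceMatches with its score;
    the API default of 80 would instead file a 0.69% face under UnmatchedFaces."""
    return client.compare_faces(SourceImage={"Bytes": source_jpeg},
                                TargetImage={"Bytes": target_jpeg},
                                SimilarityThreshold=0)

def best_similarity(response: dict) -> Optional[float]:
    """Highest Similarity among the target faces, or None if the target held no face at all."""
    matched = response.get("FaceMatches", [])
    if not matched and not response.get("UnmatchedFaces"):
        return None
    return max((float(m["Similarity"]) for m in matched), default=0.0)

def verdict(response: dict, threshold: float = MATCH_THRESHOLD) -> str:
    """Turn a CompareFaces response into the analyst's call, keeping the score for the report."""
    sim = best_similarity(response)
    if sim is None:
        return "no face detected in target image"
    label = "likely same person" if sim >= threshold else "not the same person"
    return f"{label} ({sim:.2f}% similarity)"

class ConstructedClient:
    """Offline stand-in for boto3.client('rekognition') that replays a constructed response shape."""
    def __init__(self, similarities):
        self.similarities = similarities
    def compare_faces(self, **kwargs):
        return {"SourceImageFace": {"Confidence": 99.9},
                "FaceMatches": [{"Similarity": s, "Face": {"Confidence": 99.9}} for s in self.similarities],
                "UnmatchedFaces": []}

if __name__ == "__main__":
    # Real use: import boto3; client = boto3.client("rekognition", region_name="eu-west-2")
    for scores in ([0.69], [99.98], [12.5, 97.1], []):
        print(scores, "->", verdict(compare_faces(ConstructedClient(scores), b"src", b"tgt")))
```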

Other AI uses for this technology can include cleaning up or increasing the resolution of older images, which in turn could give you something else to search on. I had a case a year or so back where I was able to AI-upscale an image, clean it up and then compare it to another image of a subject, which helped me to confirm the account I got the older picture from was likely the same person. So shout out to https://letsenhance.io!

And of course, the facial recognition search engines such as PimEyes and FaceCheck are commercial options for searching across the Internet (and the latter does social media profiles). Also, a pro tip: UserSearch also offers searching via FaceCheck, but your credits won’t expire if you buy them through UserSearch, so that’s worth bearing in mind if you think you may not get total value for money from an initial purchase.

There are other options too, but they may feel uncomfortable for some – CamGirl Finder does what it says on the tin and could be useful in cases of trafficking, modern slavery etc., and FindClone is a Russian service which requires mobile phone registration. Earlier on in this post I mentioned Faceagle too, which has Iranian links, which may or may not be suitable for some OSINT investigators. Of course, risk tolerance and operational security (OpSec) concerns should be first and foremost for any investigation, so understanding where your tools come from, what they offer and potentially what you’re giving away is incredibly important.

There’s always the good old-fashioned manual analysis approach with imagery too: think about what’s inside an image, what you can identify, and whether there’s anything you could do further searches on, like a business name, phone number or landmark. Nowadays, with tools such as GeoSpy, identifying landmarks and locations has arguably never been easier. The free version of GeoSpy will also give you a city identifier, which may be enough for most investigations. If you can get pro access, then it’ll attempt to give you an exact location. Scary but incredible technology!

You may also find images contain useful metadata from time to time, depending on where you find them. Pretty much every major social media platform strips metadata out nowadays, so unless you find a Flickr account that gives EXIF data, you’re likely to be out of luck on social media. However, blogs and other types of website likely won’t automatically remove metadata, so it’s always worth considering depending on the source of the image.
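An added example, not code from the post, of what that metadata looks like at the byte level: a pure-Python walk over a JPEG’s segments that pulls the ASCII tags (Make, Model, DateTime) out of an Exif APP1 block, the kind a blog-hosted photo may still carry, plus a strip function that removes the block the way a platform does before publishing. The sample JPEG is constructed inline with made-up camera values.

```python
import struct
EXIF_TAGS = {0x010F: "Make", 0x0110: "Model", 0x0131: "Software", 0x0132: "DateTime"}  # TIFF/EXIF ids

def build_sample_jpeg() -> bytes:
    """Constructed sample: SOI, one APP1 Exif segment (little-endian TIFF, 3 ASCII tags), EOI."""
    tags = [(0x010F, b"ExampleCam\0"), (0x0110, b"Model-X\0"), (0x0132, b"2024:07:12 09:30:00\0")]
    data_off = 8 + 2 + 12 * len(tags) + 4         # first byte after IFD0, relative to the TIFF header
    entries = blob = b""
    for tag, s in tags:
        entries += struct.pack("<HHII", tag, 2, len(s), data_off + len(blob))
        blob += s
    tiff = b"II*\0" + struct.pack("<IH", 8, len(tags)) + entries + b"\0\0\0\0" + blob
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"

def iter_segments(jpeg: bytes):
    """Yield (marker, start, end) for each metadata segment that precedes SOS/EOI."""
    if jpeg[:2] != b"\xff\xd8": raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] not in (0xD9, 0xDA):
        end = pos + 2 + struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield jpeg[pos + 1], pos, end
        pos = end

def exif_strings(jpeg: bytes) -> dict:
    """ASCII tags of IFD0 from the first Exif APP1 segment; {} when the image carries none."""
    for marker, start, end in iter_segments(jpeg):
        payload = jpeg[start + 4:end]
        if marker != 0xE1 or not payload.startswith(b"Exif\0\0"):
            continue
        tiff = payload[6:]
        bo = "<" if tiff[:2] == b"II" else ">"     # "II" = little-endian, "MM" = big-endian
        ifd = struct.unpack(bo + "I", tiff[4:8])[0]
        count = struct.unpack(bo + "H", tiff[ifd:ifd + 2])[0]
        found = {}
        for i in range(count):
            entry = tiff[ifd + 2 + 12 * i: ifd + 14 + 12 * i]
            tag, typ, n, val = struct.unpack(bo + "HHII", entry)
            if typ == 2:                           # ASCII; the value sits inline when it fits in 4 bytes
                raw = entry[8:8 + n] if n <= 4 else tiff[val:val + n]
                found[EXIF_TAGS.get(tag, hex(tag))] = raw.rstrip(b"\0").decode("ascii", "replace")
        return found
    return {}

def strip_app1(jpeg: bytes) -> bytes:
    """Drop every APP1 segment (Exif/XMP), which is what a platform does before publishing."""
    out, last = b"", 0
    for marker, start, end in iter_segments(jpeg):
        if marker == 0xE1:
            out, last = out + jpeg[last:start], end
    return out + jpeg[last:]
```

Run `exif_strings(build_sample_jpeg())` to see the three tags, and `exif_strings(strip_app1(...))` to confirm the stripped file carries none.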

Overall, images are pivotal to OSINT investigators from every possible angle – geolocation, identification, or verification of profile ownership. Understanding how you can leverage technologies to further the impact your investigation can have is paramount for any OSINT professional. This is a light introduction, but if you’re fascinated by things like geolocation, then check out Benjamin Strick’s OSINT at Home series on YouTube!

Where Next?

So in the two posts so far, we’ve looked at emails, phone numbers, usernames and images. Is there anything left? (Haha of course there’s an endless trove of data types and sources!) This took me so much longer than I anticipated getting round to, but I’m thoroughly enjoying writing about OSINT Methodology and my approach to it. So let me know in the comments if there’s any specific topics you’d like to see me discuss.

Time for a beer (depending on what time you’re reading this) 🍻
