Blog

By Sarah Womer, Senior Analyst, Plessas Experts Network Inc.  

Prior to sharing OSINT products, research techniques, or related information, it is important to gauge whether the information should be shared in the first place. 

Traditionally, although OSINT is created from publicly available sources, the end product is often proprietary and, in some instances, classified based on the collection requirement, tradecraft, and methodologies used. Today, OSINT products are still often proprietary, confidential, and classified. Government Intelligence, Law Enforcement, Business Intelligence, and Private Investigators all create OSINT that may not be for public consumption. In addition, the definition of what is public differs between nation-states, agencies, organizations, and individuals. 

The OSINT Landscape has also radically changed with the open sharing of tradecraft, tactics, techniques, and tools since the early and mid-2000s with the changing digital ecosystem. OSINT practitioners now often collaboratively share inadvertently and directly. Oddly, even OSINT practitioners that may be at odds on a nation-state level through their governments may share tradecraft techniques through Social Media platforms simply by making a social media post on a topic. Investigative journalists have also increasingly become engaged in the OSINT field, as have non-profits, NGOs, and hobbyists. There are still government OSINT practitioners from a variety of governments that most likely lurk and passively collect versus post and engage. Many OSINT practitioners also engage collaboratively outside of work, but their work production remains proprietary.  I also sometimes wonder how many, if any, OSINT hobbyists or non-transparent OSINT social media accounts are government sock HUMINT puppets, as it is a plausible scenario. In addition, social media accounts pretending to be OSINT are engaged in influence activities versus OSINT creation, Fake OSINT. There is also confusion by non-OSINT practitioners on what OSINT is. I have seen many posts where a non-OSINT practitioner will refer to a Google Query as I “OSINTed” it versus I queried it. Researching something, as OSINT practitioners know, is not OSINT; it is a part of the process of creating OSINT.  

Regardless, not just OSINT, but in some instances, the sharing of OSINT tactics, techniques, procedures (TTPs), tools, tradecraft, and research should not be shared in an informal setting on social media as consideration should be given to how data is shared and what the data is.    

In the age of Social Media, where so many things can and are taken out of context, it is critically important to think about what is shared. Depending on the platform, there may be no paralinguistics to gauge, no tone, no physical tells, and sometimes just text. There is much room for miscommunication as one party may interpret the text differently than another. 

There is an opposite extreme - sharing nothing on Social Media. I have been there and practiced the art of passive collection before 2019, in which collection only occurred for research on social media with little to no sharing (because you are always at risk of a response). I did a test a decade ago to see what people would share with an overt sock puppet and found that many people are comfortable sharing information with a non-threatening persona, such as a dog. It was insightful as it showed what others would share, but I was still comfortably unnoticeable online. After the study, I then used that dog for animal rescue activities and made some wonderful friends. Today, there are thousands of dogs, cats, capybaras, and other “fake-identity” social media accounts. Some sock puppet social media accounts even have over a million followers and chat with influencer billionaires and politicians online, which amplifies their narratives.    

However, the art of not sharing in today’s digital environment as an OSINT practitioner may not be advisable for some, as many professional connections are now made on social media. Even though the number of followers should not impact the credibility and reliability of an OSINT practitioner, I suspect that it may. In some instances, the number of followers does reflect the expertise of the person, but in other instances, it does not. For example, there have been some fake OSINT accounts with high numbers of followers engaged in influence activities on social media resulting in far-reaching spread of misinformation. 

The hide-at-your-desk OSINT analyst in today's environment may be ignored simply for not speaking up, which equates to the concept of “if a tree falls in the forest but no one heard it, does it actually exist?” Unless, of course, that analyst is employed at an organization that celebrates a greater level of secrecy and social media silence. Ironically, this can also backfire as someone may then question why there is an absence of social media posts for that person. 

Multiple OSINT practitioners share on social media through the use of a fake persona or a sock puppet, which then raises the question of whether it is Cyber HUMINT and OSINT. If a research account engages with audiences, it is no longer simply an OSINT account, which brings the ongoing debate of where OSINT stops and HUMINT begins. Sometimes, this sock puppet use makes sense, and other times, it also raises the question of motivation. For example, is that OSINT sockpuppet from an adversarial state hiding because of fear of that government, or is that Social Media account a government entity? 

I remember my first feeling of exposure on social media in 2008. I shared a draft report on the potential of Terrorist Use of Twitter that was disseminated to a group of people via official email that had access to “For Official Use Only” who then shared it with larger groups of people within the same community. Someone then shared that report outside of the community and it was sent to the Federation of American Scientists (FAS), Wired, CNN, BBC, and a multitude of other channels. It was also shared on early social media, and pundits commented both for and against the draft report. Regardless, I was mortified and did not engage in social media. Fortunately, my client at the time got to have a wonderful interview with Defense News and received positive feedback for the product. I later got a letter of commendation from a really cool organization. At that time, OSINT analysts were not expected to publicly share collaboration, tools, means, and methodologies online.  We generally had small OSINT cluster communities of interest where we shared with each other, and there was an emphasis on not sharing on social media. 

I have gone back and forth on the limitations of sharing information. Recently, I was reminded that thoughtful consideration should occur before sharing information, and there is still something to be said about the art of not sharing. It does not mean analysts should hide behind a desk, although that is less threatening for some. I have come up with some suggested tips that collaborative community members can consider prior to sharing. 

Please note if you make a social media post it is not an OSINT Product but the OSINT collaborative community on Social Media does share- fact-checking, research techniques, resources, data, and other information that can be used for OSINT. OSINT communities will also sometimes share a product but the full product is generally not the post. For example, Bellingcat shares some outstanding products on Social Media by hotlinking.

Tips

• If the shared data does not represent your company or organization and if it is a personal social media account, make sure to always state on the account that it does not represent anyone other than yourself. Generally, a disclaimer in the social media profile should work. 

• If an observation is made on a resource before sharing, such as an article, it is typically not a stand-alone product and is usually from a larger resource. Always check that resource and cite it.

• If you comment or make an observation on an article, gauge how that hosting resource or other sources may react to it. For example, Elon Musk has sued the Center for Countering Digital Hate (CCH) for presenting research and data. In this instance, the CCDH gauged the risk of presenting the research and decided that sharing was worth the risk. 

• Consider the social media platform that you are on and the sharing limitations. Twitter, now X, as a platform, has a limited character set. If the context for the share can’t be added to a single post, don’t share it, or clearly mark and indicate that it is part of an organized thread. 

• Separately, if someone shares with you on X or another platform, check prior posts and whether they relate to the recent post. 

• LinkedIn generally ties directly to a person's place of employment, and personal opinions should be sparingly shared or shared with greater caution. Information that is shared should be supportive of professional goals and interests. 

• Each platform has a different culture and structure that impacts what and how a user should share. 

• If sharing information from a tool, don’t share the tool’s query response without citing it. If the tool may be unknown to the audience, explain how the tool works and why it is of interest. A tag to the tool may not suffice, as that can just be interpreted as a highlighted address. 

• Reference what intelligence gaps may exist when presenting data from a tool. It does not matter how good the tool is. It can be the best tool, and there is always room for error as humans create tools and humans make errors.

• If additional tools are used for information verification, then go back to the first point on whether the findings should be shared in the first place. Is the verified information important? What will the readers gain or interpret from it? How could it be misconstrued? 

• If the information to be shared is a vulnerability that could help protect others but possibly reflect negatively on a source, consider contacting the source directly versus posting it on social media. Sometimes, this may also backfire as the source of the vulnerability may not react positively. For example, in 2021, the Government of Missouri threatened to sue a journalist for sharing an open public vulnerability with a site. 

• In addition, if a vulnerability is noted but not fixed, highlighting it on social media can lead others to possibly exploit it. The vulnerability may still be exploited by someone at some time, even if not highlighted, as vulnerabilities often are exploited if left unfixed. However, instead of sharing the vulnerability on social media, contact the source of the vulnerability first to give the source a chance to fix it. If the source does not want to fix the vulnerability, then it may not be your problem. There is an exception to this concept, which is when a vulnerability is noted that could harm others, and the source won’t or can’t fix it. Then consideration should be given to whether there is another venue to provide the information to that is not public but that may fix the problem. A personal judgment also needs to be made on the degree of harm.  For example, if a domain had a vulnerability that could allow a visitor to receive a cryptojacker on their visiting operating system, a personal judgment would be made on whether to publicly share the observed vulnerability if it remains unfixed.

• There are instances where a vulnerability can’t or won’t be fixed. This exception is actually not unique and has been observed by multiple members in OSINT, INFOSEC, and hacking communities. I, and other analysts, often have examples of this, but we choose to responsibly not share our 2020, 2021, 2022, etc. epiphany on social media if it were to lead to adversarial exploitation. The important action is that the analyst contacted the appropriate venue to try and fix it. 

• If the observed vulnerability relates to national security, law enforcement, or military activities on Social Media, then the appropriate government channel should be contacted. For example, on August 26, 2021, I, and most certainly, other analysts, noted that there were live updates on Twitter from a user that was providing incremental consistent updates from claimed contact with ISIS-K, including passing a Taliban checkpoint, up to their attack on the Kabul airport with the last Tweet stating that it was to late to stop the attack. Reporting that type of information is a responsibility, even if you think it may have been reported, as you can’t assume it was. However, if the issue is reported in the news, such as BBC or CNN, then a judgment can be made that it does not have to be reported as the mainstream media are already covering it. For the observation on August 26, 2021, it was not reported in the news, and eventually, the account that claimed to be in contact with ISIS K was taken down. 

• Provide the context for why the information is shared. Data without shared context can be and is often misinterpreted. 

• One thing that many people forget in today’s media environment is what Marshall McCluhan said in 1964: “The Medium is the Massage” (sic) in which is meant the “Medium is the Message.” Is the medium that you are sharing the information on the best place to share? In many instances, a good old-fashioned phone call or email may be better than a public share.  Even if someone intends to be helpful, this can be seen as non-helpful to others who may interpret a social media post based on their cognitive biases or worldview.

Find Sarah on LinkedIn.

It is the holiday season and I thought I would give you my guide to the ultimate gifts for the OSINT analyst/investigator in your life. While I am posting this pre-Christmas, this list works for any holiday, even birthdays. Trust me, your OSINT fiend will love these any time.

OSINT gifts should most likely come in the form of software to use in investigations, however I added a couple hardware options as well. In no particular order:

Yubikey - from $25 Your analyst is going to highly value 2-factor authentication methods and Yubikey is the top of the security heap for this. Get this one and if they don’t already have one, it is a guaranteed win. You might go up a few notches in the perceived intelligence ratings as well.

1password - from $2.99/mo Speaking of security, password security is no joke. A password manager is a critical tool for someone with a number of accounts to manage. There are a number of managers out there, some free, like Keepass, and other low cost options like Dashlane and Lastpass. The preferences are subjective, but I find 1password might be the most popular among the security conscious OSINT analysts.

Maltego - from $999/year This one has a hefty price tag and the OSINT analyst will probably want to purchase additional “transforms” available from a number of sources, but it is a killer tool, capable of making a complex case easy to explain. It can trace bitcoin, website registrations or social network contact lists like a dream. It’s a very capable but relatively inexpensive (compared to the others in this class, like Analyst’s Notebook, below) link analysis tool that has weathered over a decade on the favorites list for many an OSINT investigator.

Builtwith Advanced - $99/year Get unlimited domain lookups with Builtwith for a low price. This is a fraction of the total Builtwith tool, but the most critical piece for OSINT analysts and investigators. For this low price, unlimited lookups can get you details like software used in building a website, including past builds, IP addresses and analytic accounts as well as ties to other websites using those IPs and accounts. It covers a good chunk (but definitely not all and not as far back into digital history) of what the DomainTools account does at a fraction of the price.

Norton VPN - $39.99/year There has to be a VPN on this list and Norton is my go to for two solid reasons. First, the price. They seem to always have a sale ($39.99 when I last checked) but even their regular price of $79.99/year is around the price of many of the competitors’ sale prices. The second reason is that Norton has been a trusted name in computer security for decades and you are only as private and secure as your VPN.

DomainTools Personal Membership - $995/year The personal membership for DomainTools has a limited amount of searches per category per month, but can be invaluable for OSINT research. DomainTools has a unique data set of internet history going back into the 1990’s that exists nowhere else. This is an invaluable tool for a researcher who is working with a number of online websites.

Hunch.ly - $129.99/year This relatively low cost tool can help a researcher keep track of the investigation as well as provide reports. Why worry about archiving evidence when Hunchly will do it for you automatically as you navigate the internet. Every page is screenshot and the html recorded and searchable so that no shred of evidence is misplaced. A fantastic value.

Manual to Online Public Records - $44.99 Everything is online, right? Maybe. But some of the online details are not as accessible without the proper guidance, and the author, OSINT subject matter expert, and librarian, Cynthia Hetherington, guides us through public record databases like no one else can. Her books are used as textbooks. Check out her other book, The Guide to Online Due Diligence Investigations.

Extreme Privacy - $41.84 This is the only privacy book on the list, but it’s a doozy. Author Michael Bazzell knows privacy like no other and shows what extremes you can go to to be private in America today. Every OSINT researcher knows the value of privacy. Check out his other unique book, Open Source Intelligence Techniques, used as a textbook in some universities.

ARCGIS - from $100/year If your OSINT friend loves maps and geography, grab a membership to the top of the line geographic analysis tool. The online version for individuals is surprisingly inexpensive and sure to give a big Wow! factor to your gift.

Analyst’s Notebook - from $9610 While it is definitely not cheap, this analyst tool is one of the top of many an analyst wish list. Capable of link analysis, concurrent timelines and geographic analysis and more, this tool is heavily used in corporate and government analysis organizations and has been for years. Considered top of its class, this tool also does not require any expensive addons to fully function but may require some serious training for use.

Shodan - from $59/month Known as the search engine for the “internet of things”, if it connects online, Shodan can help you find it. Shodan is a unique search engine with some crazy capabilities and your OSINT fiend will love being able to identify how many Amazon Echoes you own and whether you have online security cameras or doorbells.

Babel Street or Fivecast - I have no idea $$ If you have a lot of money you don’t know what to do with, your OSINT fiend would love a license to something premium, like Babel Street or Fivecast Onyx. This type of software will allow the researcher to geofence locations or monitor complex concepts, get analytics and more. You know it won’t be cheap and you have to contact their sales team to even get a ballpark price, but if you are looking for a killer gift that will blow someone away, this will do it.

VMWare - from $119.20 I had to add a virtual machine to the list, and VMWare is the top of the heap here. This tool will allow multiple virtual machines in a jiffy and help protect the main machine from malware. But don’t get confused with VMWare’s fancy lingo. Apparently plain English is not a strong suit - you are looking through their long list of products for the Workspace Desktop Hypervisors, and choose the Fusion version for Macs or the Workstation Pro and Player versions for Windows and Linux.

Sophos Home - $35.99/year covering 10 machines Why pay for antivirus in the time of capable free antivirus software? Control, plain and simple. If you have multiple devices (and your OSINT friend probably does), Sophos Home will give you a control point to manage the antivirus accounts on each machine. This means you can tell when one gets infected with malware and you can make sure each gets their software updates. Not only is this great for a user with multiple machines, this is perfect for keeping all the laptops in a family safe.

And of course

We highly recommend you give a subscription to our OSINT News database of curated tools and methodologies along with our premium high value newsletter - $65/year

Or, if you want to splurge, get our Comprehensive Training Bundle, including the OSINT News subscriptions, webinars and the latest full OSINT BASICs Training seminar (50+ hours of OSINTy goodness) for $2499

I wish you all the best in your investigations and happy holidays,

Kirby (and the crew: Kyle, Sarah and Heidi)

In his third and final project for his internship, Alec took a look at Buscador and explored the tools available. Alec, a sophomore CS student at the University of Arizona, provided screenshots and links as he discovered the capabilities of the tool. Here are his thoughts.

In my opinion, Buscador is a super useful tool for OSINT. The virtual machine comes fully loaded with many valuable, diverse investigative tools ranging from analysis of a target’s Twitter feed to searches based on a license plate. Overall, Buscador is an amazing tool, easy to understand, and capable of conducting deep, targeted searches.

To read his full report, click here.

Up until now, the intern program at Plessas Experts Network has been very informal. We have enjoyed the work of our fantastic interns and their contributions have helped our clients tremendously. We’ve recently gotten an influx of requests for internship, so it’s time to publicize what we require and expect from our interns and the benefits of interning with us.

Requirements:

• Student attending a college or university (undergraduate or graduate) located in the United States (we may open this to foreign students in the future, but not at this time)

• Has consistent access to internet service

• Can pass a background check

• Attention to detail

• Self-motivated (we will do weekly email checkins, but will not micro-manage)

• If you want college credits, you must negotiate that with your university

The virtual internship:

• 3 months/unpaid

• 3 research papers on techniques, methodologies or tools (usually incorporating your field of study)

• Research papers are due mid-month to allow for editing back-and-forth with staff

• Work from home/school

Benefits:

• Real-world valuable OSINT experience

• Resume material

• Published reports on plessas.net

If this fits you, please email your resume to info@plessas.net and include the subject line: Intern Inquiry

While Facebook Search appears to be as simple as plugging terms into the search field, the functionality of this search tool has long been complicated by apparent limitations of the results this search method produces. Facebook is a social network filled with vast data; much more information available than a basic search will yield.

Unfortunately, this June, Facebook cut off easy access to the bulk of the searchable data. Most of what can be searched now has to be done through their search interface. That means relying on the search bar again and facing its limitations, but these significant limitations may be overcome if you know how to do it.

This post will hopefully function as a guide to those who want or need to go further with Facebook search but are not web developers or marketing gurus. This is a guide for the lay-person.

Why do I need to go beyond the Facebook search bar?

In short, precision and efficiency drive the need to search beyond the data provided through the basic search field. This precision focuses searches, yielding results that are matched to exact users/pages/places.

When you perform a search in Facebook, based on the category of search that you choose, you will have a set of filters on the left sidebar to choose from. These filters vary greatly by topic. There are options for custom filters in almost all of these, but they are not keyword searches nor can you use ID numbers if you know them. Instead, the custom filters will populate with suggestions based on your keywords and you must choose one of the suggestions. If your desired custom filter is a specific user named “Mike Smith”, you must find the right Mike Smith among those suggested to you - and there will only be up to five suggestions to select from. Obviously there are more than five users named Mike Smith, and your Mike Smith may not show up on the suggestions unless you are friends or friends of friends. If you were able to identify the right Mike Smith and get his ID number, you still cannot use that as a search query in Facebook’s native search.

Nevertheless, that is not where this guide ends. There are a few tools out there that can help. Our favorite solutions include one created by S0wdust and another by Intelx.

While the tools are great shortcuts, when tools breakdown or go offline, it is important to know the information is still available and manually performing the searches is achievable for a layperson. With an understanding of the methodology a user may create new combinations and discover new searches. While this may be intimidating at first - with formulas starting in one format (JSON) and then being converted (encoded) into a gibberish-looking code (Base64) - it is a recipe that can be followed by anyone.

Knowing what JSON and Base64 are is not necessary to complete your searches. If you are interested to learn more about them, here are some references: JSON and Base64.

How to use the Facebook Matrix of formulas

1. On Facebook.com, perform a keyword search.

   • This search can be for anything and is changeable later.

   • Best practice is to keep it very short or to search for the same word as a result you would like to see. For example, if you will be looking for people named Mike Smith, search for “smith”

2. On the Facebook search results page, choose the category of search that matches your goals.

   • Posts, People, Photos, etc

   • If you are looking for someone named Mike Smith, choose People

3. Select a filter, any filter.

   • The goal is to get the Facebook URL to include the =FILTERS&filters= language

   • After this point in the URL, you will notice a string of letters and numbers. This is where the Base64 code begins.

4. Delete the current Base64 code so that the URL ends with =FILTERS&filters=

5. In a different tab, identify the ID numbers that you will need for your search

   • This could be a place ID, person ID, page ID, Group ID, etc

   • Go to plessas.net/facebookmatrix to learn how to get Facebook ID numbers

6. In the Facebook matrix at the bottom of plessas.net/facebookmatrix, identify the searches/JSON formulas you intend to use

7. Copy the JSON formula into a Base64 encoding tool

   • There are many Base64 encoding tools

   • Maybe the easiest to use for beginners is Base64encode.org

   • If you are combining two (or more?) JSON formulas

     • Remember that the outside braces of the formulas are only needed once

     • Put both formulas inside one set of braces

     • Separate the formulas with a comma

8. Copy the ID numbers previously identified on Facebook and insert into the JSON in the Base64 encoder

   • This must be done before running the encoder

9. ENCODE

10. Copy the Base64 results and return to Facebook. Paste the Base64 results immediately after =FILTERS&filters= and hit Enter or Return

11. The results should match your search choices

12. To edit the search keyword, look into the URL for it and change it

    • Do not edit it in the Facebook search field, this will reset your filters

    • If you are using two words, use %20 in the place of any spaces

13. Troubleshooting

    • Search results don’t seem right?

      • Check your category choice

      • Make sure you inserted your ID numbers in to JSON before encoding to Base 64

      • Check your keyword search

    • No results?

      • Check your category choice

      • Check your keyword search

    • Blank page or error page?

      • Make sure you converted the JSON to Base64

      • Make sure you inserted your ID numbers in to JSON before encoding to Base 64

If you want to get advanced, consider doing some of the searches through the regular Facebook interface and the converting them back from Base64 to discover the JSON strings used.

There are many great sources of OSINT tips and training online now. From the OSINT RocketChat to the OSINT Framework to Technisette’s great list of resources… and very many more. But something new is a coalition of OSINT professionals into a loose group called OSINTCurious. OSINTCurious hosts a biweekly live webcast (which is also broadcast as a podcast), a series of 10-minute videos and a blog.

Our own Kirby Plessas is a former advisor and founding member of OSINTCurious, and you can read up on the other members on the website.