
Tracking the Ad Trackers for OSINT OPSEC and Investigations

by Sarah Womer

Identifying which entities track visits to a domain can be helpful for OPSEC and OSINT investigations.

On January 14, 2023, I authored a LinkedIn blog post on “Domain Ads and Ad Analytics as an Information Resource for OSINT Investigations FouAnalytics PageXray for Domain Profiling a Propaganda Outlet.”

At the time, I noted-

“Typically, people will often look at Ad Analytics when visiting a domain for marketing, OPSEC risks, and privacy concerns. However, ad tracking, fingerprint canvassing, and other collection activities that can be viewed are also a resource of information for investigative collection. Just as metadata may be crucial to an OSINT investigation, so may Ad Analytics. Ad Analytics may be used for fraud investigations, Bot Detection, identifying authentication vulnerabilities between login and domain, foreign connections, domain relationships to other domains, domain profiling, and has other uses.” 

Ad Trackers on a domain can be used beyond marketing for user visitation surveillance. Visitors can be tracked after they leave the domain and targeted as a part of an attack. Checking who is tracking visitors on a domain is counter-surveillance and OPSEC. 

It is important to stress that the website owner or maintainer may not even be aware of the extent of the tracking, as many trackers are placed from a package of ads that are purchased through a third-party broker. Likewise, the service, such as a webpage builder or host, may have a built-in network of trackers. Easy website builders, for example, like GoDaddy, Wix, and Squarespace, may come with trackers. Site owners are able to check which third-party services are tracking on their domain but oftentimes don't. The reason for this flaw is simple: the identification and importance of that type of threat has been understated for years.

On May 11, 2023 Jonathan Pidgen at Media Analytics Global noted-

“Ad fraud is everyone’s problem, and there are very few exceptions. The majority of global brands have the same issues, so don't feel alone. You can't be blamed for something you never knew about. Let's learn together and grow together! The root of the problem is the "black box" legacy verification vendors. Their ineptitude has allowed "ad fraud" to flourish and become the "norm." The trade associations (ANA, IAB, TAG, etc.) have rubber-stamped the global epidemic of ad fraud by parroting the 1% IVT reported by legacy verification vendors.”

It is everyone's problem, as this type of fraud does not just impact marketing and branding; it impacts the consumers, customers, and visitors to a domain. In addition, tracking is sometimes a part of something larger or different than advertising. For example, what happens when a government uses browser fingerprinting and tracking as a third-party tracker on a domain? A government oftentimes has a larger budget and can buy ad-tracking technology just like a company, a charity, or anyone else. In addition, some government sites have ad tracking from third parties, which also may present security concerns.

For OSINT communities, most practitioners know that tracking is a threat to privacy and that it can compromise collection requirements. Many OSINT practitioners suggest ad blockers, malware removers, VPNs, privacy-enhanced search engines, and other options. However, unless a domain is visited with no-touch research techniques (including air gapping as an option) or a Virtual Machine with a VPN, there is still much wiggle room for error, especially when some third-party trackers that download to a computer are designed to evade blockers or may be hidden in creative ways.

Following are some compromise examples and suggestions on how to gauge tracking on a domain for OPSEC and investigations.

Scenario: Not Common But Occurs, Organizational Tracking

Much of the tracking present on the following domain is not ad tracking but organizational tracking. Tools used in the following example include FouAnalytics PageXray, DomainTools Whois, and Webbkoll (by Dataskydd.net).

National Bugle Neo NAZI Tracking

FouAnalytics PageXRay is used first, as I have found it to be the most comprehensive out of any of the tools for showing ad tracking and malvertising on a domain. It also provides an excellent first stop for OPSEC before visiting a URL and oftentimes provides pivotal information for an investigation.

Below is a description of the tool from Dr. Augustine Fou-

“The PageXray tool is a headless Chrome browser which loads a webpage and allows the javascript to run. A headless browser is a normal browser but one that does not have a screen. These are developer tools used to automate tasks like testing a webpage to make sure it loads correctly. With a headless browser, we go beyond the static code that is visible on the page when a user clicks "views source." We record all the network calls made by the javascript and preserve the "chains" of "what called what." Then we plot these in a tree graph that shows the cascade of what calls what to reveal the shocking number of ads and trackers and other things loaded into a webpage, often without the users' knowledge.”

As of August 7, 2023, FouAnalytics PageXray showed that visitors to the National Bugle had tracking as depicted on the following graph.

A cursory look from FouAnalytics PageXray shows this domain had tracking from the United States and Russia. It did not show any browser fingerprinting or supercookies. Of interest is that there are two instances of ad server requests from a Daily Stormer domain out of Russia. The Daily Stormer is not an ad company or ad tracker; it is another extremist Neo-Nazi domain that has been banned from multiple other locations. In this instance, confirming the location of the tracker is fairly clear, as there is no intermediary tracker between the National Bugle and the Daily Stormer.

For double-checking the Daily Stormer’s Russia location, there are options. In this instance, a basic WHOIS lookup was conducted with DomainTools. The WHOIS record reconfirmed a possible Russia connection to the tracking domain of the Daily Stormer that can be further investigated. A simple search engine query of the domain name “dailystormer.in” and Russia returned a 2017 Vox article by Aja Romano, “Neo-Nazi site Daily Stormer resurfaces with Russian domain following Google and GoDaddy bans”, which stated that the domain resurfaced in Russia during the 2017 timeframe.

For OPSEC, if tracking from Russia by a Neo-Nazi extremist organization is of concern, then enhanced security should be incorporated into visiting the site and into any collection plans. Possible risk mitigation measures include no-touch research with the Internet Archive Wayback Machine or other measures. If all that is needed is a preview of what is on a particular URL for OPSEC and a screenshot, then FouAnalytics PageXray provides that with a URL query of the domain.

In addition, FouAnalytics PageXRay provides a preview of all of the external links hot-linked on a page with their position on a page. This provides further security as the information is provided without touching the domain. The domain is touching Fou Analytics PageXRay. Below are examples of hotlinks that were available for preview with a hover versus a domain click on the FouAnalytics query that provided enhanced OPSEC and possible pivot points for an investigation.

Hovering over “Contact Us” showed that the listed Point of Contact for the National Bugle is Zio Watch. This is a possible pivot point for a domain or organization investigation.

Hovering Over “Join the Conversation” provided a lead for a social media venue for the organization on ChantNGo.

Hovering Over “Donate” requested fundraising donations through cryptocurrency.

In addition to showing where external links are on a page, FouAnalytics PageXray also provides a compiled list of external hotlinks on a URL that can be useful for OPSEC and investigations. Below is an excerpt from the compiled external links of the National Bugle domain URL as of August 6, 2023, via FouAnalytics PageXray, including several social media locations on VKontakte, a Russian social media platform. If the domain or organization were under investigation, this information may be useful.

FouAnalytics PageXray also provides a list of the internal links on a page and a list of ad-serving domains.

For the domain of The Daily Bugle, Internal Links provided further insights for fundraising through cryptocurrency. The Adserving Domains showed ads were served through WordPress. 

There are also several other options available on FouAnalytics PageXray that may be of use. A user can cross-compare the graph with the HTTP Archive (HAR) JSON and the Detailed JSON, which are offered for download. Additional insights on the tracking are also offered in the JSON. A download of the domain graph is also offered as SVG.

This is not a complete overview of FouAnalytics PageXray, as that would be an entire user manual, and Dr. Augustine Fou has authored multiple articles about this resource that are available on his LinkedIn page. This example simply introduced how to use FouAnalytics PageXray for checking a domain for OPSEC, privacy, and investigative leads.

In order to further check OPSEC as it relates to the domain and for further investigative leads, I am now going to pivot to Webbkoll by Dataskydd.net (Webbkoll).

Webbkoll describes itself as a tool that “monitors privacy-enhancing features on websites, and helps you find out who is letting you exercise control over your privacy.” This resource is useful to domain maintainers and visitors for OPSEC and investigations.

The following Webbkoll query results of the National Bugle provide additional OPSEC and investigative insights that are broken into sections of- front end summary, Content Security Policy, Reporting, HTTP Headers, Cookies, Third Party Requests, IP Address, and Raw Headers.

The front-end summary on this resource shows that the domain may have some vulnerabilities as it relates to privacy. It also shows that there were 18 requests to unique hosts, which further confirms findings on Fou Analytics PageXray that also depicted 18 “other requests.” It also has conveniently provided the IP for pivoting to IP investigations.

Next, this resource provided insights into a possible vulnerability with the Content Security Policy. A full explanation is provided by Webbkoll highlighting why this may be a vulnerability, including- “Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement to distribution of malware.”

In other words, from an OPSEC perspective, this site may not be safe to click on.

The next part of the Webbkoll query showed the CSP, Certificate Transparency, and Network Logging, explaining why they are important.

After that, Webbkoll provides OPSEC insights on the HTTP headers of the National Bugle and why they may be a problem. Webbkoll notes, “The referrer header is a privacy nightmare as it allows websites and services to track you across the web and learn about your browsing habits (and thus possibly private, sensitive information), particularly when combined with cookies.”

This resource then showed that no cookies are present, which is a good thing, but the HTTP headers issue is still of concern, and there were 18 other tracking-related requests.

Webbkoll’s Third-Party Requests data confirmed the FouAnalytics PageXray findings and listed the IP addresses of those 18 requests and whether each was secure or insecure.

In addition, a user can attain additional information from each URL. 

This may be overkill for an OPSEC check, but it can definitely be of use for a domain and organizational investigation and offers additional pivot points.

Webbkoll also offers further IP information and Raw Header data, including software of the server that may be of investigative use.
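As an added example that is not part of the original post and not code from the FouAnalytics or Webbkoll projects, the following Python script reads a downloaded HAR capture and reproduces the checks walked through above: the list of third-party hosts, the Referer-based chain of what called what, any insecure (http) requests, the Server header, and whether the main document sets Content-Security-Policy and Referrer-Policy. The HAR content and the hostnames are constructed placeholders.

```python
"""Audit a HAR capture for third-party requests, call chains and header hygiene.

The HAR below is hand-constructed to mimic a headless-browser export;
it is not a capture of any real site. Hostnames are placeholders.
"""
import json
from collections import defaultdict
from urllib.parse import urlsplit

SAMPLE_HAR = json.dumps({
    "log": {"entries": [
        # Main document: note the absence of CSP and Referrer-Policy headers.
        {"request": {"url": "https://example-news.test/", "headers": []},
         "response": {"status": 200, "headers": [
             {"name": "Content-Type", "value": "text/html"},
             {"name": "Server", "value": "nginx"}]}},
        # First-party asset on a subdomain (should not count as third party).
        {"request": {"url": "https://cdn.example-news.test/app.js",
                     "headers": [{"name": "Referer", "value": "https://example-news.test/"}]},
         "response": {"status": 200, "headers": []}},
        # Ad server called directly by the page.
        {"request": {"url": "https://ads.adnetwork-a.test/serve?slot=top",
                     "headers": [{"name": "Referer", "value": "https://example-news.test/"}]},
         "response": {"status": 200, "headers": []}},
        # Tracker loaded by the ad server, not by the page itself (a second hop).
        {"request": {"url": "https://tracker.adnetwork-b.test/pixel.gif",
                     "headers": [{"name": "Referer", "value": "https://ads.adnetwork-a.test/serve?slot=top"}]},
         "response": {"status": 200, "headers": []}},
        # Plain-http beacon: the kind of "insecure" request Webbkoll flags.
        {"request": {"url": "http://beacon.stats-c.test/collect?id=1",
                     "headers": [{"name": "Referer", "value": "https://example-news.test/"}]},
         "response": {"status": 200, "headers": []}},
    ]}
})


def registrable(host):
    """Approximate the registrable domain as the last two labels.
    Adequate for .com/.test; a production tool would use the Public Suffix List."""
    return ".".join(host.lower().split(".")[-2:])


def header(headers, name):
    """Case-insensitive lookup of a HAR header list; None if absent."""
    for h in headers:
        if h["name"].lower() == name.lower():
            return h["value"]
    return None


def load_entries(har_text):
    return json.loads(har_text)["log"]["entries"]


def first_party(entries):
    # The first entry is the navigated document in a normal capture.
    return registrable(urlsplit(entries[0]["request"]["url"]).hostname)


def third_party_hosts(entries):
    fp = first_party(entries)
    hosts = {urlsplit(e["request"]["url"]).hostname for e in entries}
    return sorted(h for h in hosts if registrable(h) != fp)


def call_chains(entries):
    """Map each referring host to the hosts it caused to load ("what called what")."""
    chains = defaultdict(set)
    for e in entries:
        ref = header(e["request"]["headers"], "Referer")
        if ref:
            chains[urlsplit(ref).hostname].add(urlsplit(e["request"]["url"]).hostname)
    return {k: sorted(v) for k, v in chains.items()}


def insecure_requests(entries):
    return [e["request"]["url"] for e in entries
            if urlsplit(e["request"]["url"]).scheme == "http"]


def header_findings(entries):
    """Flag missing protective headers on the main document."""
    hdrs = entries[0]["response"]["headers"]
    findings = []
    if header(hdrs, "Content-Security-Policy") is None:
        findings.append("no Content-Security-Policy: XSS/data-injection mitigation absent")
    if header(hdrs, "Referrer-Policy") is None:
        findings.append("no Referrer-Policy: full referrer may leak to third parties")
    return findings


def audit(har_text):
    entries = load_entries(har_text)
    return {
        "first_party": first_party(entries),
        "third_party_hosts": third_party_hosts(entries),
        "call_chains": call_chains(entries),
        "insecure_requests": insecure_requests(entries),
        "header_findings": header_findings(entries),
        "server": header(entries[0]["response"]["headers"], "Server"),
    }


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_HAR), indent=2))
```

Replace SAMPLE_HAR with the text of a real HAR download to run the same checks on a capture of your own.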

The FouAnalytics PageXray query, DomainTools Whois, and Webbkoll may be enough for an OPSEC assessment prior to visiting the domain. In most instances, a visit to FouAnalytics PageXray is enough in and of itself if the concern is a tracking check.

For pivoting in OSINT investigations, multiple leads were provided in this example that could be pivoted to additional resources such as urlscan.io, Joe Sandbox (to check for malware), BuiltWith, a backlinks checker like Ahrefs, ViewDNS.info, Shodan, and many others.

Contact Sarah Womer on LinkedIn.

To learn more techniques and how to apply these to your investigations, take Sarah’s full day class “Tracking the Trackers" on February 20 or On Demand.

Kirby Plessas
On Sharing Information on Social Media

By Sarah Womer, Senior Analyst, Plessas Experts Network Inc.  

Prior to sharing OSINT products, research techniques, or related information, it is important to gauge whether the information should be shared in the first place. 


Traditionally, although OSINT is created from publicly available sources, the end product is often proprietary and, in some instances, classified based on the collection requirement, tradecraft, and methodologies used. Today, OSINT products are still often proprietary, confidential, and classified. Government Intelligence, Law Enforcement, Business Intelligence, and Private Investigators all create OSINT that may not be for public consumption. In addition, the definition of what is public differs between nation-states, agencies, organizations, and individuals. 

The OSINT landscape has also radically changed with the open sharing of tradecraft, tactics, techniques, and tools since the early and mid-2000s as the digital ecosystem has changed. OSINT practitioners now often share collaboratively, both inadvertently and directly. Oddly, even OSINT practitioners whose governments are at odds on a nation-state level may share tradecraft techniques through social media platforms simply by making a social media post on a topic. Investigative journalists have also increasingly become engaged in the OSINT field, as have non-profits, NGOs, and hobbyists. There are still government OSINT practitioners from a variety of governments that most likely lurk and passively collect rather than post and engage. Many OSINT practitioners also engage collaboratively outside of work, but their work production remains proprietary.

I also sometimes wonder how many, if any, OSINT hobbyists or non-transparent OSINT social media accounts are government HUMINT sock puppets, as it is a plausible scenario. In addition, some social media accounts pretending to be OSINT are engaged in influence activities rather than OSINT creation: fake OSINT. There is also confusion among non-OSINT practitioners about what OSINT is. I have seen many posts where a non-OSINT practitioner will describe a Google query as “I OSINTed it” rather than “I queried it.” Researching something, as OSINT practitioners know, is not OSINT; it is a part of the process of creating OSINT.

Regardless, in some instances not just OSINT but also OSINT tactics, techniques, procedures (TTPs), tools, tradecraft, and research should not be shared in an informal setting on social media, as consideration should be given to how data is shared and what the data is.

In the age of Social Media, where so many things can and are taken out of context, it is critically important to think about what is shared. Depending on the platform, there may be no paralinguistics to gauge, no tone, no physical tells, and sometimes just text. There is much room for miscommunication as one party may interpret the text differently than another. 

There is an opposite extreme - sharing nothing on Social Media. I have been there and practiced the art of passive collection before 2019, in which collection only occurred for research on social media with little to no sharing (because you are always at risk of a response). I did a test a decade ago to see what people would share with an overt sock puppet and found that many people are comfortable sharing information with a non-threatening persona, such as a dog. It was insightful as it showed what others would share, but I was still comfortably unnoticeable online. After the study, I then used that dog for animal rescue activities and made some wonderful friends. Today, there are thousands of dogs, cats, capybaras, and other “fake-identity” social media accounts. Some sock puppet social media accounts even have over a million followers and chat with influencer billionaires and politicians online, which amplifies their narratives.    

However, the art of not sharing in today’s digital environment as an OSINT practitioner may not be advisable for some, as many professional connections are now made on social media. Even though the number of followers should not impact the credibility and reliability of an OSINT practitioner, I suspect that it may. In some instances, the number of followers does reflect the expertise of the person, but in other instances, it does not. For example, there have been some fake OSINT accounts with high numbers of followers engaged in influence activities on social media resulting in far-reaching spread of misinformation. 

The hide-at-your-desk OSINT analyst in today's environment may be ignored simply for not speaking up, which equates to the concept of “if a tree falls in the forest but no one heard it, does it actually exist?” Unless, of course, that analyst is employed at an organization that celebrates a greater level of secrecy and social media silence. Ironically, this can also backfire as someone may then question why there is an absence of social media posts for that person. 

Multiple OSINT practitioners share on social media through the use of a fake persona or a sock puppet, which then raises the question of whether it is Cyber HUMINT and OSINT. If a research account engages with audiences, it is no longer simply an OSINT account, which brings the ongoing debate of where OSINT stops and HUMINT begins. Sometimes, this sock puppet use makes sense, and other times, it also raises the question of motivation. For example, is that OSINT sockpuppet from an adversarial state hiding because of fear of that government, or is that Social Media account a government entity? 

I remember my first feeling of exposure on social media in 2008. I shared a draft report on the potential terrorist use of Twitter that was disseminated via official email to a group of people who had access to “For Official Use Only” material, who then shared it with larger groups of people within the same community. Someone then shared that report outside of the community, and it was sent to the Federation of American Scientists (FAS), Wired, CNN, BBC, and a multitude of other channels. It was also shared on early social media, and pundits commented both for and against the draft report. Regardless, I was mortified and did not engage in social media. Fortunately, my client at the time got to have a wonderful interview with Defense News and received positive feedback for the product. I later got a letter of commendation from a really cool organization. At that time, OSINT analysts were not expected to publicly share collaboration, tools, means, and methodologies online. We generally had small OSINT cluster communities of interest where we shared with each other, and there was an emphasis on not sharing on social media.

I have gone back and forth on the limitations of sharing information. Recently, I was reminded that thoughtful consideration should occur before sharing information, and there is still something to be said about the art of not sharing. It does not mean analysts should hide behind a desk, although that is less threatening for some. I have come up with some suggested tips that collaborative community members can consider prior to sharing. 

Please note that a social media post is not itself an OSINT product, but the OSINT collaborative community on social media does share fact-checking, research techniques, resources, data, and other information that can be used for OSINT. OSINT communities will also sometimes share a product, but the full product is generally not the post. For example, Bellingcat shares some outstanding products on social media by hotlinking.

Tips

  • If the shared data does not represent your company or organization and if it is a personal social media account, make sure to always state on the account that it does not represent anyone other than yourself. Generally, a disclaimer in the social media profile should work. 

  • If an observation is made on a resource before sharing, such as an article, it is typically not a stand-alone product and is usually from a larger resource. Always check that resource and cite it.

  • If you comment or make an observation on an article, gauge how that hosting resource or other sources may react to it. For example, Elon Musk has sued the Center for Countering Digital Hate (CCDH) for presenting research and data. In this instance, the CCDH gauged the risk of presenting the research and decided that sharing was worth the risk.

  • Consider the social media platform that you are on and the sharing limitations. Twitter, now X, as a platform, has a limited character set. If the context for the share can’t be added to a single post, don’t share it, or clearly mark and indicate that it is part of an organized thread. 

  • Separately, if someone shares with you on X or another platform, check prior posts and whether they relate to the recent post. 

  • LinkedIn generally ties directly to a person's place of employment, and personal opinions should be sparingly shared or shared with greater caution. Information that is shared should be supportive of professional goals and interests. 

  • Each platform has a different culture and structure that impacts what and how a user should share. 

  • If sharing information from a tool, don’t share the tool’s query response without citing it. If the tool may be unknown to the audience, explain how the tool works and why it is of interest. A tag to the tool may not suffice, as that can just be interpreted as a highlighted address. 

  • Reference what intelligence gaps may exist when presenting data from a tool. It does not matter how good the tool is. It can be the best tool, and there is always room for error as humans create tools and humans make errors.

  • If additional tools are used for information verification, then go back to the first point on whether the findings should be shared in the first place. Is the verified information important? What will the readers gain or interpret from it? How could it be misconstrued? 

  • If the information to be shared is a vulnerability that could help protect others but possibly reflect negatively on a source, consider contacting the source directly versus posting it on social media. Sometimes, this may also backfire as the source of the vulnerability may not react positively. For example, in 2021, the Government of Missouri threatened to sue a journalist for sharing an open public vulnerability with a site. 

  • In addition, if a vulnerability is noted but not fixed, highlighting it on social media can lead others to possibly exploit it. The vulnerability may still be exploited by someone at some time, even if not highlighted, as vulnerabilities often are exploited if left unfixed. However, instead of sharing the vulnerability on social media, contact the source of the vulnerability first to give the source a chance to fix it. If the source does not want to fix the vulnerability, then it may not be your problem. There is an exception to this concept, which is when a vulnerability is noted that could harm others, and the source won’t or can’t fix it. Then consideration should be given to whether there is another venue to provide the information to that is not public but that may fix the problem. A personal judgment also needs to be made on the degree of harm.  For example, if a domain had a vulnerability that could allow a visitor to receive a cryptojacker on their visiting operating system, a personal judgment would be made on whether to publicly share the observed vulnerability if it remains unfixed.

  • There are instances where a vulnerability can’t or won’t be fixed. This exception is actually not unique and has been observed by multiple members in OSINT, INFOSEC, and hacking communities. I, and other analysts, often have examples of this, but we choose to responsibly not share our 2020, 2021, 2022, etc. epiphany on social media if it were to lead to adversarial exploitation. The important action is that the analyst contacted the appropriate venue to try and fix it. 

  • If the observed vulnerability relates to national security, law enforcement, or military activities on social media, then the appropriate government channel should be contacted. For example, on August 26, 2021, I, and most certainly other analysts, noted that there were live updates on Twitter from a user that was providing incremental, consistent updates from claimed contact with ISIS-K, including passing a Taliban checkpoint, up to their attack on the Kabul airport, with the last Tweet stating that it was too late to stop the attack. Reporting that type of information is a responsibility, even if you think it may have been reported, as you can’t assume it was. However, if the issue is reported in the news, such as by BBC or CNN, then a judgment can be made that it does not have to be reported, as the mainstream media are already covering it. For the observation on August 26, 2021, it was not reported in the news, and eventually the account that claimed to be in contact with ISIS-K was taken down.

  • Provide the context for why the information is shared. Data without shared context can be and is often misinterpreted. 

  • One thing that many people forget in today’s media environment is what Marshall McLuhan said in 1964: “The Medium is the Massage” (sic), by which is meant “the medium is the message.” Is the medium that you are sharing the information on the best place to share? In many instances, a good old-fashioned phone call or email may be better than a public share. Even if someone intends to be helpful, this can be seen as non-helpful by others who may interpret a social media post based on their cognitive biases or worldview.

Find Sarah on LinkedIn.

Kirby Plessas
OSINT Lover's Gift Guide

It is the holiday season and I thought I would give you my guide to the ultimate gifts for the OSINT analyst/investigator in your life. While I am posting this pre-Christmas, this list works for any holiday, even birthdays. Trust me, your OSINT fiend will love these any time.

OSINT gifts should most likely come in the form of software to use in investigations, however I added a couple hardware options as well. In no particular order:

YubiKey - from $25 Your analyst is going to highly value 2-factor authentication methods, and YubiKey is the top of the security heap for this. Get this one, and if they don’t already have one, it is a guaranteed win. You might go up a few notches in the perceived intelligence ratings as well.

1Password - from $2.99/mo Speaking of security, password security is no joke. A password manager is a critical tool for someone with a number of accounts to manage. There are a number of managers out there, some free, like KeePass, and other low-cost options like Dashlane and LastPass. The preferences are subjective, but I find 1Password might be the most popular among the security-conscious OSINT analysts.

Maltego - from $999/year This one has a hefty price tag and the OSINT analyst will probably want to purchase additional “transforms” available from a number of sources, but it is a killer tool, capable of making a complex case easy to explain. It can trace bitcoin, website registrations or social network contact lists like a dream. It’s a very capable but relatively inexpensive (compared to the others in this class, like Analyst’s Notebook, below) link analysis tool that has weathered over a decade on the favorites list for many an OSINT investigator.

BuiltWith Advanced - $99/year Get unlimited domain lookups with BuiltWith for a low price. This is a fraction of the total BuiltWith tool, but the most critical piece for OSINT analysts and investigators. For this low price, unlimited lookups can get you details like software used in building a website, including past builds, IP addresses, and analytics accounts, as well as ties to other websites using those IPs and accounts. It covers a good chunk (but definitely not all, and not as far back into digital history) of what the DomainTools account does at a fraction of the price.

Norton VPN - $39.99/year There has to be a VPN on this list and Norton is my go to for two solid reasons. First, the price. They seem to always have a sale ($39.99 when I last checked) but even their regular price of $79.99/year is around the price of many of the competitors’ sale prices. The second reason is that Norton has been a trusted name in computer security for decades and you are only as private and secure as your VPN.

DomainTools Personal Membership - $995/year The personal membership for DomainTools has a limited amount of searches per category per month, but can be invaluable for OSINT research. DomainTools has a unique data set of internet history going back into the 1990’s that exists nowhere else. This is an invaluable tool for a researcher who is working with a number of online websites.

Hunch.ly - $129.99/year This relatively low cost tool can help a researcher keep track of the investigation as well as provide reports. Why worry about archiving evidence when Hunchly will do it for you automatically as you navigate the internet. Every page is screenshot and the html recorded and searchable so that no shred of evidence is misplaced. A fantastic value.

Manual to Online Public Records - $44.99 Everything is online, right? Maybe. But some of the online details are not as accessible without the proper guidance, and the author, OSINT subject matter expert, and librarian, Cynthia Hetherington, guides us through public record databases like no one else can. Her books are used as textbooks. Check out her other book, The Guide to Online Due Diligence Investigations.

Extreme Privacy - $41.84 This is the only privacy book on the list, but it’s a doozy. Author Michael Bazzell knows privacy like no other and shows what extremes you can go to to be private in America today. Every OSINT researcher knows the value of privacy. Check out his other unique book, Open Source Intelligence Techniques, used as a textbook in some universities.

ArcGIS - from $100/year If your OSINT friend loves maps and geography, grab a membership to the top-of-the-line geographic analysis tool. The online version for individuals is surprisingly inexpensive and sure to give a big Wow! factor to your gift.

Analyst’s Notebook - from $9610 While it is definitely not cheap, this analyst tool is at the top of many an analyst's wish list. Capable of link analysis, concurrent timelines, geographic analysis, and more, this tool is heavily used in corporate and government analysis organizations and has been for years. Considered top of its class, this tool also does not require any expensive add-ons to fully function but may require some serious training for use.

Shodan - from $59/month Shodan is known as the search engine for the “internet of things”: if it connects online, Shodan can help you find it. Shodan is a unique search engine with some crazy capabilities, and your OSINT fiend will love being able to identify how many Amazon Echoes you own and whether you have online security cameras or doorbells.

Babel Street or Fivecast - I have no idea $$ If you have a lot of money you don’t know what to do with, your OSINT fiend would love a license to something premium, like Babel Street or Fivecast Onyx. This type of software will allow the researcher to geofence locations or monitor complex concepts, get analytics and more. You know it won’t be cheap and you have to contact their sales team to even get a ballpark price, but if you are looking for a killer gift that will blow someone away, this will do it.

VMware - from $119.20 I had to add a virtual machine to the list, and VMware is the top of the heap here. This tool lets you spin up multiple virtual machines in a jiffy and helps protect the main machine from malware. But don’t get confused with VMware’s fancy lingo. Apparently plain English is not a strong suit - you are looking through their long list of products for the Workspace Desktop Hypervisors, and choose the Fusion version for Macs or the Workstation Pro and Player versions for Windows and Linux.

Sophos Home - $35.99/year covering 10 machines Why pay for antivirus in the time of capable free antivirus software? Control, plain and simple. If you have multiple devices (and your OSINT friend probably does), Sophos Home will give you a control point to manage the antivirus accounts on each machine. This means you can tell when one gets infected with malware and you can make sure each gets their software updates. Not only is this great for a user with multiple machines, this is perfect for keeping all the laptops in a family safe.

And of course

We highly recommend you give a subscription to our OSINT News database of curated tools and methodologies along with our premium high value newsletter - $65/year

Or, if you want to splurge, get our Comprehensive Training Bundle, including the OSINT News subscriptions, webinars and the latest full OSINT BASICs Training seminar (50+ hours of OSINTy goodness) for $2499

I wish you all the best in your investigations and happy holidays,

Kirby (and the crew: Kyle, Sarah and Heidi)

Kirby Plessas
Dealing with cancelations and shutdowns due to the pandemic

We at Plessas Experts Network (PEN) are sincerely hoping that this coronavirus pandemic is both short-lived and not as deadly as it would seem, but we are preparing for the worst. We realize that events are (rightly) being cancelled around the globe. But while these events are cancelled, we know that criminals are not cancelling their plans. If anything, there are opportunities for crimes created by the level of uncertainty in this time.

What are we doing to prepare? Well, most of our staff work at home when not out at events, so we are continuing that work. The team is taking care of themselves and their immediate families by following what the CDC and local jurisdictions recommend, including washing hands often and disinfecting when applicable.

For coursework, PEN has moved much of our content online into our Academy and has started a series of methodology webinars to help fill the training gaps. The webinars can be accessed directly from the Academy webpage or soon via our calendar of events.

We will continue to book direct custom classes available through our Academy until in-person hands-on classes become available again.

As a small business, we understand the pressures these cancellations put on businesses and their staff. We are also available to help others who do not yet have the capability to host virtual courses, whether with hosting or with technical help in setting up a similar academy. The only way we will get through this is to do it together.

Kirby Plessas
Alec Miller reviews Buscador for OSINT

In his third and final project for his internship, Alec took a look at Buscador and explored the tools available. Alec, a sophomore CS student at the University of Arizona, provided screenshots and links as he discovered the capabilities of the tool. Here are his thoughts.

In my opinion, Buscador is a super useful tool for OSINT. The virtual machine comes fully loaded with many valuable, diverse investigative tools ranging from analysis of a target’s Twitter feed to searches based on a license plate. Overall, Buscador is an amazing tool, easy to understand, and capable of conducting deep, targeted searches.

To read his full report, click here.

Kirby Plessas
Interning with Plessas Experts Network

Up until now, the intern program at Plessas Experts Network has been very informal. We have enjoyed the work of our fantastic interns and their contributions have helped our clients tremendously. We’ve recently gotten an influx of requests for internship, so it’s time to publicize what we require and expect from our interns and the benefits of interning with us.

Requirements:

  • Student attending a college or university (undergraduate or graduate) located in the United States (we may open this to foreign students in the future, but not at this time)

  • Has consistent access to internet service

  • Can pass a background check

  • Attention to detail

  • Self-motivated (we will do weekly email check-ins, but will not micro-manage)

  • If you want college credits, you must negotiate that with your university

The virtual internship:

  • 3 months/unpaid

  • 3 research papers on techniques, methodologies or tools (usually incorporating your field of study)

  • Research papers are due mid-month to allow for editing back-and-forth with staff

  • Work from home/school

Benefits:

  • Real-world valuable OSINT experience

  • Resume material

  • Published reports on plessas.net

If this fits you, please email your resume to info@plessas.net and include the subject line: Intern Inquiry

Kirby Plessas
Alec Miller Demos Recon-ng for new OSINT Investigators

Our second installment from our summer intern, Alec Miller, now a sophomore CS student at the University of Arizona, covers Recon-ng. Alec gives screenshots and lots of details that will get new users started.


Recon-NG is a powerful OSINT penetration tool that I explored for my second project as the Plessas Experts Network intern. While Recon-NG is limited to running in a Linux environment, there are workarounds (dual booting or downloading a virtual machine) that allow a Windows PC user to access its capabilities. For my examples, I used Oracle’s virtual machine known as VirtualBox* to run Kali-Linux on my PC in order to run Recon-NG. For help with downloading and running the virtual machine and Kali-Linux, this video is very helpful.

Download the full report.

Kirby Plessas
Alec Miller reviews Spiderfoot for beginners.

Occasionally we will take on interns. We generally have them take on a tool or methodology, learn it, and explain it to people who have never used the tool before. This summer, Alec Miller, now a sophomore CS student at the University of Arizona, took on three tools and gave us his notes. Those tools were:

  • Spiderfoot

  • ReconNG

  • Buscador

Over the next few weeks we will be publishing his reports. Here is his conclusion on Spiderfoot:


“Spiderfoot as a whole is an amazing OSINT resource, but in the settings tab, there are more in-depth options which could allow the user to have deeper searches on their target. Each selection with a lock next to the name has an option to add an API Key. These keys will allow the program to access more sources to gather intel from! These API keys that are gathered from various websites are very useful in regards to OSINT. Every key that is acquired should be kept safe and known in case of future programs requiring certain keys.

Spiderfoot is a great program to begin using when starting out with OSINT. It’s very easy to navigate through the program and gathering information is very straightforward. One of the great things about Spiderfoot is the ease of using the program while also having the ability to go deeper into the settings, add some API keys, maybe change some other settings and as a result have more in depth searches because of it. Spiderfoot is a very dynamic program, great for both beginners and experts of OSINT.”

Download his full report.

Kirby Plessas
On Facebook Searching

While Facebook Search appears to be as simple as plugging terms into the search field, the functionality of this search tool has long been complicated by apparent limitations of the results this search method produces. Facebook is a social network filled with vast data, with much more information available than a basic search will yield.

Unfortunately, this June, Facebook cut off easy access to the bulk of the searchable data. Most of what can be searched now has to be done through their search interface. That means relying on the search bar again and facing its limitations, but these significant limitations may be overcome if you know how to do it.

This post will hopefully function as a guide to those who want or need to go further with Facebook search but are not web developers or marketing gurus. This is a guide for the lay-person.

Why do I need to go beyond the Facebook search bar?

In short, precision and efficiency drive the need to search beyond the data provided through the basic search field. This precision focuses searches, yielding results that are matched to exact users/pages/places.

When you perform a search in Facebook, based on the category of search that you choose, you will have a set of filters on the left sidebar to choose from. These filters vary greatly by topic. There are options for custom filters in almost all of these, but they are not keyword searches nor can you use ID numbers if you know them. Instead, the custom filters will populate with suggestions based on your keywords and you must choose one of the suggestions. If your desired custom filter is a specific user named “Mike Smith”, you must find the right Mike Smith among those suggested to you - and there will only be up to five suggestions to select from. Obviously there are more than five users named Mike Smith, and your Mike Smith may not show up on the suggestions unless you are friends or friends of friends. If you were able to identify the right Mike Smith and get his ID number, you still cannot use that as a search query in Facebook’s native search.

Nevertheless, that is not where this guide ends. There are a few tools out there that can help. Our favorite solutions include one created by S0wdust and another by Intelx.

While the tools are great shortcuts, when tools break down or go offline, it is important to know the information is still available and that manually performing the searches is achievable for a layperson. With an understanding of the methodology, a user may create new combinations and discover new searches. While this may be intimidating at first - with formulas starting in one format (JSON) and then being converted (encoded) into a gibberish-looking code (Base64) - it is a recipe that can be followed by anyone.

Knowing what JSON and Base64 are is not necessary to complete your searches. If you are interested to learn more about them, here are some references: JSON and Base64.

How to use the Facebook Matrix of formulas

  1. On Facebook.com, perform a keyword search.

    • This search can be for anything and is changeable later.

    • Best practice is to keep it very short or to search for the same word as a result you would like to see. For example, if you will be looking for people named Mike Smith, search for “smith”.

  2. On the Facebook search results page, choose the category of search that matches your goals.

    • Posts, People, Photos, etc.

    • If you are looking for someone named Mike Smith, choose People

  3. Select a filter, any filter.

    • The goal is to get the Facebook URL to include the =FILTERS&filters= language

    • After this point in the URL, you will notice a string of letters and numbers. This is where the Base64 code begins.

  4. Delete the current Base64 code so that the URL ends with =FILTERS&filters=

  5. In a different tab, identify the ID numbers that you will need for your search

    • This could be a place ID, person ID, page ID, Group ID, etc.

    • Go to plessas.net/facebookmatrix to learn how to get Facebook ID numbers

  6. In the Facebook matrix at the bottom of plessas.net/facebookmatrix, identify the searches/JSON formulas you intend to use

  7. Copy the JSON formula into a Base64 encoding tool

    • There are many Base64 encoding tools

    • Maybe the easiest to use for beginners is Base64encode.org

    • If you are combining two (or more) JSON formulas:

      • Remember that the outside braces of the formulas are only needed once

      • Put both formulas inside one set of braces

      • Separate the formulas with a comma

  8. Copy the ID numbers previously identified on Facebook and insert into the JSON in the Base64 encoder

    • This must be done before running the encoder

  9. ENCODE

  10. Copy the Base64 results and return to Facebook. Paste the Base64 results immediately after =FILTERS&filters= and hit Enter or Return

  11. The results should match your search choices

  12. To edit the search keyword, look into the URL for it and change it

    • Do not edit it in the Facebook search field, this will reset your filters

    • If you are using two words, use %20 in the place of any spaces

  13. Troubleshooting

    • Search results don’t seem right?

      • Check your category choice

      • Make sure you inserted your ID numbers into the JSON before encoding to Base64

      • Check your keyword search

    • No results?

      • Check your category choice

      • Check your keyword search

    • Blank page or error page?

      • Make sure you converted the JSON to Base64

      • Make sure you inserted your ID numbers into the JSON before encoding to Base64

If you want to get advanced, consider doing some of the searches through the regular Facebook interface and then converting them back from Base64 to discover the JSON strings used.
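As an added example that is not part of the original post, the Python script below carries the recipe above through end to end: it merges two formulas under one set of outer braces (step 7), inserts the ID numbers before encoding (step 8), Base64-encodes the compact JSON (step 9), pastes the result immediately after =FILTERS&filters= (step 10), edits the keyword in the URL with %20 for spaces (step 12), refuses to encode when a placeholder ID was left in (the blank-page troubleshooting item), and decodes a filters value back to JSON for the advanced step just described. Everything in it is constructed for illustration: the formula keys example_filter_a/example_filter_b are not Facebook's real filter names (those come from the matrix at plessas.net/facebookmatrix), the ID numbers are made up, and the URL prefix, the PARAM name in it and the q= keyword parameter are assumptions standing in for whatever your browser actually shows after step 4.

```python
import base64
import json
import re
from urllib.parse import quote

# Constructed placeholder formulas. The real JSON formulas live in the Facebook
# matrix at plessas.net/facebookmatrix; these key names are NOT Facebook's own.
FORMULA_A = {"example_filter_a": {"id": "<ID_A>"}}
FORMULA_B = {"example_filter_b": {"ids": ["<ID_B>"]}}

# Constructed sample prefix: the address from step 4, trimmed so that it ends
# with =FILTERS&filters=. "PARAM" and "q" are assumed parameter names; copy the
# real prefix from your own browser instead of trusting these.
KEYWORD_PARAM = "q"
SAMPLE_URL_PREFIX = "https://www.facebook.com/search/people/?q=smith&PARAM=FILTERS&filters="

# Placeholders look like <ID_A>; anything matching this must be replaced first.
PLACEHOLDER = re.compile(r"^<[A-Z_]+>$")


def combine_formulas(*formulas):
    """Step 7: put several formulas inside ONE set of outer braces, separated by
    commas. Duplicate keys would silently overwrite each other, so refuse them."""
    merged = {}
    for formula in formulas:
        for key, value in formula.items():
            if key in merged:
                raise ValueError(f"duplicate filter key: {key}")
            merged[key] = value
    return merged


def fill_ids(node, ids):
    """Step 8: replace placeholder strings with the ID numbers found in step 5.
    Walks dicts and lists recursively and returns a new structure."""
    if isinstance(node, dict):
        return {k: fill_ids(v, ids) for k, v in node.items()}
    if isinstance(node, list):
        return [fill_ids(v, ids) for v in node]
    if isinstance(node, str) and node in ids:
        return ids[node]
    return node


def unfilled_placeholders(node):
    """List placeholders still present; a leftover one is the usual cause of the
    blank-page or error-page result in the troubleshooting section."""
    if isinstance(node, dict):
        return [p for v in node.values() for p in unfilled_placeholders(v)]
    if isinstance(node, list):
        return [p for v in node for p in unfilled_placeholders(v)]
    if isinstance(node, str) and PLACEHOLDER.match(node):
        return [node]
    return []


def encode_filters(formula):
    """Step 9: serialize compact JSON and Base64-encode it, exactly what an
    online encoder does with the pasted text. IDs must already be inserted."""
    left = unfilled_placeholders(formula)
    if left:
        raise ValueError(f"insert ID numbers before encoding; still missing: {left}")
    raw = json.dumps(formula, separators=(",", ":")).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_filters(b64):
    """The advanced reverse step: recover the JSON behind an existing filters= value."""
    return json.loads(base64.b64decode(b64).decode("utf-8"))


def build_search_url(url_prefix, b64):
    """Step 10: paste the Base64 immediately after =FILTERS&filters=."""
    if not url_prefix.endswith("=FILTERS&filters="):
        raise ValueError("URL must end with =FILTERS&filters= (see step 4)")
    return url_prefix + b64


def set_keyword(url, keyword):
    """Step 12: change the keyword in the URL itself, never in the search box,
    writing spaces as %20. Only the keyword parameter is touched, so the
    Base64 filters value survives unchanged."""
    encoded = quote(keyword, safe="")
    pattern = r"(?<=[?&])" + re.escape(KEYWORD_PARAM) + r"=[^&]*"
    new_url, count = re.subn(pattern, KEYWORD_PARAM + "=" + encoded, url, count=1)
    if count != 1:
        raise ValueError(f"no {KEYWORD_PARAM}= keyword parameter found in URL")
    return new_url


def worked_example():
    """Run the whole recipe on the constructed inputs and return the final URL."""
    ids = {"<ID_A>": "100000000000001", "<ID_B>": "200000000000002"}  # made-up sample IDs
    formula = fill_ids(combine_formulas(FORMULA_A, FORMULA_B), ids)
    url = build_search_url(SAMPLE_URL_PREFIX, encode_filters(formula))
    return set_keyword(url, "mike smith")


if __name__ == "__main__":
    final_url = worked_example()
    print(final_url)
    # Round trip: pull the filters value back out of the URL and decode it.
    print(decode_filters(final_url.split("&filters=", 1)[1]))
```

The placeholder check in encode_filters is the part worth copying even if you keep using a web-based encoder: the troubleshooting list shows that most failures come from encoding a formula whose ID slots were never filled, and catching that before the encode step is far quicker than staring at a blank results page.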

Kirby Plessas
OSINTCurious?

There are many great sources of OSINT tips and training online now. From the OSINT RocketChat to the OSINT Framework to Technisette’s great list of resources… and very many more. Something new is a loose coalition of OSINT professionals called OSINTCurious. OSINTCurious hosts a biweekly live webcast (which is also broadcast as a podcast), a series of 10-minute videos and a blog.

OSINTCurious stickers are available if you find one of the members in person!

Our own Kirby Plessas is a former advisor and founding member of OSINTCurious, and you can read up on the other members on the website.

Kirby Plessas