Social Media

LinkedIn

Advanced searches

This allows you to filter by profiles, companies, schools, groups, jobs, events, etc.

Remember to reverse image search on the photo associated with the target's profile.

Google searches may be useful too:

site:linkedin.com "Account Executive at Uber”

site:www.linkedin.com john smith microsoft

The following URL queries Google for any images:

https://www.google.com/search?q=site:linkedin.com+john+-smith&tbm=isch

The following URL replicates our image search, but focuses only on videos:

https://www.google.com/search?q=site:linkedin.com+john+smith&tbm=vid

Timestamps

LinkedIn hides the dates and times behind generic announcements such as "posted 2 weeks ago".

To get something more specific, inside the post, click the three dots in the upper-right which presents a new menu. Then click "Copy link to comment".

Loading that URL in the browser presented the same comment, but it was technically a unique page from the original post which generated this response.

Right-click on the page, "View Page Source", searched through this code for the message you want to locate the time stamp.

The numbers represent Unix time, use epochconverter.com to convert this number to GMT time.

PDF Generation

In the target profile select "Generare PDF Profile View" to quick download user's information.

Viewing profiles without an account

Visit Google's Mobile Friendly Test (search.google.com/test/mobile-friendly).

Enter any LinkedIn URL.

The preview only displays a portion of the LinkedIn profile. Instead, consider the following.

  • Click on the "HTML" tab above the profile on the test page.

  • Click the "Copy" icon above the source code.

  • Navigate to CodeBeautify (codebeautify.org/htmlviewer) and paste the HTML code.

  • Click "Run" and view the entire LinkedIn profile without requiring an account.

IntelTechniques LinkedIn Tool

Simplify advanced LinkedIn searches.

Code in LinkedIn.html.

Other Tools

- Crosslinked:

git clone https://github.com/m8r0wn/crosslinked

cd crosslinked

pip3 install -r requirements.txt

crosslinked -h

crosslinked.py <name format> <company>

chmod 755 crosslinked.py

Examples:

crosslinked.py -f '{first}.{last}'@tesla.com' tesla

crosslinked.py -f '{first}.{last}@breitbart' breitbart -o breitbart.txt

- linkedin2username (https://github.com/initstring/linkedin2username):

Will try to extract all names of a company and create username assumptions if desired.

Instagram

Media & Data Extraction Tools

Logging into an account will download better resolution images and get better results, instagram usually blocks suspicious activity.

- Instalooter

To install:

mkdir ~/Downloads/Programs/Instalooter

cd ~/Downloads/Programs/Instalooter

python3 -m venv instalooterEnvironment

source instalooterEnvironment/bin/activate

sudo pip install instalooter

deactivate

To download images from an account:

instalooter user mikeb

To log in to an account to see restricted content (private accounts):

instalooter login -u {username} -p {password} user mikeb

- Instaloader

To install:

mkdir ~/Downloads/Programs/Instaloader

cd ~/Downloads/Programs/Instaloader

python3 -m venv instaloaderEnvironment

source instaloaderEnvironment/bin/activate

sudo pip install instaloader

deactivate

To download images from an account:

instaloader user mikeb

To log in to an account to see restricted content (private accounts):

instaloader --login {username} -p {password} user mikeb

- Toutatis

To install:

mkdir ~/Downloads/Programs/Toutatis

cd ~/Downloads/Programs/Toutatis

python3 -m venv toutatisEnvironment

source toutatisEnvironment/bin/activate

sudo pip install toutatis

deactivate

To get account details, full email addresses and partial telephone numbers, before running the tool:

  • Log in to an Instagram account from your Firefox browser.

  • Right-click an empty area of the page and choose "Inspect".

  • Click the "Network" tab in the new menu at the bottom.

  • Navigate to any user's Instagram page.

  • In the Inspector menu, click on an entry similar to "200 GET www.instagram.com".

  • Click the "Cookies" tab in the Inspector menu to the right.

  • Scroll down this list and find "sessionid:"

  • Copy the alphanumeric entry.

Then run the following command specifying the session ID:

toutatis -u mikeb -s 24316:Lh59ygrmY4N:4

- Osintgram

To install:

cd ~/Downloads/Programs

git clone https://github.com/Datalux/Osintgram.git

cd Osintgram

python3 -m venv OsintgramEnvironment

source OsintgramEnvironment/bin/activate

sudo pip install -r requirements.txt

deactivate

make setup

sed -i 's/followinfnumbers/followingnumbers/g' ~/Documents/scripts/instagram.sh

sudo apt install libncurses5-dev libffi-dev -y

Interesting commands:

python3 main.py -c photos mikeb

python3 main.py -c stories mikeb

python3 main.py -c comments mikeb

python3 main.py -c captions mikeb

python3 main.py -c followers mikeb

python3 main.py -c fwersemail mikeb

python3 main.py -c fwersnumber mikeb

python3 main.py -c followings mikeb

python3 main.py -c fwingsemail mikeb

python3 main.py -c fwingsnumber mikeb

python3 main.py -c info mikeb

*If you received any "challenge errors, that means Instagram has found your activity to be suspicious. You would need to log in to your Instagram account and confirm the activity as non malicious. If you execute the Instagram custom tools and receive no results, it may be because of this.

- Custom instragram.sh script

#!/usr/bin/env bash
opt1="Instalooter (Without Login)"
opt2="Instaloader (Without Login)"
opt3="Instalooter (With Login)"
opt4="Instaloader (With Login)"
opt5="Toutatis"
opt6="OsintGram Photos"
opt7="OsintGram Stories"
opt8="OsintGram Comments"
opt9="OsintGram Captions"
opt10="OsintGram Followers"
opt11="OsintGram Followers Emails"
opt12="OsintGram Followers Numbers"
opt13="OsintGram Following"
opt14="OsintGram Following Emails"
opt15="OsintGram Following Numbers"
opt16="OSINTGram Info"
opt17="Add Instagram Credentials"
socialmenu=$(zenity  --list  --title "Instagram Utilities" --radiolist  --column "" --column "" TRUE "$opt1" FALSE "$opt2"  FALSE "$opt3" FALSE "$opt4" FALSE "$opt5" FALSE "$opt6" FALSE "$opt7" FALSE "$opt8" FALSE "$opt9" FALSE "$opt10" FALSE "$opt11" FALSE "$opt12" FALSE "$opt13" FALSE "$opt14" FALSE "$opt15" FALSE "$opt16" FALSE "$opt17" --height=600 --width=300)
case $socialmenu in
$opt1 )
handle=$(zenity --entry --title "Instalooter" --text "Enter TARGET Instagram User ID")
mkdir ~/Documents/instalooter/ 
mkdir ~/Documents/instalooter/$handle/
instalooter user $handle ~/Documents/instalooter/$handle/ -v -m -d -e 
open ~/Documents/instalooter/$handle/
exit;;
$opt2)
mkdir ~/Documents/instaloader
cd ~/Documents/instaloader
handle=$(zenity --entry --title "Instaloader" --text "Enter TARGET Instagram User ID")
instaloader $handle
open ~/Documents/instaloader/$handle/
exit;;
$opt3)
username=$(zenity --entry --title "Credentials" --text "Enter YOUR Instagram Username")
pass=$(zenity --entry --title "Credentials" --text "Enter YOUR Instagram Password")
handle=$(zenity --entry --title "Instalooter" --text "Enter TARGET Instagram User ID")
mkdir ~/Documents/instalooter/ 
mkdir ~/Documents/instalooter/$handle/
instalooter logout
instalooter login -u $username -p $pass
instalooter user $handle ~/Documents/instalooter/$handle/ -v -m -d -e 
open ~/Documents/instalooter/$handle/
exit;;
$opt4)
username=$(zenity --entry --title "Credentials" --text "Enter YOUR Instagram Username")
pass=$(zenity --entry --title "Credentials" --text "Enter YOUR Instagram Password")
handle=$(zenity --entry --title "Instaloader" --text "Enter TARGET Instagram User ID")
instaloader --login $username --password $pass $handle
open ~/Documents/instaloader/$handle/
exit;;
$opt5)
handle=$(zenity --entry --title "Toutatis" --text "Enter TARGET Instagram User ID")
session=$(zenity --entry --title "Session" --text "Enter YOUR Session ID")
toutatis -u $handle -s $session
read -rsp $'Press enter to continue...\n'
exit;;
$opt6)
handle=$(zenity --entry --title "OSINTGram" --text "Enter TARGET Instagram User ID")
cd ~/Downloads/Programs/Osintgram/
mkdir ~/Documents/OSINTGram/$handle/
clear
python3 main.py $handle -c photos -o ~/Documents/OSINTGram/$handle/Photos/
open ~/Documents/OSINTGram/$handle/Photos/
exit;;
$opt7)
handle=$(zenity --entry --title "OSINTGram" --text "Enter TARGET Instagram User ID")
cd ~/Downloads/Programs/Osintgram/
mkdir ~/Documents/OSINTGram/$handle/
clear
python3 main.py -c stories -f $handle -o ~/Documents/OSINTGram/$handle/stories/
open ~/Documents/OSINTGram/$handle/stories/
exit;;
$opt8)
handle=$(zenity --entry --title "OSINTGram" --text "Enter TARGET Instagram User ID")
cd ~/Downloads/Programs/Osintgram/
mkdir ~/Documents/OSINTGram/$handle/
clear
python3 main.py -c comments -f $handle > ~/Documents/OSINTGram/$handle/comments.txt
open ~/Documents/OSINTGram/$handle/comments.txt
exit;;
$opt9)
handle=$(zenity --entry --title "OSINTGram" --text "Enter TARGET Instagram User ID")
cd ~/Downloads/Programs/Osintgram/
mkdir ~/Documents/OSINTGram/$handle/
clear
python3 main.py -c captions -f $handle > ~/Documents/OSINTGram/$handle/captions.txt
open ~/Documents/OSINTGram/$handle/captions.txt
exit;;
$opt10)
handle=$(zenity --entry --title "OSINTGram" --text "Enter TARGET Instagram User ID")
cd ~/Downloads/Programs/Osintgram/
mkdir ~/Documents/OSINTGram/$handle/
clear
python3 main.py -c followers -f $handle > ~/Documents/OSINTGram/$handle/followers.txt
open ~/Documents/OSINTGram/$handle/followers.txt
exit;;
$opt11)
handle=$(zenity --entry --title "OSINTGram" --text "Enter TARGET Instagram User ID")
cd ~/Downloads/Programs/Osintgram/
mkdir ~/Documents/OSINTGram/$handle/
clear
python3 main.py -c fwersemail -f $handle > ~/Documents/OSINTGram/$handle/followersemails.txt
open ~/Documents/OSINTGram/$handle/followersemails.txt
exit;;
$opt12)
handle=$(zenity --entry --title "OSINTGram" --text "Enter TARGET Instagram User ID")
cd ~/Downloads/Programs/Osintgram/
mkdir ~/Documents/OSINTGram/$handle/
clear
python3 main.py -c fwersnumber -f $handle > ~/Documents/OSINTGram/$handle/followersnumbers.txt
open ~/Documents/OSINTGram/$handle/followersnumbers.txt
exit;;
$opt13)
handle=$(zenity --entry --title "OSINTGram" --text "Enter TARGET Instagram User ID")
cd ~/Downloads/Programs/Osintgram/
mkdir ~/Documents/OSINTGram/$handle/
clear
python3 main.py -c followings -f $handle > ~/Documents/OSINTGram/$handle/following.txt
open ~/Documents/OSINTGram/$handle/following.txt
exit;;
$opt14)
handle=$(zenity --entry --title "OSINTGram" --text "Enter TARGET Instagram User ID")
cd ~/Downloads/Programs/Osintgram/
mkdir ~/Documents/OSINTGram/$handle/
clear
python3 main.py -c fwingsemail -f $handle > ~/Documents/OSINTGram/$handle/followingemails.txt
open ~/Documents/OSINTGram/$handle/followingemails.txt
exit;;
$opt15)
handle=$(zenity --entry --title "OSINTGram" --text "Enter TARGET Instagram User ID")
cd ~/Downloads/Programs/Osintgram/
mkdir ~/Documents/OSINTGram/$handle/
clear
python3 main.py -c fwingsnumber -f $handle > ~/Documents/OSINTGram/$handle/followingnumbers.txt
open ~/Documents/OSINTGram/$handle/followinfnumbers.txt
exit;;
$opt16)
handle=$(zenity --entry --title "OSINTGram" --text "Enter TARGET Instagram User ID")
cd ~/Downloads/Programs/Osintgram/
mkdir ~/Documents/OSINTGram/$handle/
clear
python3 main.py -c info -f $handle > ~/Documents/OSINTGram/$handle/info.txt
open ~/Documents/OSINTGram/$handle/info.txt
exit;;
$opt17)
cd ~/Downloads/Programs/Osintgram/
make setup
exit;;
esac

To make a desktop shortcut of this script:

[Desktop Entry]
Type=Application
Name=Instagram Tool
Categories=Application;OSINT
Exec=/home/osint/Documents/scripts/instagram.sh
Icon=/home/osint/Documents/icons/instagram.png
Terminal=true

Instagram searches through Google Dorks

It has benefits searching away from the Instagram website.

Instagram posts that mention "OSINT":

site:instagram.com "OSINT"

To search people and/or terms:

site:instagram.com darren kitchen hak5

site:instagram.com darren hak5

site:instagram.com "hak5darren”

To find other people mentioning the target.

site:instagram.com "@hak5darren"

Manual approach for downloading images

- Profile Image

Profile image is in lower-resolution.

To locate these low-resolution images and identify the full high-resolution, right-click anywhere else on the profile, click "View Page Source" and search for "ogrimage".

The extremely long URL within this line should appear similar to the following.

https://scontent-ord5-2.cdninstagram.com/v/t51.2885-15/13534173_1620017484977625_1916767107_a.jpg?stp=dst-jpg_s100x100&amp;_nc_cat=107&amp;cob=1-7&amp;_nc_sid=8ae9d6&amp;nc_oh=y-uchsMyXNsAX_5vNhj&amp;_nc_ht=scontent-ord5-2.cdninstagram.com&amp;oh=00_AfA78t3nIbelEWLpJBLyMsIdUCAuVIw97itb5C_ng50Q&amp;o=63753A41

In the previous URL, notice the number directly before "jpg". The last set of numbers is "1916767107". Back in the page of source code for the profile, conduct a search for these numbers. You should receive three results, the third is a URL similar to the following:

https:\/\/scontent-ord5-2.cdninstagram.com½v\t51.2885-15\13534173_1620017484977625_1916767107 _a.jpg?stp=dst-jpg_s200×200&_nc_cat=107&ccb=1-7&_nc_sid=8a9d6&_nc_oh=y-uchsMyXNsAX_5vN hi&_nc_ht=scontent-ord5-2.cdninstagram.com&oh=00_AfDJgRUwCm4PkSk_o8VtVhGg7YcJuDiyPayKC7KiYBeRQ&oe=63753A41

Replace every instant of "\/" within the URL with "/", it loads fine.

This is not the full-size image, but it possesses a higher resolution.

- Posts Images

Right-click on the post image and select "View Page Source”.

Conduct a search within this text for "jpg. The third URL which contains "jpg" within it, which also includes

"OG:Image" before it, should appear similar to the following:

https://scontent-ord5-2.cdninstagram.com/v/51.29350-15/228704624_1648970191970827_5792204972766774242n.jpg?stp=dst-jpg_s640×6408amp;_nc_cat=105&amp;ceb=1-7&amp;_nc_sid=8ae)d6&amp;_nc_ohc=bToTyKGo058AX_tI8Q-&amp;_nc_oc=AQmy71YJjzxne3IeDZkOi-I]8Hb)tpU-NnInXRCJVLPpJEumH2gOiC]0pmIz7h0gM8U&amp;_c_ht=scontent-ord5-2.cdninstagram.com&amp;oh=00_AfCGGq5HIvcAd_19Uos1VKnFQSQZULX24Sy8KGOmTQrDQ&amp;o=6374F47D

If we replace every instant of "&amp;" within the URL with "&"; it loads fine.

https://scontent-ord5-2.cdninstagram.com/v/t51.29350-15/228704624_1648970191970827_5792204972766774242_n.jpg?stp=dst-jpg_s640x640&_nc_cat=105&ccb=1-7&_nc_sid=8a9d6&_nc_ohc=bToTyKGo058AX_tI8Q-&_nc_oc=AQmy71YJjzxne31eDZkOi-IJ8Hb)tpU-NnLnXRCJVLPpJEumH2gOiCJ0pmIz7h0gM8U&_nc_ht=scontent-ord5-2.cdninstagram.com&oh=00_AfCGGqa5HTvcAd_19Uos1VKnFQSQZULX24Sy8KGOmTQrDQ&oe=6374F47D

This image might be higher resolution.

Then to get the "HID" version of the image. The second to last (usually fifth) jpg file within this source code appeared as follows:

https:\/\/instagram.fbek1-1.fna.fbcdn.net\/wV+51.2885-19\/44884218_345707102882519_2446069589734326272 _n.jpg?efg=eylybWQiOipZ19hbmRyb2IkX21vYmIsZVOuZXR363J+X3N0YWNrX3Rp729uX21u c19oaWdoX3NhbXBsZV9yYXRIX3FwbF8zOmNvbnRyb2wifQ|140026_nc_ht=instagram.fbek1-1.fna.fbcdn.net\\u0026_nc_cat=1\\u0026_nc_ohc=tHpVc ZIbIAX8«Awill\4002Gedm=ABsR1pMBAAAA\|u0026ccb=7-5\\u0026ig_cache_key=YW5vbnItb3VzX3Bvb2ZpbGVfcGI:.2-ccb7-5\\40026oh=00_AfB90TA b2DABOx_fOhiGIpXLH2gsRCSav]nb_w7mpDAKGA\|u0026oe=6374F04F\|u0026_nc_sid=3f45ac\

Replace every instant of "\/" within the URL with "/". Also replace everv instant of "u0026" within the URL with "&”, it should load.

Third-party services that replicate this:

https://instadownloader.co/

https://igram.io/

https://igdownloader.com/

https://toolzu.com/downloader/instagram/photo/

Metadata Details

- profile_id

Consider digging into the source code of your evidence in order to identify further details that could be valuable. First, I like to identify the user number of an account.

People can change their username on Instagram, but not their user number. Right-click on your target profile page and select the option to view the source code and "Crtl" +

"F” and search for "profile_id".

If the results doesn’t match, copy all of the source code and paste it into a text editor, then search there.

If you know that your target's user ID, but you can no longer access the profile based on the username, we can query the Instagram API to get the new details.

First spoof your user-agent, use “User Agent Switcher”, drop-down menu to "Android"; change the first dropdown menu to "Instagram"; "Apply; and navigate to the following page:

https://jinstagram.com/api/v1/users/340416780/info/

If the target had changed his username, we would see it here.

- Timestamps

Let's tackle exact timestamps. Instagram might tell you a photo was posted 67 weeks ago, and hovering over that notification should tell you the exact date, but it never tells you the time of the post. This detail can be crucial to a legal investigation.

Right-click the profile and select the "Inspect", Click on the "Network" tab and reload the page. Click the small magnifying glass to conduct a search (not the filter URL option). Search for

"taken". The number following "taken", is a Unix timestamp. Convert this with the following website: epochconverter.com

- Followers & Following

Navigating to the target profile, you will be able to simply click on "Followers" or "Following", scroll down the entire list to load all of the accounts, "Crtl" + "A", right-click and choose "Copy selected links”. Open Excel and paste the results.

- Likes

The heart is a summary such as "557 Likes" Clicking on this opens a new window, which identifies each account that liked the post.

Similar to the previous method of capturing friends and followers of a target, "Crtl" + "A" and "Crtl" + "C”.

- Comments

If you locate a comment which is valuable to your investigation, you may want to document the date and time of the post. This is not available within the standard view.

For example, inside the comments includes a response of "now I gotta go buy some beer".

right-click and choose "Inspect” and search for the terms (now I gotta go buy some beer), you can now see the exact time and date.

- Complete Post Analysis

Once located your suspect and found an incriminating post, this is a high-priotity investigation, and extensive manual documentation is justified.

First attack the account with Instaloader, Instalooter, and Osintgram. Then perform the following steps:

  • View the source code of https://www.instagram.com/p/BK1KWEthQkb.

  • Copy all jpg URLs and apply modifications as previously explained.

  • Paste the modified URLs into a browser and download the full version of the images.

  • Return to https://www.instagram.com/p/BK1KWEthQkb.

  • Scroll through the comments, and expand any, if necessary, by clicking "+"

  • Click the summary of likes below the heart icon.

  • Scroll until all are loaded, select all with "Ctrl" + "A" or "command" + "A" on keyboard.

  • Open a new spreadsheet through Microsoft Office or LibreOffice and paste the results.

  • Rename this tab "BK1KWEthQkb" and open a new tab.

  • Repeat the process with any other posts of interest.

Video Download

While viewing any Instagram video page, launch the "Inspector", click the "Network" tab and play the video. If the video was already playing, reload the page. Type "mp4" within the search field.

This should eliminate all of the data and leave you with one URL. Right-click this URL and select "Open in New Tab".

The new tab within your browser should present the same video in full-size resolution. You can now right-dick on the video and select the option to save it.

Twitter Instagram Search

Many people who post to Instagram broadcast the links on Twitter.

For example, to identify posts on Twitter (site:twitter.com) which mention "hack5darren", and possess an Instagram image URL:

site:twitter.com "hak5darren" "instagram.com/p"

Instagram Stories Tools

- InstaFollowers (instafollowers.co/ download-instagram-stories)

- StoriesDown (https://storiesdown.com/)

Other third-party tools

The best is not relying on these on daily investigations.

- Downloader for Instagram (downloader-for-ig.com)

- Dumpor (dumpor.com)

Can be used without the need of an account.

- Toolzu (toolzu.com)

Relies on the Instagram API, so you will not find any content which is not already public. However, the layout and analysis of profile data is unique.

- Code of a Ninja (codeofaninja.com/tools/find-instagram-user-id/)

- ImgInn (imginn.com)

IntelTechniques Instagram Tool

This can not replicate the source code techniques, but may save time with username and keyword searching.

Code in Instagram.html.

Twitter

Data Extraction Tools

- Twint:

git clone https://github.com/twintproject/twint.git

cd twint

pip3 install -r requirements.txt

Examples:

To dump following:

twint -u mattgaetz --following -o gaetzfollowing --csv

To dump followers:

twint -u mattgaetz --followers -o gaetzfollowers --csv

To search for words in tweets:

twint -u mattgaetz -s trump

To scrape all tweets and put them in a database:

twint -u mattgaetz --database mattgaetzDB

With sqlite browser open, go to File--> Open and select the mattgaetzDB file.

Here we can create SQL queries to search this data. Let's search for every tweet where Mr. Gaetz mentions his friend 'trump".

SELECT tweet	

FROM tweets
	
WHERE tweet LIKE '%trump%

Official Twitter Search Option

- Twitter Advanced Search (twitter.com/search-advanced)

- Search by Email Address

Twitter does not allow the search of a username by providing an email address.

To bypass this limitation, you can use a feature offered within the mobile app version of Twitter.

Within Android, open the Contacts application and add the email address of your target within a new contact and save the entry. Open the Twitter app, navigate to the left menu and select "Settings and privacy", click on "Privacy and safety", then Discoverability and contacts™. You can then manage your data and allow Twitter to sync your Android contacts to their service.

You should see a pending notification which states "Find your friends on Twitter. Clicking this should present the "Suggested Followers”, do not choose that option. If you do, your target will be sent a notification from your account.

- Twitter Search Operators

from:IntelTechniques

to:IntelTechniques

to:IntelTechniques from:protonprivacy

from:IntelTechniques filter:replies

from:IntelTechniques -filter:replies

- Media, Likes, Lists, Moments, Topics, Links, and Followers

Media embedded: https://twitter.com/IntelTechniques/media/

Twitter Lists: https://twitter.com/IntelTechniques/lists/

To see if is in someone else list: https://twitter.com/IntelTechniques/lists/memberships

Once you identify a Twitter List of interest, clicking that List will open something like this:

https://twitter.com/i/lists/1588523704245489664

1588523704245489664 is the List number.

To see members of the List and and the followers of the List:

https://twitter.com/i/lists/1588523704245489664/members

https://twitter.com/i/lists/1588523704245489664/followers

Twitter Moments: https://twitter.com/IntelTechniques/moments

Twitter Topics: https://twitter.com/IntelTechniques/topics

Tweets from a user which include a link to additional media: from:IntelTechniques filter:links

Popular posts: from:IntelTechniques min_faves: 150

from:IntelTechniques min_ replies: 100

To see Followers and Following:

https://twitter.com/IntelTechniques/followers

https://twitter.com/IntelTechniques/ following

We can combine and include a few searches:

to:Intel Techniques from:protonprivacy since:2018-03-01 until:2018-03-31 filter:links filterreplies

- Search by Location

Tweets known to have been posted from within one kilometer of the GPS coordinates of 43.430242,-89.736459:

geocode:43.430242,-89.736459,1km

This can be changed to 5, 10, or 25 reliably.

To view this search from the address bar of the browser, the following page would load the same results.

https://twitter.com/search?q=-geocode:43.430242,-89.736459,1km

We can add seatch parameters to either of these searches if the results are overwhelming:

geocode:43.430242,-89.736459,1km "fight"

- Mandatory and Optional Search Terms

"mandatory". Additional optional words could be added with the term "OR". Example:

"Michael Parker" kill OR stab OR fight

- Date Range Search

since:2015-01-01 until:2015-01-05 "bomb threat"

We can combine it with the "to" operator or a name search (or both).

from:humanhacker since:2012-01-01 until:2012-12-31

- Deleted, Suspended, and Missing Tweets

If a user has recently deleted some or all of their messages, we can conduct a cache search of their profile.

Using Google may be enough (“Twitter {user}”), but if the target deleted the content weeks or months before, replicate it in Bing and Yandex.

To force Google to present direct links to actual posts: site:twitter.com/westcornfield/status

While our target removed his content from his profile, he did not remove his history, then, we should check options in “Media, Likes, Lists, Moments, Topics, Links, and Followers” section.

- Twitter Post Details

Check tweets of interest, If there is an image embedded, to see the original full-size version, right-click the image and choose "View image", This will load a new URL such as the following.

https://pbs.twimg.com/media/Ek3FxAhVcAE]t_t?format=jpg&name=small

After removing "&name=small" from the URL, the full image is available.

To see the time posted, right-click on the Tweet and choose "View Source", "Ctrl" + "F" and search for "time _zone".

- Tweet Deck (tweetdeck.twitter.com)

Tweet Deck is owned by Twitter.

Click the plus (+) option, then “Search”.

List of search examples and how ther may benefit the investigator:

"Victim Name": A homicide investigator can monitor people mentioning a homicide victim.

"School Name": A school can monitor anyone mentioning the school for suspicious activity.

"Subject Name": An investigator can monitor a missing person's name for relevant information.

"Event": Officials can monitor anyone discussing a special event such as a festival or concert.

The "User" option will allow you to enter a Twitter username and monitor all incoming and outgoing public messages associated with the user.

You can also use the Geo search mentioned earlier.

Example of use:

First, creat a search column with

"to:myclient".

Next, create a column of "to:myclient kill OR die OR shoot OR death".

If you identify a suspect, then create another column of "from:suspect to:myclient".

Add one final Tweet Deck column of

"from:suspect to:myclient kill OR die OR shoot OR death" and add an alert.

Third Party Resources

Use a junk Twitter account when this is required.

- All My Tweets (allmytweets.net)

Provides a clean display of all of a user's Twitter posts.

"Ctrl" + "F", search terms.

This also prevents you from constantly loading more Tweets at the end of every page.

- TweetBeaver (tweetbeaver.com)

One of the best tools.

Options:

  • Convert Name to ID: This can be vital for investigations. Users can always change their username at any time, but the user number cannot be modified.

  • Convert ID to Name: Opposite of the above technique.

  • Check if two accounts follow each other

  • Download a user's favorites: we can choose to either display the results on the screen or download them as a CSV spreadsheet.

  • Search within a user's favorites

  • Download a user's timeline: The most useful, provide a target name and it will extract the most recent 3,200 posts, it will include the date and time of each post and the direct URL to the message. When I have a Twitter target of interest, I fun this tool on the account daily.

  • Search within a user's timeline

  • Get a user's account data: The benefit is obtaining quick data.

  • Bulk lookup user account data

  • Download a user's friends list

  • Download a user's followers list

  • Find common followers of two accounts

  • Find common friends of two accounts

  • Find conversations between two users

  • Find accounts in a user's followers and friends list

  • Find accounts followed by one user that also follow another named user: Assume you wanted to find any profiles which are followed by jms_dot_py, which also follow IntelTechniques.

  • Get the first 25 users to follow an account: learn of the first 25 people who began monitoring the profile.

  • Get the first 25 accounts followed by a user

  • Bulk Account Data Example: can accept up to 15,000 Twitter usernames. If I had hundteds or thousands of Twitter usernames, this would allow me to sort by location or popularity. I could also sort by creation date in order to identify newly created accounts.

- Followerwonk (followerwonk.com)

Offers options unavailable through TweetBeaver. The second tab at the top of the page, titled

"Compare Users", will allow you a thorough search.

The previous example identified people whom our targets followed. This will often include celebrities. However, the people who follow your targets are more likely to be real people, so criteria can be changed to "Compare their followers" in the drop-down menu next to the search button.

It also has other search capabilities for user analysis.

The first tab at the top of the screen will search any term or terms to identify any Twitter bios that contain those words.

We can also use "Twitter Bios Only" option or switch to "Search Twitter Profiles. The "More Options" under the main search box will display numerous fields including Location, Name, and Follower details.

The third tab, titled "Analyze", allows you to analyze the people the user follows or the people who follow that user. This will display numerous pie charts and graphs about the user. The most useful is the map that identifies the approximate location of the people connected to the person's Twitter account.

The location data is very vague, should only be used to identify the general area.

- Social Bearing (socialbearing.com)

It relies on the Twitter API, so it will only analyze the most recent 3,200 Tweets.

  • Total audience reach: This tells me whether the target has true followers or "fakes".

  • Total impressions: This tells me an accurate size of the target's audience.

  • Total ReTweets: This discloses if the target's audience engages with the content.

  • Total audience favorites: This confirms engagement from the target's audience.

  • Tweet sentiment: This indicates positive or negative tone within comments.

  • Tweet types: This identifies new content versus ReTweets of others.

  • Tweet sources: This discloses the source of submission, such as mobile, desktop, or API.

  • Domains shared: This summarizes the web links posted within Tweets.

Word cloud: This provides a summary of the most common words posted.

The graphical output of this resource is impressive, but the CSV export is more useful. Additionally, we can query an account directly via static URL:

https://socialbearing.com/search/user/inteltechniques

- Twitter Biography Changes (spoonbill.io)

- Twitonomy (twitonomy.com)

The most complete analytics service for a single Twitter handle.

- Omnisci (www.heavy.ai/ demos/ tweetmap)

Massive database platform developed through collaboration between MIT and Harvard.

This website can search by topic, username, or location. It can also combine all three options to conduct a detailed search.

- One Million Tweet Map (onemilliontweetmap.com)

Displays the most recent one million Tweets on an international map.

Monitoring a large event can provide Live intelligence in an easily viewed format.

- Tweet Mapper (keitharm.me/projects/tweet)

Occasional results, but Social Bearing is better

Fake Followers

Two websites that will assist in distinguishing the authentic profiles from the fraudulent.

- SparkToro (sparktoro.com/tools/fake-followers-audit)

Query further users at the following static URL:

https:/ /sparktoro.com/fake-followers/inteltechniques

- Twitter Audit (twitteraudit.com)

Miscellaneous Twitter Sites

- Sleeping Time (sleepingtime.org)

Search of an exact Twitter profile name, and provides the average time period that this user sleeps.

- Twiangulate (twiangulate.com)

Identifies mutual friends on two specific accounts.

- Tinfoleak (tinfoleak.com)

Provides a simple yet thorough report.

- FollerMe (foller.me)

Similar to the previous options. Presents the typical bio, statistics, topics, hashtags, and mentions analysis that you can find other places. FollerMe provides a bit more detail including posting patterns per hour.

- TweetTopic (tweettopicexplorer.neoformix.com)

It collects the most recent 3,200 Tweets and creates a word cloud. This identifies the most common words used within posts by the target.

Clicking on any word within the result displays only the Tweets that include the selected term.

Clicking on any of the text circles would immediately identify posts related to those terms.

- Memory.lol (github.com/travisbrown/memory.lol)

Web service that provides historical information about social media accounts.

Most of this data has been scraped from either the Twitter Stream Grab or the Wayback Machine.

IntelTechniques Twitter Tool

Perform manual queries to twitter and other resources mentioned in this section manually.

Code in Twitter.html.

Facebook

Official Facebook Options

Once a user's profile is located:

Considering an interest in the term "OSINI":

Profile Details and Queries

- Location of UserID, eventID, groupID and pageID

To conduct detailed searches, you must know the user number of your target. This number is a unique identifier that will allow us to search otherwise hidden information from Facebook.

Right-click on a Facebook profile page (not an image) and select

"View Page Source. Be sure not to hover on any hyperlinks during the right-click.

Conduct a search on this. page for "userlD".

When necessary, copy all of the source code and paste it into a text editor, then search through it.

While you may find an online option which still functions, we should not rely on these.

A site which currently attempts to automatically replicate this process:

https://findidfb.com/

For Business pages, we must seatch within the source code for "pagelD".

Event profile numbers can be found by searching "eventID"

Group profile numbers can be found by searching "groupID".

- Base64 Queries

To query through URL we need to follow a base64 encoded structure.

https://facebook.com/search/photos/?q=photos&epa=FILTERS&filters=

This is followed by the structure of the following.

{"rp_author":"{\"name\":\"author \”,\"args\”:\ "[USERID]\"}”}

This must be presented in Base64 format:

https://codebeautify.org/base64-encode

https://codebeautify.org/base64-decode

IntelTechniques Facebook Tool

This tool automatically performs the base64 queries among other options.

Code in Facebook.html (IntelTechniques Custom Tools Collection)

Facebook Phone Number Search

The following URI requests Facebook to locate an account for a password reset. Entering a telephone number will confirm if an account is associated to it, and will sometimes display the profile image for the user.

https://mbasic.facebook.com/login/identify/?etx=recover

However, clicking "Try Another Way within this technique should present even more details.

Friends Extraction

If your target has a large list of friends, taking screenshots is not good enough.

To capture the hyperlinks to each account and have a data set that can be manipulated:

Hold down the space bat on the keyboard to load the entire page, highlight entire friends list and use "Ctrl" + "C", click directly above the left side of the first friend and hold until the lower right area of the last friend. The friends list should highlight. Now, open Microsoft Excel. Click on the "B" in column B to highlight the entire column. Paste the content with "Ctrl" + "V".Then use F5 to launch the "Go To' menu and select "Special". Select "Objects" and click OK. This will select all of those images. Hit the delete key to remove them. You will now see only the text data (with hyperlinks). Now click the "A" in column A and paste the friend content again with "Ctrl" + "V". Right-dick any cell in this column and choose "Clear Contents" This will remove any text, but keep the images.

Place your mouse in between columns A and B and resize column A to be a bit larger than one of the images.

Do the same with Column B to fit in all of the text. Use the "Find and Replace" feature to find every instance of "Add Friend" and replace it with nothing. This will remove those unnecessary entries. In the "Home" menu, choose "Format" and then "Auto Fit Row Height. This will eliminate unnecessary spacing. Select Column B and Left Justify the text.

Facebook Email Search

- Page Role Trick

  • Open "Menu" and click "Page" in the upper-right corner, then create a new page.

  • Assign a random name to your profile, select any category, and click "Continue"

  • Skip all optional steps.

  • Once you see the new profile, click the "Manage" button in the upper-right.

  • On the new menu, click "Page Access" in the left column. In the "People with Facebook access" section, click "Add new"

  • Enter the target email address.

This should present any Facebook profiles associated with the address entered.

Telegram

To manually locate telegram domains:

site:telegram.me "osint"

site:t.me "osint"

sitestelegra.ph "osint"

- Telegram Analytics (tgstat.ru - telemetrio)

The most robust Telegram Channel search options currently available.

- Contact Exploitation

Consider the contact exploitation technique explained in Android Virtualization section.

Snapchat

- Official Search Options

Keyword Search: (https://story.snapchat.com/search?q=osint)

Story Search: (https:/ /story.snapchat.com/s/inteltechniques)

User Search: (https://www.snapchat.com/s/inteltechniques)

Snap Map: (map.snapchat.com)

To perform a Google Search:

site:snapchat.com "inteltechniques"

- Ghostdex (ghostdex.app)

Only usefull if you know your target's snapchat name.

Reddit

- Bulk Downloader For Reddit

To install:

mkdir ~/Downloads/Programs/bdfr

cd ~/Downloads/Programs/bdfr

python3 -m venv bdfrEnvironment

source bdfrEnvironment/bin/activate

sudo pip install -U bdfr

deactivate

To retrieve up to 1000 posts within a subreddit "{name you are looking for, example: osint}" and save the data:

python3 -m bdfr download ~/Documents/Reddit/osint/ --subreddit osint

To retrieve all the posts by an user within a subreddit and save the data:

python3 -m bdfr download ~/Documents/Reddit/osint/ --user inteltechniques --subreddit osint

- Reddits Finder

To install:

mkdir ~/Downloads/Programs/redditsfinder

cd ~/Downloads/Programs/redditsfinder

python3 -m venv redditsfinderEnvironment

source redditsfinderEnvironment/bin/activate

sudo pip install -U redditsfinder

deactivate

To target a reddit user and get current and deleted post metadata attached to the target username:

redditsfinder inteltechniques

To request every post of an user regardless of delegation, along with any uploaded images:

redditsfinder inteltechniques -pics -d

- Downloader For Reddit

To install:

cd ~/Downloads/Programs

git clone https://github.com/MalloyDelacroix/DownloaderForReddit.git

cd DownloaderForReddit

python3 -m venv DownloaderForRedditEnvironment

source DownloaderForRedditEnvironment/bin/activate

sudo pip install -r requirements.txt

deactivate

To run the GUI:

cd ~/Programs/DownloaderForReddit

python3 main.py

- Custom Reddit.sh Script

#!/usr/bin/env bash
opt1="Subreddit Download"
opt2="User Download"
opt3="User Archive"
opt4="Launch Downloader"
redditmenu=$(zenity  --list  --title "Reddit Tool" --radiolist  --column "" --column "" TRUE "$opt1" FALSE "$opt2" FALSE "$opt3" FALSE "$opt4" --height=400 --width=300)
case $redditmenu in
$opt1 )
url=$(zenity --entry --title "Subreddit Download" --text "Enter Subreddit")
python3 -m bdfr download ~/Documents/Reddit/$url/ --subreddit "$url"
open ~/Documents/Reddit/$url
exit;;
$opt2 )
url=$(zenity --entry --title "User Download" --text "Enter Subreddit")
user=$(zenity --entry --title "User Download" --text "Enter Username")
python3 -m bdfr download ~/Documents/Reddit/$user/ --user $user --subreddit "$url"
open ~/Documents/Reddit/$user
exit;;
$opt3 )
url=$(zenity --entry --title "User Archive" --text "Enter Reddit Username")
mkdir ~/Documents/Reddit/
cd ~/Documents/Reddit/
redditsfinder "$url"
open ~/Documents/Reddit/users/$url
exit;;
$opt4 )
cd ~/Downloads/Programs/DownloaderForReddit/
python3 main.py
exit;;
esac

- Desktop Shortcut

[Desktop Entry]
Type=Application
Name=Reddit Tool
Categories=Application;OSINT
Exec=/home/osint/Documents/scripts/reddit.sh
Icon=/home/osint/Documents/icons/reddit.png
Terminal=true

- Investigation Subreddits

  • Reddit Bureau of Investigation (reddit.com/t/rbi)

  • Pic Requests (reddit.com/r/picrequests)

  • What Is This Thing? (reddit.com/г/whatisthisthing)

Google Networks

Every Google account has been issued a specific numeric ID which associates the account with any Google service used.

First, we must find the ID itself:

  • Log in to any covert Google account and navigate to mail.google.com/ chat.

  • Right-click on the page and select "Inspect".

  • Click "Find a Chat" and enter your target's email address.

  • Strike enter but do not send any communication.

  • In the "SearchHTML" field, enter the email address of your target.

One of the results should contain data such as

"data-member-id="user/human/100202552162672367520”. The numbers after "human/" is the

Google User ID of your target.

You can also use the automated service at Epieos (tools.epieos.com/ email php)

Following URLs would display any public photo albums and map contributions made by this target.

https://get.google.com/albumarchive/100202552162672367520

https://www.google.com/maps/contrib/100202552162672367520

Tumblr

site:tumblr.com "osint"

Once you find a blog associated with your target, consider the Photo Gallery Tool.

Also a lot of queries has been incorporated into the Username Tool.

Russian Social Networks

- VK (vk.com)

- Odnoklassniki (ok.ru)

Chinese Social Networks

- Ozone (qq.com)

- Renren (renren.com)

TikTok

URL structure displays the user profile for "inteltechniques":

https://www.tiktok.com/@inteltechniques

If you suspect your target possesses a username which includes "osint":

https://www.tiktok.com/search/user?q=osint

To display posts which include the tag "osint":

https://www.tiktok.com/tag/osint

To search posts which include "osint" within the original post:

https://www.tiktok.com/search?g=osint

To isolate this search to only display videos which include "osint":

https://www.tiktok.com/search/video?g=osint

Google indexes individual TikTok posts, This can be beneficial to discover deleted posts.

site:tiktok.com osint

Curtent live streams can be found:

https://www.tiktok.com/live

Once located a target, search the following text within the source code view of the TikTok page of @target:

"authorld" (6727327145951183878)

"uniqueld" (willsmith)

"nickname" (Will Smith)

We can now search the user number within search engines in order to identify additional posts which may no longer be present within the TikTok website. Once you identify an individual post, right-click the video and save it natively as an MP4 file.

If you prefer to obtain a full date and time of upload, right-click a post and choose to view the page source, crtl+F and search for "~tplv".

We can convert this number at unixtimestamp.com.

Accessing comments within a post requires you to be logged in.

Export Comments (exportcomments.com) will extract the first 100 comments from any post. A premium account is required to download larger content.

TikTok services which provide analytics on target profiles:

https://tokcount.com/tiktok-analytics/vancityreynolds

https://tokcounter.com/tiktok-analytics/vancityreynolds

https://exolvt.com/user/vancityreynolds/full

https://analisa.io/profile-tiktok/vancityreynolds

Dating Apps

Tinder

In order to access Tinder from vour web browser, several things must be perfectly aligned in order to prevent account blocking. Tinder gets bombarded with fraudulent accounts, and their radar for investigative use is very sensitive.

  • Connect to a public Wi-Fi location, without a VPN, near your target.

  • Click the Login button at tinder.com and choose "Log In With Phone Number"

  • Supply a Google Voice number.

  • Confirm the text message received on Google Voice number.

  • Complete registration with alias name and photo.

Tinder has begun blocking any type of GPS spoofing, even if done manually through the browser inspector.

We should keep an old Android phone ready for any Tinder investigations we have the Tinder app installed along with the "Fake GPS Location" app.

This will not work on an iPhone due to GPS spoofing restrictions. Since Tinder actively blocks emulators, connecting through VirtualBox or Genymotion does not work.

Other popular dating websites

  • Match (match.com)

  • Plenty of Fish (pof.com)

  • Harmony (eharmony.com)

  • OK Cupid (okcupid.com)

  • Christian Mingle (christianmingle.com)

  • Ashley Madison (ashleymadison.com)

  • Adult Friend Finder (adultfriendfinder.com

  • Farmers Only (farmersonly.com)

  • Elite Singles (elitesingles.com)

  • Zoosk (zoosk.com)

  • Friendfinder-X (friendfinder-x.com)

  • Badoo (badoo.com)

Discord

For finding, joining, and archiving a Discord server:

First, navigate to Disboard (disboard.org). This free service indexes numerous Discord servers.

If you do not find any servers of interest on Disboard, try Discord Me (discord.me).

The within the official Windows application while inside a virtual machine:

  • Clone your Original Windows 10 virtual machine.

  • Title your new VM "Discord" and conduct the following inside the Windows VM.

  • Download and install the Discord app from https://discord.com/download.

  • Download the first file titled "DiscordChatExporter.zip" from the website located at https://github.com/Tyrrrz/DiscordChatExporter/releases.

  • Extract the contents of the zip file to your Windows VM Desktop.

  • Launch DiscordChatExporter.exe from within the new folder.

  • Launch the Discord app, provide your account credentials, and connect to the target Discord server (example: https:/ / discord.com/invite/DbtGker).

  • Press "Ctrl" + "Shift" + "I" on the keyboard to launch the Discord developer options.

  • Click the arrows in the upper right and select "Application"

  • Double-click "Local Storage" and select "https://discord.com"

  • Press "Ctrl" + "R" on the keyboard and look for "Token" in the right menu.

  • Select and copy the entire token key (without the quotes).

  • Paste the token into the DiscordChatExporter program and click the arrow.

  • Select the desired target server on the left and the target channel on the right.

  • Choose the "CS" export format and leave the dates empty.

  • Choose the save location and click "Export"

Discord is not the only platform for this type of communication, but I find it to be the most popular with amateur cyber criminals. Slack (slack.com) appears very similar, but it is targeted more toward professionals.

Riot (about.riot.im) and Tox (tox.chat) each possess encrypted communications and better overall security, but adoption is lower than Discord.

Other Online Comunities

- 4chan (4chan.org)

Image-board website and users generally post anonymously.

Internet subcultures and activism groups, most notably Anonymous.

- Hacker News (news.ycombinator.com)

Text Search: https://hn.algolia.com/?query=OSINT&type=all

Username Search: https://news.ycombinator.com/user?id=inteltechniques

User Posts: https://news.ycombinator.com/submitted?id=inteltechniques

User Comments: https://news.ycombinator.com/threads?id=inteltechniques

User Favorites: https://news.ycombinator.com/favorites?id=inteltechniques

Google Search: https://www.google.com/search?q=site:news.ycombinator.com+OSINT

- Nextdoor (nextdoor.com)

Allows for people within a specific neighborhood or geographical area to communicate privately within a controlled space.

In order to join a specific neighborhood, one must either receive an invite from another neighbor or request a physical invite be sent via postal mail to an address within range.

Clicking the "Explore Neighborhoods" button should present surrounding areas which you can join. You can usually see the majority of your county by joining all available groups.

- Meetup (meetup.com)

Name Search (John Morrison): site:meetup.com inutl:member john morrison

Event Search (Protest): site:meetup.com inurl:events Protest

Post Search (Protest): site:meetup.com inurl:discussions Protest

Google Keyword Search (OSINT): site:meetup.com OSINT

- Board Reader (boardreader.com)

Board Reader queries many forum communities, message boards, discussion threads, and other general interest groups which post messages back and forth. It also offers an advanced search which allows you to choose keywords, language, date range, and specific domain. If you have trouble filtering results on other forum search sites, this can be useful.

- Craigslist Forums (forums.craigslist.org)

- BugMeNot (bugmenot.com)

BugMeNot allows users to share their logins for various websites with the world.

- IntelTechniques Communities Tool

The previous and a lot more communities can be automatically queried through this tool.

Code in Communities.html.

PreviousUsers & EmailsNextDocuments

Last updated