OSINT


OSINT stands for Open Source Intelligence. Law enforcement, government agencies, attorneys, media outlets, and yes, even hackers utilize OSINT as a way to perform reconnaissance on an individual or business. Before we get into what OSINT is, let’s talk about human behavior on the interwebs. We as humans in the 21st century plaster all of our personal information online. The internet has become a close BFF. When you think about it, various internet companies (Google- and Facebook-owned technologies, for example) know more about us than our own friends and family. When something hurts, we Google it. When we want people’s opinions, we Tweet it or Facebook it. When we have an issue with our car, we post on an automotive forum. When we build a new craft, we Instagram it. During registration for these websites, we give them personal information including first and last name, phone number, email addresses, and locations. These internet companies have a wealth of information on you: how often you get sick, how often you visit friends, who your closest friends are, your daily routines, and where you go. It has been said that Google has gathered enough information about its users that it has the ability to tell if someone has a disease, or is about to commit a premeditated crime. As I mentioned in my previous “Passwords” article, humans are creatures of habit. We re-use handles throughout our online presence. Not only does Google index your whole online life, there are also other web crawlers out there that index your whole life too (and that do not honor search engine restrictions like those found in a website’s robots.txt file).

So what is OSINT? OSINT is intelligence collected from publicly available information. OSINT is not hacking. Let’s go through a simple “in the weeds” exercise. When people think of searching for a person on Facebook, they believe the only way to do so is by using the person’s full name, phone number, or email address. But did you know you can use advanced Facebook searches to find a person based on their first name, general location, and a like or hobby?

Say, for example, I only know a person’s first name. If I search Facebook for that first name, a whole load of results are displayed. Now I also know that this person just happens to enjoy beer and The Walking Dead. Guess what? I can use an advanced Facebook search to find only people matching that first name who live in Pittsburgh and like beer and The Walking Dead.

At the time of this writing, Facebook displays two matches in my example. Let’s assume that my target is indeed one of these people. Looking at my target’s profile, it appears they have listed their home address (why??), as well as a reference to an online handle. Now I know a full name, an address, and information that could lead me to other online profiles. I load up Instagram and type in the handle referenced on Facebook. Bingo! The user’s Instagram pops up.

I then Google the target’s name and handle. I just found more websites that the target belongs to. Let’s get a little fancy. I now know the target’s full name and location. Using any number of online resources, I am able to obtain the phone number. Is this the correct phone number for this person? Let’s go back to Facebook and search for the user by this phone number. Bingo! It matches the target.

Just for the heck of it, let’s use some of this information to see if this individual has registered any domain names by searching WHOIS for the telephone number… again… bingo! I now have an email address, and was able to verify that the previous phone number and address match. Let’s recap…

What I brought to the table:

  • First Name
  • General Location
  • Personal Like

What I ended up with:

  • Full Name
  • Address
  • Online Handle
  • Instagram Account (as well as all the other major social networks)
  • Various website profiles
  • Phone Number
  • Email Address
  • Where they work

Did I hack anything? No. Did I social engineer anyone to gain this information? No. I simply used OSINT to gain this information (which the target had distributed, one way or another, online).

In closing, let’s go through some other sources of OSINT:

-EXIF data on pictures (every picture you take embeds metadata into the file, and this metadata can include things such as geolocation, the model number of the device taking the picture, and the time stamp and date stamp of when the picture was taken). If the picture is manipulated in Photoshop, Photoshop will leave behind a parcel of information that at least states the image was saved in Photoshop.

-Google Maps.

-Google (more in depth, using specialized Google search strings).

-Newspaper websites.

-State and city public records.

-Social media (digging even deeper than I did in the above example).

-Caching websites (just because three years into Facebooking you made your profile private does not mean there isn’t a cache lying around of your non-private profile).
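The EXIF item on this list is the one you can check and fix yourself before a photo ever goes online. The following is an added example (editor's code, not code from this article or from the OSINTive framework): in pure Python it builds a constructed JPEG skeleton carrying a GPS EXIF block, reads the coordinates back out the way an OSINT tool would, and then strips the Exif APP1 segment the way you would before posting. The sample file, its 40°26'24" N / 79°59'42" W coordinates, and the placeholder scan bytes are constructed for the demo; it is not a decodable photo, and the parser only walks the length-bearing segments up to start-of-scan, which is where EXIF lives.

```python
import struct

# ---- constructed sample: a JPEG skeleton with a GPS EXIF block (not a real photo) ----
def _entry(tag, typ, count, value):
    """One 12-byte little-endian IFD entry; value is 4 inline bytes or an offset."""
    return struct.pack("<HHI", tag, typ, count) + value

def _rational(num, den):
    return struct.pack("<II", num, den)

def build_sample_tiff():
    # Offsets relative to the TIFF header: 0 header, 8 IFD0 (18 bytes),
    # 26 GPS IFD (54 bytes), 80 latitude rationals, 104 longitude rationals.
    header = b"II" + struct.pack("<HI", 42, 8)
    ifd0 = struct.pack("<H", 1) + _entry(0x8825, 4, 1, struct.pack("<I", 26)) + b"\x00" * 4
    gps = struct.pack("<H", 4)
    gps += _entry(0x0001, 2, 2, b"N\x00\x00\x00")            # GPSLatitudeRef
    gps += _entry(0x0002, 5, 3, struct.pack("<I", 80))       # GPSLatitude (deg, min, sec)
    gps += _entry(0x0003, 2, 2, b"W\x00\x00\x00")            # GPSLongitudeRef
    gps += _entry(0x0004, 5, 3, struct.pack("<I", 104))      # GPSLongitude
    gps += b"\x00" * 4                                       # no next IFD
    lat = _rational(40, 1) + _rational(26, 1) + _rational(24, 1)   # 40 26' 24" N (constructed)
    lon = _rational(79, 1) + _rational(59, 1) + _rational(42, 1)   # 79 59' 42" W (constructed)
    return header + ifd0 + gps + lat + lon

def _segment(marker, payload):
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

def build_sample_jpeg():
    app0 = _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    exif = _segment(0xE1, b"Exif\x00\x00" + build_sample_tiff())
    sos = _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")        # placeholder scan header
    return b"\xff\xd8" + app0 + exif + sos + b"\x00\x11\x22" + b"\xff\xd9"

# ---- reader side: what an OSINT tool sees, and what you should strip before posting ----
def iter_segments(jpeg):
    """Yield (marker, payload, start, end) for each length-bearing segment up to SOS."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield marker, jpeg[pos + 4:pos + 2 + length], pos, pos + 2 + length
        if marker == 0xDA:          # start of scan: entropy-coded data follows, stop here
            return
        pos += 2 + length

def _read_ifd(tiff, offset, e):
    count = struct.unpack(e + "H", tiff[offset:offset + 2])[0]
    entries = {}
    for i in range(count):
        base = offset + 2 + 12 * i
        tag, typ, n = struct.unpack(e + "HHI", tiff[base:base + 8])
        entries[tag] = (typ, n, tiff[base + 8:base + 12])    # raw 4-byte value or offset
    return entries

def _dms(tiff, e, n, raw):
    """Decode n RATIONALs stored at the offset in raw -> [deg, min, sec] as floats."""
    off = struct.unpack(e + "I", raw)[0]
    parts = struct.unpack(e + "%dI" % (2 * n), tiff[off:off + 8 * n])
    return [num / den if den else 0.0 for num, den in zip(parts[::2], parts[1::2])]

def gps_from_tiff(tiff):
    e = "<" if tiff[:2] == b"II" else ">"                    # byte order from the header
    magic, ifd0_off = struct.unpack(e + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF header")
    ifd0 = _read_ifd(tiff, ifd0_off, e)
    if 0x8825 not in ifd0:                                   # no GPS sub-IFD pointer
        return None
    gps = _read_ifd(tiff, struct.unpack(e + "I", ifd0[0x8825][2])[0], e)
    if not all(t in gps for t in (0x0001, 0x0002, 0x0003, 0x0004)):
        return None
    def decimal(ref_tag, val_tag):
        ref = gps[ref_tag][2].split(b"\x00")[0].decode("ascii")
        d, m, s = _dms(tiff, e, gps[val_tag][1], gps[val_tag][2])
        deg = d + m / 60 + s / 3600
        return -deg if ref in ("S", "W") else deg
    return decimal(0x0001, 0x0002), decimal(0x0003, 0x0004)

def exif_gps(jpeg):
    """Return (lat, lon) in decimal degrees from the Exif APP1 segment, or None."""
    for marker, payload, _, _ in iter_segments(jpeg):
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            return gps_from_tiff(payload[6:])
    return None

def strip_exif(jpeg):
    """Drop every Exif APP1 segment; image data and other segments are left untouched."""
    out, last = bytearray(jpeg[:2]), 2
    for marker, payload, start, end in iter_segments(jpeg):
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            out += jpeg[last:start]
            last = end
    out += jpeg[last:]
    return bytes(out)

if __name__ == "__main__":
    sample = build_sample_jpeg()
    print("GPS in sample photo :", exif_gps(sample))             # approx (40.44, -79.995)
    print("GPS after stripping :", exif_gps(strip_exif(sample))) # None
```

Run it as-is and the GPS tuple prints before the strip and None after it. Most large social networks remove EXIF on upload, but the original file you attach to an email, a forum post, or a messaging app usually keeps it, so stripping at the source is the habit to build. Tools like exiftool do the same job on real photos; the point of the hand-rolled parser is to show that the data sits in a plain, well-documented structure that anyone can read.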

This seems like a lot of manual labor to find this information. My next article will revolve around APIs, programming, automation, and workflows! (I know if a certain someone has actually read this, they will have laughed.) I am currently building a framework that automates a lot of these tasks, which I have named OSINTive (yes, it also includes a sweet 90s ASCII art banner with a detective).