If you follow me, I’ll OSINT you

I tend to have a look at the profiles following me on Twitter or trying to connect on LinkedIn. On LinkedIn I’ve become a little picky on whom to connect with and they have to match my career interests. On Twitter I just look for red flags in general. If your profile promotes racism and hate speech, deliberately spreads disinformation or supports Borussia Dortmund, I will block you (just kidding on the last one). Of course, I can’t do a deep dive into each and every follower on Twitter. But today I would like to show you what kind of red flags I look for and how these can lead to further investigations.

Follow me and I’ll check out your profile

Around lunch time I noticed a new follower on Twitter.

Martin recently joined Twitter and hasn’t tweeted yet. He is following 25 accounts, has no followers of his own and something about his profile picture is odd.

Since I have created many pictures using This Person Does Not Exist, I could immediately tell that the image above was created on that site. The alignment of the eyes, the weird ears and several other glitches were a sure sign of this. My buddy Nixintel wrote a great blog on how to identify such images a while back and I highly encourage you to read it.

Next up, I had a look at the other accounts Martin choose to follow. Most of them where Russia-friendly accounts, often spreading Russian propaganda, some even known conspiracy theorists. Next to the apparent German name, Martin was following German-speaking people on Twitter. So I am pretty sure he is German-speaking as well.

And in between all these, there where some accounts that actually investigate the general topics I mentioned above (Russia & disinformation). For me, this leaves two possibilities: Martin is either interested in the Russian propaganda and conspiracy theories from an investigative standpoint, or he supports them. It is not uncommon for supporters of conspiracy theories or foreign propaganda to follow those who try to debunk this disinformation (e.g. Bellingcat), so they can troll them. But why did he choose to follow me then, and not only me but also OSINTgeek?

OSINTgeek and I have many things in common, but none of these is any affiliation with the aforementioned topics. However, we are currently best known for organizing the German Open Source Intelligence Conference (or GOSINTCon). I could not see any interaction between Martin and the GOSINTCon Twitter account, so I decided to check our LinkedIn profile. Among the followers we received this afternoon, I found the following account:

Both follows must have happened roughly around the same time. Now let’s have a look at this Martin Krüger.

Same name, different picture and also 25 connections. The picture seemed a little too good looking in my opinion. I ran a quick reverse image search on the profile picture and could see it was an often used stock photo. This was so obvious, that even Google found it!

The fact that this profile only had 25 connections, led to the assumption that it was recently created. Looking into the CV posted on LinkedIn I saw several other things that caught my eye.

I googled the name in connection with the mentioned employers and came up completely empty handed. The CV shown here also had some inconsistencies. Large gaps between apparent jobs, and to me it looked like someone just quickly and very sloppily punched something into to LinkedIn here with a mix of German and English.

All in all, both profiles seem to be sock puppets in my opinion. I thought about if I should write this up or not, as there is a very slight chance that Martin does exist. However, the name is quite common in Germany and nothing shown here can be considered as doxxing. So, this goes out to Martin:

If you are real, you might want to clean up your LinkedIn profile. Those inexplicable gaps in your CV certainly will not help your career. If you are indeed a sock puppet: gotcha! You might want to read about how to set up a proper sock puppet on the OSINT curious site or another example of how not to do so on my blog. And while sock puppets are not a topic in this year’s GOSINTCon, come back next year and we might have a talk on that.

MW-OSINT / 16.11.2020

Where is Leonardo’s Car – Using OSINT to trace vehicles

I love cars and I love OSINT. Sometimes I get to combine these passions. Not only for work, but also in little exercises that help sharpen my research skills.

A while back I posted a blog about using car spotting sites to find and track vehicles. The sites I discussed in that article where only the tip of the iceberg when it comes to finding information about specific vehicles online. Today, I want to walk you through other means of finding cars using unique identifiers such as license plates or VINs (vehicle identification numbers). There’s nothing fancy about what I’m going to show here. I’ll just follow the digital breadcrumbs using simple OSINT techniques.

For some reason I stumbled upon a Youtube video showing an Italian soccer player’s Ferrari. We’ve all been down that rabbit hole before. You start watching Youtube videos about cooking and end up somewhere completely different. Oh, the joys of the internet…

This video had a visible license plate and I was curious to see other places the car was spotted. My usual car spotter websites actually came up empty handed, no matter how I tried to enter the license plate number. So I took my search back to Google. Search engines actually OCR some of the images they index, so I entered the plate number and instantly received some results:

Next to the Youtube video that got me started, I found a blog in which the author posted multiple pictures of the car I was looking for. The plate number wasn’t listed anywhere as text on the website (checked through the developer tools as well: nothing came up), so Google must have OCRed it. Thumbs up to Google for this!

But wait, it gets even better. Google is not the only platform to OCR images, Facebook does so as well. So, I decided to take my search to Facebook and see if I could find further images of the vehicle there. Using the standard Facebook search, I entered the plate number. Keep in mind, throughout each search you might have to use different variations, adding spaces between characters or writing everything together.

The picture results are shown right away, as I have a direct hit in this query. Sometimes the picture results will not be shown in your main search results and you may have to click on the tab to the left to get to the image filter. Some guy on Facebook posted the Ferrari as his profile pic in April this year and this picture looks like it had the car at a repair shop or possibly a dealer.

Now, if this theory was right, the vehicle might not even belong to Leonardo Bonucci anymore. I could go looking for sales ads for such a vehicle and hope to find it. A lot of this would just be Googling and browsing through sales sites and would require a lot of tenacity and also a little bit of luck. Although, I still have an ace up my sleeve when it comes to Italian vehicles. This ace would allow me to find out more details on the Ferrari I was searching for.

I have a little app on my phone called iTarga. With this app, I can enter any Italian license plate and will receive further information on the vehicle. Here in Italy, vehicles are assigned license plates for life. Even if the car is sold, it keeps the plate numbers. Let’s see what iTarga tells me about Leonardo Bonucci’s Ferrari.

First date of registration, a VIN, insurance information (including insurance company and policy number) and the residence of the owner are among the things that can be found in the app. In our case, no insurance is listed. It is likely that the vehicle is not insured at the moment, adding to my suspicion that it is/was for sale. The owner’s residence is Milan, which happens to be the city Bonucci played in at the time most of the previously seen images were taken (he’s moved on to Juventus Turin now). These details give me further pivot points for my search. I could narrow down the results of sales ads to 2013 models and look in and around Milan or Turin (assuming it would be sold there). Or I could just simply Google the VIN.

Et voilà, I do receive results for sales ads. However, the vehicle offered here is a red Ferrari. I thought I was looking for a black one. And nowhere on the website can I find the VIN. See, zero results:

Yet again, a simple OSINT technique will help clear this up. Looking into the developer tools will enable you to search within parts of the website that aren’t directly visible to users. When checking the VIN there, I found that all uploaded images actually have the VIN in the file name.

Not only that, the URL also contains the VIN:

A little more research and everything makes sense. Bonucci originally drove the red Ferrari and had it wrapped in black foil. For the current sale, the black foil was apparently taken off again.

While this example utilized an Italian app, there are many similar sites for countries throughout the world (except in Germany…). The lesson to be learned here is to follow the digital bread crumbs. Sometimes seemingly simple OSINT techniques will lead you to your goal if you know how to combine them. And now you get an idea of how I spend my time when sitting in the passenger seat while my wife is driving. Googling license plates, checking car spotting sites and tracking the history of random exotic cars I see.

MW-OSINT / 16.10.2020

Social Media around the World

When most people speak of social media, the have the ‘Big 3’ in mind: Facebook, Instagram & Twitter. But social media is so much more than just these three platforms, especially when it comes to OSINT on intelligence targets that don’t speak English.

In OSINT investigations we often end up scavenging social media to find information on our intelligence targets. Who are they connected to? Where have they been? What are their interests? These and many more questions can be answered by having a look a person’s profile. However, social media is constantly evolving and platforms that were relevant yesterday may not be relevant tomorrow. When I ask my daughter about Facebook, she says: “Facebook is for old people”. Thus, she does not have an account there. You would most likely find her dancing in TikTok videos, as with many other Generation Z youths. So age clearly defines which social media platforms are used. Another defining factor is the cultural background someone has. Maybe Facebook was never that big in that person’s country. The following graphic shows the evolution of social media worldwide and how Facebook became the most used platform. However, in some countries other platforms still have the upper hand and not all ‘legacy’ platforms overtaken by Facebook have been shut down. In this article I would like to give a brief overview of some of the lesser known platforms that may be useful for OSINT investigations.

VKontakte & Odnoklassniki

If your intelligence target is from a Russian-speaking country or has a Russian cultural background (or is a right-wing idiot that thinks he is being censored on Facebook), chances are high you might find this person on one of the Russian Facebook clones. The platforms VKontake (‘in contact’) and Odnoklassniki (‘classmates’) are very similar to Facebook when it comes to the functionality offered and the basic OSINT research techniques that can be applied here.

Above you can see a VKontakte profile. A profile picture, some more detailed information including a birthdate and current residence city, a friend list as well as posts and pictures. Pretty much what you can find on an average Facebook profile. As with other social media platforms, a user can choose to alter the privacy settings to hide information, so some profiles may not have an open friend list or may not share all posts with the overall public. An interesting feature on VKontakte is in the top right of the image: information when the profile was last active. In OSINT this is really helpful to figure out if a user is still active on the platform, even if no current content is posted. In many cases this last activity will lead back to the use of VKontakte as a messenger. People might not post content anymore, but will stay В Контакте (in contact) with others through this platform. The search functionality of VKontake is in some ways superior to what we now have on Facebook. At the top of the page is a search box. Filling in a search term here will enable us to browse through different categories of results and narrow these down by adding additional filters.

As you can see, you can filter people by age range, birth date information and even their views on smoking an alcohol. Posts can be sorted by the number of likes or the mentioning of specific links. All in all, there are some pretty neat filters in here.

Odnoklassniki is very similar, having friend lists, a date of birth on most profiles and information when the user was last active. The good thing with both VKontakte and Odnoklassniki, is that they accept multiple language settings, so you can use the platform in English and also a couple of other languages. If you search for names in Latin script, it will also show you corresponding results in Cyrillic script.

The last activity is right underneath the profile name and the searches in Odnoklassniki offer filters just like in VKontakte. They even allow users to add holiday destinations, which are also a filter criteria.

As I mentioned, this article is just a quick overview of some foreign social media platforms. There lots of other cool OSINT techniques that can help research here, including third-party sites to search by profile pics or sites that help with geo-referenced searches. But let’s leave that for future blog posts. Another example I want to show is very popular in the Persian-speaking community.

Facenama

Facenama is a big social media platform mainly used in Iran. At quick glance on SimilarWeb shows that this site is also accessed from other countries, as there are Iranian communities throughout the world.

Facenama looks very much like Facebook. Even the coloring scheme is identical (to the old Facebook UI).

Unfortunately, there is no way to change the language settings, but luckily the Google translate browser extension works quite well here.

The search bar in the top right of the page will enable you to search for user profiles. Just remember that the default language is Farsi, so most profiles will be in Arabic script (including profile names) and typing will occur from right to left.

The profiles will have the same type of information we have seen in the Russian sites: date of birth, friends, posts and much more (if these aren’t hidden due to privacy settings). Remember that dates will be shown in Persian, so you’ll probably have to use a calendar converter to make sense of these dates.

I could go on for hours listing and showing social media platforms: Gab for right wing nut jobs, Stayfriends for old German people, NK for Polish people and don’t even get me started on Chinese social media. The bottom line is, that there is more out there than just the ‘Big 3’ (Facebook, Instagram, Twitter). Before you start investigating someone, you should figure out where you might find these people online. Their age, culture, language, country of origin and personal taste will affect their choice of which web platforms they use and these might not always be in English. So, in the ongoing discussion of what I would like to get better at in OSINT, I didn’t choose to learn programming languages such as Python to automate tasks. I’d rather get a better grasp of languages (Arabic, Farsi, Russian, etc.) in general and master tools that help translate to help bolster my research efforts.

MW-OSINT / 04.10.2020

How to Geolocate Mobile Phones (or not)

Wouldn’t it be cool to geolocate mobile phones? The following article will show you possibilities and limits when it comes to accurately finding the location of a mobile phone.

Last week I published an article explaining how accurate the geolocation of IP addresses is. This time, I had a look a cellular data and how a mobile phone is registered while roaming as well. If you haven’t read last week’s article yet, go have a look before you continue here.

Today I decided to go on a little road trip, because I wanted to show you what kind of data your mobile phone produces while on the move. So, I’m inviting you to follow me on a short trip to Austria. Keep in mind, that all data you will see here is not only visible to me, but also to my provider and could be visible to law enforcement or intelligence services, should they choose to track me. However, this data is nothing that can be easily obtained by random individuals.

The starting and end point of my journey was the train station in Steinebach. If you dial *3001#12345#* on your iPhone, it will open a developer menu packed with cellular data, including the actual cell you are connected to and the signal strength for this connection (among other things). Unfortunately, I forgot to take a screenshot when I left the train station. I did, however, take a screenshot upon return. In any case, the same cell served my phone both when I left and when I returned. As you can see, my phone was connected to the Mobile Country Code (MCC) 262, which is the country code for Germany, and the Mobile Network Code (MNC) 3, which is the code for the provider O2/Telefonica. That’s the network this burner phone is running on.

The most relevant piece of information is the Physical Cell ID (PCI). This is the identifier for the actual cell my phone was registered to. The only problem here is that the developer menu on my iPhone doesn’t give me the ID of the cell tower (or eNodeB/ENB in an LTE network) this cell was actually broadcast from. Whenever I am dealing with cellular data, one of my go-to sites is CellMapper. Here I can browse through information on cell towers on a map or search for specific data. Let’s have a look at what we can find with the MCC, MNC and PCI from my phone. After adding the information I have to the search panel on the right, a new popup opens and displays all the cell towers in the German O2 network that use the PCI 422.

Rather than clicking through all these results, I just zoomed into the map manually (since I of course knew where I was) and clicked through the nearby towers until I found the tower that broadcasts the PCI 422. Cell 2 of eNB 100396 is the one my phone was connected to.

The train station is in the top right corner of the highlighted cell. Keep in mind, that the full extension or reach of the cell may not be accurately displayed here. So now you have seen how cellular information can be broken down to a rough physical location. I could narrow down this location even more, because my phone also knows which other cell towers are providing a signal in the area and it is constantly measuring the signal strength. So, if I know the location of these other cell towers and I know the signal strength to each tower, I could use that information to triangulate a more precise location. But let’s not go that far this time.

If I am connected to a UMTS or LTE network (3G or 4G), the cellular network will also allocate an IP address to my phone. The accuracy, or rather non-accuracy, was topic of the last blog article. Nonetheless, I would like to share the IP I had when I left the train station at around 09:00 o’clock, to show you what happens with this IP during my travel.

Above you can see the IP address and the result from a query on the Geo2IP Precision database from Maxmind. Maxmind is one of the leading IP geolocating companies worldwide. According to them, this IP address was located near Munich in a radius of 50km. Nothing wrong here, the train station in Steinebach is within that radius.

I decided to drive to Neuschwanstein (the inspiration for the Disney castle) near Füssen and from there quickly cross the boarder to Austria. During this drive, my phone would constantly reconnect to new cell towers and new cells whenever the signal in the current one was too weak. More on this topic can be read here:

https://www.netmanias.com/en/post/techdocs/6224/emm-handover-lte/emm-procedure-6-handover-without-tau-part-1-overview-of-lte-handover

Every once and while I completely lost signal. Now the interesting thing is that my phone kept the allocated IP address throughout the complete trip. Steinebach and Füssen are roughly 70km apart (beeline), I had multiple cell and cell tower handovers and thus my IP in Füssen was the same as when I left the train station in Steinebach. As the IP hadn’t changed, the Maxmind geolocation also hadn’t changed and was now clearly wrong. You could wonder why I wasn’t issued a new IP when my phone lost signal or connected to new cells or cells towers. For the cellular network there was no need to reissue a new IP address, because I technically never detached from the network. And why should the network go through the hassle of constantly issuing a new IP, when reconnects to cells and cell towers might occur every couple minutes? Getting a new IP in such a frequency clearly would cause some troubles for the user, if connected to a website or service continuously throughout the travels.

A new IP will be issued whenever you turn your phone off or put in in airplane mode and then turn it back on. Switching it off or using airplane mode sends a so-called “IMSI-detach” to the network, letting the network know you want to log off and thus won’t be needing service anymore. Temporary loss of signal won’t cause that command to be sent. If your phone is offline for a longer period of time, the network will automatically detach the IMSI (which is basically your main identifier in a cellular network) from the network. However, each provider might define a different time span before detaching.

At 12:10 o’clock, I was sitting at the McDonalds in Füssen and still had the same IP. Just to be sure, I checked it using a different browser, I didn’t want to risk cached data messing up my results.

Out of interest, I switched on the airplane mode and connected to the wifi hotspot while eating my McFlurry. Again, I checked this IP and looked it up on Maxmind.

The IP issued to me by my cell phone provider still had me located in Munich and the wifi hotspot came out over 400km away (in the middle of a lake in the center of Kassel). And once I reconnected to the cellular network, I received a new IP address, which according to Maxmind was still in a 50km radius of Munich.

So much for the accuracy of IP geolocations. The cellular data (MCC/MNC/PCI) put in me the correct location again.

I finished my ice cream and briefly crossed the border to Austria. Just enough to connect to an Austrian network. While the cell data put me in the right spot on CellMapper, the IP I then received from my provider placed me even further away than before. This time instead of Munich, the IP was supposedly in a 50km radius of Nuremberg.

The IP range was also different than any other IP address that O2 had given me in Germany, so I assume that O2 has an extra IP range reserved for roaming connections. I switched to a different Austrian provider and checked again.

Okay, now I’m confused. I went from Munich to Nuremberg to Stuttgart. On the other hand, the information I found here could prove to be relevant. If my provider uses a different IP range for phones located outside of the home network (in a foreign country) than the IP range using for phones ‘at home’, maybe other providers do so as well. This might enable finding out if a mobile phone is located in country or outside, similar to what a HLR lookup can provide (not gonna explain this time, just google it). Remember that the results shown here might differ in other countries and with other providers. But once more, the bottom line is that geolocation based on IPs is not as simple and accurate as some of us might think and geolocations based on cellular data could get you quite close to your actual target. That is, if you have access to this kind of data, which I assume most of my readers don’t.

And now you also know how I spend my Sundays. Combining road trips through the beautiful Bavarian alps with my passion for OSINT. In any case, the trip was totally worth it: new insight on cellular roaming and of course this amazing view:

Neuschwanstein

MW-OSINT / 12.07.2020

Geolocating Mobile Phones based on IPs

This article was written together with Nixintel and was published on Nixintel.info as well.

IP addresses feature prominently in digital investigations, but how useful are they for geolocation? The truth is that while IP addresses have many investigative uses, they can be quite unreliable as a precise geolocation method.

The limitations of IP addresses as geolocation tools are grounded in the technology itself. The current IPv4 protocol allows for the existence of just under 4.3 billion separate IP addresses. This was not an issue when the technology was designed in the early 1980s, but now the demand for IP addresses far exceeds supply.

To deal with this shortage, ISPs have developed several workarounds over the years. A reverse proxy server allows thousands of websites to share the same static IP address, for example.

Websites and services generally use IPs that are fixed, but if you’re reading this from your home internet connection then the chances are that you’ve been issued a dynamic IP address by your ISP. You might have the same IP address for a few hours or days, but ISPs constantly juggle and reallocate their IP addresses according to demand. The IP address you have today might be issued to someone else elsewhere in the country tomorrow.

With mobile IPs the IP shortage problem is even more pronounced. Whenever you connect to a 3G or 4G network, you are probably sharing that IP address with thousands of other users at the same time. Your IP address also changes very frequently on a cellular network, sometimes as often as every few seconds.

There is no real correlation between a physical location and a cellular IP address. IP addresses aren’t organised geographically in the way that old landline numbers used to be. It’s more accurate to think of them as being grouped by ISP and service type.

For more detailed information on this subject matter I recommend reading these research papers:

So what about IP geolocation services like Maxmind A little digging into their own data accuracy reports will tell you that we need to be extremely cautious about how much weight you attach to the geolocation information that they provide.

For example in Germany, Maxmind state that 83% of their IP addresses are accurately linked to their location – but only to within a 50km radius, and even then only with fixed broadband lines:

When we look at cellular IPs, the accuracy drops significantly. Only 38% accuracy within 50km:

The more specific the location, the lower confidence level. In Germany the confidence that a specific IP address is associated to a specific city is just 16%. In the USA this accuracy level is just 12%, with 73% of IPs being incorrectly resolved. So how much weight should you really put on the accuracy of a geolocated cellular IP if even the world’s leading IP geolocation companies have such low confidence of it being accurate to within 50km, let alone a single city?

This is not a fault of the GeoIP service providers. It simply reflects the fact that ISPs have no need to allocate IP addresses by geographic area, but instead allocate them according to network demand.

Yet it is common knowledge that mobile phones can be geolocated. A mobile phone connects to a cell tower, and as a matter of fact to all of the surrounding cell towers as well (at least to monitor the signal strength). Each cell tower has a unique ID. This ID can be picked up by several means, whether it is intercepting the radio connection between the mobile phone and the tower or by collecting information on one of the backlinks to the network. If the physical locations of the cell towers are known, a rough geolocation of the phone can be performed if of course you have the cell IDs. However, this can only be done (legally) by law enforcement and/or intelligence services. But is it possible to geolocate a phone based on other information than the cell ID?

Most mobile phones nowadays are constantly connected to the internet. We browse the web, we send messages through services such as Signal or WhatsApp and we check our emails and reply with our smartphones. Each of these connections will transmit an IP-address that has been allocated to our phone. On my normal computer, I could look up my IP address on sites such as IPLocation and it would show the approximate area I am located in. Of course, this only works if I am not using a proxy or VPN. Different databases might have slightly different locations, but as you can see in this example, I am located somewhere in the vicinity of Munich based on my IP address.

Just to put these locations into perspective, I plotted them on the map. I was located somewhere on this map while writing this article. Not really that precise, right?

That’s the landline I used, what about geolocating a phone based on the IP address? Getting the current IP address of the phone is not as easy as it sounds. Even if I were to receive an email sent from my target’s phone, chances are high that this would not include the originating IP address. Especially if sent from providers such as Gmail or Hotmail. How can we then obtain the actual IP of the phone?

Before you continue reading, a word of caution: The next step could be illegal in some countries and is very intrusive. It is definitely not something I would recommend as you have to actively engage your target. In this case I am just using the technique to prove my point.

I sent my target an email with a tracking pixel. Don’t worry, the target is one of my burner phones. I sent myself an email and opened it with my phone while connected to my provider on 4G (LTE). Tracking pixels, also known as web beacons, are used to figure out if a user has accessed content such as a webpage or an email. These trackers will provide information such as the access time and also the IP address from which the content was accessed. I used the site GetNotify to get a tracking pixel. Then opened the email with my phone. Here is the result:

As you can see, the tracking pixel sends back the time the email was opened, the user agent string for the browser on my phone and an IP. It states that this IP address is registered to Telefonica Germany, the provider this burner phone is running on. Let’s check the IPLocation site again:

Okay, we have Munich in there, but we also see other locations. Once more, I plotted them on the map.

I’m on here somewhere, but as you can see, two of the locations are quite a bit away from Munich. So apparently, the IP allocated to my phone by my provider seems to provide a very inaccurate location. One reason for this can be found in the 4G network infrastructure.

The IP address the mobile phone receives is a dynamic address allocated by the so-called Packet Data Network Gateway (P-GW). This is basically the exit node to the internet and the IP address is chosen randomly, coming for a pool of addresses. Each time you reconnect with the network you will receive a new random address from this pool, even if you connect to the same cell (for LTE eNodeB) again. There is no direct link between the IP and any other element of the network, such as the cell tower (eNodeB). Often, outgoing traffic from the P-GW will assign multiple registered mobile phones the same IP-address. While connections from a mobile phone will likely be handled by a regional P-GW, in my case the one physically located in Munich, it could also be registered to a P-GW hundreds of kilometers away. I spent an hour trying to find a friend that uses Telefonica/O2 as well and asked them to help me out here. I sent her an email with a tracking pixel. Here’s what came back:

This IP-address is supposedly located in Munich as well, my friend lives near Passau. That’s 170km apart! Keep in mind, all of this was done without any proxies or VPNs. Using a VPN will of course alter the results. Here’s my burner phone on LTE running through a Belgian IP:

In conclusion, geolocating a phone through an IP might give you the general area (if you are lucky), but just as with any regular IP address, it will not provide you pinpoint accuracy. I think geolocating landline IPs is actually more accurate than mobile phone IPs in most cases. Just keep this in mind for your future investigations.

Nixintel & MW-OSINT / 05.07.2020

Saving Images from Google Maps and Street View

Ever wonder how to properly save a Google photo sphere image? Have you just been taking screenshots of them so far? Well, I have another solution for you.

During my investigations I often end up browsing through Google Maps and Google Street View. Besides the official imagery, Google allows users to upload their own 360° panoramic pictures, so-called photo spheres. These are georeferenced (most of the time) and can be found in the same way you access Street View. A while back I learned you didn’t have to pull the yellow dude onto the map and that you could just click on him. For more information on what you can do with Google Maps and where I actually learned the trick with the little yellow dude, just check out OSINT Techniques‘ great 10 Minute Tip on Youtube.

Now, lets assume we are looking into an area that doesn’t have proper Street View coverage. In this case I want to see if there any photo spheres in a small Syrian town just south of Idlib. I’m lucky and I can find three of them marked on the map.

By clicking on the sphere itself, it will open this individual image. Let’s click on the one furthest to the west (on the left).

Now I can change my point of view by pivoting the image and I can also see which user uploaded this image and when it was uploaded. So far, if I wanted to save a copy of this image I would take a screenshot (or rather multiple screenshots). However, there is way to gain access to the complete image and as a matter of fact to any image that is uploaded to Google Maps, including a larger version of the profile picture seen here.

For this, we need to open the developer tools in our browser. While it could also be done in Chrome or Chromium-based browsers, I prefer using the developer tools in Firefox. Just press Ctrl+Shift+C to access the developer console or you can access it from the Firefox menu (Web Developer/Inspector). It will then look like this:

I have the console located in the bottom half of the screen, the default value usually opens it on the right side of the screen. I’m not going to go into details on all the functionalities of this console, for more information check out Webbreacher‘s 10 Minute Tip on Youtube. I want to direct your attention to the network panel. Clicking on the network panel will show you all the queries performed when you access the page you are viewing. As you can see, Google loads several JPG files for the image displayed above.

Rather than viewing all the traffic, we could also drill down to just images. But again, watch Webbreacher’s video for more details on what can be done with web developer tools. I said Google was loading several JPGs; actually Google is just loading one JPG but defines what we see by subdividing the JPG into different sections. Each section is defined by basic coordinates, depending on where in the overall image this pic is located. By hovering the mouse over the entries, you can see which section it relates to.

Here we can see a 512×512 pixel excerpt of a larger image. The coordinates show where the section is located horizontally in the image (x-axis) vertically (y-axis) and how far we have zoomed in (z-axis/value). As you can see, hovering over the entry will also display the link to the image. By clicking on this network event, we can see further details in a new panel on the right and from here copy the image URL (I compressed the traffic view in the following screenshot).

The URL can then be opened in a new tab. But before I show you the results, let me alter the URL a bit. Instead of opening the image with the coordinate-extension (e.g. =x1-y0-z”), I’ll open the image with an extension that alters the size. In this case I will use “=s8000”, with the number 8000 being the number of horizontal pixels (Google will auto-adjust the vertical pixel-number accordingly). Fairly high quality photo spheres may even allow larger resolutions.

Now just right-click and download the image just as you would download any other picture. Here’s what I’ve downloaded, a 8000×4000 pixel complete photo sphere. This size will easily enable me to zoom in and have a look at further details.

Seeing that we can download images from Google maps this way, let’s try out what else could be downloaded in higher resolutions. Remember the icon of the Google user that uploaded this picture? It is possible to download this icon in a larger resolution as well, and in fact any other picture that this person uploaded. For that, let’s just look the user’s “Local Guide” profile by clicking on his username.

On the “Local Guide” profile you can finds reviews and further images. To access them and the profile pic, just click on an image and open it. Again we will access the developer tools and have a look at the network traffic. Hovering over the entries will give us a preview and we can quickly identify the profile pic.

Copy the URL and manipulate the extension that defines the size or erase this extension completely. Then it usually displays the image at a standard 512×512 resolution or the original resolution (if smaller than 512×512). This is especially useful for profile pictures of people, as the enhanced image might allow you to do a proper reverse image search.

The shown techniques will enable you to download any picture from Google Maps, whether it is a photo sphere or an image posted by a “Local Guide”.

MW-OSINT / 01.07.2020

Using the WIPO IP Portal for OSINT

Conducting due diligence, business intelligence, competitive intelligence or just trying to identify a company logo through reverse image searching? The WIPO IP Portal might be able to help you out with those tasks.

One of my favorite sites when it comes to researching companies is the WIPO IP Portal. WIPO stands for World Intellectual Patent Organization and is an UN agency specialized on protecting intellectual property (IP) worldwide. Their Patentscope database allows you to search for patents, and they also incorporate (trade-)mark and design databases in this portal. Sometimes looking through this data will provide additional information on company affiliations or indications on upcoming products.

Let me give you a brief theoretical example. Your client has asked you to perform a pre-employment screening on the potential new head of research and development. Her CV does not show anything unusual, no past links to current competitors are noted here and the interview went quite well. When asked about any links to the competition, she denied having any. Using the WIPO database, an old patent is found in which she is mentioned as co-inventor together with a man that went on and founded a rival company in which he is still acting CEO. Whether or not any ties between the two still exist, is definitely something that should be discussed. This is just one example of how the WIPO portal can be used. Other areas are due diligence checks, business intelligence or competitive intelligence and even reverse image searching company logos.

Searching within the patent database Patentscope is quite simple. Once on the main page patentscope.wipo.int, you can query your search term worldwide. This could be the name of an individual, a company name or a specific product or keyword. The search allows Boolean operators such as “AND”, “OR” and quotation marks, just like you would use them in Google. Furthermore, the drop-down menu on the left allows you to choose the field in which your query is to be performed.

I decided to see which patents contain “OSINT”. As a result, OSINT is found in 77 entries. The list of results can sorted in various ways and foreign language content can be translated automatically (I’ll show that later).

Browsing through the results, I found a patent that looked quite interesting. A company named VERINT Systems Ltd. filed a patent to use social network analysis for target profiling. Maybe I can learn something from this patent. Clicking on the patent number will lead to the details of this filing.

We can see that this patent was applied for in Israel on 31.10.2011 (Application Date). By clicking on the tabs below the headline, you can access the description of the patent, the claims (what can this do?), any drawings that were filed with it and in some cases the original documents can be downloaded. VERINT Systems Ltd. is an American company founded by a former Israeli intelligence officer. Most of VERINT’s staff is working in Israel. That’s likely why this patent was registered in Israel. Had I not known that VERINT had Israeli roots, this patent could have been a starting point for further research into why the company registered it in Israel first. Another reason, next to the fact that most of their personnel is stationed there, could be that Israel is a primary target market.

Next up, I looked up “VERINT Systems Ltd” to see all the patents the company had registered. Among these was also the one previously mentioned, which had now been filed in the US as well. Such patents will include additional data regarding the preceding or original patent they are based on. The data field “Priority Data” on the bottom left is hyperlinked to the Israeli patent shown above. Furthermore, this patent also includes the name of the inventor, which we could also query.

As I mentioned before, the database will translate content in foreign languages automatically and allows you to choose which translation service you would like to use. This VERINT patent was filed in South Korea. By clicking on “Machine Translation” on top right, we can have this content translated. I picked Google translate in this case.

As you can see, using Patentscope could help you find out more about a company’s past and future activities, help you find people linked to the company and provide leads regarding their main area of operations. This database is basically a meta search engine, so always make sure to check to national patent registries too, as these might have current data that hasn’t been ingested into Patentscope yet. Researching patents is not all that can be done on this site. As mentioned in the first paragraph, (trade-)marks and designs can also be queried. For this, you have to click on the menu button in the top left corner and then navigate to “MARKS” or “DESIGNS”. Under “MARKS” use the “Global Brand Database”, under “DESIGNS” go to “Global Designs Database”.

The search for trademarks is quite easy. In the left tab (SEARCH BY), you can add filters to your query. I decided to search for an organization named UNITER that is (was) located in Germany. Underneath the SEARCH BY box, you’ll see the current query you have built. This system allows you to build very complex queries.

However, my favorite part is the integrated reverse image search. This can be found in the right tab (FILTER BY) under images.

You can upload an image here and adjust your search using “Pick a strategy” and “Pick an image type”. Hovering your mouse over the options will give you a brief description of what they do. I’ve uploaded an image and picked the “concept” strategy, as well as “nonverbal” image type (which means there is no text in my image).

I downloaded this image from the UNITER Facebook page. The first result is a perfect match. The image was registered by an organization in Switzerland. Those of you who know more about UNITER will understand why.

To sum it up, the WIPO database offers a lot of useful features for OSINTers, providing leads on individuals, companies, technologies and even a very powerful reverse image search for logos. I’m gonna go back to all the patents regarding OSINT, WEBINT and intelligence in general and start combing through them. Another case of OSINT on OSINT…

MW-OSINT / 03.05.2020

Be careful what you OSINT with

There are lots of neat OSINT platforms out there to make your life easier. But how many of you vet the software before using it? Not every platform should be entrusted with sensitive data as this case reveals.

In January 2019 I was tagged on Twitter, asking for my input on an OSINT platform named Lampyre. Before I use any type of software, I try to vet it as good as possible. This includes OSINT research on the company, asking tech-savy people I know for their opinion and ultimately reaching out to the company itself. No one had really heard of the software at that time, no one was using it, and I couldn’t really find much background information online. I ended up contacting Lampyre and asking them where they came from, what their background was and a couple of other questions. Unfortunately, they only sent evasive answers. They wouldn’t even tell me which country they were based in. I tried the software on one of my VMs and tested it with fake or non-relevant data. To be honest, I did like what I saw, but I decided not to use it operationally. As time passed, I noticed that many OSINTers started using the software and decided to have another look into the company and people behind it. It turns out, I was right not to use this platform. Lampyre isn’t who they claim they are. I teamed up with several helpful elves (to be honest, they did most of the work) and we found some pretty disturbing information.

Lampyre is apparently made by a company in Budapest (Hungary) called Data Tower. The company itself was registered in February 2019 and the CEO and sole shareholder is Laszlo Schmidt. The original address used to register the company leads to a law firm and the phone number that Data Tower provides belongs to another law firm in which Laszslo Schmidt is working as a lawyer. This information points to the fact that Data Tower is merely a shell company. So, how do you we get to the people behind Lampyre?

Looking into their online presence doesn’t lead to any notable individuals either. Some of the names used, such as John Galt, are most likely pseudonyms or fake accounts. Since searching for people didn’t provide any leads, we decided to look into the traffic that Lampyre sends to its back end in each query. The queries contain a brief description on what is requested and apparently the local language used by the developers is Russian, as each description is written not only in English but also in Russian.

Why should a company based in Hungary use Russian as their local language setting? Of course, the developers could be Russians working in Budapest, but again something just doesn’t seem right here: an organization that shows signs of being a shell company, the lack of transparency when directly confronted and now indications that point towards Russia. Decompiling the software showed further Russian language embedded in the code:

While this was being done, more OSINT research revealed a person named Andrey Skhomenko. This guy posted Python modules for Lampyre on Github and knew about the product in March 2018, way before it was released to public in October 2018. Andrey is based in Moscow and used to have a LinkedIn profile as well (which has been deleted in the meantime).

According to his LinkedIn, Andrey worked for the Russian Federal Security Service (also known as FSB) in the past and is now working for a company called Norsi-Trans. Norsi-Trans produces SIGINT and lawful interception equipment and software for the Russian government. It turns out that Norsi Trans also sells an OSINT platform called Vitok-ROI (or Vitok-OSINT).

The overall look of this platform reminded me of something I had seen before. Oh, that’s right! Both Lampyre and Vitok-OSINT have that Win95/Win98 appearance, not only in the network visualization, but also the software itself.

So far, this was just a gut feeling. Could anymore evidence be found that would link these two products and thus Norsi Trans and Data Tower? You bet? We pulled the certificates used by Lampyre and saw that they were registered in Russia and even more compelling: one of the certificates made a direct reference to Vitok.

This was the final nail in the coffin. Lampyre and Norsi Trans are in fact connected! While there is still plenty to be discovered, I think we have proof that Lampyre and Data Tower are not fully honest. And as everything you query in Lampyre is probably sent to Russian servers, I am happy I decided not to use this tool in my private and professional investigations. After all, Russia mandates decryption for domestic services.

Maybe Lampyre is Norsi Trans’ attempt to sell their software in the western world, maybe it is a rogue operation by a Norsi Trans employee (or a few). Although, I personally have doubts about that second theory. The software is quite powerful and receives regular updates. To create something like this, you’d surely need more than one person and having a rogue team within a company try to pull this off would surely not go unnoticed. What I find most interesting, is the fact that Andrey stated he had worked for the FSB. To put it in the words of one of my former colleagues: You don’t leave Russian intelligence services, you just change your cover and continue working for them.

MW-OSINT / 23.03.2020

Using the Microsoft Video Indexer for OSINT

Working on a case in which you have to go through loads of videos? Wouldn’t it be awesome to just download the videos and have them automatically transcribed and indexed?

Imagine you are following a current event that is topic of multiple videos throughout the internet. In some cases, you might not have the time to watch each and every video yourself. Wouldn’t it be great to download all these videos into one database and have them indexed by spoken content, topics and even people that appear in the videos? And wouldn’t it be even better to be able to search for specific content in those indexed videos?

These features, and many more, are part of the tool-set that the Microsoft Video Indexer offers. Microsoft allows a trial account on this platform and it enables you to login with various different account types, among them also Gmail. Let me point out some aspects of this platform, that might be useful during OSINT investigations.

Let’s go back to August 2019. The G7 summit is taking place in France and we’re interested collecting information on this topic. This summit is all over social media and there is also quite some press reporting on it. We download videos from sources like Youtube. For this we can use Y2Mate. Either by copying the Youtube link to their website or by adding ‘pp’ to the original Youtube-URL as shown below. This will automatically redirect you to the site.

Remember, that we’re not just limited to Youtube videos. We can upload Youtube videos and any other video to the Video Indexer. It’s pretty self-explanatory, the only thing to be aware of is the video language. The default value is English. If working with videos in another language, I would advise manually adjusting the input language. I have come across issues when uploading longer videos. In case you come across problems here, trying splitting the videos.

Once the video is uploaded, it will be indexed by the platform and this is where the magic happens. Here are some of the features that are included in this process:

Facial recognition
Full transcript of the audio, including translations
Topic detection
Item/setting detection
Sentiment detection

Let’s have a look at one of the videos I uploaded:

The panel on the right has two tabs: insights and timeline. Under insights you will find an overview of individuals that were identified in the video and also recognized by the underlining facial recognition software. As you can see, a guy named Stefan de Vries was recognized and the bar below shows the sections in which he appears in the video (highlighted in black). It also links to Bing search results of this person. If a person is not recognized and indexed automatically, you can manually edit this.

Unknown #12 is in fact Angela Merkel. By clicking on the edit button on the top right, we can change the name. By giving the people the same name, they will be automatically merged. The following two insight categories index general topics discussed in the video and also label the scenes by what can be seen. Marking a topic or label will show the section in which this appears in the video. Clicking on that highlighted section will jump forward to that specific part in the video, which is always displayed on the left. Keep in mind, that these results are not always plausible. In my video, a scene showing Donald Trump starting to speak was labeled as toiletry (although some people consider him to be a douche).

Next up, named entities are extracted and the sentiment is evaluated. I assume the sentiment evaluation is based on the words used. Words such as good, great and awesome will likely lead to a positive sentiment rating. Remember that these words are not always used in the proper context by the speaker, so I usually ignore this feature.

Most of the data shown in the insight tab is based off the speaker transcription, which is displayed in the timeline tab. Although it works pretty well, you might need to manually edit some of the data. In this final sentence shown here, I manually edited something.: instead of “my Chrome”, the speaker said “Macron”.

Looking into a video in a foreign language? In this case you can use the translate function to make it (kind of) readable. Just click on the world icon and choose the output language and the complete text will be translated.

So, we’ve uploaded a few videos, manually edited a few things and now have a fully indexed database of videos to run queries on. Going back to the main page of your profile, you will be able to search for anything that has been indexed: text, keywords, people and labels.

Searching for “Trump” will display the search results and categorize them by result types, as they are listed above the search results. This is just an excerpt of all the results, but you can see that a person, spoken text, a named entity and even written text were found. Written text? That’s one point I almost forgot. The Video Indexer also OCRs written text in videos.

That was just a brief overview of the possibilities of Microsoft’s Video Indexer. I think it can be useful for some OSINT investigations and if you really think about using this more intensely, you might want to consider upgrading to a paid account.

I was actually thinking about uploading talks from conferences, so I could create a database in which I could query specific OSINT topics without having to watch the complete videos. A TL;DR for videos 😊

MW-OSINT / 08.03.2020

How to Troll a Nigerian Prince

Have you ever received an email from a Nigerian prince? Why not answer for a change and see how things unfold.

Inside an Advance Payment Scam

Boy, am I lucky. Steven Richards, a regional director for the UBS bank just informed me that I am entitled to over 16 million pounds. Steven sent me the information in German from a Hotmail account, as he explained that he was doing this without the knowledge of his employer. It turns out that I am the last of kin of a UBS customer who recently died with his entire family. At first, I was devastated. Losing relatives is always hard and I didn’t even know them. After a brief phase of grief, I decided to claim my inheritance and answer to Steven. Of course, we all know that none of what is stated before is true. It is part of an advance payment scam. I decided to play along and see how far I can get in this scam.

I knew at some point I would have to present identification, so I googled pictures of German IDs until I found a picture that might do the job. Around this ID, I created a fake persona: Thomas, a 65 year old retiree that speaks very bad English. I created a new Protonmail account bearing his name and replied to Steven in German. Not even an hour later did I receive the answer, even though he obviously never sent an email to this account. This time the email was in English. As my alter ego Thomas didn’t understand much of what was written, he decided to call Steven (Steven provided a phone number in the initial email). The phone number was a virtual phone number registered in the UK. This was start of many interesting conversations between my fake persona and the scammer known as Steven. For starters, Steven didn’t sound British at all. He had a thick central or western African accent. I gave Thomas a thick German accent and Steven took the bait. Steven explained that I would need to send a letter to UBS making my claim to the 16 million pounds. While we were still on the phone, Steven sent me a pre-drafted letter that I only needed to sign and send to an UBS email-address he provided as well. I found a signature from the person I modeled my fake persona after on Google, “signed” the letter and sent it. Needless to say, the email address wasn’t really one belonging to UBS.

Afterwards, I called Steven again just to make sure I was doing things right. He told me that I should forward him all emails coming from the bank, so he could process them and give me further instructions. Immediately after our conversation, I received a reply from UBS. Almost, as if Steven had sent it himself 😉

I forwarded this document to Steven and he said he would take care of the first three things on the list, while I was to provide him with my banking details and a copy of my ID. I was also asked to pay about 60,000 pounds to Steven and his lawyer, so they could prepare the death certificate, will and affidavit that I obviously didn’t have. I sent him bank account details for an account that is used in another scam (fake invoices) and a copy of the ID I had based my fake persona on.

By the way: Google could have warned Steven that something wasn’t right with Thomas…

In the next phone call, I told Steven that the money I had wasn’t on my account since it was dirty money. I had obtained it through tax fraud. Clearly, Steven wasn’t amused about this and we had several phone calls and emails regarding the topic.

Eventually, he accepted this money and I told him I could go to the bank and try to transfer the money. For this, he requested a payment receipt as proof that I had sent the money. Steven called multiple times to make sure I was going to the bank. As with the ID card I googled and all the other fake documents I sent Steven, I quickly made a fake payment receipt without putting too much effort into it. To be honest, I was surprised that Steven was still taking me serious after all the obviously fake information I sent him. He didn’t seem to be the smartest person.

Upon sending the fake payment receipt, I called and told him that I could only transfer 10,000 Euros a day and that I would have to go back the next to transfer another batch. Steven seemed very satisfied and called back the following day, asking if I had already made it to the bank again. Again, he showed no signs of suspicion and was eager to receive the money.

Payback Time

So far, I played along and made the scammer think he was receiving money. During this, I unraveled additional email addresses, the bank account he used and received copies of the documents he created for this scam. Steven was happy as can be, assuming lots of money would soon end up on his bank account. It was time to give Steven a little something to think about.

While my alter ego, Thomas, was supposedly on the way to the bank to transfer the next batch of money, I used Emkei’s Fake Mailer to send Steven a fake email from Interpol.

One hour later, I called Steven again. This time posing as a special agent working for Interpol. I told him that Thomas was arrested upon trying to transfer money to a bank account that was linked to African terror groups such as Boko Harram. I could clearly hear the fear in his voice and he demanded to speak to Thomas.

In the next phone call, I switched between fake personas (special agent John and Thomas) and made Steven believe that Thomas had been arrested while visiting the bank a second time. To make things more believable, I used various different background sounds (thanks to Youtube) during all these conversations. Thomas was also crying on the phone when speaking to Steven. All of this really freaked Steven out and he denied having anything to do with this. Eventually he stopped answering phone calls, but he did still answer to emails sent to him. I was having so much fun, I pushed it a little bit to far. However, I finally got to use a phrase I’ve been waiting to use for a long time.

Aftermath

After a while, Steven wouldn’t reply to emails any more. Two days later, I wanted to log on to the Protonmail account I used in the case to go through the mails again before writing this blog article. It turns out my account had been suspended for apperently being part of an advance-fee scam. According to the Protonmail team, someone reported my account and provided them with messages as evidence (since Protonmail can’t see the content of emails).

To be honest, I find this hard to believe. The person that was so stupid and was fooled with cheap photoshopped images, an outrageous story and multiple fake personas (that all sounded alike), then reported my account to Protonmail and provided evidence? To me, it looks like something else triggered this…are we really sure Protonmail can’t read the content?

In any case, I sure did have fun trolling a scammer and while doing so, I did many others a great favor. Spending time interacting with me left less time for Steven to interact with people that might have actually fallen for this scam. And, it sure is a nice story to tell!

MW-OSINT / 26.01.2020