Where is Leonardo’s Car – Using OSINT to trace vehicles

I love cars and I love OSINT. Sometimes I get to combine these passions. Not only for work, but also in little exercises that help sharpen my research skills.

A while back I posted a blog about using car spotting sites to find and track vehicles. The sites I discussed in that article where only the tip of the iceberg when it comes to finding information about specific vehicles online. Today, I want to walk you through other means of finding cars using unique identifiers such as license plates or VINs (vehicle identification numbers). There’s nothing fancy about what I’m going to show here. I’ll just follow the digital breadcrumbs using simple OSINT techniques.

For some reason I stumbled upon a Youtube video showing an Italian soccer player’s Ferrari. We’ve all been down that rabbit hole before. You start watching Youtube videos about cooking and end up somewhere completely different. Oh, the joys of the internet…

This video had a visible license plate and I was curious to see other places the car was spotted. My usual car spotter websites actually came up empty handed, no matter how I tried to enter the license plate number. So I took my search back to Google. Search engines actually OCR some of the images they index, so I entered the plate number and instantly received some results:

Next to the Youtube video that got me started, I found a blog in which the author posted multiple pictures of the car I was looking for. The plate number wasn’t listed anywhere as text on the website (checked through the developer tools as well: nothing came up), so Google must have OCRed it. Thumbs up to Google for this!

But wait, it gets even better. Google is not the only platform to OCR images, Facebook does so as well. So, I decided to take my search to Facebook and see if I could find further images of the vehicle there. Using the standard Facebook search, I entered the plate number. Keep in mind, throughout each search you might have to use different variations, adding spaces between characters or writing everything together.

The picture results are shown right away, as I have a direct hit in this query. Sometimes the picture results will not be shown in your main search results and you may have to click on the tab to the left to get to the image filter. Some guy on Facebook posted the Ferrari as his profile pic in April this year and this picture looks like it had the car at a repair shop or possibly a dealer.

Now, if this theory was right, the vehicle might not even belong to Leonardo Bonucci anymore. I could go looking for sales ads for such a vehicle and hope to find it. A lot of this would just be Googling and browsing through sales sites and would require a lot of tenacity and also a little bit of luck. Although, I still have an ace up my sleeve when it comes to Italian vehicles. This ace would allow me to find out more details on the Ferrari I was searching for.

I have a little app on my phone called iTarga. With this app, I can enter any Italian license plate and will receive further information on the vehicle. Here in Italy, vehicles are assigned license plates for life. Even if the car is sold, it keeps the plate numbers. Let’s see what iTarga tells me about Leonardo Bonucci’s Ferrari.

First date of registration, a VIN, insurance information (including insurance company and policy number) and the residence of the owner are among the things that can be found in the app. In our case, no insurance is listed. It is likely that the vehicle is not insured at the moment, adding to my suspicion that it is/was for sale. The owner’s residence is Milan, which happens to be the city Bonucci played in at the time most of the previously seen images were taken (he’s moved on to Juventus Turin now). These details give me further pivot points for my search. I could narrow down the results of sales ads to 2013 models and look in and around Milan or Turin (assuming it would be sold there). Or I could just simply Google the VIN.

Et voilà, I do receive results for sales ads. However, the vehicle offered here is a red Ferrari. I thought I was looking for a black one. And nowhere on the website can I find the VIN. See, zero results:

Yet again, a simple OSINT technique will help clear this up. Looking into the developer tools will enable you to search within parts of the website that aren’t directly visible to users. When checking the VIN there, I found that all uploaded images actually have the VIN in the file name.

Not only that, the URL also contains the VIN:

A little more research and everything makes sense. Bonucci originally drove the red Ferrari and had it wrapped in black foil. For the current sale, the black foil was apparently taken off again.

While this example utilized an Italian app, there are many similar sites for countries throughout the world (except in Germany…). The lesson to be learned here is to follow the digital bread crumbs. Sometimes seemingly simple OSINT techniques will lead you to your goal if you know how to combine them. And now you get an idea of how I spend my time when sitting in the passenger seat while my wife is driving. Googling license plates, checking car spotting sites and tracking the history of random exotic cars I see.

Matthias Wilson / 16.10.2020

Social Media around the World

When most people speak of social media, the have the ‘Big 3’ in mind: Facebook, Instagram & Twitter. But social media is so much more than just these three platforms, especially when it comes to OSINT on intelligence targets that don’t speak English.

In OSINT investigations we often end up scavenging social media to find information on our intelligence targets. Who are they connected to? Where have they been? What are their interests? These and many more questions can be answered by having a look a person’s profile. However, social media is constantly evolving and platforms that were relevant yesterday may not be relevant tomorrow. When I ask my daughter about Facebook, she says: “Facebook is for old people”. Thus, she does not have an account there. You would most likely find her dancing in TikTok videos, as with many other Generation Z youths. So age clearly defines which social media platforms are used. Another defining factor is the cultural background someone has. Maybe Facebook was never that big in that person’s country. The following graphic shows the evolution of social media worldwide and how Facebook became the most used platform. However, in some countries other platforms still have the upper hand and not all ‘legacy’ platforms overtaken by Facebook have been shut down. In this article I would like to give a brief overview of some of the lesser known platforms that may be useful for OSINT investigations.

VKontakte & Odnoklassniki

If your intelligence target is from a Russian-speaking country or has a Russian cultural background (or is a right-wing idiot that thinks he is being censored on Facebook), chances are high you might find this person on one of the Russian Facebook clones. The platforms VKontake (‘in contact’) and Odnoklassniki (‘classmates’) are very similar to Facebook when it comes to the functionality offered and the basic OSINT research techniques that can be applied here.

Above you can see a VKontakte profile. A profile picture, some more detailed information including a birthdate and current residence city, a friend list as well as posts and pictures. Pretty much what you can find on an average Facebook profile. As with other social media platforms, a user can choose to alter the privacy settings to hide information, so some profiles may not have an open friend list or may not share all posts with the overall public. An interesting feature on VKontakte is in the top right of the image: information when the profile was last active. In OSINT this is really helpful to figure out if a user is still active on the platform, even if no current content is posted. In many cases this last activity will lead back to the use of VKontakte as a messenger. People might not post content anymore, but will stay В Контакте (in contact) with others through this platform. The search functionality of VKontake is in some ways superior to what we now have on Facebook. At the top of the page is a search box. Filling in a search term here will enable us to browse through different categories of results and narrow these down by adding additional filters.

As you can see, you can filter people by age range, birth date information and even their views on smoking an alcohol. Posts can be sorted by the number of likes or the mentioning of specific links. All in all, there are some pretty neat filters in here.

Odnoklassniki is very similar, having friend lists, a date of birth on most profiles and information when the user was last active. The good thing with both VKontakte and Odnoklassniki, is that they accept multiple language settings, so you can use the platform in English and also a couple of other languages. If you search for names in Latin script, it will also show you corresponding results in Cyrillic script.

The last activity is right underneath the profile name and the searches in Odnoklassniki offer filters just like in VKontakte. They even allow users to add holiday destinations, which are also a filter criteria.

As I mentioned, this article is just a quick overview of some foreign social media platforms. There lots of other cool OSINT techniques that can help research here, including third-party sites to search by profile pics or sites that help with geo-referenced searches. But let’s leave that for future blog posts. Another example I want to show is very popular in the Persian-speaking community.

Facenama

Facenama is a big social media platform mainly used in Iran. At quick glance on SimilarWeb shows that this site is also accessed from other countries, as there are Iranian communities throughout the world.

Facenama looks very much like Facebook. Even the coloring scheme is identical (to the old Facebook UI).

Unfortunately, there is no way to change the language settings, but luckily the Google translate browser extension works quite well here.

The search bar in the top right of the page will enable you to search for user profiles. Just remember that the default language is Farsi, so most profiles will be in Arabic script (including profile names) and typing will occur from right to left.

The profiles will have the same type of information we have seen in the Russian sites: date of birth, friends, posts and much more (if these aren’t hidden due to privacy settings). Remember that dates will be shown in Persian, so you’ll probably have to use a calendar converter to make sense of these dates.

I could go on for hours listing and showing social media platforms: Gab for right wing nut jobs, Stayfriends for old German people, NK for Polish people and don’t even get me started on Chinese social media. The bottom line is, that there is more out there than just the ‘Big 3’ (Facebook, Instagram, Twitter). Before you start investigating someone, you should figure out where you might find these people online. Their age, culture, language, country of origin and personal taste will affect their choice of which web platforms they use and these might not always be in English. So, in the ongoing discussion of what I would like to get better at in OSINT, I didn’t choose to learn programming languages such as Python to automate tasks. I’d rather get a better grasp of languages (Arabic, Farsi, Russian, etc.) in general and master tools that help translate to help bolster by research efforts.

Matthias Wilson / 04.10.2020

Social media is dead, long live social media!

Is your intelligence target under 25 and not on Facebook? You might want to check the social media that kids nowadays are actually using!

My daughter always says: “Dad, Facebook is for old people!” It’s true, I’ve noticed that many people under the age of 25 aren’t on ‘traditional’ social media anymore. They are not on Facebook and they may give a confused look if confront them MySpace, GooglePlus or walkmans.

So, how and where do you find Generation Z on social media. Clearly, they still feel the urge to express themselves on the internet and they’re still out there, but mostly not with their real names. This makes OSINT much more challenging. On Facebook we could search for real names, we could search by phone number and in some cases we could find people through email addresses. Some of these techniques work on other social media platforms, some won’t. In any case, if you find a profile linked to one of your targets, you might come across further social media profiles that your intelligence target has backlinked on the one you have found.

I’ve noticed that many young people use TikTok, an app designer to share short music videos. It contains likes, friends and comments, similar to what we know from ‘traditional’ social media. Luckily, the TikTok app allows you to find profiles linked to phone numbers. For this, you need to install the app either on your burner phone or in an AndroidVM, then go to the profile page and tap the ‘add contact’ button on the top left. The red dot indicates that new contacts have been found.

1

Next up, choose the option in the middle, stating that would like to find contacts from your phone book. This of course means you have to add the phone numbers of your intelligence targets to the phone book first and give TikTok access to it.

2

Tapping ‘find contacts’ will show the amount of phone numbers that are linked to  TikTok accounts and it also gives you the choice to follow them. It looks like some of my contacts are actually using TikTok.

3.png

If you have a nickname, even one derived from other platforms, these can be looked up in the app itself too. TikTok will only allow you to search for the beginning of the nickname and not for parts in the middle or last portion of the name. In the following screenshot I looked for nicknames containing ‘James’ and I was only shown names starting with ‘James’. The reason this is relevant, is that I have often found TikTok accounts to use prefixes or suffixes on their regular nicknames. So instead of just ‘James’, you might find the user as ‘xyz.james’ or ‘james.1982’.                                       4.png

However, there is a workaround for this. Just like with Instagram, there are many sites that scrape TikTok and display the accounts and in many cases the content as well. One of the ones I like to use is PlayTik. PlayTik allows you to search for hashtags and accounts. Let’s find an account that somehow uses ‘f1nd1ng’ in the nickname.

6

There we go, two accounts containing the searchterm. Now you can have a look at the profile and check out any videos this profile has uploaded (and publically disclosed). It looks like this particular profile also links to further social media and websites, like I had mentioned before. Plus, the profile contains a video. Feel free to watch it!

7.png

Facebook may be fading (soon), but others platforms will replace it. Thus: Social media is dead, long live social media! The new platforms are not just for young people, so go and try them out (research them) yourselves!

Matthias Wilson / 13.09.2019

 

Building a Hells Angels Database with Hunchly

Today I will teach you about Hells Angels and Hunchly and how one of these two is useful when looking into the other.

In the past year, I have worked two cases in which I stumbled upon links to Hells Angels while investigating individuals. I was surprised how much information people affiliated with this group shared publically on Facebook and other social media sites. Whether they were just supporters or full members, it became quite clear that they did not care about data privacy. Most profiles had open friend lists, some of them displaying thousands of friends. Hells Angels affiliates are not hard to find. You will likely stumble across one of the following acronyms and/or terms on their profiles: AFFA (Angels forever, forever angels), HAMC (Hells Angels Motorcycle Club), Support 81 (8 = H, 1 = A), SYL81 (Support your local Hells Angels), Eightyone.

There are a couple more, but this article is not about the Hells Angels per se. Since these individuals have so much open information on Facebook, their profiles are the perfect playground to try out Michael Bazzel’s Facebook tool on IntelTechniques.

I had just finished working on the first case and subsequently erased all the data linked to that case, when a second case soon revealed links to Hells Angels as well. If only I had saved some data from my first case. I roughly knew where I could start off, but most of this knowledge came off the top of my head and was sketchy. Before I started the second investigation, I made sure I wouldn’t make the same mistake again and decided to use Hunchly to save my findings. That way, if a third case with the same links should ever occur, I will have a great starting point. For those of you who do not know, Hunchly is a web capture tool. It automatically collects and documents every web page you visit. The best part is that it indexes everything, so you can search within the data afterwards. Using this amazing tool allowed me to create a fully searchable Hells Angels database!

First off, I created a new casefile and then let Hunchly collect Facebook friends lists of people affiliated with my target or any Hells Angels in the area my target originated from. As some of the profiles had thousands of friends, I used a little Chrome extension (Simple Auto Scroll) to automatically scroll down friends lists, so they would be captured in whole. Whenever I looked at profiles and found information that could not be automatically indexed, I would take notes in Hunchly or tag (caption) pictures. I have learned that a lot of intelligence can be obtained by closely looking at pictures on social media. In the following example, one Hells Angels member had obscured the tags on his vest. Based on the information in his profile, it became clear that he must belong to the Aarhus chapter in Denmark. I tagged this picture, meaning it would pop up if I ever searched for “Aarhus” in Hunchly.

1

I ended up tagging all pictures that included chapter names, functions, nicknames or general indications on the location. If I am interested in finding the security chiefs and weapons masters, all I have to do now is search for “Sergeant at Arms” or known abbreviations. Looking for “arms” gives me several results in Hunchly.

2

The first two are displayed because I manually tagged these pictures and added a caption. The third result is from a webpage that Hunchly captured, in which the person actually listed “SGT At Arms” as his current occupation. Hunchly also allows you to refine searches. I can narrow these results down and, for example, only search for Sergeants at Arms in a specific chapter. Searching for “arms + sacramento” only reveals one result, which I had captioned with the information I saw in the picture. As you see, the picture is actually mirrored.

3

All collected data is saved offline. Should the online profile ever change, be locked down or deleted, I still have a version to work with. By using Hunchly and remembering to tag pictures with captions and also take notes on webpages, I have created a useful database on Hells Angels Facebook profiles. From here on, it is also always possible to go to the live versions of webpages, so any updates can also be captured within the same casefile.

If you are not using Hunchly yet, I suggest you have a look at it. The use case described above is just one of many. Furthermore, if you ever come across friendship requests from people named “AFFA” or “HAMC”, you might want to think twice before accepting them. Or else you might wind up in my Hells Angels database.

Matthias Wilson / 07.03.2019

Sieben Praxistipps für Jedermann

“Googeln können wir selbst!”. Diesen Satz hört man häufig, wenn man mit Kunden über OSINT-Recherchen spricht. Dass zu einer umfänglichen Recherche ein bisschen mehr als “googeln” gehört, wollen wir heute anhand einiger Beispiele aus dem Ermittleralltag darstellen.

  1. Pseudonyme in sozialen Netzwerken identifizieren

Immer mehr Personen nutzen in den sozialen Netzwerken Pseudonyme, so dass eine direkte Suche nach ihnen nicht möglich ist. Anstatt die Personen direkt zu identifizieren, hilft es häufig, die Zielperson indirekt über bekannte Familienangehörige oder Freunde zu recherchieren. Dazu versuche ich, eine befreundete Person mit offener Kontaktliste zu identifizieren, die ich dann nach der gesuchten Person durchsuche.

  1. Recherche in der Landessprache

Ermittler neigen dazu, nur in ihrer jeweiligen Muttersprache oder mit englischen Suchbegriffen zu recherchieren. Dies beschränkt das Suchergebnis erheblich. Wenn ich meine Recherche aber um Suchbegriffe in der jeweiligen Landessprache erweitere, kann ich meine Trefferanzahl um ein Vielfaches erhöhen. Sprachdefizite behebe ich mit diversen Übersetzungsprogrammen wie Google Translate und Co.

  1. Einsatz von OCR-Software

Häufig stoßen wir bei Recherchen auf Dokumente, die nicht durchsuchbar sind, weil sie beispielsweise eingescannt wurden. Insbesondere bei mehreren tausend Seiten kann dies sehr hinderlich sein. Dafür empfiehlt sich der Einsatz einer sogenannten OCR-Software (optical character recognition), die die Zeichen in dem Dokument erkennt und dieses in ein durchsuchbares Dokument umwandelt. Je besser die Qualität des Ausgangsdokumentes ist, desto besser ist auch das Ergebnis.

  1. E-Mail-Adressen über Passwortzurücksetzung bei sozialen Netzwerken recherchieren

Bei mehreren sozialen Netzwerken lassen sich über die Passwortzurücksetzungs-Funktion die E-Mail Adressen recherchieren, mit denen das jeweilige Profil angemeldet wurde. Dazu benötigt man lediglich den Benutzernamen. Teile der dann angezeigten E-Mail-Adresse werden zwar durch Sternchen weitgehend unkenntlich gemacht, dennoch lassen sich die E-Mail-Adressen meistens aus den erkennbaren Mustern rekonstruieren.

  1. Firmen-E-Mail-Adressen rekonstruieren

Fast jedes Unternehmen verfügt über eine Webseite mit entsprechender E-Mail-Systematik. Das am häufigsten genutzte Muster dürfte wohl vorname.nachname@domain.com sein. Bei Dienstleistern wie z.B. www.hunter.io lassen sich die Muster der E-Mail-Adressen zu den dazugehörigen Domains ganz einfach recherchieren. Kenne ich den Namen einer Person eines Unternehmens, sei es aus einem persönlichen Gespräch oder einer Recherche in sozialen Netzwerken, kann ich die E-Mail-Adresse nach der Firmensystematik mit hoher Trefferwahrscheinlichkeit rekonstruieren.

  1. WhatsApp Profilfoto

Im Rahmen von Recherchen stößt man häufig auf Nummern von Mobiltelefonen. Wenn man die Nummer in seinen Kontakten abspeichert, ist es ggf. möglich, bei WhatsApp das dazugehörige Profilfoto der Nummer zu sehen. Schon häufig konnten wir so weitere Erkenntnisse aus dem Foto ziehen.

  1. Geburtsdaten über Stayfriends recherchieren

Das Schulfreundenetzwerk www.stayfriends.de ist besonders in Deutschland bei den 30 –  60-jährigen populär. Wenn ein Profil zu einer Person vorhanden ist, ist es auch sehr wahrscheinlich, dass das Geburtsdatum hinterlegt wurde.

Ingmar Heinrich / 31.10.2018

I2PO: OSINT in Support of HUMINT Operations

In a previous post I explained a concept I named ‘Interdisciplinary Intelligence Preparation of Operations’ and how this could be used to support military operations.

This post will concentrate on the use of OSINT to prepare and monitor HUMINT operations. I will not distinguish between military intelligence HUMINT and sources used by law enforcement agencies or journalists. In both cases, getting access to a source and the preparatory work needed for this are quite similar. Each HUMINT operation starts with the identification and selection of a potential source, thus finding someone in vicinity of our actual intelligence target, who is able to consistently report key intelligence. In the past, even the acquisition of a source was accomplished by HUMINT means. A case officer heard or knew of someone who might have access to specific information and he then talked his way around to finally approach the potential source.

With more and more information being available online, especially through social networks, this approach can be done virtually in some cases. Scavenging Facebook, VKontakte, Instagram, but also LinkedIn and Xing can prove very valuable when searching for potential sources. Of course, this always depends on how outgoing a potential source is on the internet. Sometimes an approach solely through social media could be sufficient, at other times this will not produce any results at all.

The following diagram in theory depicts the steps for OSINT support to a HUMINT case. This scheme is roughly based on the general intelligence cycle with its different stages. We have planning & preparation, collection, processing and evaluation and lastly dissemination covered. In our case the information will be disseminated to the HUMINT operation, which itself will start the whole intelligence cycle over again.

HUMINT-OSINT-Intel-Cycle

For a better understanding, I have created a fictive case (well, some of it is true…). Let us assume we are part of police special commission in Hamburg focused on the Albanian mafia. The recent shooting of an Albanian national and member of the local Hells Angels, with ties to the Albanian mafia, caused an upstir among different mafia groups operating in the area. So far, no information has emerged on the background of the shooting and existing police sources struggle to provide any intelligence on this topic. The Key Intelligence Questions (KIQ) are ‘What are the current activities of the Albanian mafia in Hamburg?’ and ‘Are there signs of an uprising conflict between different mafia groups?’

Therefore, our special commission has decided to attempt to win additional sources within this network of mafia groups. The higher leadership in a mafia network will not easily cooperate, so someone on the perimeter, with insight into the core, has to be found. Instead of the traditional approach on the streets, we will use OSINT to pave the way ahead of any physical approach.

This leaves us with our initial intelligence objective: Recruiting a HUMINT source within this network to answer the KIQs. Before we start our hunt for sources there are a couple of things we need to know. Who are the key players, do they have nicknames? We should have in-depth knowledge about our targets, e.g. is there target-specific behavior or a specific language used? Having this information gives us a baseline, which we can use to start our OSINT research. Our first step is to identify the known key players and their online profiles. Luckily, most of them are active on Facebook and Instagram and they like showing off their flamboyant life style. Clubbing, exotic cars, girls and champagne seem to be a vital part of the thug life in Hamburg.

Hamburg-Network

This chart depicts the results of the OSINT research on the core network of Albanian mafia in Hamburg, as it is visible on Facebook and Instagram. Now that we have found our potential intelligence targets online, we can survey their activities and figure out who is linked to them. There are many people surrounding this core network, so how can we identify someone who might be worth recruiting as a HUMINT source?

While reading comments to the pictures that these guys post, we stumble upon an individual who constantly idolizes the mafia leadership and their henchman und who frequently asks when he will be a part of ‘the inner circle’. ‘Soon’ is the most common reply and over the course of time he seems to get annoyed. Furthermore, a quick check in police databases reveals that he was registered  on minor crimes and was not yet linked to the Albanian mafia. Let us draw a quick conclusion: We have a person with a criminal record, who has contact to senior leadership of the Albanian mafia and is increasingly aggravated on the fact that he is not fully accepted in the organization yet. That sounds like a promising HUMINT source to me!

Keep in mind that this whole procedure, especially the actual HUMINT work done afterwards, takes time. No quick success will come from this. Once we have acquired the source and he is reporting from within the network, our OSINT work does not stop. Now is the time to evaluate the HUMINT information with OSINT. As we have already seen, our targets are very active on social media and this also applies to our source. If our source tells us he had met with one of the bosses on a specific date or time, it could be validated through a Facebook or Instagram post.

One day our source tells us, that in the aftermath of the shooting, the Albanian mafia leadership had met with Chechen mafia leadership the previous evening. At first, this seems unbelievable, as we had assumed that these two groups were currently opposed to each other. One of the Albanian leaders posted about this the following day on Facebook:

Hamburg-Meeting

This picture not only shows the Captains of the Albanian mafia, but also senior leadership of the Chechen mafia and our HUMINT source. We now know the meeting took place and we have the statement of our source on the topics of the meeting. It is vital that the source does not know we are tracking him and others on social media. We would not want any of this to be staged to back his statements and purposely give us false leads.

This short and fictive case shows how to use OSINT to enable HUMINT and to support HUMINT while an operation is ongoing. Of course, these techniques could also be applied by military HUMINT as well as journalists, as long as the targets and the potential sources are able to be located online.

OSINT supporting HUMINT: Another example of ‘Interdisciplinary Intelligence Preparation of Operations’, I2PO in short.

Matthias Wilson / 03.09.2018

Finding Facebook Profiles through Phone Numbers

Although previously posted by me on another blog, I’ve decided to add it here as well.

Unfortunately Facebook has removed the feature to find other Facebook users by searching for their phone number directly in Facebook. However, you can still do it by using the Facebook Messenger app, provided the phone number is linked to a Facebook account.

If you’d like to do this on your PC or Laptop, you can use an Android emulation such as Bluestacks to get the Messenger app running. As the Messenger requires a phone number to register, feel free to use a burner phone or a website which enables you to receive free text messages (SMS) if you just want to try this out without linking it to any of your personal accounts.

The Messenger app does not require an existing Facebook account for login. (But we are pretty sure Facebook will create a ‚ghost account‘ for you.) Of course you’ll have to allow access to your contacts.

As soon as all of this is set up, just add the phone number you’re trying to look up to your contacts and the Messenger app will inform you if this number is linked to any Facebook account. It will even provide the Facebook profile picture, general information such as the person’s employer and location as well as the Facebook UserID (the name, not the number).

The following screenshot shows a typical result after adding a phone number to the Messenger (or to the contacts in your phone).

facebook

Voilá, the person you were looking for has a Facebook account!

Have fun trying this out.

Matthias Wilson / 14.08.2018