Social media is dead, long live social media!

Is your intelligence target under 25 and not on Facebook? You might want to check the social media that kids nowadays are actually using!

My daughter always says: “Dad, Facebook is for old people!” It’s true, I’ve noticed that many people under the age of 25 aren’t on ‘traditional’ social media anymore. They are not on Facebook and they may give a confused look if confront them MySpace, GooglePlus or walkmans.

So, how and where do you find Generation Z on social media. Clearly, they still feel the urge to express themselves on the internet and they’re still out there, but mostly not with their real names. This makes OSINT much more challenging. On Facebook we could search for real names, we could search by phone number and in some cases we could find people through email addresses. Some of these techniques work on other social media platforms, some won’t. In any case, if you find a profile linked to one of your targets, you might come across further social media profiles that your intelligence target has backlinked on the one you have found.

I’ve noticed that many young people use TikTok, an app designer to share short music videos. It contains likes, friends and comments, similar to what we know from ‘traditional’ social media. Luckily, the TikTok app allows you to find profiles linked to phone numbers. For this, you need to install the app either on your burner phone or in an AndroidVM, then go to the profile page and tap the ‘add contact’ button on the top left. The red dot indicates that new contacts have been found.


Next up, choose the option in the middle, stating that would like to find contacts from your phone book. This of course means you have to add the phone numbers of your intelligence targets to the phone book first and give TikTok access to it.


Tapping ‘find contacts’ will show the amount of phone numbers that are linked to  TikTok accounts and it also gives you the choice to follow them. It looks like some of my contacts are actually using TikTok.


If you have a nickname, even one derived from other platforms, these can be looked up in the app itself too. TikTok will only allow you to search for the beginning of the nickname and not for parts in the middle or last portion of the name. In the following screenshot I looked for nicknames containing ‘James’ and I was only shown names starting with ‘James’. The reason this is relevant, is that I have often found TikTok accounts to use prefixes or suffixes on their regular nicknames. So instead of just ‘James’, you might find the user as ‘xyz.james’ or ‘james.1982’.                                       4.png

However, there is a workaround for this. Just like with Instagram, there are many sites that scrape TikTok and display the accounts and in many cases the content as well. One of the ones I like to use is PlayTik. PlayTik allows you to search for hashtags and accounts. Let’s find an account that somehow uses ‘f1nd1ng’ in the nickname.


There we go, two accounts containing the searchterm. Now you can have a look at the profile and check out any videos this profile has uploaded (and publically disclosed). It looks like this particular profile also links to further social media and websites, like I had mentioned before. Plus, the profile contains a video. Feel free to watch it!


Facebook may be fading (soon), but others platforms will replace it. Thus: Social media is dead, long live social media! The new platforms are not just for young people, so go and try them out (research them) yourselves!

Matthias Wilson / 13.09.2019


Building a Hells Angels Database with Hunchly

Today I will teach you about Hells Angels and Hunchly and how one of these two is useful when looking into the other.

In the past year, I have worked two cases in which I stumbled upon links to Hells Angels while investigating individuals. I was surprised how much information people affiliated with this group shared publically on Facebook and other social media sites. Whether they were just supporters or full members, it became quite clear that they did not care about data privacy. Most profiles had open friend lists, some of them displaying thousands of friends. Hells Angels affiliates are not hard to find. You will likely stumble across one of the following acronyms and/or terms on their profiles: AFFA (Angels forever, forever angels), HAMC (Hells Angels Motorcycle Club), Support 81 (8 = H, 1 = A), SYL81 (Support your local Hells Angels), Eightyone.

There are a couple more, but this article is not about the Hells Angels per se. Since these individuals have so much open information on Facebook, their profiles are the perfect playground to try out Michael Bazzel’s Facebook tool on IntelTechniques.

I had just finished working on the first case and subsequently erased all the data linked to that case, when a second case soon revealed links to Hells Angels as well. If only I had saved some data from my first case. I roughly knew where I could start off, but most of this knowledge came off the top of my head and was sketchy. Before I started the second investigation, I made sure I wouldn’t make the same mistake again and decided to use Hunchly to save my findings. That way, if a third case with the same links should ever occur, I will have a great starting point. For those of you who do not know, Hunchly is a web capture tool. It automatically collects and documents every web page you visit. The best part is that it indexes everything, so you can search within the data afterwards. Using this amazing tool allowed me to create a fully searchable Hells Angels database!

First off, I created a new casefile and then let Hunchly collect Facebook friends lists of people affiliated with my target or any Hells Angels in the area my target originated from. As some of the profiles had thousands of friends, I used a little Chrome extension (Simple Auto Scroll) to automatically scroll down friends lists, so they would be captured in whole. Whenever I looked at profiles and found information that could not be automatically indexed, I would take notes in Hunchly or tag (caption) pictures. I have learned that a lot of intelligence can be obtained by closely looking at pictures on social media. In the following example, one Hells Angels member had obscured the tags on his vest. Based on the information in his profile, it became clear that he must belong to the Aarhus chapter in Denmark. I tagged this picture, meaning it would pop up if I ever searched for “Aarhus” in Hunchly.


I ended up tagging all pictures that included chapter names, functions, nicknames or general indications on the location. If I am interested in finding the security chiefs and weapons masters, all I have to do now is search for “Sergeant at Arms” or known abbreviations. Looking for “arms” gives me several results in Hunchly.


The first two are displayed because I manually tagged these pictures and added a caption. The third result is from a webpage that Hunchly captured, in which the person actually listed “SGT At Arms” as his current occupation. Hunchly also allows you to refine searches. I can narrow these results down and, for example, only search for Sergeants at Arms in a specific chapter. Searching for “arms + sacramento” only reveals one result, which I had captioned with the information I saw in the picture. As you see, the picture is actually mirrored.


All collected data is saved offline. Should the online profile ever change, be locked down or deleted, I still have a version to work with. By using Hunchly and remembering to tag pictures with captions and also take notes on webpages, I have created a useful database on Hells Angels Facebook profiles. From here on, it is also always possible to go to the live versions of webpages, so any updates can also be captured within the same casefile.

If you are not using Hunchly yet, I suggest you have a look at it. The use case described above is just one of many. Furthermore, if you ever come across friendship requests from people named “AFFA” or “HAMC”, you might want to think twice before accepting them. Or else you might wind up in my Hells Angels database.

Matthias Wilson / 07.03.2019

Sieben Praxistipps für Jedermann

“Googeln können wir selbst!”. Diesen Satz hört man häufig, wenn man mit Kunden über OSINT-Recherchen spricht. Dass zu einer umfänglichen Recherche ein bisschen mehr als “googeln” gehört, wollen wir heute anhand einiger Beispiele aus dem Ermittleralltag darstellen.

  1. Pseudonyme in sozialen Netzwerken identifizieren

Immer mehr Personen nutzen in den sozialen Netzwerken Pseudonyme, so dass eine direkte Suche nach ihnen nicht möglich ist. Anstatt die Personen direkt zu identifizieren, hilft es häufig, die Zielperson indirekt über bekannte Familienangehörige oder Freunde zu recherchieren. Dazu versuche ich, eine befreundete Person mit offener Kontaktliste zu identifizieren, die ich dann nach der gesuchten Person durchsuche.

  1. Recherche in der Landessprache

Ermittler neigen dazu, nur in ihrer jeweiligen Muttersprache oder mit englischen Suchbegriffen zu recherchieren. Dies beschränkt das Suchergebnis erheblich. Wenn ich meine Recherche aber um Suchbegriffe in der jeweiligen Landessprache erweitere, kann ich meine Trefferanzahl um ein Vielfaches erhöhen. Sprachdefizite behebe ich mit diversen Übersetzungsprogrammen wie Google Translate und Co.

  1. Einsatz von OCR-Software

Häufig stoßen wir bei Recherchen auf Dokumente, die nicht durchsuchbar sind, weil sie beispielsweise eingescannt wurden. Insbesondere bei mehreren tausend Seiten kann dies sehr hinderlich sein. Dafür empfiehlt sich der Einsatz einer sogenannten OCR-Software (optical character recognition), die die Zeichen in dem Dokument erkennt und dieses in ein durchsuchbares Dokument umwandelt. Je besser die Qualität des Ausgangsdokumentes ist, desto besser ist auch das Ergebnis.

  1. E-Mail-Adressen über Passwortzurücksetzung bei sozialen Netzwerken recherchieren

Bei mehreren sozialen Netzwerken lassen sich über die Passwortzurücksetzungs-Funktion die E-Mail Adressen recherchieren, mit denen das jeweilige Profil angemeldet wurde. Dazu benötigt man lediglich den Benutzernamen. Teile der dann angezeigten E-Mail-Adresse werden zwar durch Sternchen weitgehend unkenntlich gemacht, dennoch lassen sich die E-Mail-Adressen meistens aus den erkennbaren Mustern rekonstruieren.

  1. Firmen-E-Mail-Adressen rekonstruieren

Fast jedes Unternehmen verfügt über eine Webseite mit entsprechender E-Mail-Systematik. Das am häufigsten genutzte Muster dürfte wohl sein. Bei Dienstleistern wie z.B. lassen sich die Muster der E-Mail-Adressen zu den dazugehörigen Domains ganz einfach recherchieren. Kenne ich den Namen einer Person eines Unternehmens, sei es aus einem persönlichen Gespräch oder einer Recherche in sozialen Netzwerken, kann ich die E-Mail-Adresse nach der Firmensystematik mit hoher Trefferwahrscheinlichkeit rekonstruieren.

  1. WhatsApp Profilfoto

Im Rahmen von Recherchen stößt man häufig auf Nummern von Mobiltelefonen. Wenn man die Nummer in seinen Kontakten abspeichert, ist es ggf. möglich, bei WhatsApp das dazugehörige Profilfoto der Nummer zu sehen. Schon häufig konnten wir so weitere Erkenntnisse aus dem Foto ziehen.

  1. Geburtsdaten über Stayfriends recherchieren

Das Schulfreundenetzwerk ist besonders in Deutschland bei den 30 –  60-jährigen populär. Wenn ein Profil zu einer Person vorhanden ist, ist es auch sehr wahrscheinlich, dass das Geburtsdatum hinterlegt wurde.

Ingmar Heinrich / 31.10.2018

I2PO: OSINT in Support of HUMINT Operations

In a previous post I explained a concept I named ‘Interdisciplinary Intelligence Preparation of Operations’ and how this could be used to support military operations.

This post will concentrate on the use of OSINT to prepare and monitor HUMINT operations. I will not distinguish between military intelligence HUMINT and sources used by law enforcement agencies or journalists. In both cases, getting access to a source and the preparatory work needed for this are quite similar. Each HUMINT operation starts with the identification and selection of a potential source, thus finding someone in vicinity of our actual intelligence target, who is able to consistently report key intelligence. In the past, even the acquisition of a source was accomplished by HUMINT means. A case officer heard or knew of someone who might have access to specific information and he then talked his way around to finally approach the potential source.

With more and more information being available online, especially through social networks, this approach can be done virtually in some cases. Scavenging Facebook, VKontakte, Instagram, but also LinkedIn and Xing can prove very valuable when searching for potential sources. Of course, this always depends on how outgoing a potential source is on the internet. Sometimes an approach solely through social media could be sufficient, at other times this will not produce any results at all.

The following diagram in theory depicts the steps for OSINT support to a HUMINT case. This scheme is roughly based on the general intelligence cycle with its different stages. We have planning & preparation, collection, processing and evaluation and lastly dissemination covered. In our case the information will be disseminated to the HUMINT operation, which itself will start the whole intelligence cycle over again.


For a better understanding, I have created a fictive case (well, some of it is true…). Let us assume we are part of police special commission in Hamburg focused on the Albanian mafia. The recent shooting of an Albanian national and member of the local Hells Angels, with ties to the Albanian mafia, caused an upstir among different mafia groups operating in the area. So far, no information has emerged on the background of the shooting and existing police sources struggle to provide any intelligence on this topic. The Key Intelligence Questions (KIQ) are ‘What are the current activities of the Albanian mafia in Hamburg?’ and ‘Are there signs of an uprising conflict between different mafia groups?’

Therefore, our special commission has decided to attempt to win additional sources within this network of mafia groups. The higher leadership in a mafia network will not easily cooperate, so someone on the perimeter, with insight into the core, has to be found. Instead of the traditional approach on the streets, we will use OSINT to pave the way ahead of any physical approach.

This leaves us with our initial intelligence objective: Recruiting a HUMINT source within this network to answer the KIQs. Before we start our hunt for sources there are a couple of things we need to know. Who are the key players, do they have nicknames? We should have in-depth knowledge about our targets, e.g. is there target-specific behavior or a specific language used? Having this information gives us a baseline, which we can use to start our OSINT research. Our first step is to identify the known key players and their online profiles. Luckily, most of them are active on Facebook and Instagram and they like showing off their flamboyant life style. Clubbing, exotic cars, girls and champagne seem to be a vital part of the thug life in Hamburg.


This chart depicts the results of the OSINT research on the core network of Albanian mafia in Hamburg, as it is visible on Facebook and Instagram. Now that we have found our potential intelligence targets online, we can survey their activities and figure out who is linked to them. There are many people surrounding this core network, so how can we identify someone who might be worth recruiting as a HUMINT source?

While reading comments to the pictures that these guys post, we stumble upon an individual who constantly idolizes the mafia leadership and their henchman und who frequently asks when he will be a part of ‘the inner circle’. ‘Soon’ is the most common reply and over the course of time he seems to get annoyed. Furthermore, a quick check in police databases reveals that he was registered  on minor crimes and was not yet linked to the Albanian mafia. Let us draw a quick conclusion: We have a person with a criminal record, who has contact to senior leadership of the Albanian mafia and is increasingly aggravated on the fact that he is not fully accepted in the organization yet. That sounds like a promising HUMINT source to me!

Keep in mind that this whole procedure, especially the actual HUMINT work done afterwards, takes time. No quick success will come from this. Once we have acquired the source and he is reporting from within the network, our OSINT work does not stop. Now is the time to evaluate the HUMINT information with OSINT. As we have already seen, our targets are very active on social media and this also applies to our source. If our source tells us he had met with one of the bosses on a specific date or time, it could be validated through a Facebook or Instagram post.

One day our source tells us, that in the aftermath of the shooting, the Albanian mafia leadership had met with Chechen mafia leadership the previous evening. At first, this seems unbelievable, as we had assumed that these two groups were currently opposed to each other. One of the Albanian leaders posted about this the following day on Facebook:


This picture not only shows the Captains of the Albanian mafia, but also senior leadership of the Chechen mafia and our HUMINT source. We now know the meeting took place and we have the statement of our source on the topics of the meeting. It is vital that the source does not know we are tracking him and others on social media. We would not want any of this to be staged to back his statements and purposely give us false leads.

This short and fictive case shows how to use OSINT to enable HUMINT and to support HUMINT while an operation is ongoing. Of course, these techniques could also be applied by military HUMINT as well as journalists, as long as the targets and the potential sources are able to be located online.

OSINT supporting HUMINT: Another example of ‘Interdisciplinary Intelligence Preparation of Operations’, I2PO in short.

Matthias Wilson / 03.09.2018

Finding Facebook Profiles through Phone Numbers

Although previously posted by me on another blog, I’ve decided to add it here as well.

Unfortunately Facebook has removed the feature to find other Facebook users by searching for their phone number directly in Facebook. However, you can still do it by using the Facebook Messenger app, provided the phone number is linked to a Facebook account.

If you’d like to do this on your PC or Laptop, you can use an Android emulation such as Bluestacks to get the Messenger app running. As the Messenger requires a phone number to register, feel free to use a burner phone or a website which enables you to receive free text messages (SMS) if you just want to try this out without linking it to any of your personal accounts.

The Messenger app does not require an existing Facebook account for login. (But we are pretty sure Facebook will create a ‚ghost account‘ for you.) Of course you’ll have to allow access to your contacts.

As soon as all of this is set up, just add the phone number you’re trying to look up to your contacts and the Messenger app will inform you if this number is linked to any Facebook account. It will even provide the Facebook profile picture, general information such as the person’s employer and location as well as the Facebook UserID (the name, not the number).

The following screenshot shows a typical result after adding a phone number to the Messenger (or to the contacts in your phone).


Voilá, the person you were looking for has a Facebook account!

Have fun trying this out.

Matthias Wilson / 14.08.2018