Web Developer Tools – Key Findings

I love cars and I love OSINT. Sometimes I get to combine these passions. Not only for work, but also in little exercises that help sharpen my research skills.

A while back I posted a blog about using car spotting sites to find and track vehicles. The sites I discussed in that article where only the tip of the iceberg when it comes to finding information about specific vehicles online. Today, I want to walk you through other means of finding cars using unique identifiers such as license plates or VINs (vehicle identification numbers). There’s nothing fancy about what I’m going to show here. I’ll just follow the digital breadcrumbs using simple OSINT techniques.

For some reason I stumbled upon a Youtube video showing an Italian soccer player’s Ferrari. We’ve all been down that rabbit hole before. You start watching Youtube videos about cooking and end up somewhere completely different. Oh, the joys of the internet…

This video had a visible license plate and I was curious to see other places the car was spotted. My usual car spotter websites actually came up empty handed, no matter how I tried to enter the license plate number. So I took my search back to Google. Search engines actually OCR some of the images they index, so I entered the plate number and instantly received some results:

Next to the Youtube video that got me started, I found a blog in which the author posted multiple pictures of the car I was looking for. The plate number wasn’t listed anywhere as text on the website (checked through the developer tools as well: nothing came up), so Google must have OCRed it. Thumbs up to Google for this!

But wait, it gets even better. Google is not the only platform to OCR images, Facebook does so as well. So, I decided to take my search to Facebook and see if I could find further images of the vehicle there. Using the standard Facebook search, I entered the plate number. Keep in mind, throughout each search you might have to use different variations, adding spaces between characters or writing everything together.

The picture results are shown right away, as I have a direct hit in this query. Sometimes the picture results will not be shown in your main search results and you may have to click on the tab to the left to get to the image filter. Some guy on Facebook posted the Ferrari as his profile pic in April this year and this picture looks like it had the car at a repair shop or possibly a dealer.

Now, if this theory was right, the vehicle might not even belong to Leonardo Bonucci anymore. I could go looking for sales ads for such a vehicle and hope to find it. A lot of this would just be Googling and browsing through sales sites and would require a lot of tenacity and also a little bit of luck. Although, I still have an ace up my sleeve when it comes to Italian vehicles. This ace would allow me to find out more details on the Ferrari I was searching for.

I have a little app on my phone called iTarga. With this app, I can enter any Italian license plate and will receive further information on the vehicle. Here in Italy, vehicles are assigned license plates for life. Even if the car is sold, it keeps the plate numbers. Let’s see what iTarga tells me about Leonardo Bonucci’s Ferrari.

First date of registration, a VIN, insurance information (including insurance company and policy number) and the residence of the owner are among the things that can be found in the app. In our case, no insurance is listed. It is likely that the vehicle is not insured at the moment, adding to my suspicion that it is/was for sale. The owner’s residence is Milan, which happens to be the city Bonucci played in at the time most of the previously seen images were taken (he’s moved on to Juventus Turin now). These details give me further pivot points for my search. I could narrow down the results of sales ads to 2013 models and look in and around Milan or Turin (assuming it would be sold there). Or I could just simply Google the VIN.

Et voilà, I do receive results for sales ads. However, the vehicle offered here is a red Ferrari. I thought I was looking for a black one. And nowhere on the website can I find the VIN. See, zero results:

Yet again, a simple OSINT technique will help clear this up. Looking into the developer tools will enable you to search within parts of the website that aren’t directly visible to users. When checking the VIN there, I found that all uploaded images actually have the VIN in the file name.

Not only that, the URL also contains the VIN:

A little more research and everything makes sense. Bonucci originally drove the red Ferrari and had it wrapped in black foil. For the current sale, the black foil was apparently taken off again.

While this example utilized an Italian app, there are many similar sites for countries throughout the world (except in Germany…). The lesson to be learned here is to follow the digital bread crumbs. Sometimes seemingly simple OSINT techniques will lead you to your goal if you know how to combine them. And now you get an idea of how I spend my time when sitting in the passenger seat while my wife is driving. Googling license plates, checking car spotting sites and tracking the history of random exotic cars I see.

MW-OSINT / 16.10.2020

Ever wonder how to properly save a Google photo sphere image? Have you just been taking screenshots of them so far? Well, I have another solution for you.

During my investigations I often end up browsing through Google Maps and Google Street View. Besides the official imagery, Google allows users to upload their own 360° panoramic pictures, so-called photo spheres. These are georeferenced (most of the time) and can be found in the same way you access Street View. A while back I learned you didn’t have to pull the yellow dude onto the map and that you could just click on him. For more information on what you can do with Google Maps and where I actually learned the trick with the little yellow dude, just check out OSINT Techniques‘ great 10 Minute Tip on Youtube.

Now, lets assume we are looking into an area that doesn’t have proper Street View coverage. In this case I want to see if there any photo spheres in a small Syrian town just south of Idlib. I’m lucky and I can find three of them marked on the map.

By clicking on the sphere itself, it will open this individual image. Let’s click on the one furthest to the west (on the left).

Now I can change my point of view by pivoting the image and I can also see which user uploaded this image and when it was uploaded. So far, if I wanted to save a copy of this image I would take a screenshot (or rather multiple screenshots). However, there is way to gain access to the complete image and as a matter of fact to any image that is uploaded to Google Maps, including a larger version of the profile picture seen here.

For this, we need to open the developer tools in our browser. While it could also be done in Chrome or Chromium-based browsers, I prefer using the developer tools in Firefox. Just press Ctrl+Shift+C to access the developer console or you can access it from the Firefox menu (Web Developer/Inspector). It will then look like this:

I have the console located in the bottom half of the screen, the default value usually opens it on the right side of the screen. I’m not going to go into details on all the functionalities of this console, for more information check out Webbreacher‘s 10 Minute Tip on Youtube. I want to direct your attention to the network panel. Clicking on the network panel will show you all the queries performed when you access the page you are viewing. As you can see, Google loads several JPG files for the image displayed above.

Rather than viewing all the traffic, we could also drill down to just images. But again, watch Webbreacher’s video for more details on what can be done with web developer tools. I said Google was loading several JPGs; actually Google is just loading one JPG but defines what we see by subdividing the JPG into different sections. Each section is defined by basic coordinates, depending on where in the overall image this pic is located. By hovering the mouse over the entries, you can see which section it relates to.

Here we can see a 512×512 pixel excerpt of a larger image. The coordinates show where the section is located horizontally in the image (x-axis) vertically (y-axis) and how far we have zoomed in (z-axis/value). As you can see, hovering over the entry will also display the link to the image. By clicking on this network event, we can see further details in a new panel on the right and from here copy the image URL (I compressed the traffic view in the following screenshot).

The URL can then be opened in a new tab. But before I show you the results, let me alter the URL a bit. Instead of opening the image with the coordinate-extension (e.g. =x1-y0-z”), I’ll open the image with an extension that alters the size. In this case I will use “=s8000”, with the number 8000 being the number of horizontal pixels (Google will auto-adjust the vertical pixel-number accordingly). Fairly high quality photo spheres may even allow larger resolutions.

Now just right-click and download the image just as you would download any other picture. Here’s what I’ve downloaded, a 8000×4000 pixel complete photo sphere. This size will easily enable me to zoom in and have a look at further details.

Seeing that we can download images from Google maps this way, let’s try out what else could be downloaded in higher resolutions. Remember the icon of the Google user that uploaded this picture? It is possible to download this icon in a larger resolution as well, and in fact any other picture that this person uploaded. For that, let’s just look the user’s “Local Guide” profile by clicking on his username.

On the “Local Guide” profile you can finds reviews and further images. To access them and the profile pic, just click on an image and open it. Again we will access the developer tools and have a look at the network traffic. Hovering over the entries will give us a preview and we can quickly identify the profile pic.

Copy the URL and manipulate the extension that defines the size or erase this extension completely. Then it usually displays the image at a standard 512×512 resolution or the original resolution (if smaller than 512×512). This is especially useful for profile pictures of people, as the enhanced image might allow you to do a proper reverse image search.

The shown techniques will enable you to download any picture from Google Maps, whether it is a photo sphere or an image posted by a “Local Guide”.

MW-OSINT / 01.07.2020

Tag: Web Developer Tools

Where is Leonardo’s Car – Using OSINT to trace vehicles

Saving Images from Google Maps and Street View