
@hatless1der | Blog Posts

A Tremendously Valuable OSINT Tip For Pinterest. (Yes Seriously, Pinterest)

If you follow this blog, (hi mom!) you might think I’m somehow picking the most obscure platforms and coming up with some even more obscure OSINT tips for them (and you might be right), but if you follow this blog you probably also know that most of these tips are $$$. This tip on Pinterest is no exception, trust me.

It’s simple, it’s super useful, and it’s something I’ve successfully leveraged dozens and dozens of times over the years while investigating missing children online to discover case-breaking leads.

We’ll get to it in just a second, but first, for the sake of SEO and maintaining my spot on page 14 of OSINT blog search results, I need to say a few words…

Wait! Is this one of those blogs written like an annoying recipe website, where you have to read 10 pages of the author’s boring-ass life story before you find out how much canned chicken to put in the casserole your kids will be throwing in the trash in 45 minutes?

No, but now that I have your attention – the whole point of tricks like this one is that you’ve prioritized taking the time to actually understand the platforms you’re doing your investigative work on. Knowing their features and functions is vital to figuring out little wonders like this.

By the way it’s 1 can of chicken to go with the 1/2c mayo, and 2 cooking soups you mix with the cooked noodles.

So anyway… Pinterest? Yes, the… um… social media website pin-board thing [Googles “what is a Pinterest”]

According to data that I definitely knew off the top of my head and did not just look up using the aforementioned search engine: Pinterest is the 15th most used social media platform with 550M+ monthly users. For people using it, again definitely without looking any of this up, Pinterest is the 5th most popular social commerce platform.

So a lot of people use it, so what?

Well, our username research very often uncovers a seemingly useless Pinterest profile whose tab is promptly closed and ignored in most investigations. This is a huge mistake, let me tell you why…

Pinterest lets you sign up using your Google account, and that does something magical for us in the OSINT world.

See, when you use the “Log in with Google” feature (as many, many, many users do), Pinterest does something fantastic: it takes the local part of your email address (everything before the @) and makes it your Pinterest username by default!

What does this mean, Griffin??? Why are you so excited about this??? Why does your generation think using 3 repeating question marks is ok???

It means in some cases we can reverse-engineer our target’s email address by taking that Pinterest username, putting it in front of the @emaildomain.com of our choice, and doing our email validation work to… well, validate it.

Boom!

Now, before I get too far along and the comment police come for me, let’s also discuss the limitations of this trick, because there are a few.

Like so many great tips:

First, Pinterest users can change their username in their settings (but really, who has time to do that when there are so many [checks notes] pins to… pin?)
Second, not everyone signs up this way. Some people with infinite free time may want to create an account the old fashioned way with a login and password like a maniac.
Third, I would assume username collisions happen with an app of this size and though I haven’t tested it, I also assume they make you pick or assign you a different username. (one of the infinite free time people can feel free to test that out)


Finally – remember that you always have to VALIDATE. Just because you get a positive result with the email address you’ve guessed, does not necessarily mean it belongs to your target. (See 1, 2, and 3 above)

Hopefully, this idea has opened your mind to thinking about what other applications that offer this function might provide you with a similar investigative opportunity. I have no doubt there are others out there!

If you’re not quite sure how to work with an email address to validate it, discover its use, or connect it to user accounts… I recommend reading this other very wordy and very poorly written blog: Advanced OSINT: The Art of Pivoting.

That’s it! That’s the tip for this one. Small, but oh so very mighty. I hope it helps you do some good out there in the world, it definitely has for me.

Bake at 350 for 25 minutes, then add cheese for the last 5 minutes.

Threads.net Is Hiding Some OSINT Secrets You Definitely Need To Know

Threads, you say? The Dane Cook of social media???
(Shout out to the Archer fans out there who got that obscure joke)

If you’ve been on Instagram over the past year, you’ve no doubt seen some profiles sporting that strange, extra squiggly looking @ symbol and perhaps you’ve even accidentally waded into Meta’s head-scratching approach to microblogging (think Twitter. yes I know it’s X, no one cares).

That little symbol on a person’s Insta serves as a gateway to Threads.net and while you may have ignored it in the past, I’m going to tell you several really important reasons you’ll want to make it a part of your next SOCMINT adventure. I won’t be taking the time to fully break down the platform for you, apologies to everyone who anxiously awaits my next long-winded blog post (hi mom). For this write-up, it’s just the hits.

Clicking on the Threads icon on an Instagram profile will take you to a page that looks something like this, without requiring login to access:


Tip #1: Just because you don’t see the @ symbol linked on an Instagram profile, doesn’t mean the user doesn’t have Threads.

That’s right! Users need not link to Threads on their Instagram profile, and I’m finding more and more that users do in fact have a Threads account, yet nothing is shown on their IG. Now I check for Threads every time I see an IG account. This revelation is more important than you might realize. (More on why in the following tips)

So how do we get there when no link exists? The simple way is to append the Instagram username to the following URL:

https://threads.net/@___________________

Not simple enough for you? Ok fine, in the true spirit of Midwest Nice, I went ahead and made a push-button solution for you: a simple bookmarklet you can place in your browser’s bookmark bar and click any time you’re on an Instagram profile. This will grab the IG username and open a Threads tab to check for the presence of an account there, at the push of a button.
You’re welcome, and I’d better see a 2 finger steering-wheel wave out of you if we ever pass each other on a gravel road someday.

Access the bookmarklet and instructions for using it, alongside our library of other awesome OSINT bookmarklets at https://tools.myosint.training OR copy and paste the below code into a bookmark you add to your browser:

javascript:(function(){var url=window.location.href;if(url.includes("instagram.com/")){var username=url.split("instagram.com/")[1].split(/[\/?#]/)[0];if(!username){alert("No username found in this URL.");return;}var newUrl="https://threads.net/@"+username;window.open(newUrl,"_blank");}else{alert("This is not an Instagram page.");}})();
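As an added, testable variant of that bookmarklet (my code, not the blog’s and not the My OSINT Training library’s), the function below pulls the username from an Instagram URL using the parsed pathname rather than string splitting, so a query string like ?hl=en, the www host and trailing slashes don’t confuse it, and it refuses non-profile paths such as /p/ and /explore/. The list of non-profile path segments and the username character rule are assumptions, not documented Instagram behaviour.

```javascript
// Added example, not code from the blog: derive a Threads profile URL from an
// Instagram profile URL, handling cases the one-line bookmarklet does not.
const INSTAGRAM_HOSTS = new Set(["instagram.com", "www.instagram.com"]);

// Top-level Instagram paths that are not profiles. Assumed list, not exhaustive.
const NON_PROFILE_PATHS = new Set([
  "p", "reel", "reels", "explore", "stories", "accounts", "direct", "tv",
]);

// Assumed username rule: letters, digits, periods and underscores, up to 30 chars.
const USERNAME_RE = /^[A-Za-z0-9._]{1,30}$/;

// Return the Instagram username in href, or null if href is not a profile URL.
function instagramUsername(href) {
  let url;
  try {
    url = new URL(href);
  } catch {
    return null; // not a parseable absolute URL
  }
  if (!INSTAGRAM_HOSTS.has(url.hostname.toLowerCase())) return null;
  // pathname ignores ?hl=en and #fragments; filter drops the empty
  // segments produced by the leading slash and any trailing slash.
  const segments = url.pathname.split("/").filter(Boolean);
  if (segments.length === 0) return null;
  const first = segments[0];
  if (NON_PROFILE_PATHS.has(first.toLowerCase())) return null;
  if (!USERNAME_RE.test(first)) return null;
  return first;
}

// Build the Threads URL the blog checks, or null when there is no username to use.
function threadsUrlFor(href) {
  const user = instagramUsername(href);
  return user ? `https://threads.net/@${user}` : null;
}
```

To turn this into a bookmarklet, paste both functions inside a javascript:(function(){ … })() wrapper that ends with window.open(threadsUrlFor(location.href), "_blank"), and alert instead of opening a tab when the result is null.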

Tip #2: Despite sharing the same username as the person’s IG profile, Threads DOES NOT have to have the same pic or bio.

This is big! Those of you conducting online research know that it can be the smallest digital breadcrumb that breaks open your investigation. User-supplied information is the centerpiece of successful pivoting, and knowing there’s another bio hiding on Threads can be an absolute game changer. In some cases it can also help validate that you have the right user on Insta when that profile is set to private.

On top of all this, when an Instagram profile photo doesn’t reveal anything useful, there might be a much more helpful photo just a click away in Threads. Like here:

Bonus tip for you…
Wondering how you can easily access the full Instagram profile photo without having to right click on the page, Inspect, and work your way around the source code? We’ve got a free bookmarklet for that too! One click and the profile photo, in full size, is opened in a new tab enabling you to save it.


Tip #3: Follower/following lists on Threads are set to public by default, regardless of the person’s Instagram privacy settings.

These days more and more I run into private Instagram accounts where the follower/following lists are not clickable and therefore not searchable. Threads, on the other hand, I’ve found to be most often public. Being able to examine the connections to someone’s social media account is a HUGE benefit for our investigations. I could probably write a whole blog just on different stories of times where a public list of connections opened otherwise completely unfindable doors.

Now, follower/following lists on Threads are not apples to apples vs a user’s Instagram follower/following, of course. I consider the Threads connections to be (mostly) a subset of the person’s IG connections. Here I’m making an inference, but what this allows me to do is pivot off to other users on the Instagram platform who may have more publicly available profile info or more uncommon names, making my subject’s circle of friends and family easier to find on other platforms. And in the absence of public access to IG followers, well, I’ll take anything I can get. There’s an art to this, my friends!

Bonus tip for you…
When an IG follower/following list is publicly viewable, remember that the accounts appear in the order they were added, meaning the first account followed is all the way at the bottom. Why is this important? Well, when I’m looking for someone’s 2nd, 3rd, or beyond social media account, or when I need to find a more current account for someone and only have an old one… knowing who they first followed can give me a short list of accounts who may be important enough in my subject’s life that any additional accounts they might have would also follow some of those same people.

Oh, I do need to add at least 1 disappointing thing, lest the internet trolls come complaining in the comments… In order to view the follower/following lists on Threads, you do have to be logged in. The rest of what I mentioned is all wide open, at least for now. One thing you can ALWAYS count on with Meta is that something on their platforms will change, the moment you start to like it.

That’s it for this one. Sorry for the long delays between blogs, but hopefully you’ve caught some of the other OSINT community things I’ve been doing these days. Never enough hours in the day (he says, while writing a hobby blog in the middle of the night).

OSINT Quick Tips: That CashApp QR Code on The Web Might Actually Be Hiding a Profile Photo!

If you do a lot of web-based OSINT research like I do, you’ve most likely conducted username searches using a powerful tool like https://whatsmyname.app that scurry out onto hundreds of websites in search of profiles bearing the username you’re interested in. In doing so, you may have come across CashApp user pages that usually bear a few common things: a cashtag (username), a display name, and most of the time… a seemingly useless QR code.

Or is it?

You see, while it is the case sometimes that the account holder hasn’t actually populated a profile photo, and therefore just displays a QR code, recently I noticed that the web version of profiles seems to display QR codes even when a profile photo is actually present for the mobile version of the account. Finding the photo (if one exists) from the web is quite simple if you know to look for it, and I’ll give you 2 different ways of doing it…

Note for the extra tenacious investigators out there: While what I’m going to show you works on the CashApp website, the thought process and application may be something you find useful elsewhere in your work too. Be curious, and see where it leads you!

Option 1 – Get Your Hands Dirty

The first, and more manual way, is to go to a profile page like https://cash.app/$JaneDoe (I made this one up so we’re not actually showing someone real here), and drill down in the source code of the page to the place where the profile photo is hiding, should one exist. I’m going to explain this as a Chrome user by the way, and yes, I am well aware of all the “Chrome sucks!” drums that some people like to beat for anyone that will listen.

Start by right clicking somewhere on the QR code and selecting “Inspect” from the menu of options that appear. This will open your browser’s developer tools so you can have a look under the hood. The line you’re dropped on will be just a few above the one you’re actually looking for. Look down a few lines for the words:

<div class="mobile-only">

Expand this section by clicking the little triangle to the left of the line and keep doing this for the subsequent drop-downs that appear until you see (if one exists for the profile you’re on) a line that reads:

<img src="https://____________________________________.jpg

Now you can right click on the hyperlink for where the image is being delivered from in CashApp’s content delivery network (CDN), and open it in a new tab to view! Hovering over the hyperlink will show you a preview as well. It looks like this:

Great success!! (just kidding, I hated the movie Borat)
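The drill-down above, as an added example that is neither the blog’s code nor the My OSINT Training bookmarklet: a function that takes saved page source and returns the image URL found inside the mobile-only block, or null when the profile has no photo. The only thing taken from the real page is the mobile-only class name; the HTML samples are constructed for the test and the CDN hostname in them is made up. In a live browser console the equivalent one-liner is document.querySelector("div.mobile-only img")?.src; the string-based version below runs offline in Node so the logic can be checked.

```javascript
// Added example, not Cash App's code: pull the profile image URL out of the
// <div class="mobile-only"> block of a saved cash.app/$cashtag page.
function mobileOnlyImageUrl(html) {
  // Opening tag of a div whose class list contains "mobile-only".
  const divRe = /<div\b[^>]*\bclass\s*=\s*["'][^"']*\bmobile-only\b[^"']*["'][^>]*>/i;
  const open = divRe.exec(html);
  if (!open) return null;

  // Walk forward, counting nested <div> / </div> tags, to find this div's close.
  const start = open.index + open[0].length;
  const tagRe = /<\/?div\b[^>]*>/gi;
  tagRe.lastIndex = start;
  let depth = 1;
  let end = html.length;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    depth += tag[0].startsWith("</") ? -1 : 1;
    if (depth === 0) {
      end = tag.index;
      break;
    }
  }

  // First <img src="..."> inside the block, if any.
  const inner = html.slice(start, end);
  const img = /<img\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/i.exec(inner);
  if (!img) return null;

  // The blog's screenshot showed an absolute https CDN URL; reject anything else.
  const src = img[1];
  return /^https:\/\//i.test(src) ? src : null;
}

// Constructed sample page source, not a real Cash App page or a real person.
const SAMPLE_WITH_PHOTO = `
<div class="profile">
  <div class="desktop-only"><canvas class="qr"></canvas></div>
  <div class="mobile-only">
    <div class="avatar"><img src="https://cdn.example.invalid/avatars/janedoe.jpg" alt=""></div>
  </div>
</div>`;

// Constructed sample where the account holder never set a photo (initials shown instead).
const SAMPLE_NO_PHOTO = `
<div class="profile">
  <div class="desktop-only"><canvas class="qr"></canvas></div>
  <div class="mobile-only"><div class="avatar initials">JD</div></div>
</div>`;
```

Save the page with Ctrl+S (or copy the outer HTML from the Elements tab), read it in, and pass the string to mobileOnlyImageUrl; a null result means the QR code really is all there is.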


Option 2 – The Easy Button

I’m willing to bet that several of you are smart cookies and probably thought of this second option as soon as you started reading the first one and saw “mobile-only”, but for the rest of us who just mash keys for a living, perhaps it wasn’t super obvious…

Open your developer tools using “Inspect” or a hotkey, then leverage that little icon near the top left corner of those developer tools to toggle your browser right on over to the mobile view. (This is something we use in OSINT all the time when we know that the display and/or functionality of a site will change to our benefit. I’m looking at you, Instagram follower lists!) Simply clicking that little button takes us right on over to the mobile view for CashApp and immediately confirms the presence of that image we’re looking for, without the need to invest our hard earned free time for the extra clicks!

Use this “mobile view” method first, and then take all the time you’ve saved to instead click share on this blog post. #shameless


Option 3 – The Easier Button

Easier??? Yep!

Ok, so you may already know that Micah (webbreacher) and I do a whole bunch of cool OSINT stuff over at our company, My OSINT Training. One of our favorite projects is our extensive library of (free) OSINT bookmarklets designed to make certain online tasks we do all the time much much easier.

To that end, we created a simple bookmarklet to grab and display the profile image of a CashApp profile on the web, at the literal push of a button. Visit our library of bookmarklets at: https://tools.myosint.training and follow the instructions to drag and drop the bookmark right into your browser!

For those of you who reeeeeeeally like bookmarklets (or really like Micah and me), we actually did an hour long webinar once on how to use them, and put that up on our YouTube. Enjoy that video here: https://www.youtube.com/watch?v=XmG-OQMyDtQ

OSINT Quick Tips: 2 Simple Methods of Getting Around Twitter’s Annoying Login Wall

Based on how often Twitter, oh sorry… I mean X, is changing these days, there’s a pretty good chance this blog will be obsolete by the time you read it but here goes anyway…

Have you recently found yourself trying to visit a Twitter profile (when not logged in), and while it may initially load on the page, instantly you’re met with an annoying pop up after being redirected to a login prompt? Without a sock puppet account (which is getting harder to create and hang onto), you’re unable to get beyond that unexpected barrier.

ANNOYING.

Annoying, but not impossible.

That is, if all we need to see is the top portion of the profile page where the bio, location, links and other useful information is stored. If that’s all you need from the target’s page, here are a couple of easy options for you…

1. View Google’s cached result

Simple but effective, at least for as long as Google keeps serving cached copies (it has been phasing them out, so don’t be surprised if the option is gone when you look). Google is allowed to crawl and index the profile without falling victim to the dreaded redirect to a login page. Take advantage of that in one of two ways…

Locate the profile via Google search and simply click the three-dot menu next to the result. If Google has a cached version, you’ll find the button for “Cached” as an option in the resulting pop up.

The result is displayed in a way that most users will recognize as different than how the platform is designed to look, but the important part is that the profile information you need is there. This won’t load any posts, replies, media, or likes, but it will get you a look at everything appearing above.

Secondarily, you can try using Google’s “cache:” operator to query your way directly to the cached version of the profile page by typing in the text as shown here, replacing this username with the one you’re searching for:

2. Enter the profile via an indexed post from Google results.

If Google has crawled and indexed content that includes a status written by your target profile, or perhaps a comment they were @ mentioned in by someone else, you can visit the link to that post directly from Google and no login wall will appear. In a second, I’ll show you how to get to a clear version of the profile from there. First, we need to find a post/status/reply with our user in it.

There are lots of ways you can ask Google to find you these kinds of posts from the platform that contain the linked profile name of your target, here is just one example:

twitter.com/fatusfee inurl:status

Simply click one of the results and head right on into the platform.

Now we’re in, we just need to click on the target’s name here in order to be directed to their profile page.
NOTE: Do not right click and open the profile in a new tab! This will trigger the redirect to a login page. Simply click right on their profile name and load in the same window you’re in.

GRIFFIN YOU LIED TO ME! THERE’S A DAMN LOGIN BOX ON THE SCREEN!

Deep breath.

Unfortunately, you can’t just “X” out of the box and view the page (see what I did there?). So if you are one of those overachievers who tried to run on ahead, welcome back.

While on the page like the one above, open your browser’s developer tools. It’s easiest just to right click on that login pop up box and choose “Inspect” from the options.

This will open the dev tools, and you can (while in the Elements tab), hover over the various lines and see the corresponding elements on the screen being highlighted. Just go up a handful of lines from where you are until your hovering is causing the entire pop up box to be highlighted, like you see here:

Right click and choose “Delete Element”. Poof!

Now you can close the developer tools and freely view the page, though as before, this will not include the profile’s posts, replies, media, or likes. You’re simply viewing the profile details, photo, banner and other user-supplied information.

Bonus tip… If you’re a bit of a perfectionist, like I am, and you hate that the opaque overlay is still over the entire web page making the screen appear a bit greyed out, well, you can delete that element as well. It’ll be the line just above where we previously deleted the box. Delete that and you’ll be viewing a beautifully clear page like the one below.

If you get a little too deletion happy and accidentally delete something important, never fear! Just reload the page and start again until you get it right.

OSINT Quick Tips: Beyond WHOIS

In this Quick Tips blog post (yep, that’s a thing now), I’ll be showing you a couple additional (and quite useful) functions of my favorite WHOIS Lookup site, and hopefully adding a little something new to your ever-growing OSINT methodology.

Much like my desire to stay in college, this blog is going to be over just about as soon as it starts.

Disclaimer/Warning: WHOIS records can be falsified, outdated, and in the case of things like common names they may not even be the same person you’re investigating.
Stop saying “I learned it from the internet” when you get in trouble for not exercising your own critical thinking skills 🙂

Performing a WHOIS lookup can be a pretty hit-or-miss tactic in OSINT investigations, let’s be honest. These days, it’s becoming exceedingly rare to find useful contact information in a website’s historic WHOIS records (though you should always check). Unfortunately for those of us hunting for digital clues, the use of privacy-guard features is pretty much the standard when you register a domain now.

You can’t escape your digital past though, and my favorite site to perform WHOIS history searches to find those OPSEC mistakes is Whoxy. A lot of you are probably familiar with the site already, but did you know it offers more than just a query using a domain name? Have a look…

Clicking the dropdown menu next to the search field on the top of the page reveals multiple options.

Searching by a person’s name is possible:

Click the drop down menu and select “Owner Name” before typing.

There are lots of places on the internet you can be searching the name of your target, from search engines to social media and everything between, but when was the last time you checked to see if the name you’re interested in shows up as the registrant of a website? Selecting “Owner Name” from the dropdown and typing in a name will search for a match.

Searching by a company name is possible:

Click the drop down menu and select “Company Name” before typing.

Investigating a business? Good chance they’ve got some kind of web presence, and that can mean registering domains! A tip here, since you do not know how their company name will appear, you may need to try a number of variants based on what you’re seeing in other business records to find just the right search terms.

Searching by an email address is possible:

Click the drop down menu and select “Email Address” before typing.

Next time you find yourself with an email address, either work or personal, why not give Whoxy a try and see if there’s a website registered with it? You just never know, maybe your clever online criminal forgot about that time he registered a domain back in the day using his gmail, which you cleverly discover using this trick and then pivot over to captures of his old website on Archive.org to amaze your coworkers!

Searching by a domain keyword is also possible:

Click the drop down menu and select “Domain Keyword” before typing.

This one is by far my favorite! Think of how much we love using the inurl: Google search operator to look for keywords or phrases in URLs Google has indexed, and then think of just how much is being missed when we do that search: domains that no longer exist, webpages with directives asking Google not to index them, domains that didn’t have any web pages on them at all but maybe had other uses, like email services running on them. Well, the “Domain Keyword” lookup is one hell of a powerful tool in those cases. Does your target have a username? Search it! Do you know their real name? Run it! Do you know their business name, telegram group, club name, or something else unique to them? RUN THEM ALL! Any of those things may appear in a domain name that Whoxy has some data on. The only thing limiting you here is your own creativity.

That’s it! That’s the blog. I sure hope this sparked some new ideas for you, and next time you’re doing OSINT research, remember… go beyond WHOIS!

A Veteran’s Day Plea: How OSINT Reunited 2 Long-Lost Soldiers.

The faces and names shown in this blog are real, and are being used with their permission. Some details have been redacted or obscured to protect the privacy of others.

Every Veteran’s Day for nearly a decade, my friend Bill Stevens has attempted to locate and reconnect with a very special Army battle buddy of his from more than 20 years prior. For a number of those years, Bill has aired his pleas publicly via Facebook, accompanied by photos of this bygone era, in hopes that somehow his plea would go viral and word would reach his long-lost friend… but it never did.

Now, I’ve known Bill for a really long time, and for the past several years I have read these increasingly frustrated posts asking for someone to help him. Each year I wondered to myself if I might have any luck, should I try to help with the search. After all, I do find people online for a living, but finding an “Eric Garcia” with a last-known location from more than 20 years ago? Talk about looking for a needle in a stack of needles!

On November 11, 2022, Bill’s plea once again appeared in my Facebook feed. Incidentally, the fall of 2022 was the 5 year anniversary of the death of my best friend and Army veteran, Chad Jolson. Chad and I spent our formative years as 2 inseparable peas in a pod, and the 2 times I’ve cried the hardest in my entire life were the day he left for basic training and the day I eulogized him. I’ve carried this well-worn photo of him in my wallet every single day for nearly a quarter-century, and I still think of him all the time.

Perhaps it was the timing, perhaps just fate, but this time around I decided to reach out to Bill with an offer to have a go at tracking down his long lost friend. I know how close the bonds are that these brave men and women form in our military, and it’s clear that this person meant a great deal to Bill. It’s a total long shot, but if I can somehow help bring them back together, well… I want to try.

I reached out to Bill and asked for anything at all that he could remember that might help me in tracking down “Eric Garcia”, because you just never know when the smallest detail may be of significant importance when it comes to OSINT work. Unfortunately, I was starting out this search with very, very little information:

  • Name: Eric Garcia
  • Location: Ft. Gordon, Ga (1998-99)
  • Prior Location: Colorado
  • Company: Foxtrot 369

That’s it. That’s all we have to work with here.

It would be impossible for me to overstate the amount of failure that followed, as I trudged through hours and hours of fruitless searching.

I started out the easy way, asking some friends in the military if some sort of public database exists and got a big fat no. Then I began focusing on Foxtrot 369, scouring military unit pages, Facebook groups, online articles, and anything I could get my hands on. After hours of going this route, nothing had paid off at all.

From there, I went the typical people-search website route, reviewing the contact information of every single “Eric Garcia” I could find with ties to either Ft. Gordon, GA or the State of Colorado who was born in or around 1980. Do you know how many people that is?? Spoiler alert… IT’S A SHIT-TON.

Now, it’s been well documented that I am stubborn at a nearly Olympic-level, but at this point in the process I’m thinking I might actually have to throw in the towel and admit defeat. I’m really not seeing how this is going to be possible with what little I have to work with. Having exhausted pretty much everything I could think of, I’m afraid this one seems to have gotten the best of me.

That pisses me off.

I hate failing, and I REALLY hate quitting. Time to dig deep.

Whenever I get stuck during an investigation, I always take the same approach… I back up and take stock of what I started with, looking for any ways I’ve missed that I can work with whatever information I have available. It occurs to me in that moment that I have one piece of information I’ve not yet explored at all…

The photo itself!

More specifically, the face of “Eric Garcia”. Yes, these photos are old, and yes they are a picture of a picture and not very high quality, but these days there are a number of free, open-source options for doing facial recognition** and also for upscaling low-quality photos. Some of these FR sites target images scraped from one specific platform, while others search their much wider, scraped databases. In rare cases, you can have some sort of success with search engines looking for a face, though they’re not great.
**Before you visit or use any of these sites, please understand the risks, laws, and policies that may govern your access or use of them. I am not your lawyer or your boss! (but go ahead and take tomorrow off)**

I search several of these open-source facial rec options, including search engines, and BOOM… one of them gives me some very promising results!!

Holy shit!!! Is that?

No way!

To my untrained eye, this certainly looks like a promising result, but these days we don’t need to rely upon my useless opinion, we have the benefit of a number of free AI-powered facial comparison tools like Amazon’s “Rekognition”. Let’s see what artificial intelligence says about whether this is a match to the “Eric” we are looking for…

99.8%? Ok then!

After countless frustrating hours, and nearly throwing in the towel on something that I REAALLLLYYYY wanted to solve, I’ve finally got something to work with!

There’s just one problem.

The URLs for the photos are cut off, intentionally. You see, this site is only willing to give me a teaser for free, but they want me to sign up for their service and pay them for the full results. SHIT!

It’s time to do what we do best. Get creative…

The part of the URL I can see tells me the domain begins with “hitched”. Based on the look of these photos, I’m thinking they’re from some kind of formal event… naturally, the kind where people get “hitched”. I suppose it could be that he’s just a very dapper dresser in everyday life, but even I (whose personal style is best described as “middle-aged, nostalgic, Midwestern dad”) can tell that these are probably from a wedding and not how people dress in their day to day lives. Although I can’t discount the possibility that he’s gone on to become a famous menswear model, I decide to go with the wedding photo idea first.

I need to find these photos in the wild, but how? Instantly I wonder… could these results have been indexed by a search engine? Without the full website name, do I even have enough to find them?

Using the most fundamental OSINT skill of Google dorking, I craft query after query using the inurl: search operator coupled with the word hitched, and tack on a few potential keywords that I’m hoping might lead me to the site in question. By using this search operator, I’m asking Google to restrict the results to only URLs containing the word I specified (hitched), and combine that with a search for those other keywords I am interested in. These searches would look similar to something like this:

inurl:hitched wedding photography

As I begin to look through the results, I realize it’s inefficient for me to scroll through their entire websites as I find ones I’m interested in. I really need to be thorough here if I’m going to find that needle I’m looking for though! What if I ask Google to do the hard work again for me? Perhaps a dork that directs Google to query just what they have indexed from each of these sites I’m interested in, focusing on the keyword Eric. That would look something like this (for a site called hitched.com which was not the name of the site):

site:hitched.com eric

This is where being absolutely unassuming in your work will sometimes pay off. If you’ve noticed, I have been putting “Eric” in quotes throughout this blog. Did you wonder why?

The reason is that when I research something, I start broad, making the fewest assumptions I can because several times over the years something like this has happened:

While reviewing the Google results for one particular photographer’s site, I noticed something… One of the entries was for Erik + [Bride]

(I’ve removed her name for privacy, and from here on out will just type [Bride])

Could it be? I take a closer look…

Hell. Yeah!

As it turns out… I’d been given an incorrect spelling of the person’s name that I was looking for. It’s Erik, not Eric. How do you like that for an added layer of complexity?

But seriously… Hell. Yeah!

Ok, tv timeout here for a little soapbox moment. Let this be a helpful lesson for those of you crafting really complex Google dorks in order to find precisely what you’re looking for… It’s a double-edged sword at times. When you’re dorking, consider if it’s best to only be as restrictive as you need to be in order to get the result. I could have easily put the name Eric in quotes in my queries, asking Google to return only results with that particular name, however, I may have accidentally missed what I was looking for by having the Erik result filtered out. Google is doing me a favor here with something called “fuzzy searching” where they provide similar results. Annoying at times, but helpful in cases like this!
You can always add on more specificity in your searches as you go, and in this case I only needed to be completely restrictive about the site: portion of my request.
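To make the "Eric vs. Erik" point concrete, here is a small added Python illustration (my own, not code from the original post): it filters a handful of constructed gallery titles two ways, an exact first-name match (what quoting "Eric" asks a search engine for) and a tolerant match that allows one character of spelling difference, the kind of leeway the fuzzy search above provided. The titles and names are made up for the example.

```python
"""Why an exact-match filter can hide the record you want.

Added illustration for the "Eric vs. Erik" lesson; not code from the
original post. SAMPLE_RESULTS is a constructed list of search-result
titles modelled on a photographer's gallery listing; the names are
placeholders, not real people.
"""
import re

SAMPLE_RESULTS = [
    "Erik + [Bride] | San Pedro Wedding",
    "Eric & Dana | Engagement Session",
    "Derek + Maya | Beach Wedding",
    "Erica + Jon | Garden Wedding",
    "Pricing and Packages",
]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def first_names(title: str) -> list[str]:
    """Pull candidate first names out of a 'Name + Name | ...' style title."""
    head = re.split(r"[|:-]", title, maxsplit=1)[0].strip()
    return [t for t in re.split(r"\s*(?:\+|&|\band\b)\s*", head) if t]


def exact_match(results: list[str], name: str) -> list[str]:
    """Quoted-search behaviour: only titles containing the name verbatim."""
    return [r for r in results
            if name.lower() in [n.lower() for n in first_names(r)]]


def tolerant_match(results: list[str], name: str, max_distance: int = 1) -> list[str]:
    """Allow a small spelling difference, like a search engine's fuzzy results."""
    hits = []
    for r in results:
        if any(edit_distance(n.lower(), name.lower()) <= max_distance
               for n in first_names(r)):
            hits.append(r)
    return hits


if __name__ == "__main__":
    print("exact   :", exact_match(SAMPLE_RESULTS, "Eric"))
    print("tolerant:", tolerant_match(SAMPLE_RESULTS, "Eric"))
```

The exact filter returns only the "Eric & Dana" entry and silently drops "Erik + [Bride]", which is exactly the miss the post warns about; the tolerant filter keeps it, but also pulls in "Erica + Jon", which is the price of loosening a query and the reason to add specificity (such as the site: restriction) only where it is actually needed.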

So let’s take stock of what I have so far…

After reviewing the wedding photos, I have the names Erik & [Bride] Garcia, I know what they look like, I know their August 3rd, 2013 wedding was at a well known venue in San Pedro, CA, I know the name of the Los Angeles photography company who did their pictures, aaaaaand… not much else. Do you know how many Erik Garcia and [Bride] Garcias are in and around the Los Angeles, CA area?

You guessed it! A SHIT-TON.

My first instinct was to take a look at the photographer’s social media. Surely, the bride or groom would have liked or followed one of the photographer’s social accounts, right? Wrong. More time wasted.

I wonder to myself if the photographer made a 2013 post touting their beautiful photography and the happy couple. That’s definitely the sort of thing that a bride and groom might like, right? Let’s find that! I hit the photographer’s Facebook, use the timeline filter feature to head back in time to 2013 and just like that, find the post I was hoping for:

Only… they didn’t like it. Or comment. Neither did their friends. Damn!

At this point in the story I’m back to doing a lot of spinning my wheels. A lot. I’m looking at online reviews of the photography business, the wedding venue, looking at social media pages, scouring posts and comments and shares. I’m grasping and grasping and grasping and nothing I’m trying is paying off.

Remember what to do when you get stuck?

Back up.

So I go back to the photographer’s post above and ask myself what else do I possibly have to work with? What is pivotable? What is unique? What have I overlooked? And then I see it…

#TheSepulvedaHome

The venue has a hashtag! This opens an entirely new set of doors for me because now I’m hunting the wider social media landscape looking for not necessarily just Erik & [Bride], but rather any of their wedding guests who posted photos using the hashtag #TheSepulvedaHome on August 3rd, 2013. If I can find just one wedding guest, maybe I can back into one of their social media profiles!

So I hit Facebook with a hashtag search, look back to 2013 and find this post…

There it is. Just exactly what I was hoping for! A perfectly preserved memory from just the right date, with just the right hashtag, and a mention of just the right couple. Oh, and several guests tagged as an added bonus. Jackpot!

Sidenote, this ends up being a sort of right place/right time situation in retrospect because doing that hashtag search on Facebook now only gives you a handful of results and no filtering by year options like it once had. If I was doing this research today I would have potentially dead-ended right there. Thanks Facebook, for constantly changing all of your best OSINT-use features! #RIPgraphsearch

Alright, so even looking back on this while I write it I’m still kinda feeling myself, so I’m just going to drop this little meme here:

I mean come on… Backing into an associate using the wedding venue hashtag??? If I live to be 1,000 years old I might never use that one again! But the thought process that caused me to back up, take stock of what I had to work with, and find another angle? Hell, I’ll probably do that again tomorrow, hopefully you will too.

At this point I’m expecting to begin my typical social media exploration research, find accounts for Erik & [Bride], and leverage them to drum up ways for Bill to make contact. Easy enough, right?

I shouldn’t be surprised that this turned out to be harder than expected as well.

Exploring the profiles of the wedding guests for publicly available information eventually leads me to several wedding photo posts that @ mention an interesting username in the text. A username somewhat similar to the bride’s name, or what could be a nickname. Hmm… These aren’t tags like what you normally see on Facebook where a person’s name is hyperlinked to their profile, instead they probably came from the linked Instagram profile of the wedding guest who posted them. This is a feature of these two Meta-owned companies, where you can cross-post content in both places. Since Instagram uses @ mentioned usernames in their posts, I head over there and find [Bride]’s Instagram account using the username mentioned in the Facebook post.

The profile (which is now private) had a great many photos on it from over the years but as I scrolled farther and farther down, something was missing… Erik. Now, I felt pretty confident that I had the right [Bride], she is in the wedding photos after all, but she is using a different last name in her social media and I’m beginning to suspect that perhaps the marriage ended at some point and that’s why I’m not seeing him. Could this end up being a dead end after all?

With this in mind, I go back to posts around the fall of 2013, looking to see if anyone who could be Erik comments or if any friend mentions Erik or tags an account that may no longer be hyperlinked, because that could still be viable for me to explore. Once again, tenacity pays off…

Following the tagged profiles in the comments on this post from just weeks after the wedding I come to tagged Instagram user @h8[redacted]

The profile photo is not great, but it sure looks a lot like the Erik I’m looking for. Now that I know he might be a Journeyman Lineman with Local 47, perhaps I can find other sites with information on him that I can pass along to Bill. Returning to Google for some keyword searches does the trick!

WAIT JUST ONE DAMN MINUTE!

Shaun??? You’ve gotta be kidding me. Not only did I start with an incorrect spelling of Erik’s name, but now it appears this wasn’t even his first name at all? If someone came to me and said hey I’d like you to find this person from 20 years ago, but I’m only going to give you their middle name and last name, and I’m going to spell one of them wrong I’d say…

And yet, lining up the original photo with the wedding photo and the LinkedIn photo, I see the truth, right there on the screen. Bill’s long lost friend “Eric Garcia” is really Shaun Erik Garcia.

I’ve found my needle.

From here I have more than enough to go on, and start hitting the usual people search sites with Erik’s name, age, hometowns, etc. It’s not long before I’ve drummed up a couple email addresses, physical addresses, and phone numbers to try. All of this is packaged up with the social media accounts and sent off to what I can only assume was a completely stunned, and very happy Bill.

Several months after I shared all of this information with Bill, I learned that he had successfully leveraged it to make the long overdue reconnection he’d started seeking so very long ago.

Once again, the power of OSINT saves the day.

I’d like to wrap this up by taking a moment to thank Bill & Erik for letting me tell this story, and also recognize Bill, Erik, Chad, and every single brave and selfless person who has courageously put their own lives on the line for the freedoms we enjoy.

An Overseas Businessman Died and Left Me $4.6M, So I Used OSINT & Social Engineering to Scam a Scammer.

I received this email to my business back in 2022, and it landed directly in my spam folder, exactly as it should have…

It’s a scam so old it has become cliché in much of the world. The overseas millionaire, perhaps a Prince, or in this case a rich & dead businessman whose living proxy has miraculously plucked me from the masses of all the email-owning people on earth to be the sole benefactor of an oddly specific fortune! What luck!
I mean, never mind the fact that I can’t even conjure up enough luck to win the monthly business card raffle at my local Subway restaurant, looks like things are finally turning around for me!

You ever wonder who’s on the other side of one of these emails?

Well I did, and although it seemed like an impossible feat at the time, I decided to take a swing at exposing the fraudster on the other end of the line and see what kind of end game they had in mind for me, their hapless and less privileged victim. What resulted was a wild OSINT and social engineering ride I’ll never forget!

To start off, I take a moment to define a goal. While things may change as we move along, at the outset I know that I want to elicit information from the scammer that may help me identify them in real life. Ok great, how do I do that? I need to think of the kinds of people the scammer expects to engage with when he or she is successful. Not very savvy? Perhaps unwise about technology? Maybe greedy? I’ll definitely need to play a role in order to accomplish my goal and I figure the more I act like what they’ve experienced from prior victims, the more likely it is that I might draw something out of them.

How will this all go? Well I don’t know quite yet.

Although I am almost completely certain that I’m dealing with a freshly created throwaway email address, I can’t just assume they’ve not made some kind of mistake and not do the research on it. So I check all the usual boxes to start: run the email through breach data tools, https://haveibeenpwned.com, https://emailrep.io, Google, check the username portion in https://whatsmyname.app, etc etc etc. If you’ve spent any time doing OSINT work, you know those angles quite well, but if not, I would encourage you to check out my prior blog on pivoting off an email address HERE.

All of that was a bust, as expected. Now I know I’m going to need to start the active engagement at this point, so I fire up the VM, open a sock-puppet Gmail, and get to work. I’m not going to email them back from my work account and expose anything about me so this will be done under my favorite alias. (Bonus points to anyone who recognizes where the name Tommy Gemcity comes from) Hint: It may be spelled differently than the actual origin.

So I’m basically cold-emailing them from a new account they’ve never seen before, but given the fact that I’m sure they spammed countless email addresses in their quest for a victim, I doubted they’d notice at all. I was right. You might also notice my email signature where I’m actually taking a stab at (harmlessly) phishing them right back. The Treasure Hunter’s Club? Does that sound interesting enough to click on the link in my signature? If it did, their IP address would be instantaneously captured before they were redirected to a completely normal and harmless website I’ve pre-programmed to be the final destination. How you might ask? There are a number of sites and tools who shall remain nameless, that can help you set something like this up and may even let you choose from some pre-made URLs or use a link shortener to help make your IP-grabbing link look just a little bit more legit. (Blah, blah, don’t break laws, blah, blah, don’t violate policy, blah.)

Now I will admit I started out a bit greedy here, and at this early stage of the game, our adversary was too wise to click on my tricky signature link. Let’s carry on.

A few days pass, and I receive a reply with good news! All they need in order to transfer my millions is: my full name, my address, my phone number, and a copy of my passport or ID. AMAZING!
Suddenly though, I get cold feet. You see, I’m a little leery about giving out my information online. Or so I say…

I’m hoping that my need for reassurance will result in the scammer giving me something I can work with. Let’s see what they come back with…

BRILLIANT! Turns out they had some concerns about me as well, but I’ve now proven myself the worthy recipient of this “legal and risk free” fortune, which is coincidentally my favorite kind of fortune! Let’s have a look at these OFFICIAL documents:

Now I’m no bank fraud investigator but I could tell these documents were authentic right when I noticed they used at least 6 different kinds of fonts. And while I’ve never actually seen what kind of paperwork you have to do when you drop that kind of coin in the bank, I definitely imagine there being lots of stamps and signatures, so check and check! Looking good to me! [rolls eyes]

The scammers are still waiting for my personal information, so I oblige, providing them with the address and phone number for the largest apartment complex in the United States and of course a link that will take them directly to the web page of Google files, while conveniently grabbing whatever IP address they might be using at the time. Yes, I’m trying that trick again. What have I got to lose?

I’m really starting to wonder though… what is their end game here? It can’t be just simple identity theft, can it? Perhaps more will reveal itself as we carry on.

As you can see, I’m being passed off to a new and much more official sounding email address. I will fast forward over this part of the story because it involves multiple email exchanges with them assuring me they are ready to transfer the money but need my ID photo, and me fumbling through various reasons why I can’t manage to attach a simple JPG to my email, trying to keep them on the line to expose something useful.

But in the meantime, something amazing happened… they clicked the link!

I’ve got an IP address to work with! Of course, I’m not holding my breath that this is going to be someone’s actual IP and not one of the zillions of easily accessible VPN IPs available to literally anyone with even the slightest ability to Google, but I’m still going to check…

I see that the Internet Service Provider (ISP) is Orange, from the Ivory Coast area in Africa, and I check it in several tools like https://maxmind.com, https://ipinfo.io, and https://dnslytics.com to see what they can tell me. All say Orange is the ISP, general area is Abidjan in Cote D’Ivoire, and now I’m seeing it’s negative for VPN/proxy/TOR/relay. This is looking really promising!

One other thing I like to look at for someone’s IP is a site called https://iknowwhatyoudownload.com, which checks for torrent downloads and distributions. In many parts of the world, this is still popular and while it might not offer me any value in terms of identifying someone, I can use this to get a sense of whether an IP might be from a VPN or not by looking at the volume. Many VPN IPs, when checked through this site, will reveal a very long list of torrents (often X-rated), that would be more than a typical household would consume on its own. In this case, the IP in question had just a handful of results for some TV shows, not what I would expect from a commercial VPN IP.

You might be saying to yourself, “all of this is great, Griffin, but it’s not getting us any closer to identifying someone!” You’d be right. Without a legal order or some kind of special access, finding the person behind that IP isn’t going to happen. Or is it?

You see, we have one hail mary left to throw here, and it’s our good old friend breach data. I call it a hail mary because it has only worked for me a handful of times over the years with IPs due to a number of factors around how they can be changed as well as the move to IPv6 from IPv4, but it’s still something worth checking. As it turns out, this IP address HAD been part of a data breach, and it was connected to someone’s account. Someone we’ll call “PB” from here on out.

This is (potentially) great news! I say potentially because there are a ton of asterisks that should accompany information like this. For one, it does not put this person behind the keyboard in my situation. For another, we do not know if this IP address from the breach is still with this person. The list goes on, but for the moment we’re going to call “PB” a person of interest and see where things go.

Now we get to the fun part, OSINT! We’re working with an email and a name, and we want to see who this person is, what they’re about, and where they are in the world.

Finding a foothold in this person’s online life was a challenge at first, because they do not go by their (presumed real) “PB” name in social media handles, they go by a version of what I will call “Bright Man”. Here’s a little tip for you… I was able to locate a Facebook profile for this person by letting Google do the work for me, creating a Google dork to view results indexed from Facebook specifically that included parts of the “PB” name in the URL. Something along the lines of site:facebook.com "TERM1" AND "TERM2". You see, a lot of Facebook users may start out an account using their full name, and then adjust the display name to something new like Mr Bright Man did, but they never change the URL (yes that’s a feature). So when John Smith starts a Facebook account at facebook.com/john.smith and then changes his display name to Jethro Gibbs, well his URL will remain unchanged. I can’t even count the number of times I’ve found someone’s Facebook account by just trying firstname.lastname in the URL, try it out sometime!

OK, so Mr. Bright Man is merely a person of interest here, and may very well be unrelated to the scam so I’m going to blur him out, but I will say he had quite the online presence to explore:

I was also able to gather up several phone numbers and email addresses from clues left in his online posts and videos, as well as determine roughly where he lives by geolocating a few of his YouTube videos. So now I’ve got a decent handle on who this person of interest is, should that become helpful down the road.

All the while I’m researching Mr. Bright Man there’s still one question burning in my brain… what is the scammer’s end game? Obviously, scams are for money, but so far the worst thing they’ve tried to do is get a copy of my passport, address, and phone number. Could they monetize that? Sure. Is it more work than just getting me to send them money somehow? Yup.

And just then, the answer finally arrives in my inbox. It’s a bit small to read in the picture below, so let me just spoil the surprise for you now… it’s an advance fee scam. I’m being advised that the account holding my $4.6M is a “suspense account” which requires reactivation by way of paying a fee before they are able to release the full funds. I am offered two options: 1 reactivate the account and claim the very substantial interest accrued for the fee of $1260, OR reactivate the account and forego the accrued interest for a smaller fee of $860. Classic!

What kind of a money-hating idiot would turn down hundreds of thousands of dollars in accrued interest just to save $400 on fees? NOT THIS SOON-TO-BE MILLIONAIRE!! Sign me up for that $1260 fee right away please and thank you very much!

Is this the end then? That’s really all there was? Well, no. I’m not ready for this to be over. Much like Ted Lasso, I know the end will come eventually, but I won’t let myself think about it being over until the last possible moment. Goldfish memory!

I’m going to take one more stab at getting information from the scammers and see where it leads. If I assess what’s happened, I know they want me to send them money, I know they must have a way to get that money, and I know that their banking information may reveal new clues for me, so I press on. I’m ready to send the money, just tell me where…

Ah crap! Thomas Smith??? That just screams obviously fake.

But wait.

Aren’t they expecting me to send them money to this account? So that means they intend to get it. There must be more to this than what I thought. Maybe Thomas Smith is actually a real person. Maybe Thomas Smith is a victim as well! You see, there’s this thing called a money mule, essentially a middle person usually uninvolved in the actual scam who facilitates movement of the funds involved. In some cases they are tricked, in some cases coerced, and in other cases they may actually get a cut of the money for performing services like cashing out and sending the balance elsewhere. (Work from home job scams anyone?)

I need a plan. Finding a Thomas Smith somewhere in the world is going to be impossible without some other kind of information, so I play the helpless, bumbling victim angle in hopes of gaining something I can use. I tell the scammer that my bank won’t allow me to transfer the money despite my best efforts, but let them know that I do have access to PayPal and Venmo instead if only they’d be willing to provide an email address or phone number for me to look up their account. But will they fall for it?

More has been revealed! Let’s get to work on finding Mr. Smith, and seeing what he’s all about. First, we check the PayPal profile using the search by email feature of the mobile app and see what appears.

A face! It’s a start, and we still have the email. If you’ve read any of my other blogs, you know how much I love the https://epieos.com tool for researching email accounts. In this case, I find that the email is connected to a Google account for Thomas, and that Thomas has left a number of reviews of businesses in a fairly tight geographic area.

Using Thomas’ very common name, and some of the names of towns near the area where he left those restaurant reviews, I start hitting the Facebook advanced search feature. Combining his name with various town names, it doesn’t take me long to find an account with a face that looks remarkably similar to the PayPal profile I was referred to by the scammer.

Success!! As I look more into Thomas’ life, I realize that he’s most certainly not someone wrapped up in an international wire fraud scheme, he’s most likely an innocent victim himself, either being preyed upon or compromised in some way. I’d like to see if I can locate his contact information or residence now, because I have every intention of passing him off to local authorities who can help him. I return to his online life in order to gather more information. Part of what I do is read the many different business reviews Thomas has written looking for clues, and I discover one for a church. This particular review leads me to believe that Thomas is very active at this church and I wonder if their social media may have other photos or information about him.

Bingo! I read on and find other posts mentioning him, explaining his background, and listing his family members including his wife by name. This is more than enough information for me to hit some people search sites like https://truepeoplesearch.com and begin researching the addresses. I locate an address that appears to be current, but just to be extra sure I Google for the County GIS portal in order to research property tax information on the property address. You’d be surprised how many US Counties have these kinds of sites and searches available.

Just the thing I was hoping for. Thomas and his wife are both still listed on the property, and through the people search sites I was able to gather information for them as well as locate additional social media. More than enough information for someone to make contact with Thomas and help him out of the situation he may be stuck in. Elder scams are sadly quite prevalent, and often extremely detrimental to their victims who can unwittingly lose large sums of money in a short period of time before even realizing something is not right. My hope for a happy ending here is that someone can help Thomas, and I know just the folks to do it.

My findings get packaged up into a report, and despite the fact that I never actually proved that Bright Man was behind the scam, I provided more than enough information to the authorities to demonstrate what was occurring and compel them to at least help Thomas. This was all delivered to a friend at a US agency who deals specifically with these types of crimes and who happened to have a fellow agent and friend right in Thomas’ area that would follow up.

Wow, what a journey that was! By playing the part of a clueless victim, I was able to take a run of the mill scam email, elicit potentially identifiable information from a person or persons halfway around the world, and by utilizing OSINT I was able to put together a significant amount of intelligence on a person of interest, and most importantly identify and lead authorities to a likely victim who may have really needed help. I’d say all in all that’s a pretty impressive result!

Thanks for sticking with me till the end. I hope you enjoyed the story, maybe picked up a few things, and most importantly became just a little more aware of the dangers lurking out there online.

A Snapchat OSINT Tip: Viewing Bitmoji Changes

In today’s episode of “Blogs That Should Have Been a Tweet”, I want to give you a tip about Snapchat. More specifically, a tip about Bitmoji users on Snapchat. First though, let’s back up a few steps… Bitmoji is an app that allows users to create a cartoon representation of themselves by picking everything from features to accessories to clothing. You can use this “cartoon you” in many places online and in apps, but it’s most commonly associated with use in Snapchat (the company who bought Bitmoji back in 2016). An estimated 3/4 of all Snapchat users use Bitmoji!

It’s hard to overstate the value of posted photos in OSINT work. When people post photos of themselves, they’re giving you a glimpse at a moment in time, and seeing them with your own eyes can sometimes be the key to answering other investigative questions about your subject. (We are of course excluding that photo of me at the age of 12 standing outside Busch Gardens, sporting a Terminator wanna-be flat top haircut, tight-rolled acid washed jeans, a fanny pack, and glasses with the strap on the back while a parrot perches casually on my hand. No questions went unanswered in that masterpiece)

What about Bitmoji though? Can there be investigative value in viewing a person’s self-generated and self-depicting cartoon? Of course there can! Depending on the context in which you receive the image, it may help you to narrow a search pool of similarly-named individuals, refine your research based on certain visual factors, or even help you make comparisons to known social media accounts that are using or have posted the Bitmoji. Many users will make an effort to ensure their cartoon self is at least recognizably close to the look of their real self.

Now, before we go any farther, I know there’s at least one of you sitting at home shaking your head because there are soooo many variables here. After all, we are talking about someone making their own digital persona in any way, shape or form, using a robust but still finite set of features. Even users who are trying to stay true to form might just give themselves a little esthetic help where they’d like it. I mean, you should see the waistline on my Bitmoji, I haven’t been that thin since… well, the infamous Busch Gardens photo. Anyway, I get it. Like everything we do in OSINT though, in the proper context, it can be a clue.

Let’s say you have found your subject online in one social media site, and you’ve moved on to finding their accounts on other platforms. You’ve decided to start at Snapchat since you see they’ve posted a Bitmoji of themselves, and you know that chances are good that they may also have a Snap. You’ve got a real name and a username from the profile you’ve found, so you’re running username queries using the web version of Snapchat, but you’re just not sure if you’ve found the right person. The name is right, but the cartoon character smiling back at you… is not a match for the one posted by your known account. If you’re like me, you don’t take anything at face value! You probably wonder how long it’s looked this way, and what it may have looked like before.

Snapchat users with a Bitmoji avatar can make changes to the appearance of their cartoon persona any time they want, as much as they want, directly from Snapchat. When someone searched for them moments ago, they looked one way, but now… they may look completely different. Like this guy who used to be cool but eventually turned his life around:

This guy can’t wait for his high school reunion.

If only you could access a prior Bitmoji to compare with the one you’ve found in your earlier research, you could be that much more confident about the potential of your findings… well it turns out that sometimes you can, with a simple URL manipulation.

When you visit someone’s Snapchat profile page via the web URL, by adding their username to the end of: “https://snapchat.com/add/” you land on a page that can look a few different ways depending on the user. Some will simply be a Snap code or a recent Story, while others may contain no avatar at all or perhaps just the face, and those aren’t going to be our focus here. The one we want is one of the more common landing page possibilities, a full-body avatar image of their beloved Bitmoji that looks something like this:

Now you’re in business! When you find yourself on a profile that looks like this, and you want to view the looks of some of their prior Bitmoji, here’s what you do:

1. Right click on the Bitmoji image and select “Open image in new tab” – you’ll get a page that looks like this, which is serving you just their current avatar:

2. Review the last few characters of the URL preceding the .webp extension, they’ll look something like this:

3. When reviewing the URL of the image, you’re looking for that number immediately following the underscore (in the above case it’s 51). That number represents the version of Bitmoji you’re currently viewing. I wonder if the prior versions are stored there as well?
If you simply start changing those digits to lower numbers, refreshing the page and working your way back, you’ll see that they are! In this case, if you work back through the prior versions of their avatar you’ll see numerous changes, and when you get to version 35 you see this:

Interesting…
So does this previously stylish cartoon persona simply enjoy the comfort and freedom offered by wearing scrubs? Perhaps!
Or do they love hospital-themed, early 2000’s sitcoms featuring a prime Zach Braff? Trick question! Everyone loved that show.
More importantly, could they work in some type of medical position, and could that information align with other findings? It’s entirely possible.

There is a limit to this backward research, and at some point you’ll roll back to a number and suddenly the avatar will revert to the current one. In the case of the above person, that happened after image 33. Anything 32 and prior will just show me the same current Bitmoji I started with at 51, but if my math is correct (and it rarely is) that means I was able to see 18 versions of this person’s digital self!
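The three steps above, plus the stop condition just described, as an added Python example. This is my own illustration, not the post’s code and not Micah Hoffman’s Backmoji tool. The URL in it is a placeholder (only the “_<number>.webp” tail follows what the post describes), and fetch is a constructed stand-in for an HTTP request so the whole thing runs offline; swapping in a real HTTP GET is the only change needed to use it against a live page.

```python
"""Walk a versioned avatar URL backwards and stop when the image reverts.

Added example for the Bitmoji roll-back described in the post; not the
post's own code and not the Backmoji tool. EXAMPLE_URL is a placeholder
host and path; fake_fetch is a constructed catalogue that mimics the
post's numbers (versions 33-51 distinct, 32 and below serve the current
image) so the walk can run without network access.
"""
import hashlib
import re
from typing import Callable, Optional, Tuple

# Matches "<anything>_<digits>.webp": the number after the last underscore
# is the avatar version the post tells you to edit.
VERSION_RE = re.compile(r"^(?P<prefix>.*_)(?P<version>\d+)(?P<suffix>\.webp)$")

EXAMPLE_URL = "https://cdn.example.invalid/avatars/abcdef_51.webp"  # placeholder


def parse_version(url: str) -> Optional[Tuple[str, int, str]]:
    """Split an avatar URL into (prefix, version, suffix); None if it has no version tail."""
    m = VERSION_RE.match(url)
    if not m:
        return None
    return m.group("prefix"), int(m.group("version")), m.group("suffix")


def url_for_version(url: str, version: int) -> str:
    """Rewrite the version number in the URL, leaving everything else intact."""
    parsed = parse_version(url)
    if parsed is None:
        raise ValueError(f"no _<n>.webp version tail in {url!r}")
    prefix, _, suffix = parsed
    return f"{prefix}{version}{suffix}"


def walk_back(url: str, fetch: Callable[[str], bytes]) -> list:
    """Return version numbers (newest first) that served a different image.

    Stops at the first older version whose bytes equal the current avatar,
    which is the "reverts to the current one" behaviour the post describes.
    """
    parsed = parse_version(url)
    if parsed is None:
        raise ValueError(f"no _<n>.webp version tail in {url!r}")
    _, current, _ = parsed
    current_hash = hashlib.sha256(fetch(url)).hexdigest()
    older = []
    for version in range(current - 1, 0, -1):
        body = fetch(url_for_version(url, version))
        if hashlib.sha256(body).hexdigest() == current_hash:
            break
        older.append(version)
    return older


def fake_fetch(url: str) -> bytes:
    """Constructed stand-in for an HTTP GET: distinct bytes for versions 33-51,
    the current (51) image for anything older, matching the post's account."""
    _, version, _ = parse_version(url)
    if version < 33:
        version = 51
    return f"fake-webp-bytes-v{version}".encode()


if __name__ == "__main__":
    older = walk_back(EXAMPLE_URL, fake_fetch)
    print(f"{len(older)} earlier versions found: {older[0]} down to {older[-1]}")
```

Comparing a hash of the image bytes rather than eyeballing each page is what makes the stop condition reliable; the one case it mishandles is a user who changed their avatar and later changed it back, where an intermediate version would match the current one and end the walk early, so a tool that wants every version (as Backmoji does) should show them all rather than stop. From the platform side, the same example shows why sequential version numbers in public media URLs leak history: an unguessable identifier per version, or simply not serving superseded versions, closes the gap.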

URL manipulation in OSINT research is nothing new, many of you will already know how to do things like view a higher resolution or larger sized profile image in certain social media sites by changing a few characters in the image URL. If not, I hope this idea sparked a bit of creativity for you and is something you’ll add to your thought process going forward, because it has a wide variety of use.

Ok, so there are a couple of takeaways here, allow me to summarize them:

  1. When Snapchat serves you up a profile page with a full Bitmoji avatar on it, there may be value in rolling back to previous versions for more information.
  2. Paying attention to where on-site content is delivered from on any site can be potentially valuable in your research.
  3. Manipulating the URL of media content can sometimes provide unexpected results.
  4. If you can’t laugh at yourself, then you’re doing life all wrong…
Don’t you dare put this on the internet!

UPDATE: Introducing The Backmoji Tool!

Following the release of this blog, THE Micah Hoffman aka @webbreacher on an internet near you, whipped up a quick UI tool that allows a user to follow the process outlined above, input a couple of variables from the Bitmoji URL they’ve discovered, and view an output of all available versions of the user’s Bitmoji all on a single page! Fantastic work my friend, as always!

To read his explanation of the tool, visit: https://webbreacher.com/2022/10/24/grabbing-old-bitmoji-outfits-with-backmoji/

To jump straight over to Backmoji, visit: https://webbreacher.github.io/osinttools/

Telegram OSINT Basics: 5 Tips Anyone Can Do Right Now

A while back I posted a companion blog that was mostly a list of links from a talk I did on Telegram OSINT at the 2022 National Child Protection Task Force conference. The idea behind the talk was approaching Telegram for an OSINT investigation in the lowest-barrier ways possible, meaning not having an actual account on the platform, and utilizing a web browser rather than using the app on a mobile device. Is that you?
Many investigators either can’t get an account on Telegram (it does require a phone number) or only utilize a web browser for their investigative work, and while it’s not the most revealing approach… there are still plenty of things you can do to research Telegram “from the outside” and I’ve listed 5 big ones here. This should help get you started if Telegram is new to you or you find yourself restricted in your access.

A very quick primer on Telegram for the non-users… At its core, it is simply an app for messaging and disseminating information. That can be from user to user (most often), from a user to an audience via a Channel, or among multiple users in a Group. There are other features and nuances, but this is what you’ll find at the core.
Now let’s get down to some OSINT business…

  • Dorks! (Advanced Search Operators)

Whether you’re looking for Users, Bots, Channels, Groups, or something else… good ol’ fashioned dorks are your best friend. All you really need to know is the Telegram URL structure to craft your site-specific search, plus some key words of interest. You’ll find Telegram content indexed by Google and other search engines under a couple of common domains, t.me and telegram.me, which you can ask your search engine of choice to limit its results to while you query your little heart away. For example:

In Google, Bing, and DuckDuckGo –> site:t.me cryptocurrency
In Yandex –> url:t.me cryptocurrency

Each of these searches will return results in the respective search engines that have been indexed specifically from t.me URLs and have the word cryptocurrency on the page. Changing t.me to telegram.me would provide you with results found under the telegram.me domain name. I show several variations because there’s ALWAYS a chance that what you’re looking for may not be in the first place you look, so keep flipping those rocks!

When you think about the kinds of things people share in the bio or description section of their profiles, you may not be surprised to know that I’ve found names, emails, phone numbers, crypto wallets, websites, links to other socials, and many other potentially useful things. Get creative with what you seek!

There are several Google Custom Search Engines (CSEs) pre-built to search specifically for Telegram content and return it in an easy-to-navigate result. These are some of my favorites, and there are more in the prior blog post:
CSE “Telegago”:
https://cse.google.com/cse?q=%2B&cx=006368593537057042503%3Aefxu7xprihg
CSE by Francesco Poldi:
https://cse.google.com/cse?cx=004805129374225513871%3Ap8lhfo0g3hg
CSE “Commentgram”:
https://cse.google.com/cse?cx=006368593537057042503:ig4r3rz35qi#gsc.tab=0

  • View Full Description

OK, this is a fun one. Probably my favorite one. When you find yourself on a profile of interest, or perhaps a private group page that you can’t join, and you’re only collecting/analyzing what you can see from the public description… do you realize that there might actually be more than meets the eye? Have a look at this example:

So if you’ve reviewed the photo and just said to yourself “Griffin, you moron, everyone on planet earth already knows how to get the rest of that linked profile followed by the 3 dots. This is the most worthless advice you’ve ever given me!” First of all… I’ve no doubt given way worse advice than this, even just today. Second of all… of course that’s not the thing!

The amount of information that can be in one of those descriptions is much bigger than what you can see in the browser, and there’s actually a decent chance that you’re missing out on something useful, even beyond the obvious. But how do you get to the rest? You right click, right click, right click your way to victory™ of course!
Right click on and inspect the element which contains that text, and have a look at what’s in the code. As you hover over the different elements in the inspector, you might notice that the corresponding parts of the page are being highlighted, making it easier to find the piece you’re looking for. You may have to click on some of those little triangles to expand the drop-down details, but eventually you’ll find the element for “tgme_page_description” just like below:

Boom! What was previously unseen is now perfectly available to your investigative curiosity. Say it with me… MOAR WORDS! Yep, there are more words than you could see, or even than you thought you were going to see. Much more in fact!

What if I told you I had an example where you’ve landed on a private group, and hidden on the page are their Instagram account, their Facebook account, and their custom bit.ly join-group link? (That’s exactly the kind of thing they post around the internet on other platforms, which gives you another way to find them, by the way.) Well, of course it’s true:

So now you see that there may be more than meets the eye, and that’s very exciting, but I can literally hear some of you while I’m typing this saying to yourselves “Inspecting elements? Code? What do I look like, that guy from Mr. Robot?” Never fear! My good friend and fellow OSINT smart-guy webbreacher crafted a simple one-liner bookmarklet to make viewing the contents of this element as simple as the push of a button. Literally!

All you do is copy the following text, go into your browser bookmarks, create a new bookmark, and paste the text where you would normally put the URL for a bookmark and save. Give it a name you will remember and ba-da-bing:

javascript:(function()%7Bvar a %3D document.getElementsByClassName('tgme_page_description')%5B0%5D%3B alert(a.innerText)%7D)()

So now, when you’re on a Telegram profile, like the one above at https://t.me/joinchat/C-bhhEwufsxZaUsv0TiSdA, you just click that bookmarklet in your bookmarks bar and there you go! The element pops up on your screen for easy viewing like so:
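Two things bite with the one-liner above once you use it a lot: `getElementsByClassName(...)[0]` throws if the page has no description element, and an alert full of prose still leaves you squinting for the handles and links. Here is an added example (not webbreacher’s bookmarklet and not the author’s code) that keeps the same idea, reading the full text out of tgme_page_description, but guards the missing-element case and pulls the pivots out for you: URLs, @handles, join links and emails. The DOM part only runs in a browser, so the extraction is a plain function that runs anywhere, and `buildBookmarklet()` packs both into a `javascript:` URL you can paste as a bookmark. The sample description is constructed for the demo and is not a real group; the regexes are my assumptions about what a description tends to hold, not anything Telegram documents.

```javascript
// Added example: a sturdier take on the "read tgme_page_description" trick.
// Not the original bookmarklet. Extraction is pure so it can run outside a
// browser; the DOM wrapper runs only when clicked as a bookmarklet.

// Pull investigative pivots out of a description's full text.
function extractLeads(text) {
  const dedupe = (xs) => [...new Set(xs)];
  const urls = (text.match(/https?:\/\/[^\s<>"')]+/gi) || [])
    .map((u) => u.replace(/[.,;:]+$/, ''));            // drop trailing punctuation
  // "@name" not preceded by a word char, dot, slash or another "@" (so email
  // local parts are not mistaken for handles).
  const handles = text.match(/(?<![\w.@\/])@[A-Za-z0-9_]{4,}/g) || [];
  // Invite links: the joinchat form from the post plus the newer t.me/+HASH form.
  const joinLinks = urls.filter((u) => /(?:t\.me|telegram\.me)\/(?:joinchat\/|\+)/i.test(u));
  const emails = text.match(/[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g) || [];
  return {
    chars: text.length,
    urls: dedupe(urls),
    handles: dedupe(handles),
    joinLinks: dedupe(joinLinks),
    emails: dedupe(emails),
  };
}

// Browser-only: what runs when you click the bookmark on a t.me page.
function showDescriptionLeads() {
  const el = document.querySelector('.tgme_page_description');
  if (!el) { alert('No tgme_page_description element on this page'); return null; }
  const text = el.innerText;          // the whole element, not just what is rendered
  const leads = extractLeads(text);
  console.log(leads);                 // structured copy in the devtools console
  alert(text + '\n\n--- leads ---\n' + JSON.stringify(leads, null, 2));
  return leads;
}

// Pack the two functions above into a single javascript: URL for a bookmark.
function buildBookmarklet() {
  const src = extractLeads.toString() + ';(' + showDescriptionLeads.toString() + ')();';
  return 'javascript:' + encodeURIComponent(src);
}

// Constructed sample (not a real group) with the kinds of content the post
// describes sitting past what the page shows.
const SAMPLE_DESCRIPTION = [
  'Official trading group. Admin: @tradeboss_admin',
  'Insta: https://instagram.com/tradeboss.official',
  'FB: https://facebook.com/tradebossgroup',
  'Join via https://bit.ly/3abcXYZ or https://t.me/joinchat/AAAAAExample',
  'Contact: support@tradeboss.example',
].join('\n');

console.log(JSON.stringify(extractLeads(SAMPLE_DESCRIPTION), null, 2));
console.log(buildBookmarklet().slice(0, 60) + '...');
```

Paste the output of `buildBookmarklet()` into the URL field of a new bookmark exactly as you did with the one-liner. The console copy is the one worth keeping: it survives the alert being dismissed and can go straight into your notes.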

  • Channel Preview URL Edits

When you preview a channel by clicking on the option available on the channel page you’ve located, if you’re lucky, you’ll find yourself in a sea of messages, beginning with the most recent. Exciting, right? Well, we all know that even the dumbest of us are smarter today than we were yesterday, so when was the most likely time that someone in a Telegram channel made an opsec mistake and leaked useful information? The beginning of course! So let’s say you’ve landed yourself here, alllllll the way at message #6,692 (see URL):

As you can see, the URL you’re starting on is t.me/areaofhacking/s/6692. Now, it’s obvious to you astute readers at home that changing that number on the end will immediately take you to a different post, but here’s a quick edit you can make to help in breaking down your research and review into manageable bites:

t.me/areaofhacking?before=100

This drops you at the messages posted before message #100; swap in 500, 1000, or whatever number you stick on the end to land at a different point in the channel’s history. Great for when you have to break your review down into parts as you go on beer runs throughout the course of the day.

  • Getting The Exact Date & Time

When previewing a channel or (while logged in) looking at a specific message, you may need to find the exact date and time it was posted. Down in the lower right corner of the message you’ll see (while previewing a channel for example) a time. If you click that time, you’ll be taken to a static URL for that particular message, where you will then find the date added, like below:

Now, this isn’t EXACT, as you are no doubt ready to tell me… and when it comes to details, you and I are very concerned with being exact, so we’re going to dig deeper. Once again, we’re going to right click our way to victory and by right clicking on the time/date stamp & choosing inspect, we’ll be looking at the element “tgme_widget_message_date”, something like this:

If you’re paying close attention, which of course I know you are, you’ve noticed that there are 2 different times there. This may seem confusing, but never fear! The first time is in UTC, and the second time is translated to your (suspected) local time. If you’re doing things to obscure your machine, browser, location, etc… well that 2nd time may not be accurate, but you can always bet on UTC to be correct, which is exactly why Al Gore invented it!
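If you are reviewing a channel from the outside and need the exact time of every message, not just one, here is an added example (not the author’s code) that does the inspect-element step in bulk over a saved copy of the preview page. It assumes the markup looks like what the inspector shows: an anchor with class tgme_widget_message_date whose href ends in the message number, wrapping a time element with an ISO-8601 datetime attribute that carries an explicit offset. That attribute is the part to keep; the visible HH:MM is whatever the viewing browser rendered, which is exactly the second, “suspected local” time the post warns about. The HTML below is constructed for the demo (the channel name and message numbers are made up), and the second entry deliberately carries a non-UTC offset to show that everything normalises to one UTC instant.

```javascript
// Added example: pull message numbers and exact UTC timestamps out of a
// t.me channel-preview page, the programmatic form of inspecting
// tgme_widget_message_date. Not the author's code.
//
// Assumed markup (matches what the inspector shows; verify on your page):
//   <a class="tgme_widget_message_date" href="https://t.me/<channel>/<id>">
//     <time datetime="<ISO-8601 with offset>" class="time">HH:MM</time></a>
const DATE_ELEMENT_RE =
  /class="tgme_widget_message_date"[^>]*href="https?:\/\/t\.me\/([^/"]+)\/(\d+)"[^>]*>\s*<time[^>]*datetime="([^"]+)"/g;

// Return [{channel, id, utc, raw}] sorted by message number.
// `utc` is the datetime attribute normalised to UTC; `raw` is what the page said.
function extractMessageTimes(html) {
  const out = [];
  for (const m of html.matchAll(DATE_ELEMENT_RE)) {
    const [, channel, id, datetime] = m;
    const d = new Date(datetime);
    if (Number.isNaN(d.getTime())) continue;     // not a parsable timestamp; skip rather than guess
    out.push({ channel, id: Number(id), utc: d.toISOString(), raw: datetime });
  }
  return out.sort((a, b) => a.id - b.id);
}

// Constructed sample preview HTML (made-up channel and message numbers).
// The second entry carries a +02:00 offset on purpose.
const SAMPLE_PREVIEW_HTML = `
<div class="tgme_widget_message_footer">
  <a class="tgme_widget_message_date" href="https://t.me/examplechannel/6692">
    <time datetime="2022-10-24T15:30:12+00:00" class="time">15:30</time></a>
</div>
<div class="tgme_widget_message_footer">
  <a class="tgme_widget_message_date" href="https://t.me/examplechannel/6691">
    <time datetime="2022-10-24T16:05:40+02:00" class="time">16:05</time></a>
</div>`;

for (const t of extractMessageTimes(SAMPLE_PREVIEW_HTML)) {
  console.log(`${t.channel}/${t.id}  page said ${t.raw}  ->  UTC ${t.utc}`);
}
```

Save the preview page (or the single-message page you reach by clicking the time) with the browser and run this over the file; the printed UTC column is the one that belongs in your timeline. If the regex finds nothing on a real page, inspect the element again: the attribute order or class names are the first things to check before assuming the data is missing.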

  • Using Archives

Last tip for ya here, and it just might be the one that makes or breaks your next Telegram investigation. Don’t forget about the archives! When you find yourself reviewing Telegram content, you might just be surprised to find that the channel you’re reviewing has been archived in the past on everybody’s two favorite archive sites (yes, I know there are others): archive.org and archive.ph (or archive.today or archive.is or whatever the hell TLD they’re using at the moment). Each of those sites will let you search for the Telegram URL you’re interested in and see what’s in their archives. Don’t forget to try both t.me and telegram.me when you search!
One final little bonus tip along the same lines… Try checking the Google cache version of a page to see if it may have been recently changed. Here’s an example of a user who has no text content in their bio, but a quick search, either with the cache: search operator followed by their URL or by clicking the 3 little dots next to them in Google search results to reach the Cache button, shows that the bio recently had some text in it after all, captured by Google before it was changed! (Google has since retired cached pages and the cache: operator, so for anything recent you’ll be leaning on the archive sites above.) See the side-by-side comparison:

Well, I said 5 tips and we got through 5 tips. I hope you picked up something new, or perhaps an idea you can try elsewhere in your investigative work, even if it’s not in Telegram! Some of these things are concepts that are useful across a wide variety of investigative work. Remember, nothing beats relentless curiosity, so keep looking and keep flipping over those rocks!

Telegram OSINT From The Outside

This blog is simply a placeholder for the links and related content for a talk of mine at the 2022 National Child Protection Task Force conference about the many different OSINT approaches you can take to Telegram without needing to be logged in. Many investigators are unable to join Telegram for one reason or another, but there’s still plenty of clues that might be found if you know how to look.
This post will make sense if you saw the talk; if you haven’t, it might seem a bit cryptic, but you can still probably pick up a thing or two.

Telegram OSINT From The Outside
Links List!

Basic Telegram Dorks:
site:t.me
site:telegram.me
inurl:[usergroupchannelbotname]

Bio/Description Search Examples:
Website URL
Crypto Wallet
Phone/WhatsApp
Other Socials
Real Name
Email
Affiliations
Emojis

Username Search Tool Site:
https://whatsmyname.app

Seeing “Hidden” Description/Bio Content:
Right Click, Inspect
Find the: “tgme_page_description” element
Expand to see all content

OR use a bookmarklet! (s/o Webbreacher)
Copy & Paste This Text As a Bookmark In Your Browser, Click When You Have a Telegram Profile Page Open:

javascript:(function()%7Bvar a %3D document.getElementsByClassName('tgme_page_description')%5B0%5D%3B alert(a.innerText)%7D)()

Group/Channel Join Links:
Format: t.me/joinchat/******** and telegram.me/joinchat/*******
Add to your search operators to make:
site:t.me/joinchat OR site:telegram.me/joinchat

Finding Exact Time/Date From Message:
Click on time element in lower right corner to open message solo
Right click on the date/time, Inspect
Find the “tgme_widget_message_date” element
Displays 2 times – First: UTC, Second: Your Timezone

Channel Preview URL Edits:
Edit # at the end of a message URL to visit different messages specifically
OR
add ?before=100 to view the first 100 messages in a channel
OR
add ?q=[searchterm] to search a channel – can search any text including file names & even extension types like PDF, XLS, etc

Archived Versions For Changed or Newly Hidden Content:
https://archive.org (Internet Archive – Wayback Machine)
https://archive.today (or archive.is or archive.ph)
Google Cache via cache:https://t.me/[userchannelgroupbotname]

Telegram CSEs To Leverage:
CSE Telegago:
https://cse.google.com/cse?q=%2B&cx=006368593537057042503%3Aefxu7xprihg
CSE by Francesco Poldi:
https://cse.google.com/cse?cx=004805129374225513871%3Ap8lhfo0g3hg
CSE Commentgram:
https://cse.google.com/cse?cx=006368593537057042503:ig4r3rz35qi#gsc.tab=0
CSE by Bosintblanc:
https://cse.google.com/cse?cx=f22644e7cf7c34e97
Both Francesco’s & Telegago at IntelX:
https://intelx.io/tools?tab=telegram
CSE by WeVerify:
https://cse.google.com/cse?cx=006976128084956795641:ad1xj14zfap

Telegram Search Sites – Warning! Privacy/Safety Concerns
TGStat – tgstat.com
Telegram Channels – telegramchannels.me
Telegram Group Search – tg-me.com
Telegram Group Link – hottg.com
Telegram Discovery Search – tlgrm.eu
Telegram Directory – tdirectory.me

About Telegra.ph
site:telegra.ph
telegcrack.com – Warning! Privacy/Safety Concerns

Reverse Image Searches:
Browser Extension: https://github.com/dessant/search-by-image

Telegram Learning Resources I’ve Enjoyed:

Nico Dekens (@dutch_OSINTguy) video from SANS:
https://www.youtube.com/watch?v=e_aXQYq2l6U

Micah Hoffman (@webbreacher) myosint.training course: https://www.myosint.training/courses/telegram

@Cyb_detective resource page: https://cipher387.github.io/osint_stuff_tool_collection/#telegram

Ginger T (@cqcore) blog:
https://www.cqcore.uk/telegram-fundamentals/

Reddit’s r/telegram subreddit:
https://www.reddit.com/r/Telegram/