Skip to content

Month: August 2020

Mining OSINT Gold… From Video Game Forums

Published by hatless1der on August 23, 2020

When a child is missing, every single minute counts. If you’re someone who practices #OSINTforgood (I’m looking at you, Trace Labs CTF participants), you know that the more recent the information is, the more valuable it can be. You also know that searching for information on younger folks in places like people search engines is nearly a total waste of time. So off you go to trusty, old social media… the land of screen names and acronym-speak. Well, next time you fire up your VM and hit the social network bricks, I want you to think beyond Facebook and Instagram, or even Snapchat and TikTok.

Studies have shown that roughly 3 out of every 4 US children & young adults play video games, and that mobile remains the most popular gaming platform, especially for the tweens and teens demographic. It’s not just kids though… in 2017, more than 192 million US citizens played games on their mobile devices. Another 86 million were monthly console or PC gamers. Many young people these days have a gamer handle well before they have a driver’s license, and on top of that, tens of millions worldwide take to the internet to join in discussions, trade ideas, even barter for accounts and upgrades over hundreds of forums and social communities. These communities can be a veritable gold mine of OSINT information, often including one tremendous piece of information… the last date/time a user was active online. 

Now, if your childhood video gaming experience involved the iron-clad-science-backed tradition of artfully blowing life into (and dust out of) the circuitry of clunky, plastic game cartridges, you’re probably wondering where to even begin with all this. Well, as it turns out, so was I!
So, I did what I always do when I find out there’s something new for me to learn, I grabbed a couple beers, opened up a notepad, and went to Google for some research! Come on, let’s take a ride…

In my opinion, this first point is a very important one in terms of investigative approach so try to make sure it goes with you today when you leave… Many of the forum websites dedicated to video games are often uniquely categorized based on some overarching theme like: a specific console type, a certain game genre, a group of games made by one developer, an individual game, or the geography of an audience. 

Why is this so important? Well, if the information you’ve been provided about your target, or your impressively robust SOCMINT research has led you to learn about their specific gaming interests, you can really dial in on searching key sites by querying Google for the forums dedicated to the games they like, what console they use, or what genre they’re into. In my opinion, that kind of thought process is what separates the great investigators (like you), from the good investigators (like not you). 

How much information can you expect to find on these sites exactly? Depending on the particular site, a lot actually. Of the 30 sites I focused on for this blog, all but 1 offered a place for users to provide some or all of the following: real name, location, birthday, join date, last active date/time, contact information, social media links, personal website links, or a written bio. The one that didn’t have any of that information? It gives a complete username history (pivot points!) including the date of change, for players of one of the biggest MMOG (massively multiplayer online game) on the planet, boasting 112 million monthly players… Minecraft.
In one case, I came across a forum user who linked his PayPal account for donations. One click later… instant email address! When you go beyond basic profile tags, and start reviewing thread comments and written bios, well the sky’s the limit for what kind of information you might find. Many of the forums even had an “Introduce Yourself” type subforum, and still others offered custom signature options that often include self-disclosed personal info as well. The moral of this and every SOCMINT story is… GO OUT AND GET INTO THE WEEDS! Here, look:

This 28 year old Leo would like you to know his real name, visit his website, and probably hates Carole Baskin.

Eli from Denmark was kind enough to post a photo of himself and tell you where he works and goes to school, along with a URL link to his personal website!

This aspiring game developer would like you to give him a donation, or have his email address.

Now, if you’re one of those crusty, old “tools don’t always work!” and “get off my lawn!” kind of people (like me), well… below is a list of those 30 sites I mentioned, each of them marked for whether they have a built-in user search function, if you need to be logged in, what profile information could be available, and if they are indexed by Google. There are plenty of other forum sites you can find, but these were some of the biggest and best, and are a great place to start. A little recon on the front end as mentioned above will help point you to the sites most useful for your search. In the last column I provided a Google dork (if one works for that site) where you can replace the word “username” with your particular target’s username. (seriously, get off my lawn) Not all of the parent sites are indexed, however, so you may need to navigate to them and use their onboard search tool. 

Available via Google Drive – click photo

Some of these forums contain thread-counts in the millions, and have an active user base well into the 6 figures

Now, before you jump over to my Twitter and start screaming at me through your still-cool LED backlit keyboard, I already know some of these sites are covered by all-in-one username search engines, but many are not, and beyond that, some sites use a combination of both the username and a unique userID in the URL, making a plug and play search solution challenging. Plus, we’re only scraping the surface there, and scraping the surface is not what great investigators like yourself do! 

All that being said, I do still encourage you to use the incredible username search sites and tools available to make your searching faster and easier, but I also wanted to stress the importance of developing an investigative thought process that takes you beyond just knowing where you can go to push a button that says “search”. 

Username Search Engines –
These all-in-one web tools can be a tremendous OSINT springboard, and a massive time saver, but I’d still encourage you to spend some time getting to know what sites they cover so you can decide where you may want to put some more manual effort in later on.

Since no one wants to read a theoretical blog with no links to any tools, three of my favorites, in alphabetical order are:
namechk.com – traditional, functional, and very easy to use.
usersearch.org – categorized searches, easy to use, already searches over 600 sites, and has offered to work on adding in these gaming forums to their searches! More to come on that!
whatsmyname.app (shout out to Micah WebBreacher Hoffman of OSINTCurio.us and Chris Poulter of OSINT Combine) nice clean web interface with a search by category feature.

All 3 of these offer different searches with some expected crossover, and are well worth having in your OSINT bookmarks as a first-stop site when you get to work on a case. Remember though, the best open source intelligence might still be elsewhere, and the one tool you can always count on is that mushy grey one, sloshing around between your ears! Happy hunting.

Think Private Facebook Profiles Pages Are A Dead End? Think Again!

Published by hatless1der on August 13, 2020

As the old saying goes… Facebook giveth, and Facebook taketh away (RIP graph search #neverforget).

Well, in late 2019, Facebook did a little bit (a lotta bit, actually) of both, with their facelift and feature overhaul, creating “new Facebook”. Different search options, new buttons, and an all-around different feel, sent many of us change-resistant folk into angry fits. After all, we’ve been betrayed before! Is this the Decline of Facebook Civilization part 2? (obscure 80s hair-metal movie reference)

If you’re using “new Facebook” perhaps not…

Let’s say you’ve finally arrived, after much strategic pivoting and searching, at your target’s personal profile page. Sweet success! You click excitedly and reach for the champagne as the page loads, but just as you’re about to get your Dom Perignon buzz on, you see it… their wall is blank. No photos, no posts, nothing but a single profile photo set atop a banner with empty boxes underneath. An investigative slap in the face for sure, especially when you’d been expecting to find troves of delightful SOCMINT goodness. How could this be? You had plans! You had dreams!

Now, before you pack up your investigative bags and head for Instagram, I have a little something you might want to see. “New” Facebook added a handy little feature that just might open some doors you weren’t expecting, doors that might remind you of the glorious graph search of old (seriously, #neverforget). That little search button on side of the profile page? It’s not just for what you can see. Here, let me show you…

Notice the profile page is of no use to us at all. Locked down… No photos, no friends, nothing. (profile photo and banner photo are redacted). Well… why don’t we click on that search button and type in the profile owner’s first name as it appears on the page:

BOOM! Suddenly, we’ve got something to look at besides an empty wall! Not only do we get several new photos of our target, but we’ve also acquired new pivot points, namely an account we’ll refer to as “A” who posted “family photos on a beautiful day”. But we’re not done yet…
Let’s try searching for the full first and last name as it appears on the profile:

Different photos! Not only that, but we have a potential fiancée’s name thanks to the photographer’s captions, and since the posts are several years old, let’s suppose they might have tied the knot and now we have the name of this person’s potential wife. Another pivot point!

A quick search for just the target profile’s last name by itself yields yet another unique photo and a business check in:

Now, before we get too far along with searches on our target profile, let’s pivot to the “A” account page on a new tab, and try searching there for our target’s first name:

You guessed it, more photos! Not only that, we see our target is being called Uncle, and his fiancée is being called Aunt. From there, we can surmise the marriage likely took place, and we now have a spouse, and another source of potential intel to work from.
Moving back to our target’s profile page, there are a number of other things worth searching that may yield even more new results. How about searching happy birthday?

Just like that, we have a potential birth date for our target profile owner, and the name of a brother, along with a (redacted) photo of both.

From this point we can go on and on, but I think you get the idea. Pivot to the other profile pages, search their walls for the target profile’s name, find more photos, find more names, search those names on the wall, and continue to expand this person’s network. The possibilities are limited only by your imagination. (and Facebook’s AI, but who understands that stuff anyway?) What about searching words like: mother, father, family, Christmas, Thanksgiving, work, love…?

Remember a few minutes ago when we were frustrated and ready to walk away from this account, and mark it as stone cold? Instead, we used this handy little trick and in just a few minutes, we’ve developed photos, a birthday, a spouse, a brother, some associates, and several other places to look for even more information. It went from a dead end to a small gold mine in just a matter of minutes because we knew where to look!

Next time you find yourself arriving at a target profile page, give this trick a try.  
Even those pages which are already more open will still yield information you didn’t expect, or would have had to dig, and dig, and dig to find. Let Facebook’s AI turn your searches to intelligence and click that button! We’ll call it graph search junior, for as long as it lasts.