
Advanced OSINT: The Art of Pivoting

Last updated on April 29, 2022

This blog serves as a companion post to my talk at the 2022 National Cyber Crimes Conference called “Advanced OSINT: The Art of Pivoting”.
The conference audience is law enforcement and prosecutors, but even you OSINT super-gurus catching this blog version online might find something of use hidden inside, so read on!

While this will still serve plenty of value for those who did not attend the talk, it is a companion post after all, so this will not be my usual in-depth guide to a topic… caveat emptor! (even though it’s free) Bonus: if you’re reading this before the talk you can always decide to skip it and go watch someone much better!

The initial slides have some information about me, and about The National Child Protection Task Force, where I serve as the Deputy Director of Investigations & the OSINT Team Lead. Links from those:
https://ncptf.org
https://bit.ly/3j4YUD9 (The Ultimate OSINT Collection Start.me page)
https://twitter.com/hatless1der

And here’s the dessert before the meal, the workflow diagram I made to visualize what is probably more like a spaghetti-string trash patch floating in some remote corner of my head.

[Workflow diagram: organized chaos, I swear.]

This approach to investigating is centered primarily around Open Source Intelligence techniques; however, in the setting of the NCCC talk there are portions directed specifically towards those who have subpoena powers.

Within the world of investigations into missing, exploited, and trafficked children specifically… you often don’t start with much information. What I’ve experienced, though, is that in many cases you can at least find yourself with some combination of an email, a phone number, or a user name. This can be the case in other types of investigations as well, so there’s a little something here for everyone in the crime-fighting world, whatever your case du jour. For the purpose of this talk, we’re going to break down several aspects of my more common approaches to working an email address.

Now, if you’re wondering to yourself what you can really do with just an email address, you’re probably not alone.

An email address these days can be a vital part of ANY investigation. People keep them for years and years, connect them to accounts, devices, and more. They often name them in a way that makes them useful in finding other types of accounts, and if you’re one of those folks in the crowd with the power to compel companies to produce data by way of a court order… well an email might just solve your whole case.
But what can OSINT do here? When you have many other options as a police officer, prosecutor or the like, why care about what’s possible online? Well, the answer is pivoting of course! A simple email address can open an entire world of other places you can look for information on your victim, suspect, or person of interest. You can pivot from one information source to another using the common linking points, and the investigation might just break wide open.

This was the case for one such investigation I’ll outline in the talk (but not share the details of out here on the internet), where a teenage girl went missing in the middle of the night from her home, leaving her devices behind, and the traditional approaches to locating her had failed, despite significant quality efforts by the investigating agency. For this case, I used a person of interest profile provided to pivot through online accounts on several platforms, solidifying an identity, which led to police making contact. The POI ended up having a vital and previously unknown piece of information that immediately led to the rescue of that child… 28 hours away from her home.

So, as I prepared for this talk I started thinking about what my approach is for working with an email, and much like the first time I was married, I realized I didn’t have stuff on paper like I wish I had. I went to work writing it all down, and quickly realized I needed to refine this down quite a bit to something a little more manageable. What I ended up with is the workflow diagram, which breaks down the key components of what I’m typically trying to do with an email. Once again, not meant to be exhaustive, just representative of some things I would typically do.

First thing… I’m generally either validating it or researching it. From there I’m either finding it in use, connecting it to something, or finding mentions of it or something related to it. It’s a constant process of finding and flipping over rocks. Simple, right?

As you can see, the research side of this chart is heavy. Sorry about my brain, I get a little carried away when I get to thinking of all the ways I can dig into something. After some editing, what I tried to do here was break the email down into 3 parts and then focus on some of the main things I would do with each of those parts: the username portion, the domain portion, and the whole email. Each of these 3 things can take you down a very different path to new information you can pivot onto, and each offers a variety of options to explore.

The username portion of an email is one of the most commonly leveraged pieces of information in OSINT research. Usernames follow us everywhere, and typically have some level of consistency across different platforms and timeframes. If I’m GriffinTheHandsome on Instagram, I might also be GriffinTheHandsome on Twitter (don’t take those). Of course a bunch of people smarter than I figured out ways to automate this type of search and create push-button solutions that save us time and look in up to 2500 websites in one shot! In this talk I’m outlining some of these useful username tools & sites:

Username Sites:
https://whatsmyname.app – my preferred web-based option
https://usersearch.org
https://namechk.com
https://userhunt.co
https://instantusername.com
https://checkusernames.com

Username CLI Tools:
Sherlock – https://github.com/sherlock-project/sherlock
Maigret – https://github.com/soxoj/maigret
Social-Analyzer – https://github.com/qeeqbox/social-analyzer

Each of these offers different benefits over the others. My preferred web-based username search is webbreacher’s whatsmyname.app. It’s clean, easy to use, has well-constructed output options, and is always growing. Some of the other sites also check whether a domain matching the username exists, which is worth a look in its own right. You may also want to make quick adjustments to the text you’re searching (like going up or down a number if there is one), and a site like instantusername lets you do that with the results changing on-screen without the need to resubmit. I recommend getting familiar with each and what they offer. If you’re a command-line tool fan, I’ve dropped a few of those in as well, Maigret being the one that checks the most sites (roughly 2500 total, they say). However, before you jump into those CLI tools, get familiar with the code and its creators, make sure running them is in line with your governance and policy, and keep in mind that they query each site directly from the machine you run them on, so every platform you check sees that traffic.

Summary of a couple ideas we’ll cover for usernames beyond the traditional research:
-Using multiple search engines: Google, Bing, Yandex, DuckDuckGo, regionally specific search engines, etc.
-Using advanced search operators & time frame filters to refine your results.
-Searching for mentions or links to known account URLs.
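As an added example (my own code, not the post’s and not taken from WhatsMyName, Sherlock or Maigret), here is the core of what a username sweep tool does, written so it runs offline: a few constructed site definitions, a stand-in for the HTTP client, and the kind of status-code-plus-page-string check these tools rely on to tell a real profile from a “soft 404” page that returns 200 OK for everyone. It also nudges a trailing number up and down and swaps separators, the quick adjustments mentioned above. The site names, URLs and responses are all made up.

```python
"""Username sweep in the style of WhatsMyName / Sherlock (added example, not
their code).  Site definitions and HTTP responses are constructed so this runs
offline; the `fetch` callable is where a real HTTP client would be plugged in."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Site:
    name: str
    url_template: str         # "{u}" is replaced with the username
    exists_code: int          # HTTP status expected when the account exists
    exists_string: str = ""   # must appear in the body when the account exists
    missing_string: str = ""  # signals "no such user" even when the code matches


def username_variants(username: str) -> List[str]:
    """The handle plus its close neighbours: a trailing number nudged up and
    down (and dropped), separators stripped or swapped.  Order is stable."""
    out = [username]
    m = re.search(r"^(.*?)(\d+)$", username)
    if m:
        stem, num = m.group(1), m.group(2)
        width = len(num)  # keep zero-padding: 09 -> 10 / 08
        for cand in (int(num) + 1, int(num) - 1):
            if cand >= 0:
                out.append(f"{stem}{cand:0{width}d}")
        out.append(stem.rstrip("_.-"))
    for sep in ("_", ".", "-"):
        if sep in username:
            out.append(username.replace(sep, ""))
            out.extend(username.replace(sep, other) for other in "_.-" if other != sep)
    seen, uniq = set(), []
    for v in out:
        if v and v not in seen:
            seen.add(v)
            uniq.append(v)
    return uniq


Fetch = Callable[[str], Tuple[int, str]]


def check_site(site: Site, username: str, fetch: Fetch) -> bool:
    """True when the response looks like a real profile: right status code,
    no "not found" marker, and (if the site needs one) the positive marker."""
    status, body = fetch(site.url_template.format(u=username))
    if status != site.exists_code:
        return False
    if site.missing_string and site.missing_string in body:
        return False  # soft 404: 200 OK but the page says the user does not exist
    if site.exists_string and site.exists_string not in body:
        return False
    return True


def sweep(usernames: List[str], sites: List[Site], fetch: Fetch) -> Dict[str, List[str]]:
    """Map each username to the names of the sites where it appears to exist."""
    return {u: [s.name for s in sites if check_site(s, u, fetch)] for u in usernames}


# --- constructed sites and responses (not real services) -------------------
SITES = [
    Site("exampleforum", "https://forum.example/u/{u}", 200, exists_string="Member since"),
    Site("examplepix", "https://pix.example/{u}", 200, missing_string="page isn't available"),
    Site("examplecode", "https://code.example/api/users/{u}", 200),
]

FAKE_WEB = {
    "https://forum.example/u/griffin42": (200, "<h1>griffin42</h1> Member since 2014"),
    "https://forum.example/u/griffin43": (200, "<h1>griffin43</h1> Member since 2019"),
    "https://pix.example/griffin42": (200, "<title>Sorry, this page isn't available.</title>"),
    "https://pix.example/griffin41": (200, "<title>@griffin41 photos</title>"),
    "https://code.example/api/users/griffin": (200, '{"login": "griffin"}'),
}


def fake_fetch(url: str) -> Tuple[int, str]:
    """Stand-in for requests.get(url): returns (status, body) from FAKE_WEB."""
    return FAKE_WEB.get(url, (404, "Not Found"))


def demo() -> Dict[str, List[str]]:
    return sweep(username_variants("griffin42"), SITES, fake_fetch)


if __name__ == "__main__":
    for user, found in demo().items():
        print(f"{user:<12} {', '.join(found) or '-'}")
```

Note how griffin42 on the picture site comes back 200 OK and still counts as a miss: without a missing-string rule the sweep would report a false positive, which is exactly the kind of noise that sends you pivoting onto the wrong person.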

Next up is working with the whole email.
If you aren’t familiar with https://tools.epieos.com by Sylvain Hajri, well then get out from under that rock because you’re in for a treat. Sylvain’s tool takes an email address and, using a process that used to be incredibly manual, finds an associated Google profile with some very pivotable information. (Tip: Even a non-Gmail address, if linked to a Google account, will produce the profile.) In many cases, the person will have a profile photo (investigative topic for another day), their user-generated name, and the photos and reviews they’ve left on Google. When you’re talking about pivots, this tool has opened so many doors for me since its inception that I’d say it’s probably one of my most used resources on a daily basis. The tool also incorporates a web version of megadose’s holehe, which checks whether the email is registered on more than 100 sites across the internet. (CLI version available at https://github.com/megadose/holehe)

We’re also covering the good ole contact trick using an Outlook account (outlook.live.com) to expose a connected LinkedIn profile. Just add the email you’re looking for as a contact, open the contact card, and check the LinkedIn tab!

Ok, in this next section we’re getting a little dicey. We’re talking about “account knocking”, which is basically going to a site and pretending you are the account owner and need to reset your password, in order to see what information (often heavily redacted) will be shown to you that potentially exposes other data points or helps to confirm something you may already have. This is a grey area, and I’ve written about it before here:

Most likely you haven’t read it (except you mom, I see you!) but it’s worth a few minutes to consider the legal and ethical implications of doing something like this, not to mention the potential risk of exposure or tip-off. Do your homework before grabbing this tool off the shelf folks! Great power, great responsibility and all that.
Tip! In one section, I give an example of how knocking a utility company account can produce different results when starting with different pieces of information, and even how some utility sites allow you to check for service at an address, letting you know an account could possibly exist for your focus subject who lives at that location. Stuff like that can be extremely valuable when you’re talking about a time-sensitive investigation and need new places to look for information.

Finally, we’re onto the domain portion of the email. For our purposes in this talk, that has been sub-categorized into two parts: provider domain (think emails with @yahoo.com) and owned domain (think emails with @hatless1der.com).

If you’re working with a provider domain, this is the part where you can be glad you’re a subpoena-wielding person of the law, because a subpoena is what you’re going to want here. From the OSINT side, options are somewhat light beyond what we’ve covered, but you can try account knocking again (if that’s acceptable for you) to see if the reset flow offers a backup email to pivot onto, or try swapping the domain you have for another commonly used provider. For example, give [email protected] a try instead of [email protected] and run these processes back on the new one you’re testing. You never know, I might have GriffinTheHandsome registered through a bunch of email providers, each one providing all new leads!
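An added example (mine, not from the post) that splits an address into the three parts the chart uses, decides whether the domain is a provider or an owned one, and builds the swapped-provider candidates described above. The provider list is a short assumption you would extend for your own cases, and the code applies one caveat worth knowing before you start swapping: Gmail ignores dots in the local part and anything after a plus sign, so g.riffin+promo@gmail.com and griffin@gmail.com are the same mailbox, and the handle to pivot on is griffin, not g.riffin+promo. The sample addresses use reserved example domains.

```python
"""Break an address into local part / domain / whole address, classify the
domain, and build provider-swap candidates.  Added example for this post;
PROVIDER_DOMAINS and the Gmail normalisation are assumptions noted inline."""
import re
from typing import Dict, List, Optional, Tuple

# Assumption: a short list of webmail providers whose domain says nothing about
# who owns the mailbox.  Extend it for the regions and cases you work.
PROVIDER_DOMAINS = {
    "gmail.com", "googlemail.com", "yahoo.com", "outlook.com", "hotmail.com",
    "live.com", "icloud.com", "protonmail.com", "proton.me", "aol.com",
    "gmx.com", "yandex.com", "mail.ru",
}

_EMAIL_RE = re.compile(
    r"^([A-Za-z0-9._%+-]+)@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,})$"
)


def split_email(email: str) -> Optional[Dict[str, str]]:
    """The three parts the workflow works with, or None if it isn't an address."""
    m = _EMAIL_RE.match(email.strip())
    if not m:
        return None
    local, domain = m.group(1), m.group(2).lower()  # domains are case-insensitive
    return {"local": local, "domain": domain, "whole": f"{local}@{domain}"}


def canonical_gmail(local: str) -> str:
    """Gmail ignores dots in the local part and everything from '+' on, so
    G.Riffin+promo and griffin are the same mailbox."""
    return local.split("+", 1)[0].replace(".", "").lower()


def classify_domain(domain: str) -> str:
    return "provider" if domain in PROVIDER_DOMAINS else "owned"


DEFAULT_SWAPS = ("gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "protonmail.com")


def pivot_candidates(email: str, swap_to: Tuple[str, ...] = DEFAULT_SWAPS) -> Dict[str, object]:
    """Username to run through the username sites, the same handle at other
    common providers, and the domain itself when it is an owned one."""
    parts = split_email(email)
    if parts is None:
        raise ValueError(f"not an email address: {email!r}")
    domain = parts["domain"]
    kind = classify_domain(domain)
    if domain in ("gmail.com", "googlemail.com"):
        handle = canonical_gmail(parts["local"])
    else:
        handle = parts["local"].split("+", 1)[0]  # a plus-tag is never part of the handle elsewhere
    swapped = [f"{handle}@{d}" for d in swap_to if d != domain]
    return {
        "whole": parts["whole"],
        "username": handle,
        "domain": domain,
        "kind": kind,
        "swapped_emails": swapped,
        # Only an owned domain is worth WHOIS / reverse-WHOIS / hosting work;
        # "@domain" is the search term a reverse-WHOIS box accepts.
        "domain_pivots": [f"@{domain}"] if kind == "owned" else [],
    }


if __name__ == "__main__":
    # Constructed sample addresses, not real accounts.
    for sample in ("G.Riffin.The.Handsome+nccc@gmail.com", "griffin@example.org"):
        print(pivot_candidates(sample))
```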

When you’re talking about an owned domain, that’s where we can start to really have some fun! If we’re looking at something like [email protected] where the domain is perhaps owned/controlled by your investigative focus, or their employer, or something of that type… there are a number of options to work with. I’ll break this next section down by topic so we can understand the approach to each part:

Who hosts the email service?
Ok, so here’s another one for you law enforcement folks out there. You may need to track down the email hosting provider to see where to send all that lovely paper. Many sites will tell you this information, but the two I’m showing are builtwith.com and mxtoolbox.com/mxlookup.aspx. I like them both for different reasons beyond just finding providers, and MX Toolbox offers a variety of other email tools including a header analyzer that comes in handy at times. (Spammers make mistakes too.) Speaking of spam, keep in mind that an MX record only tells you who accepts mail for the domain, so these sites may not lead you to the ultimate source: you could be seeing a spam-filtering service sitting in front of the mailbox provider you’re really trying to reach. For the most part though, it’s a great place to get you going in the right direction.
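An added example (not from the post, and not a BuiltWith or MX Toolbox feature) of the reasoning behind that caveat: given a domain’s MX records, guess the provider from well-known hostname suffixes and flag when the host you see is a filtering gateway rather than the mailbox provider. The suffix table is an assumption covering a handful of providers I’m confident about, the sample records are constructed on reserved .test domains so it runs offline, and the optional live lookup uses the third-party dnspython package.

```python
"""Guess the inbound mail provider from MX hosts and flag filtering gateways.
Added example, not an MX Toolbox / BuiltWith feature.  MX_SIGNATURES is an
assumption (a few providers only); SAMPLE_MX is constructed for offline use."""
from typing import Dict, List, Tuple

# (hostname suffix, provider, is_filtering_gateway)
MX_SIGNATURES = [
    ("aspmx.l.google.com", "Google Workspace / Gmail", False),
    ("googlemail.com", "Google Workspace / Gmail", False),
    ("mail.protection.outlook.com", "Microsoft 365 / Exchange Online", False),
    ("yahoodns.net", "Yahoo Mail", False),
    ("zoho.com", "Zoho Mail", False),
    ("pphosted.com", "Proofpoint", True),
    ("ppe-hosted.com", "Proofpoint Essentials", True),
    ("mimecast.com", "Mimecast", True),
    ("barracudanetworks.com", "Barracuda Email Security", True),
]

MXRecord = Tuple[int, str]  # (preference, exchange hostname)


def label_host(host: str) -> Tuple[str, bool]:
    """Match an MX hostname against the signature table (case-insensitive,
    trailing dot ignored).  Returns (provider name, is_filtering_gateway)."""
    h = host.lower().rstrip(".")
    for suffix, provider, gateway in MX_SIGNATURES:
        if h == suffix or h.endswith("." + suffix):
            return provider, gateway
    return "unknown (self-hosted or small provider)", False


def identify_mx(records: List[MXRecord]) -> Dict[str, object]:
    """Lowest preference value wins; if that host is a known filter, what you
    are looking at is the gateway, not the mailbox provider."""
    labelled = []
    for pref, host in sorted(records):
        provider, gateway = label_host(host)
        labelled.append({"preference": pref, "host": host.lower().rstrip("."),
                         "provider": provider, "gateway": gateway})
    primary = labelled[0] if labelled else None
    return {
        "records": labelled,
        "provider": primary["provider"] if primary else None,
        "behind_filter": bool(primary and primary["gateway"]),
    }


def resolve_mx(domain: str) -> List[MXRecord]:
    """Live lookup.  Assumption: the third-party dnspython package is installed
    (pip install dnspython); the constructed samples below do not need it."""
    import dns.resolver
    return [(int(r.preference), str(r.exchange)) for r in dns.resolver.resolve(domain, "MX")]


# Constructed records on reserved .test domains; the Proofpoint host labels are made up.
SAMPLE_MX = {
    "alpha.test": [(10, "aspmx.l.google.com."), (20, "alt1.aspmx.l.google.com."),
                   (30, "aspmx2.googlemail.com.")],
    "bravo.test": [(10, "mxa-0000aaaa.gslb.pphosted.com."), (10, "mxb-0000aaaa.gslb.pphosted.com.")],
    "charlie.test": [(0, "charlie-test.mail.protection.outlook.com.")],
    "delta.test": [(10, "mail.delta.test.")],
}


if __name__ == "__main__":
    for domain, records in SAMPLE_MX.items():
        r = identify_mx(records)
        note = "  <- filtering gateway; the mailbox provider sits behind it" if r["behind_filter"] else ""
        print(f"{domain:14} {r['provider']}{note}")
```

When the result is flagged as a gateway, the filter vendor may still be able to tell you where it forwards mail, but the paper for the mailbox contents goes to whoever is behind it.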

WHOIS & WHOIS history.
This is where we try to find out who owns a site, or perhaps who owned it in the past, by looking at the WHOIS record. Keep in mind, this can be populated with fake or intentionally misleading information. Recently, I was researching the WHOIS for a site made to smear a person in a powerful position, and the registrant information was also that person. Of course that was intentionally false information, not even I’m that self-deprecating!
Anyway, many options here but my favorite go-to is whoxy.com, which offers a look at current WHOIS records, but also has a robust database of historic records. While most sites nowadays seem to hide behind private domain registration or hosting services, you’d be surprised at how often a site wasn’t set up that way in its infancy. If you owned elonmuskwillneverbuytwitter.com and registered it under your own personal information with no type of privacy safeguard in place… well, hiding it now so you won’t look stupid really won’t help, because as Abraham Lincoln famously said, “Stuff on the internet is forever.”

What other domains have been registered using an email address with the same domain you’re researching?
For example, if you’re working with [email protected], what sites out there have been registered by someone using a @hatless1der.com email address? Turns out there’s a place to search for that! viewDNS.info offers a reverse WHOIS lookup box, and that box will accept the @domain as a search term, giving you for example, all the data they’ve found where someone using an @tesla.com email registered a site! Shout out to webbreacher once again, for demoing this on an old OSINTcurious stream.

Is there a site hosted there? By whom?
And finally, is there even a website on that domain? I could spend a whole day talking about how to break a website down into delicious little investigative nuggets, but for the purpose of this talk we’re really just interested in who the host is. Again, I’m talking to the cops and prosecutors in the room who would want to track that kind of information down. A simple site to look this up is hostingchecker.com. One quick search and bada-bing, you now know that grumpycat.com is hosted by SEDO GmbH and off you go.

Now, if you’re reading along at home, you’ll notice I skipped a number of things on the chart; this was simply due to lack of time. A number of research tactics as well as the entire validation section are still sitting there waiting for you to print it all off and chuck it straight in the garbage. Actually, I’m hopeful that the viewers, listeners, and readers who are truly interested in learning more about growing or refining their own approach might take the time to look this over in detail and see what else they can explore. I hope you had fun, maybe picked up a few new ideas or re-remembered some old ones. I could probably follow this up with a more in-depth write-up, but let’s be honest, no one reads blogs anyway. (except you mom, I know you’re still here!)
