Whatever your level of expertise with the OSINT skillset, it never hurts to stretch yourself a little, and apply your skills to a real set of problems.
Thanks to Sector035 of the Quiztime crew, we ended 2019 with a multi-part quiz that refreshed some rusty knowledge, and definitely taught me some new tricks. In this article I’ll try to pass on a few lessons I picked up in the hope that you may benefit. I’ve promised Sector035 there would be no spoilers, so I’ll keep any examples completely separate from specific questions in the quiz. However, if you’re stuck in the quiz, you may benefit from a technique here!
PS: If you’re wondering what the heck I’m talking about, here’s the tweet that started it all:
Reverse WHOIS Lookup
OSINT researchers very quickly learn about WHOIS, the service for finding out who registered an internet resource, usually a domain name. Almost as quickly, we learn that a plain lookup is often a dead end: most registrars sell privacy/proxy services that substitute their own contact details for the registrant’s, and since GDPR most records are redacted by default anyway. For example, here is what you get if you enter “theguardian.com” at who.is:
However, it is possible to run reverse searches against WHOIS data, with tools readily available online. These tools are built on databases of current and historical WHOIS records, and let you search by email address, or even a bare name, to see which domain registrations it is linked to. In the quiz I successfully used ViewDNS.info, but there are several alternatives if you search for “reverse WHOIS”.
I was surprised to find that one of my own personal email addresses was linked to more than one domain, bought before I really knew anything about information security. As well as being a nifty trick, the ability to reverse search WHOIS means you should be very careful about which email address you use to register a domain if you want it to stay anonymous: privacy protection switched on later does not erase the historical record that the reverse lookup tools index.
If you find yourself using the service a lot, many of the providers also offer an API. The ViewDNS API has several paid tiers, but there is also a free ‘Sandbox’ tier allowing 250 queries per rolling month, which should be enough for most users.
Extracting EXIF data from stock photos
Believe it or not, some stock photos still have their EXIF data in them! If only you could get to the underlying image to run it through an EXIF viewer… it turns out you usually can. Most stock photo sites block right-clicking, but the browser has already downloaded the image, so you just need to open the developer tools. In Chrome that’s F12, and in Firefox, guess what? Also F12!
From there it’s just a bit of creative clicking: find the image element in the Elements/Inspector panel, or the image request in the Network panel, and there is always an image URL to open directly at some point. Bear in mind that preview and watermarked versions are often re-encoded with their metadata stripped, so the full-size file may be the only copy that still carries EXIF.
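To show what an EXIF viewer is actually reading once you have the raw file, here is an added example (not code from the original article; in practice you would simply run exiftool or a similar viewer). It walks the JPEG marker segments to the APP1 “Exif” segment, decodes the TIFF header and the IFD0 entries, and flags whether a GPS sub-IFD pointer is present. Because no sample image is on the page, the block constructs its own minimal JPEG; the camera name, model and timestamp in it are made-up values.

```python
import struct
from typing import Optional

# Subset of TIFF/EXIF IFD0 tag numbers, named as in the EXIF specification.
TAG_NAMES = {
    0x010F: "Make",
    0x0110: "Model",
    0x0131: "Software",
    0x0132: "DateTime",
    0x8769: "ExifIFDPointer",
    0x8825: "GPSInfoIFDPointer",  # present => the file carries GPS coordinates
}
NAME_TO_TAG = {v: k for k, v in TAG_NAMES.items()}


def find_exif_tiff(data: bytes) -> Optional[bytes]:
    """Walk the JPEG marker segments and return the TIFF blob inside the
    APP1 'Exif' segment, or None if the file carries no EXIF at all."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xDA:  # SOS: entropy-coded image data follows, no more metadata
            return None
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # includes its own 2 bytes
        payload = data[pos + 4:pos + 2 + length]
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            return payload[6:]
        pos += 2 + length
    return None


def parse_ifd0(tiff: bytes) -> dict:
    """Decode the TIFF header and the entries of IFD0 (ASCII, SHORT, LONG only)."""
    byte_order = {b"II": "<", b"MM": ">"}[tiff[:2]]
    magic, ifd_offset = struct.unpack(byte_order + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic number")
    (count,) = struct.unpack(byte_order + "H", tiff[ifd_offset:ifd_offset + 2])
    tags = {}
    for i in range(count):
        entry = ifd_offset + 2 + 12 * i
        tag, typ, n = struct.unpack(byte_order + "HHI", tiff[entry:entry + 8])
        raw = tiff[entry + 8:entry + 12]          # value if it fits in 4 bytes, else offset
        if typ == 2:                               # ASCII, NUL-terminated
            if n <= 4:
                val = raw[:n]
            else:
                (off,) = struct.unpack(byte_order + "I", raw)
                val = tiff[off:off + n]
            val = val.rstrip(b"\x00").decode("ascii", "replace")
        elif typ == 3:                             # SHORT
            (val,) = struct.unpack(byte_order + "H", raw[:2])
        elif typ == 4:                             # LONG (also used for sub-IFD pointers)
            (val,) = struct.unpack(byte_order + "I", raw)
        else:
            val = raw                              # rationals etc. left undecoded here
        tags[TAG_NAMES.get(tag, "0x%04X" % tag)] = val
    return tags


def extract_exif(data: bytes) -> dict:
    """Return the IFD0 tags of a JPEG as a dict, or {} when no EXIF segment exists."""
    tiff = find_exif_tiff(data)
    return parse_ifd0(tiff) if tiff is not None else {}


def build_sample_jpeg(ascii_tags: dict) -> bytes:
    """Constructed sample input: a minimal little-endian JPEG whose only content is an
    APP1 Exif segment carrying the given ASCII IFD0 tags (no image data at all)."""
    items = sorted(ascii_tags.items(), key=lambda kv: NAME_TO_TAG[kv[0]])  # entries must be tag-ordered
    ifd_size = 2 + 12 * len(items) + 4
    data_base = 8 + ifd_size                      # where out-of-line strings start
    entries, blob = b"", b""
    for name, text in items:
        s = text.encode("ascii") + b"\x00"
        if len(s) <= 4:
            entries += struct.pack("<HHI", NAME_TO_TAG[name], 2, len(s)) + s.ljust(4, b"\x00")
        else:
            entries += struct.pack("<HHII", NAME_TO_TAG[name], 2, len(s), data_base + len(blob))
            blob += s
    tiff = (b"II" + struct.pack("<HI", 42, 8) + struct.pack("<H", len(items))
            + entries + struct.pack("<I", 0) + blob)
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


if __name__ == "__main__":
    sample = build_sample_jpeg({"Make": "ExampleCam", "Model": "X1",
                                "DateTime": "2019:12:31 10:15:00"})
    for name, value in extract_exif(sample).items():
        print(f"{name}: {value}")
```

A file that has been through a site’s thumbnail pipeline usually returns an empty dict here, which is the quickest way to confirm you are looking at a stripped preview rather than the original upload. If `GPSInfoIFDPointer` shows up in the result, the photo carries coordinates and is worth a full pass with a proper tool.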
Searching for Bluetooth MAC addresses
So we’ve all used WIGLE to search for MAC addresses, right? If not, stop reading this waffle and go and read a proper article — this piece by OSINTCurio.us is excellent: “Tracking All the WiFi Things”.
I thought I knew my way around WIGLE, but had not noticed that it’s possible to search for Bluetooth devices too! There’s a tab in the Basic search just for that:
As with other searches on WIGLE, you’re most likely to be starting with a location, but you can also search for specific network names, or even use wildcards.
One other useful resource I stumbled across while solving the relevant puzzle was a number of tools for looking up the MAC address prefixes assigned to specific manufacturers. The prefix is the first three octets of the MAC address, e.g. “88:53:D4”, and is known as the OUI (Organisationally Unique Identifier). The IEEE assigns each prefix to a specific manufacturer, so any MAC address starting with these three octets comes from the same vendor (Huawei in this case). There are plenty of tools to search in either direction; for example, you can list every MAC prefix allocated to Sony. One caveat: modern phones and laptops randomise their Wi-Fi and Bluetooth LE addresses, and a randomised address is not allocated from the IEEE registry, so looking one up tells you nothing about the hardware.
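As an added example (not from the original article), the lookup in both directions, with the check a practitioner wants first: whether the address is locally administered (randomised) and therefore carries no vendor information at all. The OUI table is a constructed three-entry illustration; 88:53:D4 is the Huawei prefix quoted above, the other two are well-known assignments, and any real lookup should go against the live IEEE registry rather than a hard-coded list.

```python
import re

# Constructed, illustrative OUI table: three IEEE MA-L (24-bit) assignments.
# 88:53:D4 is the Huawei prefix quoted in the article; the other two are widely
# known but, like any OUI, should be verified against the live IEEE registry.
OUI_TABLE = {
    "88:53:D4": "Huawei Technologies",
    "00:50:56": "VMware",
    "B8:27:EB": "Raspberry Pi Foundation",
}


def normalise_mac(mac: str) -> str:
    """Accept 88:53:d4:..., 88-53-D4-..., 8853.d4xx.xxxx or bare hex; return AA:BB:CC:DD:EE:FF."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).upper()


def describe_mac(mac: str, table: dict = OUI_TABLE) -> dict:
    """Vendor lookup for a Wi-Fi MAC or Bluetooth public address. The second-lowest
    bit of the first octet is the IEEE U/L bit: when set, the address is locally
    administered (typically randomised) and no vendor can be inferred from it."""
    norm = normalise_mac(mac)
    first_octet = int(norm[:2], 16)
    locally_administered = bool(first_octet & 0x02)
    multicast = bool(first_octet & 0x01)
    return {
        "mac": norm,
        "oui": norm[:8],
        "locally_administered": locally_administered,
        "multicast": multicast,
        "vendor": None if locally_administered else table.get(norm[:8]),
    }


def prefixes_for_vendor(vendor: str, table: dict = OUI_TABLE) -> list:
    """Reverse direction: every prefix whose vendor name contains the search string."""
    needle = vendor.lower()
    return sorted(p for p, v in table.items() if needle in v.lower())


if __name__ == "__main__":
    for addr in ("88:53:d4:12:34:56", "8853.d412.3456", "DA:A1:19:00:00:01"):
        print(describe_mac(addr))
    print(prefixes_for_vendor("vmware"))
```

Bluetooth public addresses draw from the same IEEE registry, so the forward lookup applies to them too; BLE random (private) addresses are not allocated from it at all, so a miss there is expected rather than a sign that the table is incomplete.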
Historic photos on Google Maps
Frankly, this was something that was literally staring me in the face, and I did not see it until it was pointed out. I had even read instructions on how to find older photos for locations in Google Maps without success. If, like me, you learn some things better visually, then here’s how to do it:
First, go to Google Maps and drop into a photo view. Here, I am in Street View outside a fairly well known London landmark:
Now, if there are older photos, there will be a little clock icon in the top left corner. Never seen it before? Me neither, because it’s TINY!
Clicking the arrow next to the clock brings up a draggable timeline of all the other views Google has of this location, which you can then click on to bring up the older imagery.
This was a complete revelation for me and I hope you find it useful. If you already knew about this feature, have a wry chuckle at my expense!
Along with the new tools I learned about in this quiz, I was also (forcibly) reminded that we don’t always have to think in one direction. There is a multi-part question in the quiz where I got well and truly stuck. However, after bashing my head against a brick wall for a while, I could see from a few steps ahead where I needed to end up. So, I eventually got the idea to work backwards from the endpoint and even with incomplete information I was able to put together a solution that worked.
There is a lot of lateral thinking involved in OSINT, and it’s good to step back and look at a problem from multiple angles from time to time. There is nothing original in this, it’s simply repeating the wisdom of one of my favourite writers and thinkers:
There is no doubt that creativity is the most important human resource of all. Without creativity, there would be no progress, and we would be forever repeating the same patterns. [Edward de Bono]
Well, after learning so much from the 2019 quiz, I decided to go back to Sector035’s 2017 quiz, which you can sign up for in much the same way as the 2019 version (send an email with the subject “start” to forensicquiz2017[at]gmail.com). It’s reputedly harder than the 2019 quiz, even with some extra hints, and predictably I’m stuck on Stage 2. But I have already learnt how to search train timetables in a second language, so every day’s a school day!
Thanks to Sector035 for the quizzes, and the Quiztime crew generally, for testing the quiz, and providing daily challenges and support!