What I learnt from Sector035’s annual quiz.

OSINT News
Jan 12 · 6 min read

Whatever your level of expertise with the OSINT skillset, it never hurts to stretch yourself a little, and apply your skills to a real set of problems.

Thanks to Sector035 of the Quiztime crew, we ended 2019 with a multi-part quiz that refreshed some rusty knowledge, and definitely taught me some new tricks. In this article I’ll try to pass on a few lessons I picked up in the hope that you may benefit. I’ve promised Sector035 there would be no spoilers, so I’ll keep any examples completely separate from specific questions in the quiz. However, if you’re stuck in the quiz, you may benefit from a technique here!

PS, If you’re wondering what the heck I’m talking about, here’s the tweet that started it all:

Reverse WHOIS Lookup

OSINT researchers very quickly learn about WHOIS, a service to find out who registered an internet resource, usually a domain name. However, we learn almost as quickly that the search is generally useless, as most companies registering domains offer a level of anonymity, and hide registrant details. For example, here is what you get if you enter “theguardian.com” at who.is:

WHOIS response for The Guardian’s main web domain
WHOIS response for The Guardian’s main web domain

However, it is possible to perform reverse searches on the WHOIS service, with tools readily available online. These tools allow you to search on email addresses and even simply names, to see if they are linked to any domain records. In the quiz I successfully used ViewDNS.info, but there are several tools available if you search for “reverse WHOIS”.

I was surprised to find that one of my own personal email addresses was linked to more than one domain, bought before I really knew anything about information security. As well as being a nifty trick, the ability to reverse search WHOIS means you should be very careful about what email address you use to register a web domain if you’re trying to keep it anonymous.

If you find yourself using the service a lot, many of the search providers also have an API. The API at ViewDNS has numerous paid levels, but there is also a free ‘Sandbox’ level which 250 searches per rolling month, which should be enough for most users.

Extracting EXIF data from stock photos

Believe it or not, some stock photos still have their EXIF data in them! If only you could get to the underlying image to run it through an EXIF viewer… turns out you usually can! Since most stock photo sites disable right-clicking, you just need to know how to get into developer mode on your browser. For Chrome, that’s F12, and in Firefox, guess what?? Also F12!

From then on it’s just a bit of creative clicking, there’s always an anchor link at some point…

Searching for Bluetooth MAC addresses

So we’ve all used WIGLE to search for MAC addresses, right? If not, stop reading this waffle and go and read a proper article — this piece by OSINTCurio.us is excellent: “Tracking All the WiFi Things”.

I thought I knew my way around WIGLE, but had not noticed that it’s possible to search for Bluetooth devices too! There’s a tab in the Basic search just for that:

Searching for Bluetooth devices on WIGLE
Searching for Bluetooth devices on WIGLE

As with other searches on WIGLE, you’re most likely to be starting with a location, but you can also search for specific network names, or even use wildcards.

One other useful resource I stumbled across while solving the relevant puzzle was a number of tools for looking up the MAC address prefixes for specific manufacturers. The prefix is the first octets in the MAC address, e.g. “88:53:D4”. This prefix is assigned to a specific manufacturer, so any MAC address starting with these three octets is from the same manufacturer (Huawei in this case). There are plenty of tools around to search in either direction; for example, if you want to find all the MAC prefixes allocated to Sony, click here.

Historic photos on Google Maps

Frankly, this was something that was literally staring me in the face, and I did not see it until it was pointed out. I had even read instructions on how to find older photos for locations in Google Maps without success. If, like me, you learn some things better visually, then here’s how to to it:

First, go to Google Maps and drop into a photo view. Here, I am in Street View outside a fairly well known London landmark:

Buckingham Palace, viewed from Google Maps
Buckingham Palace, viewed from Google Maps

Now, if there are older photos, there will be a little clock in the top left corner? Never seen it before? Me neither, because it’s TINY!

Detail from Google Maps
Detail from Google Maps

Clicking the arrow next to the clock brings up a draggable timeline of all the other views Google has of this location, which you can then click on to bring up the older imagery.

Google Maps timeline feature
Google Maps timeline feature

This was a complete revelation for me and I hope you find it useful. If you already knew about this feature, have a wry chuckle at my expense!

Thinking backwards

Along with the new tools I learned about in this quiz, I was also (forcibly) reminded that we don’t always have to think in one direction. There is a multi-part question in the quiz where I got well and truly stuck. However, after bashing my head against a brick wall for a while, I could see from a few steps ahead where I needed to end up. So, I eventually got the idea to work backwards from the endpoint and even with incomplete information I was able to put together a solution that worked.

There is a lot of lateral thinking involved in OSINT, and it’s good to step back and look at a problem from multiple angles from time to time. There is nothing original in this, it’s simply repeating the wisdom of one of my favourite writers and thinkers:

There is no doubt that creativity is the most important human resource of all. Without creativity, there would be no progress, and we would be forever repeating the same patterns. [Edward de Bono]

What’s next?

Well, after learning so much from the 2019 quiz, I decided to go back to Sector035’s 2017 quiz, which you can sign up for in much the same way as the 2019 version (send an email with the subject “start” to forensicquiz2017[at]gmail.com). It’s reputedly harder than the 2019 quiz, even with some extra hints, and predictably I’m stuck on Stage 2. But I have already learnt how to search train timetables in a second language, so every day’s a school day!

Thanks to Sector035 for the quizzes, and the Quiztime crew generally, for testing the quiz, and providing daily challenges and support!

OSINT News

Written by

Curated news from the OSINT world [@osint_news]

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade