Another week, another workflow. This week is going to be about automating content extraction on Facebook using free OSINT tools. We'll look at auto-scrollers, comment and reply expanders, and full page screenshot tools. Let's get started.
Step 1: Scroll the entire Facebook Profile
Facebook profiles load with an infinite scroll. This means in order to render the entire page, you have to scroll all the way down to the bottom. Now, you can do this by simply holding down the space bar until the infinite scroll is complete, but that's not very efficient and won't work well with larger profiles. The key to collecting open source information at scale is automation, so that's exactly what we're going to do.
For autoscrolling, I use 2 tools; however, the one I recommend for this use case is called Scroll Buddy. Why? It allows you to control the speed of your scroll. Sound simple and unimportant, but it'll come in handy during step 2 of this process.
Simply download this browser extension, start with 100px by 100ms and test it out on a few Facebook profiles. I use Mark Zuckerberg's as a stress test for this entire process.
Step 2: Expand all Comments and Replies
In order to capture the entirety of a Facebook profile in one image or document, you have to make sure all hidden comments and replies are expanded. Some profiles have tons of user engagement with tens or hundreds of comments and replies. Because of this variation, the customization of Scroll Buddy is key. The more engagements there are, the longer it'll take to expand them, and the slow you'll need to scroll if you want to review the profile while you collect.
We've talked quite a bit about expanding comments and replies, but we have to automate the process if we hope to get anything done. Fortunately, there's another free tool that will do just that and it's updated on a regular basis to keep up with the changes on Facebook. The tool is a bookmarklet called "Expand All" and it's created by Jens Farley. Simply drag and drop the bookmarklet to your bookmark bar, head over to Mark Zuckerberg's Facebook profile, and start expanding.
The value will be self evident.
Here's a quick note before moving on:
You can choose to scroll the entire page first, then Expand All if you want; however, if you adjust the scroll speed just right, you'll be able to scroll and expand simultaneously so you can review the content, begin your analysis, and define the direction of your investigation. The less time you spend on review, the more time you'll have for other tasks.
Step 3: Full Page Screenshot
Now that you've scrolled the entire page, it's time to document that evidence. There are a variety of ways of doing this, but I prefer to capture both a PNG and a PDF. The PNG is helpful for adding to reports or as standalone evidence. PDFs are great for sharing via email and among teammates. To capture both of these, I use a tool called GoFullPage. It's a free browser extension that gives you the option to output both formats in one dashboard. Although they have a paid option ($1/mo), they don't spam you to upgrade or restrict essential features to try to convert you. The team behind it is also very receptive to the OSINT community!
Step 4: MTML Capture
Even if you have the PNG and PDF of a page, the authenticity of your evidence can still be called into question. You want to ensure, in the best way possible, that your evidence is forensically sound. As an aid in the process, I use a tool called Save as MHTML. It's another browser extension that downloads the entire page you're viewing as an MHTML file, capturing the source code, outbound links, and other valuable information along the way. While this addition isn't a 1 stop shop for OSINT forensics, it's an easy add on to your process, costs nothing, and won't suck time.
Using this 4 step process, you can capture the majority of a Facebook timeline without much effort, have a digital record of that evidence, and have all of the money you have still in your pocket. Because of automation, your workload should be cut down dramatically.
Thanks for reading. If you enjoyed this post, make sure to subscribe. A new one just like this will be posted every Wednesday at 6:00 PM UTC-5:00.