Another week, another set of OSINT tools. This week we'll be looking at tools for OSINT investigations including breach data, link extraction, and downloading images in bulk. The goal is to expand your mindset on what's possible using tools, increase your efficiency, and amplify your outcomes. Let's get started.
When doing an email-based investigation, one common way to pivot from the information you know into the information you don't is to check if an email address has been a part of a major or minor data breach. This can be helpful for a few reasons.
The first is understanding how commonly used the email address is. If you find that an email is included in 20+ breaches, it's likely that the owner of that email often uses it; alternatively, it could be a burner email or spam email that the owner uses to avoid advertising or for security.
The second is understanding what types of profiles a user might have that are linked to that email. For example, if the email you're investigating was part of the Facebook email breach, you know it's associated with a Facebook account. If you can verify the owner of that email, you can assess whether the email in hand was used to register an account in question.
Breachchecker is a very user-friendly web app that allows you to check not only if an email was breached, but what breaches it was included in. It also lets you know when the leak occurred to give you a timeline of events. This can help you determine how old an email address is. If you're finding breaches from before 2016, for example, you know the owner of the email has had it for a long time. Likewise, if you find the email in breaches from companies that either weren't large or didn't exist after 2016 (in this example), you can assess how actively used an email is.
When investigating a web page or a social media account, it's often useful to extract all internal and external links from the page. This allows you to see what types of people or pages a website interacts with, giving you a better idea of how the subject of your investigation behaves online or who the target audience of the page is.
For example, if you're investigating a mis/disinformation campaign and you find a website spreading propaganda, extracting all of the links from the page will let you know other websites that might list similar content; likewise, if those links lead to specific individuals, it would illuminate who is the target of the propaganda or who might be involved in spreading it.
LinkGopher is an oldie, but a goodie. A simple Firefox add-on, LinkGopher allows you to download all links on a page in one click and view them in a separate tab. It also makes sure to remove duplicates to ensure you're not getting a ton of noise.
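The kind of extraction described above (collect every link, split internal from external, drop duplicates) can also be scripted when you have saved HTML to work from. This is an added Python example, not LinkGopher's code or anything from the original post; the sample page, hosts, and function names are constructed for illustration.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urljoin, urldefrag, urlparse

# Constructed sample page; every host below is a placeholder.
SAMPLE_URL = "https://news.example.org/story/42"
SAMPLE_HTML = """
<a href="/about">About</a>
<a href="https://news.example.org/about#team">Team</a>
<a href="https://mirror.example.net/story/42">Mirror</a>
<a href="https://mirror.example.net/story/42">Mirror again</a>
<a href="//social.example.com/profile/alice">Alice</a>
<a href="mailto:tips@example.org">Tips</a>
<a href="javascript:void(0)">Menu</a>
"""

class _HrefCollector(HTMLParser):
    """Collects the raw href value of every <a> tag."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def extract_links(html, page_url):
    """Return (internal, external) lists of unique absolute http(s) links."""
    parser = _HrefCollector()
    parser.feed(html)
    page_host = urlparse(page_url).hostname
    internal, external, seen = [], [], set()
    for href in parser.hrefs:
        # Resolve relative and protocol-relative links, then drop #fragments.
        url, _ = urldefrag(urljoin(page_url, href.strip()))
        parts = urlparse(url)
        if parts.scheme not in ("http", "https") or url in seen:
            continue  # skip mailto:, javascript:, and duplicates
        seen.add(url)
        (internal if parts.hostname == page_host else external).append(url)
    return internal, external

def external_hosts(external):
    """Count external links per host to show which sites the page points at."""
    return Counter(urlparse(u).hostname for u in external)

if __name__ == "__main__":
    internal, external = extract_links(SAMPLE_HTML, SAMPLE_URL)
    print("internal:", internal)
    print("external:", external)
    print("hosts:", external_hosts(external).most_common())
```

The per-host count is what makes the pivot practical: hosts that recur across several pages of the same campaign are the ones worth investigating next.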
If you're in the OSINT world, you likely do a lot of web scraping. Whether you're using Python scripts or browser extensions like Instant Data Scraper, you've likely come across a ton of image links in your experience. I found myself often scraping a list of images from a page, having to open the links and download them one by one, or using a third-party tool to do it. When working on a project where I was building an image classifier, I decided to write my own script to simplify this process without any extra features. ImageSwipe was born.
ImageSwipe is a script that takes a CSV of image links you feed it and downloads the images at those links into the ImageSwipe folder. Unlike browser extensions that will download all images on a page, ImageSwipe only downloads what you feed it, so you don't have to worry about removing icons or other unwanted images on the page. Use it in conjunction with Instant Data Scraper for the best results.
Remember OSINT != tools. Tools help you plan and collect data, but the end result of that tool is not OSINT. You have to analyze, receive feedback, refine, and produce a final, actionable product of value before you can call it intelligence.
Thanks for reading. If you enjoyed this post, make sure to subscribe. A new one just like this will be posted every Tuesday at 6:00 PM UTC-5:00.