Another week, another set of OSINT tools. This week we'll be looking at tools for OSINT investigations using metadata, archives, and downloading ephemeral content. The goal is to expand your mindset on what's possible using tools, increase your efficiency, and amplify your outcomes. Let's get started.
Metadata is an incredibly important, yet underrated, aspect of OSINT investigations. In order to collect evidence that can be authenticated, you must understand the role metadata has in the process. A great way to get started with learning about metadata, and forensics in general, is to use Metaforge by Chris Morris. This tool will analyze the metadata of any file you feed it and generate a clean report.
What Metaforge is doing behind the scenes is running exiftool on all media you place into a folder. It then generates an HTML report to show your results. Here's an example.
You'll be able to look at some more of the details by clicking "All Metadata" or "Hexadecimal View". I don't see Metaforge being a must-have tool in your toolkit; however, it's an excellent environment to learn Git, Python, and metadata all at once!
Carbon Dating the Web
When you're analyzing a webpage online, it's important to ensure you're checking any archives of that page. This includes checking multiple archives for different variations of the page as well as any mentions of that page on social media. This can give you a ton of insight on any changes made to the site, any conversations about the content, or changes in information like email addresses, social media profiles, etc.
Old Dominion University made a tool to "carbon date" the web. It does an analysis of all archives to tell you how old a webpage is and give you all of that information, including date/timestamps all in one location. If you're restricted from using browser extensions like Web Archives, I definitely recommend giving this a shot.
If you'd like to turn this process into a bookmarklet, check out this reference for making it into a shortcut.
Ephemeral data is becoming the new normal on social media. It started with Snapchat and quickly spread to Instagram with stories. Soon to follow were Facebook, LinkedIn, and now Twitter. There are also rumors of YouTube stories in beta. Because the nature of this data is temporary, it's important to capture it as soon as it's available.
If you're familiar with developer tools then downloading these stories is as simple as isolating the video and downloading the source file; however, if you're not familiar or you run into trouble, check out this browser extension called Story Saver.
Story Saver allows you to download a story to your local drive with a single click. If you're looking to download multiple stories within one investigation, this tool can be invaluable. It works on Facebook, Instagram, and WhatsApp. Once you've downloaded the source file, you can easily hash the content and store it for later use in the investigation.
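One way to handle the hash-and-store step above, as an added example that is not part of the original post or of Story Saver: it builds a manifest for a folder of downloaded files and later reports any file that is missing or no longer matches. The choice of SHA-256, the function names, and the manifest fields are assumptions made for illustration.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large video downloads don't fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(folder):
    """Record name, size, SHA-256 and UTC record time for every file."""
    folder = Path(folder)
    now = datetime.now(timezone.utc).isoformat()
    return [
        {"file": str(p.relative_to(folder)), "bytes": p.stat().st_size,
         "sha256": sha256_file(p), "recorded_utc": now}
        for p in sorted(folder.rglob("*")) if p.is_file()
    ]


def verify_manifest(folder, manifest):
    """Return {file: 'missing' | 'modified'} for entries that no longer match."""
    problems = {}
    for entry in manifest:
        path = Path(folder) / entry["file"]
        if not path.is_file():
            problems[entry["file"]] = "missing"
        elif sha256_file(path) != entry["sha256"]:
            problems[entry["file"]] = "modified"
    return problems


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        story = Path(tmp) / "story_001.mp4"
        story.write_bytes(b"constructed sample bytes")  # constructed, not a real story
        manifest = build_manifest(tmp)
        story.write_bytes(b"edited after capture")  # simulate later alteration
        return verify_manifest(tmp, manifest)


if __name__ == "__main__":
    print(demo())  # {'story_001.mp4': 'modified'}
```

Store the manifest separately from the evidence folder so that a change to the files cannot also rewrite the recorded hashes.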
Remember, OSINT != tools. OSINT tools help you plan and collect data, but the end result of that tool is not OSINT. You have to analyze, verify, receive feedback, refine, and produce a final, actionable product of value before it can be intelligence.
Thanks for reading. If you enjoyed this post, make sure to subscribe. A new one just like this will be posted every Tuesday at 6:00 PM UTC-5:00.