OSINT Workflow Wednesday - Deconstructing Social Media Platforms

When doing investigations with OSINT, social media platforms can't be ignored. In order to make the most of the OSINT available on social media, you have to understand how to deconstruct a platform. This will allow you to target specific types of data with greater ease and weed out a lot of the noise social media intelligence is known for having. Here's how I deconstruct social media platforms for intelligence gathering.


Step 1: Check Search Indexes

A lot of social media platforms require you to register before viewing content. Additionally, most don't have a readily available sitemap for easy review. Because of this, you have to map things out manually. You can do this by using a few Google Dorks, analyzing the results, and applying the necessary filters. Here are a few to try:

site:tiktok.com

This will give you search results for pages that come from TikTok. Simple enough, right? Well, it's not very useful. We have to keep unpacking and tailoring our query in order to get real value out of this process. Here's what I'm seeing so far:

Screenshot from a Google Dork on TikTok

You'll notice a few subdomains are listed. I'm seeing developers.tiktok.com and creatormarketplace.tiktok.com. If we're looking for specific individuals, we need to weed those results out of our query to eliminate the noise.

site:tiktok.com -site:developers.tiktok.com

By adding the -site:developers.tiktok.com operator, we're able to remove all results from that subdomain. You can continue to sift through the results and add more exclusions, but that can get tedious and you might not add everything that's necessary. We need more information.

Step 2: Find all Subdomains

If you know all of the subdomains of a social media platform, you can quickly eliminate or isolate any and all subdomains of your choosing. To find this list, head on over to SecurityTrails and search for the social media platform you're investigating. Here's the link for TikTok. You'll have to create a login for SecurityTrails to see the full list, but the ungated list provided can quickly expedite your process.

Screenshot of subdomain results for TikTok

site:tiktok.com -site:vm.tiktok.com -site:newsroom.tiktok.com -site:ads.tiktok.com

This new abbreviated query contains 3 subdomains I didn't find on the first page of my Google search results.
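The exclusion query from Steps 1 and 2 can be generated from a pasted subdomain list instead of being typed by hand. This is an added example, not code from the original post; the function names and the sample list are constructed, and `www.tiktok.com` as the host to keep is an assumption.

```python
def normalise(hosts, apex):
    """Lower-case, strip trailing dots and wildcard labels, keep only real
    subdomains of `apex`, and de-duplicate while preserving order."""
    seen, out = set(), []
    suffix = "." + apex.lower()
    for raw in hosts:
        host = raw.strip().lower().rstrip(".")
        if host.startswith("*."):
            host = host[2:]
        # endswith(".apex") rejects the apex itself and look-alikes such as
        # "nottiktok.com" that merely end in the same characters.
        if host.endswith(suffix) and host not in seen:
            seen.add(host)
            out.append(host)
    return out


def exclusion_query(apex, hosts, keep=()):
    """Build `site:apex -site:sub ...`, never excluding hosts in `keep`."""
    kept = set(normalise(keep, apex))
    parts = [f"site:{apex}"]
    parts += [f"-site:{h}" for h in normalise(hosts, apex) if h not in kept]
    return " ".join(parts)


def isolation_queries(apex, hosts):
    """One `site:` query per subdomain, for reviewing each one on its own."""
    return [f"site:{h}" for h in normalise(hosts, apex)]


# Constructed sample, shaped like a messy copy/paste of a subdomain export.
SAMPLE = """
developers.tiktok.com
VM.tiktok.com.
newsroom.tiktok.com
ads.tiktok.com
ads.tiktok.com
*.creatormarketplace.tiktok.com
www.tiktok.com
tiktok.com
nottiktok.com
"""

if __name__ == "__main__":
    # Assumption: www is the host you want results from, so it is kept.
    print(exclusion_query("tiktok.com", SAMPLE.split(), keep=["www.tiktok.com"]))
    for query in isolation_queries("tiktok.com", SAMPLE.split()):
        print(query)
```

The `keep` argument guards against the easy mistake of excluding the one host you actually want results from when the whole export is pasted in.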

Step 3: Understand the Platform's Privacy Policies and Other Fine Print

You want to see what the risks are before you register for an account, which will be the next step in our process. Things you want to look out for are how they collect your information, what they do with that information, whether EXIF data is cleansed on the front and back end, what types of content users can see, what types of privacy settings they have, etc. Here's a quick snapshot from Parler's privacy policy.

How Parler uses Your Information

You're going to want to create a sock puppet account for any social media profile you sign up for, so you'll also need to understand how sophisticated a sock puppet you need to make. For Facebook, it's much more difficult. For Twitter or Gab, much easier.

Step 4: Register for an Account and Pay Attention

After you've collected all of the assets required to build a good sock puppet, it's time to register for an account. When I say pay attention, I mean that from the first step. Ask yourself some of these questions:

What types of data do they ask you for during the sign up process?

The more data they ask for during registration, the more information they likely collect from their users. Make sure you spoof birthdates and security questions but don't forget them.

What are the default privacy settings?

The default privacy settings upon registration are likely the privacy settings of most users. If you understand what can and can't be seen from the default privacy settings, you'll be better able to understand what types of information you're likely to come across on other profiles.

During registration, does the platform generate a username, or do you specify one?

Platforms often take your email address and check to see if that username is available. If it is, they'll assign it to your account and give you the option to change it if you want. If a platform does this, such as Parler, then reversing an email address into a Parler profile is a very viable method for OSINT.

What follow up emails do you get?

Follow up emails, such as email verifications, can give you a good insight into the user. If account verification is required, which it is in the case of most social media platforms, then you know that users have an email address on their account they have access to. Of course, it's possible they used a disposable email; however, typical users of social media normally don't have that level of OPSEC.

What happens when you trigger a password reset?

A common, yet grey, OSINT technique for identifying what email is registered to a social media profile is to initiate a password reset to get a hint at what email was used. You want to test this out on your own profile to see what information is available and what type of alert is triggered when doing so.

Step 5: Understand How the Platform Works

In order to understand how the platform works, you have to intimately understand each feature of the platform as well as how top influencers are using those features. This understanding will allow you to know which data points to prioritize and what types of information you're unlikely to find.

A good example of this is with Instagram stories. You can tag other people in stories as well as a location. If you didn't know to look within stories, you'd only be able to analyze a social network within Instagram posts and you'd likely miss out on a good skiptracing opportunity within story location tags.

Location Tagging on Instagram Stories

Another example is original sounds on TikTok. You can quickly build out a social network by looking at the first people to repurpose the audio from a video your target posted. Without this knowledge, you'd only be looking for mentions within video posts.

List of people using Terry Crews' original sound on TikTok

Step 6: Study the Platform Using DevTools

A lot of content that can be extracted from social media platforms is difficult to get to. If you try to simply right click on it and save it, you won't have much luck. This is why you have to be familiar with how to use developer tools and when to use them. Some platforms also expose a significant amount of data, such as Unix date/time stamps, in the source code but not on the front end.

TikTok and Instagram are examples of platforms where content extraction can only be done with developer tools. Sure, you can screenshot your findings, but a screenshot isn't the original photo/video, which makes it difficult to prove authenticity.

Developer Tools View of TikTok Video

An example of date/time stamps that are only available in developer tools can be found when looking at Gab. If you hover over a date stamp on the front end, you'll be able to see the time stamp but you won't be able to copy it. If you need to establish a very accurate timeline for a user's activity, you'll have to pull that Unix timestamp using developer tools.

Developer Tools View of Gab Timestamp
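Timestamps copied out of developer tools have to be normalised to one unit and one timezone before they can be ordered into a timeline. The following is an added example, not from the original post; the sample values are constructed, and it assumes a platform may expose epoch seconds, epoch milliseconds, or an ISO 8601 string.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


def to_utc(value):
    """Normalise one timestamp copied from page source to an aware UTC datetime.

    Assumption: the value is epoch seconds, epoch milliseconds, or ISO 8601.
    """
    text = str(value).strip()
    if text.isdigit():
        n = int(text)
        # Heuristic: 10**11 seconds is year 5138, so anything that large is
        # taken to be milliseconds (13-digit values for current dates).
        if n >= 10**11:
            # Integer arithmetic keeps the millisecond part exact.
            return datetime.fromtimestamp(n // 1000, tz=UTC) + timedelta(milliseconds=n % 1000)
        return datetime.fromtimestamp(n, tz=UTC)
    parsed = datetime.fromisoformat(text.replace("Z", "+00:00"))
    if parsed.tzinfo is None:
        # A naive local time cannot be placed on a timeline without guessing.
        raise ValueError(f"timestamp has no timezone: {text!r}")
    return parsed.astimezone(UTC)


def build_timeline(events):
    """Return (utc_iso, label) pairs sorted oldest first."""
    stamped = sorted((to_utc(raw), label) for label, raw in events)
    return [(dt.isoformat(timespec="milliseconds"), label) for dt, label in stamped]


# Constructed sample: the same few minutes of activity in three encodings.
SAMPLE_EVENTS = [
    ("post A", "1615334400"),
    ("post B", "1615334399500"),
    ("post C", "2021-03-10T02:30:00+02:00"),
    ("reply D", "2021-03-10T00:15:00Z"),
]

if __name__ == "__main__":
    for when, label in build_timeline(SAMPLE_EVENTS):
        print(when, label)
```

Record the raw value alongside the converted one in your notes, so the conversion can be re-checked against the source later.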

Step 7: Extract a Sample Dataset

Another way to extract content from social media is to use automation. Whether it's a Python script or a browser extension like Instant Data Scraper, collecting content at scale can be very useful and very time efficient. It's important to note that many social media platforms are implementing anti-scraping countermeasures so try not to get too reliant on tools. Here are a few examples of use cases.

If you find a Telegram channel of interest, you can quickly use Instant Data Scraper to download all posts since the channel was created. Using frequency analysis, you can quickly find which websites are referenced most often, what other channels content is forwarded from most frequently, as well as a variety of other use cases.

Example of Instant Data Scraper on an antisemitic Telegram Channel
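The frequency analysis described above, run over an exported set of posts, as an added example that is not part of the original post. The row layout (`text`, `forwarded_from`), the function names and the sample rows are constructed and do not reflect any particular scraper's export format.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)


def domains_in(text):
    """Hostnames linked in one post, as a set so repeats in a post count once."""
    hosts = set()
    for url in URL_RE.findall(text or ""):
        try:
            host = urlsplit(url.rstrip(".,;:!?")).hostname
        except ValueError:  # malformed URL, e.g. an unclosed IPv6 bracket
            continue
        if host:
            hosts.add(host[4:] if host.startswith("www.") else host)
    return hosts


def ranked(counter, top):
    """Highest count first; ties broken by name so output is reproducible."""
    return sorted(counter.items(), key=lambda kv: (-kv[1], kv[0]))[:top]


def frequency_report(posts, top=3):
    """Return (top linked domains, top forward sources) for a list of posts."""
    domains, forwards = Counter(), Counter()
    for post in posts:
        domains.update(domains_in(post.get("text")))
        source = (post.get("forwarded_from") or "").strip().casefold()
        if source:
            forwards[source] += 1
    return ranked(domains, top), ranked(forwards, top)


# Constructed sample rows, shaped like a scraped channel export.
POSTS = [
    {"text": "Read https://www.example.com/a and https://example.com/b.",
     "forwarded_from": "Channel A"},
    {"text": "mirror: http://Example.org/x?id=1, also https://video.example.net/v/9",
     "forwarded_from": ""},
    {"text": "https://example.com/c", "forwarded_from": "channel a"},
    {"text": "no links here", "forwarded_from": "Channel B"},
    {"text": "(https://example.org/y)", "forwarded_from": None},
]

if __name__ == "__main__":
    top_domains, top_forwards = frequency_report(POSTS)
    print(top_domains)
    print(top_forwards)
```

Counting each domain once per post measures how many posts reference a site, which keeps a single link-heavy post from dominating the ranking.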

Another good example would be using a tool like Instagram-Scraper to extract all photos and videos from a targeted Instagram profile. You can  Python scripts are very helpful when browser real estate is scarce in your investigation.

View of Instagram-Scraper in terminal

Step 8: Share your Findings

This last part is important. The landscape for open source intelligence changes in real time. If tools, tactics, and techniques aren't shared within the OSINT community, that puts us all one step behind in countering fraud, abuse, criminal activity, and other nefarious action. If you discover a new tool or method while researching, determine the risk of sharing that method with the masses. If the threat is high, whether it's platform or threat actor adjustment, engage within the deep web on Slack, Discord, osint.team, or another method; however, if the risk is low, the more white hat people in the OSINT world, the better.

Thanks for reading. If you enjoyed this post, make sure to subscribe. A new one just like this will be posted every Wednesday at 6:00 PM UTC-5:00.
