Something Awesome: Submission/Summary
This is a little summary/submission post which links to all my other posts:
Proposal
Week 2
Week 3
Week 4
Week 5 + Private Blog
Week 6
Week 7
Week 8
Youtube Presentation
Final Profile


Something Awesome Week 8: The Finale
This week I’ve been finalizing the profile I’ve been putting together of Andrew, I created a video of my presentation, and I’ve been having some final reflective thoughts which I felt would be good to write down.
Did I learn OSINT?
Yes. I definitely think I achieved this aspect of the project. The amount of research I did in phase 1 was enough, and the notes I took were something I could always go back to in case I was stuck. It was really helpful to also have the podcasts because it felt like I was learning something new each week (even if I couldn’t use it) in my 30-minute commute. I think this knowledge also came across in my project in how I had to think of creative ways to get access to public data.
What tools from the industry helped best?
Honestly, Google + Creativity. With Dorking and literally having all the world’s (public) information at my fingertips, Google was really, really helpful. I think in the case of my target, the other tools found on tool aggregation sites like osintframework.com and in the bellingcat doc weren’t that useful. This is because of three main things:
Many tools are now dead (especially the social media ones): Tools are forgotten and left unmaintained, or the hosting for the site a tool lives on stops being paid for, etc. There’s a reason why OSINT is called the land of dead tools. Something that definitely had a big impact on my project was the Cambridge Analytica scandal; since then, social media companies have tightened their data privacy and most social media tools have been rendered useless.
Australian data is not typically public: I found that many tools and sites were built specifically to serve targets in the US. A lot of US records are frequently put online and made public, and there are sites that search across all categories of public records and make OSINT ‘easy’. However, that is not the case in Australia (thankfully).
Some tools have started off free, built up a user base and then moved to paid subscriptions. In my case, some online sites and Maltego restrict certain functionality in their free tier, and it’s hard to say if this had a major impact on my work. As with all OSINT, one small piece of intel can open doors to new discoveries, and if the paid tier would have helped find that piece then yes, it would’ve made a big impact.
Trusty Google and logic became my primary tools of choice and I think they’ve served me well. Sometimes an OSINT investigation will focus on physical/digital infrastructure (getting IP addresses of servers to exploit, etc.). I didn’t need to do that in my project, so I didn’t need to use those tools.
How would things be different if this was a real investigation?
I think there would be 3 primary differences if this were a real investigation:
Specific Goal, More Structure: Usually investigations (at least from what I’ve seen) focus on finding out specific information on a target, not trying to find out everything possible. While it’s been interesting to see what information I could find by being more general, I’d love to participate in a future CTF to see if I can put these new skills to use for achieving specific goals.
More Time: I’m not sure how long investigations typically run for (or if there even is a typical time frame), but I think in an actual investigation there would be more time to really go through all the social media profiles of work colleagues, friends, suspected family members, etc. In this project, I had to balance my thesis and another course, but I’m hoping that what I’ve managed to find is enough.
Leaving no traces: During real OSINT operations, investigators would use fake online profiles and VMs to mask their identity and location. For me this is just hassle and overhead, I understand why it’s done, but I didn’t need to for this project.
Something Awesome Week 7: The tides hath turned
So this is probably the final week where I will purely be doing information gathering, next week I will be putting together all the information found into a nice, easy to view profile of Andrew.
Since last week was a bit of a flop, I re-checked the Tracelab’s OSINT criteria (here) and I found that it’s valuable to find out employer, family, and any vehicle information. Up until now, I had only been focusing on Andrew himself. The site reminded me that, when building a detailed profile, you need to consider more than just personal information; the context of work/family is important too, because they can provide opportunities for exploitation.
Thus, the goals for this week are:
Gather more detail on the employers (maybe limit to only the past 2 for relevance).
Find relatives, but no stalking them. Just basic name and social media profile link if found.
Current Vehicle Information.
Employer Deep Dive
Finding PwC’s information was easy as expected. Just Google and Glassdoor.
Name: PricewaterhouseCoopers
Business: Consultancy
Website: https://www.pwc.com.au/
Address: One International Towers, Watermans Quay, Barangaroo NSW 2000
Phone: (02) 8266 0000
Social Media (Australian Accounts): Facebook, Twitter, LinkedIn, Youtube
Manager at the time: Unknown
Estimated Salary at the time: $28-$32/hr
I decided to add two more fields (Manager, Salary) because I think for an attacker this information is important. The Manager provides an authority which can be exploited via social engineering and knowing the Salary allows you to piece together an idea of the target’s financial situation. In intelligence gathering, if you need to sway a target onto your side it’s common to bribe them - but how much is enough? This is why it’s important to have an idea of how much the target earns so you can use this information to your advantage.
Next up was Tutor Doctor.
Name: Tutor Doctor (Tutoring Franchise)
Business: Private Tutoring
Website: https://www.tutordoctor.com.au/, https://northshore.tutor-doctor.com.au/
Address: None (Tutoring is done in students home, possible no address at all)
Phone: 0490 177 441
Social Media: Facebook
Manager at the time: Hugh Moore
Phone: 0490 177 441, Email: [email protected]
Social Media: LinkedIn (with public photo), Facebook
Estimated Salary at the time: $25-$27/hr
I quickly found that there are actually multiple ‘regions’ the brand is split up in and each seems to run independently. Luckily I found contact details for each region on the website and it was clear that each region was run by 1 person with a listed mobile number and website.
I used the fact that Andrew went to Barker to narrow down the regions to either Hornsby or North Shore. This is where I ran into a dead end: I didn’t know how to verify which one Andrew worked in. I decided to call the mobile numbers and act as though I’m an enquiring parent who has been recommended Andrew specifically; one of them will have Andrew in their system. I called Hornsby first since Barker College is in Hornsby, however the person didn’t pick up, so I tried Hugh Moore in North Shoore (forgive the pun, it's late). Hugh didn’t even have to use any system, he remembered Andrew (from like years ago...must have been a fine tutor).
SideNote: I realize that this is probably going too far for OSINT and walking the line of social engineering (which I wasn’t cleared to do), but my aim was not to get Hugh to give me Andrew’s confidential, personal details such as an email/phone number. If I’ve crossed the line here, I understand if I get docked marks for it - sorry :(.
SideNote 2: This did give me an idea of how I would use social engineering (if I was meant to/cleared to) to get personal information. I would call up acting like a technical recruiting manager from a tech company with an obscure name (the type you forget after a couple of minutes). I would claim that Andrew is applying for a job at said obscure company and has listed Hugh as a referee. After the chit-chat of getting his referral, I would ask Hugh if he had Andrew’s number or email address: “He definitely seems like a very promising candidate and I’d be happy to progress his application forward with your referral. Um actually, for the next stage, I need to call him to organise the best time for an interview, however I think he’s forgotten to put his number on his CV. I was wondering if you had a phone number for him?“
Why would this work?
People want to help people they know (Hugh would want to help Andrew land this job)
A phone number is not really personal information to a recruiter, might not sound any mental alarm bells
People operate in patterns: For the duration of the call, I would be asking questions (about Andrew’s personality, work ethic - things that are personal to his character) and Hugh would be answering. When I slip in the question about getting a phone number, Hugh might not think twice about it at this point. Especially if I've built good rapport with him thus far and sold him the recruiter story.
Feels almost evil to think of such things. So let's get back to proper OSINT :D :D.
Family + Relatives
In the past, I’ve seen mentions of a Glen R Carmichael in the UNSW Dean's list under CSE. It seems very likely that this is a brother. When looking him up I found he had an ABN, his Facebook was private, and he too was on the HSC Distinguished Achievers list. Unfortunately, this is where I uncovered something that didn’t match my hypothesis: Glen R Carmichael went to Covenant Christian School, not Barker College. Weirdly, I couldn’t find a LinkedIn profile, so I couldn’t use that to find more similarities between him and Andrew. For now, I’m going to put him down as a possible relative/cousin.
Vehicle
Trying to find Glen’s information took some time, so instead of trying to find more people in Andrew’s family, I decided to move on to trying to find some vehicle information. I read an article a few months ago about a man who created an ML project to look up car registrations in Victoria in real time. Surely I could do the same in NSW, and maybe I could look up driver information too? Turns out you can search for vehicle registrations via the number plate, but there’s no way of finding out who owns the car, or searching up drivers and then getting cars. Makes sense, it is kinda personal and only the po po should have access to that info. Ideally, if Andrew had a public Facebook profile there may be a post of him showing off his shiny new red P’s (as so many Millennials do). Usually, these posts will include the car (and most of the time the number plate too!). A registration check gives you the following information:
Model
Make (inc. year)
Colour
Weight
Registration Expiry
CTP (insurer details)
Any concessions listed
You can also get a vehicle history report for $22. Since I don’t have any photos of his car or knowledge of any immediate family, I’m pretty sure it's rather impossible to find any information on any vehicles he drives. All the resources under osintframework.com or the bellingcat doc are either only useful in the US or not related to what I’m trying to find.
Facebook Events & Photos
I had a brainwave one day while walking out of my thesis meeting and checking a Facebook event I was invited to. Facebook events allow you to view the guest list if the event isn’t private, so even though I can’t see Andrew’s events via his profile, I can try and find events he has been to/is going to and check the guest list! This is actually not a bad idea, because he is the Wellbeing head at UNSW SecSoc and in my past experience of societies, the exec committee usually come to the events. On the Events tab of the SecSoc page, I checked all the events since April and found that Andrew has been to three events, one of which he actually hosted!
On the sidebar I noticed the photos tab. After going through all the photos (not that many anyway) I actually managed to find a few photos of Andrew at those events!
AWWW YEAAAA :partyparrot:
What’s interesting is that Andrew isn’t tagged in any of these photos, but by knowing enough information about him I was able to place him at these events (OSINT is legit y’all).
What’s more, I would like to explain the significance of the second photo. Something I learned from the first phase of research is that photos of personal tech and devices are very valuable. Even though the photo may not be clear, this photo combined with one in the album which exposes part of the keyboard is enough for attackers to identify which model laptop Andrew owns. This opens him up to all the vulnerabilities and exploits this model has. It also gives attackers an idea of the computing power Andrew has access to on a daily basis. BINGOOOO :P
What’s the impact of having this data?
Employer Details: Gives an attacker more context on the target and opens up the attack surface. Finding people the target worked with creates opportunities for social engineering and more social media profiles to analyse. Knowing the position and company also provides an idea of the kind of financial income the target may have and whether or not that is exploitable.
Family/Relatives: Very similar to the above when it comes to social engineering and social media. OSINT professionals have a term for family members who post their entire lives (and yours) on social media: Chatterboxes.
Vehicle: Even though I didn’t find Andrew’s vehicle, having such information is very useful. It can be used for many things, such as confirming that the target was in a location by finding their vehicle there, knowing whether the rego has expired or not, etc.
Events & Photos: The events and photos show where the target has been, what they are interested in and where they like to go. Using this information, I can say with some confidence that Andrew will go to a UNSW SecSoc event at the end of the term once his thesis and other course requirements are cleared.
Note on Time Management
This week I managed to complete all my usual work by Tuesday night/Wednesday midday (counting time for the tutorial). This was huge because it allowed me to dedicate a lot more time to this week’s Something Awesome and honestly, without it I probably would’ve run out of time and not found the Facebook events and photos. Definitely going to run with a schedule like this next term :D
Something Awesome! Week 6
“The world today abounds in open information to an extent unimaginable to intelligence officers of the Cold War.” - CIA
Welcome back for another week of stalking... Last week I managed to find some social profiles, evidence of exchange, usernames and Andrew’s full name! (surprisingly hard to find). This week I’m hoping to be able to find more email addresses and social profiles like GitHub/Bitbucket, Tumblr, Twitter, etc.
Google Dorking + Social Media Searching
I started with trying to target the social profiles first via Google. Literally nothing came up. I tried each site’s own search engine with the emails I found earlier, the two user IDs from Facebook and LinkedIn, and sensible variations of his name as a username, but I couldn’t find a profile that matched Andrew’s.
At this point, I was getting a little worried, because I’m sure Andrew has a GitHub profile and Twitter, and he has to have Tumblr otherwise I’m not sure how he will mark our work, but I couldn’t find any such profiles. It is entirely possible that he has made his profiles unable to be found via search, but I had no way of confirming this. I tried to get creative: I know he is the wellbeing head at UNSW SecSoc, so I tried checking the Twitter followers of UNSW SecSoc, Lachlan Jones (caff), Adam Smallhorn, Richard Buckland and some others. I wasn’t just looking for an @andrewcarmichael Twitter account; I had a feeling he would use a username that was obscure, so I even checked out most of the accounts with obscure usernames to see if it was even remotely possible for them to be Andrew’s account. Nothing. In a similar fashion, I tried on GitHub. I checked the followers of unswsecsoc’s GitHub account, Lachlan Jones's account, etc. I was hoping he had made a commit in some repo and that information would pop up, but still nothing. It’s quite possible that he doesn’t actually use GitHub/Bitbucket but rather something like GitLab where everything is already private. If that is the case, then there's no way to find his account. What makes it even harder is that he doesn’t have a personal website; usually people who have a personal website will have the code on GitHub somewhere and you can find their account via the commits for that repo. :(
I still had hope. There’s one thing left to check: Google Docs. Andrew made the initial doc for the first chapter of the course textbook; maybe there’s a way, perhaps through comments or version history, of checking his profile and getting his Gmail address. Sadly, the OSINT Gods are looking favorably upon Andrew - not me. Google Docs doesn’t expose the email address of the person making changes, only the full name.
Maltego (pls...help meh)
Since last week I have watched a couple of videos on how to use Maltego, so this was the perfect time to give it a go. As I’ve explained in a previous post, Maltego is data mining and visualising software: you basically add information as nodes in a graph and Maltego runs little programs (transforms) on each node trying to find out more information! I decided to start with Andrew’s full name.
This gave me a set of companies (mainly based in the UK), some really arbitrary documents and some names of people (again mainly based in the UK) who could be associates of Andrew. The documents were very random and definitely not related to Andrew. Since most of the people were registered in the UK, I felt that they weren’t relevant. They could have been some cousins/extended family but I didn’t have a way of confirming this. I tried to look up his name without the second middle name.
While the connections with people were the same, this search yielded the same kind of results as the previous one. A bunch of random documents/records from the UK ranging from 1600s-1800s. Upon reflection, I realised that this is most likely because Maltego doesn’t have access to Australian records since our current records aren’t public. Interestingly, I ran all transforms available on both names and neither one revealed a useful email/social media profile/phone number. Some of this could also be because I’m using the community (free) edition of the software, thus I expect that the search results are limited. I tried to run direct searches on the LinkedIn and Facebook profiles, but the main transform required API keys for a paid service. My search resulted in no new information.
Lastly, I tried to use the known emails so far to generate new information. This was finally getting interesting!
As expected, I found links to UNSW and UNSW SecSoc. I also found links to ANZNN (Australia New Zealand Neonatal Network), a research organisation that seems to be managed by UNSW. I cross-checked the phone number and email addresses found against the contact us page on the ANZNN website. Is Andrew involved in international neonatal research? Since he is a mechatronics/compsci student with a strong interest in security, it seems unlikely. I tried to check for Andrew’s name in media or papers released from the organisation, but as expected I found nothing. I think the only useful information I got from running all this was finding out that his emails haven’t been breached according to haveibeenpwned.com.
Namechk
I hit up bellingcat’s online investigation toolkit again to see what resources it had for social media information and found Namechk. It’s a site that lets you test usernames to see how many different social media profiles already have that username taken. I think it’s good for people who only want one username on all platforms; for me, however, I can use it to see if any of Andrew’s known user IDs are used anywhere else.
andrew-rc-carmichael: Apparently invalid on all sites since it's too long?
andrew.carmichael.395: Apparently besides Facebook, this username is invalid on all other services?? (is this site broken or is there actually a 12-15 char limit?)
arc: There are a few sites I found which could have accounts that likely belong to Andrew:
Twitter: Account seems like a bot, only follows Japanese content, no likes, no security-related content. Not Andrew
Flickr: 1 Follower who I can’t check, but joined in 2004 (Andrew’s approx age at the time would’ve been 7-8 - who has an email at age 7/8?). Not Andrew
Steam: From Profile: Szymon Herman (Slaskie, Poland). Not Andrew
Soundcloud: Profile photo doesn’t match at all. Not Andrew
CoderWall: Account belongs to an Aaron Crane. Not Andrew
Disqus: Old account (2008 - seriously, Disqus has been around since then??), only 1 comment about getting some bank ID? Not Andrew
Codecademy: Of course, I’ve left the best to last. This account belongs to a ‘Michael’. This is significant because there are no names or other identifiable information on the profile. There's only ‘Michael‘ with the username ‘arc’. Given Andrew’s last name and experience with code, it’s possible that this account could be his!!! This could be Andrew!
What’s the impact of having this data?
None?? Given what we already know about him from his LinkedIn profile and university degree, having an account on Codecademy hardly adds anything new to his profile. What would be interesting, however, is if Codecademy had a known data leak/hack. If a hacker exposed user accounts/emails and/or passwords, then by getting hold of that dataset and checking for user ‘arc’, we might be able to find his password or email. Thankfully Codecademy hasn’t had any such data breach.
Reflection
From a pure data gathering point of view, this week feels like a waste. I barely secured new information, and I think it’s better to move on to set a different goal of finding information such as where he might live or places he visits. I know this is harder to find, but I think I’ve reached a dead end here. From a learnings point of view, this week has been fruitful! And that is more important to me. I came up with creative ideas for getting information (even though they failed) and that strengthened my skills of thinking like a security engineer and problem solving. I also learned how to use Maltego, which is sooo common and widespread in the industry. Even though I didn’t get much information on Andrew from Maltego, I understand why, for American targets and under a professional Maltego license, investigators love this software. It allows you to step through the OSINT methodology and takes a lot of the manual searching out of your hands so you can focus on organising and creating links in your data. To put things in perspective for myself: my target is a professionally certified hacker and security tutor; it was never going to be easy.
Something Awesome Week 5
tldr: Yo. I. Found. Some. Shiz. ----------------------------------
I found some interesting stuff last week but I want to try and take this to another level this week using some more advanced osint strategies (Dorking and other tools). Before that, a few ideas since last week:
What do parents do when you get an award? Get proud and send people photos (at least this is what Asian parents do to flex on other Asian parents). Andrew has won a lot of awards, maybe I can find photos of him online receiving said awards? or perhaps a relatives facebook or something.
Sometimes when I represented the school in something, my name would be published in the school newsletter and I remember being able to find that newsletter online. Should try and search something like “Andrew Carmichael Barker Newsletter”
I realized I haven’t actually found Andrew’s facebook...I should start with that. I used the search feature in facebook itself and found it pretty easily, only because Andrew actually has a profile photo on this, there isn’t one in his LinkedIn profile. (Facebook Profile Link - here). A few things I gained from this:
Photo: I could potentially use his photo to reverse image search on google and see if any other photos of him turn up.
Alias/Username: The Facebook profile link is https://www.facebook.com/andrew.carmichael.395. Note the ‘andrew.carmichael.395’; this looks typical of a username that could be used elsewhere. I checked the LinkedIn one, ‘andrew-rc-carmichael’. Now I’m not too sure if one (or both) of these are auto-generated by the social media sites themselves, but if they are not and they were made by Andrew, then it suggests that he isn’t the type of person who uses only one username everywhere for convenience.
Scotland?: Now I know this is weird, but I have friends who have gone to Scotland and I’ve seen enough Skyfall to know what the Scottish highlands look like. The texture of the mountains, and green shades and the fact that he is wearing a huge weather-proof looking jacket seems to confirm that this photo was in fact taken in Scotland and that he was definitely on exchange. Facebook, unfortunately, doesn’t show any dates and removes EXIF data so there’s no way of 100% confirming but I am about 80% certain.
I tried reverse image searching on just his face:
Funny....but it didn’t help, unfortunately.
Google Dorking
I decided to try out some of the ideas I had thought of since last week. In order to search through newsletters online without actually going through all the newsletters myself, it seemed like Google could do this using a specialised search query: `allintext: “Andrew Carmichael” “Barker”`. From this, I managed to find a photo of Andrew in 2015 at a school awards ceremony? https://www.facebook.com/barkercollege/photos/nicholas-bennett-hayden-brooks-andrew-carmichael-isabelle-trayner-kate-fischer-r/10153001684152000/ I tried reverse image searching on this one too!
Accurate....but also...mug shots?? I tried some other searches like “allintext: andrew carmichael unsw“, and that led me to a Dean’s honour list archive which had his full name: Andrew Robert Coulthard Carmichael. I was able to confirm that this is definitely him because I ended up searching “Andrew Carmichael distinguished achievers list 2014“. Surely with his high ATAR he would’ve been placed on some list, and I was correct. (Link) There is an Andrew Robert Carmichael from Barker College in 2014 who was recognized for two subjects. Honestly, this felt huge! Seeing how private he is online, now having his full name meant that I had a better chance of figuring out his personal email.
osintframework.com & bellingcat & LinkedIn (again!)
From osintframework.com I was able to find a tool called an Email Permutator (Link). Basically, you provide it a person’s first name, last name, domain (Gmail in this case - he mentioned he has one), and optional fields for middle names and nicknames, and it generates a list of possible common email permutations. I got 46 possible combinations :O. After doing some digging around, I managed to find out about the LinkedIn Sales Navigator. This tool is basically a URL that looks up LinkedIn users via their email (typically used by salespeople for lead generation). For example the following: https://www.linkedin.com/sales/gmail/profile/viewByEmail/a.carmichael395@gmail. It doesn’t work, but if it did, it would bring up his profile. On osintframework.com & bellingcat they have listed some email verification tools, but most of them only seem to work in the US.
Note: This is where my findings took a weird turn, more info in my private blog... Unfortunately, because of what I found (in the private blog) and the time I took to verify the knowledge, I ran out of time this week to progress through the investigation. This is a little worrying because I only have 2-3 weeks left and I don’t even have a personal email or a phone number...and that’s meant to be basic stuff. I still haven’t used Maltego yet, mainly because I need to watch a few more tutorials, but hopefully that will be really useful and I’ll be able to find more interesting information with it next week!
Why is having this data important?
Travel history: From the Facebook and LinkedIn data, I was able to gather that Andrew has been to Scotland on exchange. Not only does this give us an idea of where he has been, or places he would like to visit next, but it allows an attacker to exploit this for an attack. For example, let’s assume Andrew loved his time in Scotland (most of my friends who went on exchange share this sentiment, so I think it's a reasonable assumption) and he can’t wait to go back and visit again. An attacker could formulate a phishing email disguised as a “Qantas: Cheap Tickets To Scotland” email, or something with a clickbaity title like “You won’t believe what this Sydney student found in the Scottish highlands”.
Usernames: Using the potential usernames I found, I can look them up on other social media sites to try and find matches.
Photo: Having photos of targets is always valuable! Especially when you can’t access their facebook photos.
Full Name: Having someone’s full name allows you to try and come up with potential emails and usernames (like I’ve been trying to do). It also could help with further narrowing searches on public records, but here in Australia, we don’t have that sort of capability.
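Two of the pivots in this post, the Email Permutator and looking the found usernames up on other sites, are really the same step: enumerate the identifiers a person is likely to have used from what is already known (name parts, a domain, a few site-assigned aliases). The Python below is an added example of that step; it is not the Email Permutator or Namechk the post used and it contains no data about the target. The pattern and separator lists are my assumption about common conventions, and the "Jane Quinn Doe" identity is a constructed placeholder.

```python
"""Enumerate name-derived e-mail and username candidates for an OSINT pivot.

Added illustration, not the Email Permutator web tool or Namechk that the
post used. The pattern lists below are an assumption about the conventions
people and sites commonly follow; the names in the demo are placeholders.
"""
import re

# Separators commonly seen between name parts in addresses and handles.
SEPARATORS = ("", ".", "_", "-")


def email_permutations(first, last, domain, middles=(), nicknames=()):
    """Return sorted candidate addresses built from common local-part shapes.

    Middle names contribute initials (e.g. "jane.q.doe"); nicknames are treated
    as alternative first names. A set deduplicates overlapping shapes.
    """
    first, last = first.lower(), last.lower()
    last_initial = last[0]
    middle_initials = "".join(m[0].lower() for m in middles)
    local_parts = {last}
    for given in [first] + [n.lower() for n in nicknames]:
        given_initial = given[0]
        local_parts.add(given)
        for sep in SEPARATORS:
            local_parts.update({
                f"{given}{sep}{last}",           # jane.doe
                f"{last}{sep}{given}",           # doe.jane
                f"{given_initial}{sep}{last}",   # j.doe
                f"{given}{sep}{last_initial}",   # jane.d
                f"{last}{sep}{given_initial}",   # doe.j
            })
            if middle_initials:
                local_parts.update({
                    f"{given}{sep}{middle_initials}{sep}{last}",    # jane.q.doe
                    f"{given_initial}{middle_initials}{sep}{last}", # jq.doe
                })
    return sorted(f"{lp}@{domain}" for lp in local_parts)


def username_candidates(first, last, middles=(), known_aliases=()):
    """Derive handles to try on other sites from the name and known aliases.

    Site-generated aliases often carry a numeric suffix ("first.last.395");
    the suffix is dropped and the separators re-spelt, since the same person
    may have registered the base form elsewhere. Initials ("jqd") are
    included because short initial-based handles are a common choice.
    """
    first, last = first.lower(), last.lower()
    initials = first[0] + "".join(m[0].lower() for m in middles) + last[0]
    candidates = {initials, first + last, first[0] + last, first + last[0]}
    for alias in known_aliases:
        alias = alias.lower()
        candidates.add(alias)
        base = re.sub(r"[._-]?\d+$", "", alias)   # drop a trailing ".395"-style suffix
        for sep in SEPARATORS:
            candidates.add(re.sub(r"[._-]", sep, base))
    return sorted(c for c in candidates if c)


if __name__ == "__main__":
    # Placeholder identity (constructed), not the post's target.
    for addr in email_permutations("Jane", "Doe", "example.com", middles=("Quinn",)):
        print(addr)
    print(username_candidates("Jane", "Doe", middles=("Quinn",),
                              known_aliases=("jane.doe.395", "jane-q-doe")))
```

With one middle name the function yields 30 addresses for the placeholder identity (seven shapes times four separators, plus the bare first and last names), which is the same order of magnitude as the 46 the post got with extra nickname fields. The list is only a starting point: each candidate still has to be confirmed through something like the lookup-by-email trick the post describes, and the numeric-suffix handling in `username_candidates` is exactly the auto-generated-alias case the post was unsure about, so treat those derived handles as weaker leads than ones the person visibly chose.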
Something Awesome Week 4
AW YEAH! It’s time to finally start actually doing OSINT :D :D :D
So this week I want to start small and follow the OSINT Methodology by having goals to ‘find’. My goal for this week will simply be to find out what I can from basic google searches. In particular, I’m looking for social media accounts, personal websites, news articles etc.
For easy reading later on, any information in bold (besides titles) is information that I can put in the final profile :D So let's begin!
Before we start searching, let's note down what we already know about Andrew:
Male < 25y old lives in Sydney, Australia
Attends UNSW (probably a bachelor of computer science/software engineering)
Known Alias: Arc (from slack)
Known Email: [email protected] (he gave it out in the first tutorial)
Google searches
“Andrew Carmichael” is a rather common name apparently so just searching that doesn’t actually yield any results that match the target. “Andrew Carmichael unsw“ is much more specific and it leads us straight to his LinkedIn page.
LinkedIn (https://www.linkedin.com/in/andrew-rc-carmichael/)
What’s relevant for the final profile? All LinkedIn Info. He keeps his linkedIn quite up to date, there’s his work experience, his volunteering positions, his education! Most notably, he is doing a dual degree in Mechatronics and CompSci, it seems he went on exchange to Edinburgh, Scotland in 2018 and he went to Barker College (Hornsby - he might live nearby). He also has listed all the courses he’s done thus far, awards he’s received and his ATAR and WAM.
Online Forums
Google also showed some WebCMS course forums that Andrew has been active in! Seems like he didn’t like the disorganisation of one of the courses lol.
https://webcms3.cse.unsw.edu.au/COMP1531/17s2/forums/search?terms=&forum_choice=&user=5060054
https://webcms3.cse.unsw.edu.au/COMP6445/18s2/forums/search?terms=&forum_choice=&user=5060054
https://webcms3.cse.unsw.edu.au/COMP1927/17s1/forums/search?terms=&forum_choice=&user=5060054
From this, I got the idea of checking OpenLearning and Moodle profiles, but unfortunately, I couldn’t find any useful information there.
CSE
The findings from WebCMS made me wonder if I could find a list of all the current courses he is enrolled in. If I had that information, I could look up the class timings and build a basic calendar from that. I ssh’d into CSE and started guessing some commands to run; surely there’s something to check current enrolments?!? I had to do so much of that for the databases assignments. I ran commands to print out what all the available commands are and, instead of finding enrolments, I found two commands, `finger` and `acc`. I found some others too, but when running them with the --help flag I found that they weren’t useful for me.
Well, `finger` didn’t really highlight much; I was hoping for more information from it. `acc`, on the other hand, exposed the UNSW mail [email protected]. I tried cd’ing into the home directories but access was denied. What was interesting is that the User Classes section only listed Andrew as a COMP6441 tutor and a student doing the 3785 program; it didn’t mention any other courses - I think this means that he might be doing non-CSE courses.
Note: This information is probably not considered public since you need a CSE login, but we didn’t really find anything that we didn’t already know anyway.
Slack
Knowing that he is a tutor made me think about his use of Slack. I know that all the security tutors have Slack, so maybe there’s a way to find out a personal email on Slack if you have the username (arc). This is public, because anyone can join, but it does leave a trace. However, it’s fine for me since I’m in the course and already in the Slack group. So I started poking around to see what I could find. His profile doesn’t expose anything useful (it had his known email address), but I could search all chat history for messages sent by him and any files he’s sent on Slack. I looked through these files and the chat history to see if he shared any private information, but there was none :(
Why is all this data important?
Not only did LinkedIn provide a lot of initial data, but it also provided data that could be used to find more. For example, I know that he went to school in Hornsby, so it’s likely that he lives around there (although I’m pretty sure Barker is also a boarding school so he could potentially live anywhere).
I know that he went on exchange in 2018, so perhaps there’s more information to be found about Andrew in Edinburgh.
Even though I failed to find his current enrolments, as I mentioned before, if I had them I’d be able to build a partially complete personal schedule that would dictate where Andrew would be every week throughout this term (not including class).
Just looking at his LinkedIn in general, it’s clear that he is very well versed in security awareness. This is especially evident from his certification as a ‘Professional Hacker’ in 2017. From an attacker’s viewpoint, this is very important information. It informs them of what kind of data and access Andrew might have in a company and how sophisticated their attack methods need to be.
I think it’s a decent start. I probably got derailed and lost some time looking through the commands on CSE machines, but that was interesting nevertheless. Next week, I’d like to try using dorking and some tools on osintframework.com or the bellingcat doc to get more info.
Something Awesome Week 3
Last week I looked into a lot of theory regarding what OSINT is, why it’s good/bad (depending on who you are), who the typical targets are, etc. To properly understand how OSINT is done, we need to look into the world of tools. This week will focus on some of the most useful tools and search techniques for finding information. My aim for this week is to understand which ones will be useful for me when I’m gathering information on Andrew MUAUAHAHHHAAH (enough cringe for this week’s blog post? - let’s get going).
“OSINT is the land of dead tools” - Josh Huff
In doing some searches online on forums, articles, and subreddits I found that there are actually so many tools that people actively try and maintain lists of them. This brings me to the first set of tools that have been highly recommended: osintframework.com and Bellingcat’s Online Investigation Toolkit.
osintframework.com
Expected Usefulness: 7/10
This website is a collection of online tools that make intel and data collection tasks easier. There are two key things from this site that look most beneficial for me.
1. Categorization by topics and goals: If I know I'm looking for an email address, or to verify a phone number, or to find out where a particular IP address is located geographically, I can easily find tools and resources to help me do that.
2. Shows me what I haven’t even considered: Since I’m new to this world, the different categories have given me new ideas of what to look for and how to conduct investigations. In particular, there are categories for Public Record information (birth, marriage, death), Transportation, and Metadata, which I hadn’t even thought of! So this has widened my “attack?” surface.
Additionally, the site has a category for creating a fake online presence (basic name, age, persona, email, usernames/passwords) that you can set up so that when you’re searching for information the trail you leave behind will point to this fake persona. I don’t think I’ll need to use one of these, Andrew knows I’ll be on the lookout for his info, but I definitely see the value in this for real investigations.
Unfortunately, however, there are some negatives:
1. A lot of the tools listed have either moved to a paid model or are only usable in the USA
2. About 40% of the categories won’t be useful for me: I won’t need tools on language translation, the Dark Web, or terrorism (99.99999% sure I won’t need them).
Bellingcat’s Online Investigation Toolkit
Expected Usefulness: 7.5/10
This is very similar to osintframework.com except that it’s a Google Doc written like a book, with a table of contents for convenience. Bellingcat is an online investigative journalism site that has had many notable cases, such as the MH17 disaster, the war in Eastern Ukraine, and the Yemeni Civil War. This document captures all the useful tools that have aided in such investigations. This has two key positives as well!
1. Categorized: the same reasoning as above.
2. Pros/Cons: Each resource/tool is in a table with a description and more importantly a pros and cons list. This allows me to quickly identify which tool is the best for my purpose within a subcategory :D
It’s not as user-friendly as the interactive flow chart on osintframework.com though :( and it also maintains the same negatives as the website.
Google Dorking (Googling...on steroids)
Expected Usefulness: 9/10
One of the most recommended sites, over and over again, was simply... Google. Unless you block specific resources from your website using a robots.txt file, Google indexes all the information that is present on any website. You can specifically look up all text on a page, titles, file types, caches, particular sites, links, etc. It’s actually insane, because people can unknowingly expose private information, and this has led to others finding usernames, passwords, public/private keys, etc. online (legally!). This article is something I’m going to revisit because it contains a lot of examples of how this is done: https://securitytrails.com/blog/google-hacking-techniques
Maltego (Spy Software?)
Expected Usefulness: 8ish/10?
This was the other main tool that was recommended time and time again. It took a while to understand what this actually is, but I think I get it now. Maltego is a data mining and visualizing tool that lets you step through the OSINT methodology (explained in the previous blog) more easily, using software. TLDR: You store what you know as specifically typed nodes in a graph. Maltego will then analyse the nodes/connections and run ‘Transforms’ (scripts/mini-tools) to find out more information. Example: I can create a website node for a particular personal website and, when I run transforms on it, Maltego will try to identify IP addresses, DNS servers, owners, phone numbers, companies, etc. all tied to that website. This seems like a huge advantage! Maltego will allow me to find information much faster, and it seems like I won’t have to keep referring back to osintframework.com or Bellingcat that often because Maltego will have its own tooling to run at the right times! This seemed kinda hard to grasp initially because I haven’t heard of anything like it (some real magic shizz here - Houdini where you at?), so I watched a few video tutorials and read through some of their documentation. The following video helped a lot!
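Going back to the Google Dorking paragraph above: here is an added example (my own code, not from the original post or from any tool it mentions) of what a robots.txt actually does. It is a set of per-crawler crawl rules, parsed here with Python’s standard-library `urllib.robotparser`, and the file itself is a public URL, so every `Disallow:` entry advertises a path to anyone who reads it. The robots.txt text and the paths tested against it are constructed for the example.

```python
"""Evaluate a robots.txt the way a crawler would, offline.

Added example for the Google Dorking section above; not code from the
original post or from any tool it mentions. The robots.txt content below is
constructed for illustration, as are the paths tested against it.
"""
from urllib.robotparser import RobotFileParser

# Constructed sample robots.txt (not taken from any real site).
# Note the two groups: one for every crawler ("*") and one just for Googlebot.
SAMPLE_ROBOTS_TXT = """\
User-agent: *
Disallow: /admin/
Disallow: /backups/

User-agent: Googlebot
Disallow: /drafts/
"""


def load_rules(robots_txt: str) -> RobotFileParser:
    """Parse robots.txt text into a RobotFileParser without any network access."""
    parser = RobotFileParser()
    parser.parse(robots_txt.splitlines())
    return parser


def can_crawl(robots_txt: str, user_agent: str, path: str) -> bool:
    """True if the named crawler is permitted to fetch `path` under these rules.

    Per the robots spec (and Python's implementation), a crawler that has its
    own User-agent group uses only that group; the "*" group applies solely to
    crawlers with no group of their own.
    """
    return load_rules(robots_txt).can_fetch(user_agent, path)


def disallowed_paths(robots_txt: str) -> list[str]:
    """Every Disallow path in the file, in file order.

    robots.txt is itself publicly fetchable, so this list is exactly what the
    file tells any reader (crawler or not) exists on the site.
    """
    paths = []
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0]  # drop trailing comments
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "disallow" and value.strip():
            paths.append(value.strip())
    return paths


def crawl_report(robots_txt: str, user_agent: str, paths: list[str]) -> dict[str, bool]:
    """Map each path to whether `user_agent` may crawl it.

    Useful for checking your own site's robots.txt before relying on it to
    keep anything out of search results.
    """
    rules = load_rules(robots_txt)
    return {p: rules.can_fetch(user_agent, p) for p in paths}


if __name__ == "__main__":
    probe = ["/admin/settings", "/backups/db.sql", "/drafts/post-1", "/blog/hello"]
    for agent in ("Googlebot", "SomeOtherBot"):
        print(agent, crawl_report(SAMPLE_ROBOTS_TXT, agent, probe))
    print("advertised paths:", disallowed_paths(SAMPLE_ROBOTS_TXT))
```

Two things this shows that the paragraph glosses over. First, a crawler with its own `User-agent` group (Googlebot here) ignores the `*` group entirely, so `/admin/` stays crawlable for it even though it is hidden from every other bot. Second, robots.txt is advisory and only governs crawling, not indexing: a URL linked from somewhere else can still show up in results, and the file itself lists the paths its owner wanted hidden. For anything genuinely sensitive, authentication or a `noindex` header/meta tag is the control, not a `Disallow` line. One parser caveat: Python applies rules in file order (first match wins), while Google resolves conflicts by the most specific path, so mixed `Allow`/`Disallow` groups can evaluate differently between the two.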
Others:
Expected Usefulness: 5/10
While doing research and listening to the podcasts from last week, I found out that there are particular Linux distributions that have been made for intel gathering, like Kali Linux or Buscador Linux. Unfortunately, I only have one laptop and currently it is pretty full (7.3GB of storage left :/), so I don’t want to partition my drive or download something like VMware.
Another source of tooling is actually subreddits! r/OSINT and r/openintel sometimes have people promoting tooling that they’ve made, or people asking for reviews of some tools they’ve found. So if I’m in need of something specific or want to know if something is legit, I can hit up those subreddits :D
Summary:
My aim this week was to try and understand how to actually DO OSINT. This quest led to HEAPS of tools, and I quickly understood that it’s best to just follow the top recommendations and get comfortable using them. I’ve looked at tool ‘repositories’ like osintframework.com and Bellingcat’s online doc, I’ve upped my Google game by learning about specific querying strategies, and I’ve learned about an OSINT automation tool called Maltego. All this has made me pretty excited to start gathering intel, and I definitely feel like I’m in a good position now where I’ve done enough research to begin the next phase. KEEEEEN :D
Something AWESOME Proposal
Everyone’s doing CTFs, and while they actually look awesome and loads of fun and I think I could do decently at them, I’ve decided to try something else. Open Source Intelligence (OSINT) is information collected from public sources such as those available on the Internet (social media, websites, articles, etc.). This is apparently a real skill that cybersecurity analysts and intelligence officers use in the real world, so this could be great exposure to practical skills.
Concept
With Andrew’s (tutor) permission, I’d like to spend some time gathering as much information about him online as I can. Since Andrew is already into security, I hypothesize that there won’t be a lot of information about him online; as a result, I would like this project to be an exploration of the process of OSINT.
Through this project, I hope to develop my Thinking like a software engineer and Problem-solving skills.
Schedule
To complete this project well, I believe there are two parts: Research and Information Gathering.
Part 1: Research (Weeks 2-3)
In this phase, I’d like to try and understand what OSINT actually is: what approaches people use, what OSINT tools exist, any influential blogs/podcasts to follow, any tutorials, etc. My hope is that after this phase I can do more than just use Google.
Part 2: Information Gathering (Weeks 4-5, 6-7)
After completing the research phase, I’d like to spend the next 3-4 weeks using that knowledge and actually gathering information on the subject (Andrew). Depending on how things go, I may have to add another subject (i.e. another tutor) to profile, because my current target is a security tutor at a university and I don’t expect there to be a lot of public information about him.
Week 8 will be for finalizing the information found, writing up the profile(s), and creating a presentation (if required) for submission.
Marking Criteria
Notes to the marker: I’m a little reluctant to include specifically which information found corresponds to which grade, in case such information is not public in the first place. The below are suggestions and ideas for me to follow. The flags have been inspired by the list here: https://www.tracelabs.org/getinvolved/ctf
P:
Some evidence of work being done each week
Shows basic understanding of what OSINT is
Basic information found on the subject
C:
Research: Evidence of consistent blogging every week (wk 2, wk 3), gathering knowledge from a range of source formats (videos, articles, blogs, books, etc.)
Information Gathering: Information found includes one or more of the following:
Email, Birthdate, usernames, places frequented, personal website(s)
D:
All Credit requirements
Has used some OSINT Tools for information gathering
Information Gathering: Information found includes one or more of the following:
Medical issue(s), Mobile Phone information (make, model, number), any other emails, travel history (in the last few years), work experience, professional memberships, home information (location, photo, etc)
HD:
All Distinction requirements
Structured blogs showing the thinking behind how to find information, good understanding and comfort when using OSINT tools
Information Gathering: Information found includes one or more of the following:
Location in the last 30 days (not including secLab), personal timetable, private blogs, passwords, any information found that is confidential and should not be public.
High quality of final write-up
ok then! hope this goes well (for me and Andrew :P)!