OSINT Toolbox Talk: Investigating Telegram users / user-groups and extracting YouTube Metadata

OSINT Workflow

Developing and deploying effective Sock Puppets on social media


A Sock Puppet is a very important capability in the Digital Investigator’s arsenal. Whether it is to add a greater layer of anonymity to the Investigator’s online research or enable the covert gathering of evidence from target/s, the need for effective Sock Puppets is well established. However, to develop an effective Sock Puppet intended to conduct Covert Internet Investigation, the following tips are highly recommended:

  • Establish the scope of the investigation and design the Sock Puppet around it
  • Analyse your target/s thoroughly, take your time and build a profile of their interests and social network
  • Unless you seek to conduct soft / indirect research, avoid using an AI-generated persona
  • Develop your persona, be creative by creating convincing images that can be posted
  • Generate as much personal information as possible, but avoid publicising information that can be easily debunked
  • Be vigilant, apply the right amount of OPSEC required within the scope of the investigation and the environment you are working in
  • Pay attention to detail, research common names within the target/s locale and develop an intrinsic understanding of the area and local issues
  • Don’t rush, be patient, and develop connections amongst the target/s first and secondhand connections
  • Manoeuvre yourself tactically. Use your research to gradually position yourself within the target/s social circle
  • Log, collect and document everything that you do according to best practice evidence management processes
  • Protect your Sock Puppet by applying commonsense, become the person you are pretending to be

WHAT IS A SOCK PUPPET

Citing the web, a Sock Puppet is an online identity used for purposes of deception. However, it can be argued that Sock Puppets are more commonly used by Digital Investigators to maintain anonymity. That said, the use of Sock Puppets for deception – for example, in Covert Internet Investigations and Social Engineering – is a well-established, but a strictly controlled tactic employed by Private Investigators, Law Enforcement and other security agencies.

Now that we have established what a Sock Puppet is, we will now focus on the topic of this OSINT Workflow article and discuss the reasons as to why Digital Investigators should use Sock Puppets on social media and how they should be developed according to the scope of their investigation.

Please note, the use of Sock Puppets in this manner and within official settings (Law Enforcement / Government / Military) is often strictly regulated by legislation. Investigators should direct their attention to their national legislation before undertaking any activities on social media. The information in this article is for information / educational / research purposes only and should not be interpreted in any other way.

GETTING STARTED

Before jumping right in and creating a Sock Puppet social media account, you should assess the scope of the investigation, its desired outcomes and the personalities of the target/s. For example, if the scope of the investigation requires only a soft / indirect reconnaissance of subjects, not so much detail is required with regards to the development of the Sock Puppet. However, in special circumstances where Investigators are required to connect with a target/s, a significant amount of development is needed. For this OSINT Workflow article, we will focus on the latter.

RECONNAISANCE

The Investigator should analyse the target/s social media network, but to do so, a generic Sock Puppet that provides a good amount of anonymity should be used. Some social media platforms only require an email to create an account. Therefore, it is recommended that an email account be created on ProtonMail, then used to create a basic Sock Puppet account on social media. With the basic Sock Puppet now created, you can now analyse the target/s and get an understanding of their interests, potential shared connections and locations.

GENERATING THE PERSONA

Details, details, details. Pay attention to detail and spend extra time to develop a convincing persona.

With the focus of the digital investigation now firmly placed within the scope of connecting with the target/s to gather evidence, you should now focus on developing a credible persona from which to base the Sock Puppet on. Armed with information obtained by conducting research, you should create a name that is consistent with the location of the target. For example, if my target is located in my hometown of Llanfairpwll (the place with the longest name!), I would want to ensure that my surname is consistent with the local population. To do so, I will use Forebears to look at common names within that area.

Forebears showing common surnames in Llanfairpwll, UK

Forebears showing common surnames in Llanfairpwll, UK

It is a practice amongst some Investigators to use online persona generators such as Faker.js, Fake Name Generator and Random User Generator. Whilst I believe that these resources can be somewhat useful in investigations that require a soft or indirect approach, investigations that require a more direct and covert approach should be conducted by a more detailed and bespoke Sock Puppet. Also, it is a practice by some Investigators to use a single AI-generated profile picture on their Sock Puppet – in my experience, this a huge mistake and defeats the very object of what the Investigator should set out to achieve. Indeed, some social media platforms can detect when an AI-generated image has been uploaded to an account – this is very likely to trigger a red flag.

A previous Private Investigation that I undertook required that I connect with several environmental activists associated with attacks against business owners. The sole purpose of the investigation was to identify potentially incriminating evidence. To create the persona, a close friend and I altered our looks by growing our hair and facial hair, dressed according to the style of an environmental activist, then set out to create images of ourselves in different settings – paying particular attention to avoid objects and places that are easily identifiable. Using Adobe Photoshop, the images were altered to change or remove distinguishable features from our faces. The images were then ready to be used as uploads on social media – ensuring that the Sock Puppet was convincing enough. The key point of the anecdote is to ensure that you spend your time creating content that is convincing to the target.

CREATING THE SOCK PUPPET

In short, the trick is to ensure that a reasonable amount of convincing information is placed on the Sock Puppet, but it is kept as vague as possible.

Using the persona that we have created, including a convincing backstory, it is now time to create the Sock Puppet by repeating the process of using ProtonMail to create an email address and using it to register an account on social media. A small selection of media that should have been created by yourself can now be uploaded conservatively and used as a profile picture, cover image and status updates etc. Personal details which conform to the backstory should also be indicated on the profile; for example, name, date of birth, hometown, birthplace, education and occupation. It should be stressed that specific information such as workplace names should not be specified because a target/s could undertake their searches and quickly uncover this information to be a falsehood. Be sure to protect your Sock Puppet profile, make much of it private (including friends lists) – a public profile will give your target more time to study it and assess whether it is genuine or not.

One issue that is often presented to Investigators is the requirement by some social media platforms to have users verify their accounts by mobile phone number before they can be used. In many countries where the provision of mobile phone numbers for commercial and private use is strictly controlled, this can present a significant challenge. Some Voice over IP (VoIP) solutions such as Twilio have proven to be effective in this regard. However, it is always worth obtaining a burner phone – preferably with a SIM Card and number that cannot be easily traced to you.

OPERATIONAL SECURITY (OPSEC)

The biggest mistake that an Investigator can make is applying a ‘one-size-fits-all’ level of OPSEC which is often far too complex and too secure for most digital investigations.

You should apply commonsense and tailor your level of OPSEC according to the scope of the investigation and the environment from where it is being conducted. For example, in an investigation that may be politically or geopolitically sensitive, the utmost level of OPSEC is recommended. However, an investigation concerning Sexual Exploitation / Online Grooming will not require the same level of OPSEC; however, Investigators should ensure that they mirror the same level of OPSEC and associated processes as their target/s.

Another consideration for digital investigations is the use of VPNs. It is recommended that a VPN is not used to create a Sock Puppet as many VPN servers will have already been flagged by the social media platform. Also, it is recommended that the Sock Puppet is used consistently for at least 24 hours after account creation to ensure that it survives the first contact and does not get flagged for unusual activity. Thereafter, the use of a VPN is thoroughly recommended, especially if an investigation is being conducted from a different country to the target.

MANOEUVRING WITH MILITARY PRECISION

Do not go straight ahead and attempt to connect with your targets. Be patient, take your time, and manoeuvre..smartly.

Using the research we have obtained on our target/s during the reconnaissance stage, it is now time to begin positioning yourself close to them. Using the target/s interests, select some which appear somewhat relevant to the investigation. For example, if the target/s all like a social media page that is dedicated to their hometown; you should also like and follow that page. Spend your time to like and comment on posts – but remember, don’t provide specific information. Where a friendship naturally begins to evolve between yourself and another user, do not be afraid to connect with that individual. Over time, this strategy should begin to result in the creation of your social network – preferably with individuals who are mutual friends with the target/s. Also, make a point of looking at your target/s connections, should you identify connections who themselves have a network of over 1000 connections, it can be assumed that they are more likely to accept a connection request without proper due diligence. In this instance, it is recommended to send a connection request. The overall aim of this strategy is to build a substantial network of individuals who are connected with your target/s. Once you are confident that you have established your persona, backstory and social network; now is the time to attempt to connect with your target.

EVIDENCE COLLECTION AND AUDIT TRAILS

If in doubt, capture every minute activity that is undertaken, it is better to be safe than sorry.

Especially for official organisations, a detailed and comprehensive audit trail should be maintained throughout the course of the Digital Investigation. This should include dates and times covering the following key activities:

  • Email creation
  • Social media profile creation
  • Log-ons and log-offs
  • All interactions (likes, comments, direct messaging and connection requests)
  • Activities associated with the target/s

All of the above in addition to the Audit Log itself should be processed as evidence. Depending on the national rules and regulations specific to your country, it should ensure that evidence is collected, processed and stored accordingly. As a minimum, evidence should be captured, hashed and logged within a Chain of Custody log.


Let's talk today Are you ready to begin discussing our range of training and capability development solutions?