This OSINT Toolbox Talk is our most interesting yet as we round up three awesome OSINT tools that come highly recommended. The tools include Holehe, a powerful Python script that enables Digital Investigators to verify email addresses across a substantial number of websites and social media platforms. What we particularly like about Holehe is that it has been further developed into a Maltego transform – adding greater flexibility for investigators who prefer to base the majority of their OSINT activity through Maltego. We will also introduce IG Follower Export, a neat Google Chrome extension that provides investigators with the capability to extract Instagram user follower and following data and export it into a CSV. Last, but not least, we look closely at DumpItBlue+, a very impressive Google Chrome extension that provides investigators with the capability to export Facebook friend lists; parse comments, reactions and likes; extract follower lists; and parse Messenger contact lists.
Before getting started with DumpItBlue+, it should be pointed out that this extension was introduced to us by one of our followers on LinkedIn after we had published our OSINT Workflow article discussing how to extract and visualise Facebook friend lists. Therefore, a special thank you goes out to him for contributing to the OSINT community!
This OSINT Tool Review builds on our OSINT Workflow article by presenting an alternative tool that can be used to effectively parse through Facebook friend lists. However, a challenge that is quite often encountered by many Digital Investigators and OSINT Analysts is when Facebook targets do not have a public friends list. In that event, Investigators rely on other methods that can be used to generate a possible friend list for that target. Such methods include parsing through comments and reactions that are visible on the target’s profile in addition to their so-called follower list.
DumpItBlue+ enables Investigators to efficiently and effectively parse through such data and present it to us in a way that can be used to create the necessary Comma-Separated Value (CSV) lists and subsequent visual graphs. The extension itself comes equipped with several features:
- Flexible scrolling: This feature is far more effective when compared to other extensions such as ‘Webpage Auto Scrolldown’. With DumpItBlue+, the user can specify the type of window that it is required to scroll and adjust its behaviour accordingly. For example, the user can indicate that the page to scroll is a popup window containing a post’s likes / reactions or a Facebook Messenger contact list. Therefore, in the event that a Digital Investigator has conducted a Covert Internet Investigation and needs to export Facebook Messenger data to an effective analysis tool such as Paliscope YOSE, DumpItBlue+ provides this capability very easily. Additionally, the user can also specify a scrolling limit (by count or by date) – ensuring that the data that is collected is relevant to the investigation.
- Expanding: Here, the Investigator can specify whether DumpItBlue+ should expand on all posts, comments / replies and additional posts. Again, this feature is very useful as it saves a lot of time by ensuring that the Investigator does not have to manually click on each post / comment to reveal more potentially crucial information.
- Removing: This is also a handy feature that enables the Investigator to remove information that holds no real value from being displayed on the screen such as the Top Bar and Write Comment Boxes.
- Dumping: Undoubtedly, this is the feature we are most interested in. Here, DumpItBlue+ will parse through the target profile, extract it, and present it to us within a separate browser window. The data can then be transformed into a CSV list either by copying / pasting or by using another extension. The dumping feature is the most flexible extension-based data extraction tool by far. DumpItBlue+ enables the user to specify the target page and adjust its behaviour accordingly. Currently, it recognises friend lists, page contributors, newsfeed likes, mutual friend lists, group member lists, messenger contacts and image albums. The data that DumpItBlue+ extracts can then be used within a visual analysis tool. During our test, we used the highly powerful data analysis tool Paliscope YOSE.
Additional features offered by DumpItBlue+ include the capability to isolate the scroll function to certain page types. Lastly, users can also input a time delay to ensure that investigative activity avoids being flagged by Facebook.
As for visualising the data extracted by DumpItBlue+, we opted to use the new YOSE beta version by Paliscope. Using multiple data extracts such as Facebook friend lists, group member lists and chat extracts, YOSE was able to present all of the data in a very smooth visual intelligence interface; the results of which were out-of-this-world! If you haven’t tried the products by Paliscope yet, then we certainly recommend doing so by contacting the team directly: firstname.lastname@example.org.
Following on from our previous review of a highly effective Google Chrome extension that can extract Facebook friend lists alongside a wide array of data of intelligence value, this latest OSINT Tool Review will focus on a similar tool that can be deployed against public Instagram profiles. IG Follower Export is one of several Google Chrome extensions that provides Digital Investigators with the capability to extract information from public Instagram profiles. The extracted data can be used in a variety of ways, though it can undoubtedly be used within a data visualisation interface such as Paliscope YOSE.
The extension’s developers indicate on the Google Chrome Web Store that it provides a range of capabilities including:
- Export followers lists to CSV
- Export following lists to CSV
- Extract user profile data including follower and following count, biography and public Email
- Verify whether follower and following users are verified
As is normally the case when dealing with private profiles, the extension can be used to extract information from such profiles provided that the sock puppet account used with the extension is connected with the target. Therefore, the use of an effective Sock Puppet is certainly recommended for Digital Investigators that require the capability to extract data from private Instagram profiles – a very useful guide can be viewed here.
Using the extension was somewhat effective. In terms of main output – namely follower and following lists – the extension was capable of extracting this type of data from Instagram profiles. However, a word of warning: the tool has no real mechanism to avoid being detected by Instagram’s security features; this means that if you are extracting data from more than a couple of profiles, it is very likely that Instagram will detect suspicious behaviour and lock your account. During our tests of the extension, our Sock Puppet was locked out on several occasions. On each occasion, the extension would display a ‘time-out error’. At first glance, it appeared as though there was a glitch in the extension itself. However, the source code showed that the error was attributed to profile lock-outs instead.
All in all, IG Follower Export Tool provided some very useful outputs that were subsequently processed through Paliscope YOSE in order to produce quality visual intelligence. The extension itself is not packed with features when compared to other social media data extraction tools such as DumpItBlue+. That aside, IG Follower Export Tool is let down by the enhanced security features that exist on Instagram; these security features have undoubtedly been developed very comprehensively, to the extent that Digital Investigations on Instagram have become very difficult indeed.
Manually investigating email addresses can be a tedious task especially when faced with the prospect of manually verifying whether an email address has been registered on individual websites. At the same time, this process is fraught with a very serious risk – one wrong move can trigger a red flag and warn the target. One solution to this problem is Holehe, a very neat Python-based script that enables Digital Investigators to check whether an email address is used across several online sources such as social media, shopping and adult-oriented websites. The full list is quite extensive, but it includes:
Cyber / Software-Related
- Code Igniter (Forum)
- Code Academy
- Office 365
Installing and deploying Holehe within a Command-Line Interface environment is very easy – making this one of the more easy-to-use, but highly powerful Python scripts available. The script works by taking the email address that the user has specified and verifying the address through the ‘lost password’ function. The target is not warned of this action; for example, the target will not receive a password reset email. Many readers will now be wondering why popular social media platforms such as Facebook are not included within Holehe’s list of online sources; this is because a ‘lost password’ request on Facebook will naturally trigger a warning to the user. Other webpages are likely to have enhanced privacy measures, which means that a ‘lost password’ submission will not verify an email address. For example, if we were to submit a ‘lost password’ request to codecanyon.com, the website will respond with something like “If a matching account was found, an email was sent to email@example.com to allow you to reset your password”. In this instance, this is not ideal for Holehe – or us, the Digital Investigators – because the website’s response neither confirms nor denies the existence of an account registered to our target email address.
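From the side of a website operator, the difference described above comes down to whether the ‘lost password’ response changes with the address submitted. The following Python sketch is an added example, not code from Holehe or from the original article; the handler names, the in-memory user store and the sample addresses are constructed for illustration.

```python
import hashlib
import secrets

# Constructed sample data: a toy user store and a stand-in for the mail queue.
USERS = {"alice@example.com": {"reset_token_hash": None}}
OUTBOX = []

# Modelled on the neutral wording quoted above, without echoing the address.
NEUTRAL = ("If a matching account was found, an email was sent "
           "to allow you to reset your password.")


def _issue_token(key):
    """Create a reset token, store only its hash, queue the raw token for email."""
    token = secrets.token_urlsafe(32)
    USERS[key]["reset_token_hash"] = hashlib.sha256(token.encode()).hexdigest()
    OUTBOX.append((key, token))


def reset_leaky(email):
    """Weak form: status code and body reveal whether the address is registered."""
    key = email.strip().lower()
    if key not in USERS:
        return 404, "No account is registered with that email address."
    _issue_token(key)
    return 200, "A password reset email has been sent."


def reset_uniform(email):
    """Hardened form: identical status code and body for every address."""
    key = email.strip().lower()
    if key in USERS:
        _issue_token(key)
    else:
        # Roughly comparable work for unknown addresses, so response time
        # is not an obvious second signal (an approximation, not a guarantee).
        hashlib.sha256(secrets.token_urlsafe(32).encode()).hexdigest()
    return 200, NEUTRAL


def leaks_registration(handler, known, unknown):
    """Self-audit: True if the response for a known address differs from
    the response for an unknown one."""
    return handler(known) != handler(unknown)


if __name__ == "__main__":
    for handler in (reset_leaky, reset_uniform):
        leaks = leaks_registration(handler, "alice@example.com", "nobody@example.com")
        print(f"{handler.__name__}: leaks registration = {leaks}")
```

Running `leaks_registration` against a staging copy of a real reset endpoint, with one seeded and one unseeded address, is a quick regression check that the neutral behaviour has not been lost in a later release.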
So, what we like about Holehe: it is easy to install and deploy. For such an easy installation, Holehe packs quite a lot of power and provides users with very useful results. The tool has been further developed into a Maltego transform – this is certainly ideal for Digital Investigators who use Maltego. There are downsides to using the tool – none of which are the fault of the developers. For example, many web pages have now implemented rate-limiting mechanisms that prevent scripts such as Holehe from obtaining user data. To address this, the developers suggest that users simply use a VPN and change the IP address during each scanning cycle. Another downside is the eventual prospect that most web pages will implement additional safeguards concerning password resets, such as the example indicated in the preceding paragraph. All that aside, Holehe is a great tool; it has been well-crafted and delivers the results that Digital Investigators expect. It is easy to install, quick to use and very powerful in terms of results. Most certainly, Holehe is a highly recommended tool for any OSINT toolkit.