OSINT Toolbox Talk: Investigating email addresses, usernames and WhatsApp groups

OSINT Tool Review

Extracting Instagram user data with 'Toutatis'

https://github.com/megadose/toutatis

The number of OSINT tools for Instagram is considerably high, to the extent that the number of tools listed on GitHub far exceeds the number listed for other social media platforms, including Facebook, VKontakte and TikTok. Several factors account for this high volume of Instagram-focused tools. For example, Instagram’s source code makes it considerably easier to extract information and media, and the ratio of new users joining Instagram versus Facebook and others is quite significant. In this review, we have sifted through the collection of Instagram-focused OSINT tools to show you ‘Toutatis’, a lightweight but extremely effective tool that can extract public user information from Instagram accounts. When we say ‘public’ information, we are referring to user data that is visible to anyone, but also information that belongs to private accounts (provided that your sock puppet is following the target account).

Toutatis has been developed by the same individual behind ‘Holehe’, a highly effective Python-based script that can verify email addresses against 200 online sources. Our review of ‘Holehe’ applies equally to ‘Toutatis’: the developer clearly has attention to detail and has developed this tool in a way that is easy to deploy. One detail that we particularly like about this script is that it does not require your username and password. Instead, the user has to obtain the sessionID code, which can be found in the Application tab of the Developer console window in Google Chrome or Mozilla Firefox. This code is then supplied on the command-line interface alongside the target username being searched. Applying the sessionID means that ‘Toutatis’ latches onto the Instagram session within your browser window, bypassing the need to input your username and password during each search. Because the sessionID authenticates requests as the logged-in account, it should be handled as carefully as a password and taken from a sock puppet account rather than a personal one.

The script was tested against an Instagram profile created for our new office puppy – so by all means give him a follow! As you can see in the above image, the data extracted by the script was relatively comprehensive. The data extracted by the tool includes:

  • Username
  • Profile name
  • User ID
  • Whether the target is a verified account
  • Whether the target is a business account
  • Number of followers
  • Number of profiles following the target
  • Number of posts
  • Number of tags in the posts
  • Number of external URLs
  • Number of IGTV posts
  • Biography
  • Public Email (this can only be extracted provided that the privacy settings implemented by the user allow it)
  • Public Phone Number (again, this is dependent on the privacy settings or lack thereof for the target account)
  • Obfuscated Phone Number (this information is provided regardless of the privacy settings and consists of the country code and the last two digits of the number)
  • Profile Picture URL

To wrap up, ‘Toutatis’ is a really nice tool for Digital Investigators to include in their toolkit. The tool is lightweight, easy to install and easy to deploy against target Instagram users. The developer has done a great job with this tool and has clearly kept it focused so that it does not become over-burdened with capabilities such as media extraction. It is worth noting that Instagram continuously refines its security safeguards to protect user data; such safeguards are usually aimed at preventing tools from scraping Instagram user media. Therefore, the decision to focus this tool purely on user information, as opposed to media, is a good one. All in all, ‘Toutatis’ is a great tool that delivers very good results!
