OSINT Toolbox Talk: Extracting online media and investigating ProtonMail and Twitter

OSINT Toolbox Talk

Extracting online media and investigating ProtonMail and Twitter

This is the first of many OSINT Toolbox Talks by OS2INT; for our first, we will be taking a close look at three effective tools. The first is an effective extension-based media extractor called DownThemAll; which I have personally put to use during several Digital Investigations concerning illegal and CSE material. The second tool we will look at is tinfoleak, a very comprehensive Twitter analysis tools that enables investigators to scrape content from individual accounts, hashtags or geolocations; then output a detailed report based on collected data. Lastly, we will talk about Protosint, an easy-to-use Python-based script that allows investigators to test the validity of a ProtonMail account, obtain account creation dates and indicate whether an IP address is associated with ProtonVPN.

ProtOSINT: Investigate ProtonMail accounts and ProtonVPN IP addresses ProtOSINT: Investigate ProtonMail accounts and ProtonVPN IP addresses https://github.com/pixelbubble/ProtOSINT

ProtOSINT is a nice and easy-to-use Python tool that provides investigators with three important capabilities. The first capability allows the investigator to test the validity of a single ProtonMail account, providing a clear true or false response. The second capability requires the investigator to input the first and last name of a target in addition to a series of Pseudos; the tool then returns a series of possible accounts which match the inputted details and indicates whether the accounts are active and when they were created. The final capability that this tool provides is the ability for the investigator to identify whether an IP address is currently affiliated with a ProtonVPN.

The one downside to this tool is that it does not always give you the creation time of the ProtonMail account itself. The timestamp returned by ProtonMail API is the time and date when the primary PGP key for the email was created. That said, it is very easy to install and deploy – more importantly, it does not require much user input.

tinfoleak: Twitter analysis tool tinfoleak: Twitter analysis tool https://github.com/vaguileradiaz/tinfoleak

Tinfoleak is a very impressive tool used to automate the extraction of information from Twitter and enable OSINT practitioners to conduct essential analysis against extracted data in addition to Twitter accounts. The tool is well equipped to scrape user accounts and Tweets within a set geolocation. The tool outputs a comprehensive report which includes the following key information:

  • Account info / User Activity / Protected Accounts / User Relations
  • Source Applications / User Devices / Use Frequency
  • Hashtags / Mentions / Likes
  • Text Analysis / Words Frequency / Media / Metadata
  • User Visited Places / User Routes / User Top Locations
  • Social Networks / Digital Identities
  • Geolocated Users / Tagged Users
  • Followers / Friends
  • Lists / Collections
  • Conversations

Installation of the tool is very straightforward on Python, the only time consuming and frustrating process is opening a Twitter Developer Account and obtaining API keys. Once the keys are assigned to the tinfoleak config file, the program is very straightforward to execute and deploy. The results of which are very impressive.

DownThemAll: Media extraction tool DownThemAll: Media extraction tool https://www.downthemall.net/

DownThemAll is a browser Add-On that I have put to good use during several Digital Investigations. Initially, the Add-On was exclusive for Mozilla Firefox, but is now available for Google Chrome and Opera, which is good (depending on your browser of choice of course!). I personally prefer using Mozilla Firefox due to the range of effective Add-Ons that can be used for OSINT purposes. DownThemAll is a bulk media downloader that lets you download all content from a website in a few clicks. Unlike other bulk media downloaders, it is configured so that it can parse through images which are contained within linked pages. For example, not too long ago, I led with an investigation of several old Geocities (yes, Geocities!) webpages that had been archived on the WayBackMachine. HTML markups which were dreadfully common in the late 1990s and early 2000’s included embedding single images on a separate HTML page – adding to the complexity, the images were also wrapped within an tag which redirected on itself. Using DownThemAll – especially on archived Geocities pages – was very effective and enabled me to extract batches of images from target pages.

When using DownThemAll on a target webpage, the Add-On will also provide some meta data including ‘Title’ and ‘Description’ assigned to the image. The tool also has a simplified and advanced filtering capability, allowing the investigator to select Images, Videos or other media through the use of Regular Expressions.

DownThemAll is particularly effective for Digital Investigations that requires bulk media to be collected – this is especially the case when dealing with cases concerning offensive or illegal material. However, the main drawback to this tool is that it is not effective on popular social media platforms including Facebook, Instagram and VKontakte. However, in upcoming reviews, we will look at media collection tools that can be easily deployed on target social media profiles.

Let's talk today Are you ready to begin discussing our range of training and capability development solutions?