In our previous OSINT Tool Review, we took a close look at Instahunter, and how it can be used to extract user and post data from public Instagram profiles. That same article further indicated that the Python-based script was not able to extract media data from Instagram. In this OSINT Tool Review, we build on the last article by presenting Instaloader, another Python-based script that provides Digital Investigators and OSINT practitioners with the capability to extract media from Instagram profiles and output the media within a separate folder on your system.

Citing Instaloader’s Github repository, the contributors to the script indicate that it provides the following capabilities:

• Download public and private profiles, hashtags, user stories, feeds and saved media
• Download comments, geotags and captions of each post
• Automatically detect profile name changes and renames the target directory accordingly
• Allow fine-grained customisation of filters and where to store downloaded media
• Automatically resume previously interrupted download iterations

While the script itself does have the capability to extract media from private Instagram profiles, this is only possible if, for instance, you have a Sock Puppet account that is following the private profile. For insight with regards to developing effective Sock Puppets for investigative uses, you can read our OSINT Workflow article which discusses this topic at great length.

Deploying Instaloader within your Python environment is incredibly easy. The script itself is very flexible; for example, users can instruct the script what data to extract such as geotags, stories, hashtags, IGTV posts and tagged media. The default setting for the script is to extract all of the aforementioned data and output it as a JSON file alongside the corresponding media file. Where you need to extract media and associated data from a target profile that has been updated, Instaloader is flexible enough to enable you to do this by invoking the ‘–fast-update’ command. Returning to the subject of private profiles, Instaloader will require you to input your username and password in order to extract the target media. However, when logging in the first time around, Instaloader stores the session cookies in a file in your temporary directory. This session cookie will then be reused later the next time the ‘–login’ command is invoked. This means that you can extract media from private profiles non-interactively when you already have a valid session cookie file.

One issue that constantly arises with regards to the use of tools and scripts against Instagram targets is the rate-limiting feature that exists on the platform, this ultimately prevents us from extracting media in bulk. To address this, Instaloader has a logic to keep track of its requests to Instagram and defer subsequent ones – ensuring that Instaloader does not reach Instagram’s rate limits. However, as indicated in our previous article regarding Instahunter, Facebook continuously seeks to implement features designed to prevent us from collecting data from its platforms, including Instagram. This often means that programmers who produce quality tools and scripts such as Instaloader are faced with the constant need to address, or sometimes circumvent such features.

That aside, Instaloader is very easy to install, quick to deploy and does exactly what it is intended to do. During my tests, I found no issues in using the tool against public and private profiles. Looking through the Instaloader’s Github repository, it is clear to see that the contributors have consistently updated the script to account for various safeguards that Instagram has implemented since 2016. Therefore, I have every confidence that the Instaloader team will continue to maintain the script for its users. All-in-all, I highly recommend this tool for all Digital Investigators and OSINT practitioners.