OSINT Toolbox Talk: Investigating email addresses, usernames and WhatsApp groups

In this latest OSINT Toolbox Talk, we will review three of the most effective OSINT tools tested by the OS2INT team over the course of the previous week. We will start with the amazing iKy, a slick tool that can be installed and deployed using Docker in order to investigate email addresses – this tool is most certainly a must-have! Next, we will look at ‘UserFinder’, a Unix Shell Script that can enable Digital Investigators to analyse usernames across several useful online sources. Lastly, we will introduce ‘WhatScraper’, a lightweight Python-based script that can enable users to find WhatsApp groups through a series of searches. Stay tuned for next week when we will look at additional tools including Scrummage, a powerful web application that can streamline OSINT workflows!

Advancing your email investigations using iKy
https://github.com/kennbroorg/iKy

At OS2INT, we only review the most impressive OSINT and Digital Investigations tools. However, for this article, we bring our readers something truly awesome – iKy – a heavyweight multi-framework tool that packs an enormous punch with its impressive frontend user interface in addition to its range of OSINT modules included within the framework. In short, iKy is a tool that collects information from an email and shows results in a nice visual interface. According to its Github repository and its own webpage, iKy was created as a Proof Of Concept for Ekoparty 2013. As interest in the tool increased, the developers released the source code intending to develop the tool even further.

The tool’s design is based on ngx-admin, which is built on the Angular 7 framework – making the user interface very fast and clean in its overall construction. The tool’s backend is written in Python whilst NodeJS is used to manage the source code. Generally, installing and deploying the tool from scratch is quite complicated for novice OSINT’ers. However, the developers have gone the extra step to make the tool compatible with Docker – enabling users to quickly and effectively install and deploy the tool through the Docker interface. Once the tool is installed, users can configure a range of API keys from the following resources:

  • Fullcontact
  • PeopleDataLabs
  • LinkedIn
  • Instagram
  • HaveIBeenPwned
  • Emailrep.io
  • Leaklookup
  • Twitter
  • Spotify
  • Twitch

With the APIs configured, the tool can investigate email addresses and verify whether a target email address is associated with the aforementioned resources. What makes this tool even more powerful is its integration with other highly effective Email OSINT tools including Holehe, SocialScan and Sherlock. Going even further, the user interface presents the user with a link analysis-based visual interface for each target search. Adding to the tool’s analysis capabilities, another section of iKy allows comparisons to be made between Twitter accounts (with the possibility of repeating the same one) in different time periods.

We could spend all day writing about iKy and all of its awesome features, but we strongly feel that Digital Investigators should try out the tool themselves and make their own conclusion. This tool combines the powerful capabilities of three separate Email OSINT tools in addition to several advanced native search functions, then displays the results in a very neat analysis-focused user interface. Overall, this tool comes with our highest recommendation.

Investigating usernames across 30 online sources with 'User Finder'
https://github.com/machine1337/userfinder

Username search tools are considerably varied in numbers and capabilities. In fact, the majority of OSINT tools hosted on Github are focused on investigating and verifying usernames. However, in the case of ‘User Finder’, the focus of this latest OSINT Tool Review, the sources that this tool searches against are considerably different to those found on other scripts. Another feature that is also different with regards to ‘User Finder’ is that it is a lightweight Unix Shell Script that can be installed and deployed through any Unix operating system such as Kali. This alone can make the tool appear less attractive for Digital Investigators who are not so comfortable with working within a Unix environment. However, in this OSINT Tool Review, we will show how we used this script within Windows via a Kali command-line interface.

So, what do we like about this tool? It is comparatively faster than Python-based scripts. Also, it searches across 30 online sources (many of which are unique to this script) including:

  • Social Media: Facebook, Instagram, Twitter, YouTube, Reddit, LiveJournal and Blogger
  • Video Streaming: Vimeo and Dailymotion
  • Project Management and Communications: Basecamp, Slack and KeyBase
  • Travel: TripIt and Tracky
  • Software / Development: Github, IFTTTM, ColourLovers and CodeMentor
  • Tech: HackerNews
  • Writing: Hubpages, Scribd, Medium and SlideShare
  • Art: Ello
  • Dating: OKCupid
  • Commerce: Ebay
  • Music: Spotify and Bandcamp
  • General: Wikipedia and Pastebin

Deploying ‘User Finder’ can be achieved by downloading, installing and running the script natively within a Unix operating system such as Kali or one of its associated distributions. Understandably, this can be uncharted territory for many Digital Investigators who are uncomfortable at the prospect of using a completely different operating system to Windows. Instead, Digital Investigators can download and install the Kali shell framework directly from the Microsoft Store. Once installed, the only prerequisite that needs to be downloaded is Git, which can be achieved by invoking sudo apt-get install git, then cloning ‘User Finder’ with the command git clone https://github.com/machine1337/userfinder. Installing and deploying ‘User Finder’ can then be achieved by following the instructions indicated within the script’s Github repository.

To sum up, ‘User Finder’ is a fast and effective tool that can be used to verify usernames across a wide range of sources that are not featured within other comparable tools. However, what we particularly like about this script is that it shows great potential, to the extent that additional sources can be added to the script very soon. Whilst it can be argued whether or not the tool should be developed within a Python framework, we believe that as a Unix Shell Script, the tool is much faster and somewhat easier to deploy.

Identifying WhatsApp groups with WhatScraper
https://github.com/TheSpeedX/WhatScraper

OSINT tools that can be used to discover and investigate WhatsApp groups are few and far between. This is somewhat due to WhatsApp maintaining a high level of privacy controls for its users. This is most certainly a sticking point for our partners in EU Law Enforcement when conducting investigations on WhatsApp and Telegram. Whilst some services can effectively scrape data from public Telegram groups – WebIQ being one highly effective provider – there remain significant issues with regards to investigations against WhatsApp groups and private Telegram groups. The primary question our readers may ask is ‘why does this matter?’ A LinkedIn article by Carolina C, a Child Sexual Abuse Material (CSAM) Independent Researcher and CSAM Compliance expert, rightly points out that the distribution of CSAM via instant messaging platforms such as WhatsApp and Telegram is on the increase. Explaining this increase is the general view amongst abusers and paedophiles that the Dark Web has become an unsafe space, due to the increased success of several Law Enforcement authorities in taking down platforms used in this regard.

Moving forward to the focus of this OSINT Tool Review, we introduce WhatScraper, a lightweight Python-based script that remains in development. As of now, it has the capability to scrape WhatsApp group links from Google search results and output those links into a file. To date, the tool can:

  1. Search and identify groups
  2. Scrape from links within Google searches
  3. Multithread search results

Some of our readers will by now be thinking that this tool does not provide any special capabilities. However, I would argue that it does enable the Digital Investigator to establish a starting point for any investigation into nefarious groups that exist on WhatsApp. Additionally, it should also be pointed out that the tool’s developer intends to add additional features to the tool in due course. These features will include:

  1. Enabling users to add proxies to the search
  2. Generalise searches based on keywords
  3. Add additional search engines – we most certainly recommend that the developers include DuckDuckGo and several regional search engines in this tool
  4. Improve the tool’s user-friendliness
  5. Develop a graphical user interface to the tool

So, it is clear that the developers are only just getting started with this tool and we certainly look forward to keeping a close eye on their progress! In terms of output, we were generally quite impressed with what the tool can achieve so far – by conducting several searches, we were able to identify several groups we suspected to be involved in the distribution of CSAM in addition to other potential nefarious groups. Most certainly, these group links can be used as a starting point for any Law Enforcement effort to investigate such groups. Overall, we recommend this tool based on its long-term potential and its capability to provide users with a comprehensive list of WhatsApp groups that can be subject to investigation.
