OSINT Toolbox Talk: Investigating Minecraft users and extracting company employee data from LinkedIn

OSINT Toolbox Talk

Investigating Minecraft users and extracting company employee data from LinkedIn

In this latest OSINT Toolbox Talk, we look closely at three very neat tools that can be used by Digital Investigators to extract data from a variety of social media platforms including Facebook, Instagram, LinkedIn and Minecraft. Our first tool, ‘CrossLinked’ is a lightweight Python-based script that enumerates company employee data by extracting LinkedIn information from search engines. Our next tool is IRIS-OSINT, another Python-based script that shows great potential in reducing investigation workloads because it can run multiple searches simultaneously. What we really like about IRIS-OSINT is its capability to search Minecraft usernames – which is particularly useful since Minecraft has been used to distribute illegal content. Lastly, we will introduce ‘Facebook and Instagram OSINT’, a Firefox plugin that makes investigations on Facebook and Instagram much easier.

Enumerating company employee data from LinkedIn company pages with 'CrossLinked' Enumerating company employee data from LinkedIn company pages with 'CrossLinked' https://github.com/m8r0wn/CrossLinked

LinkedIn remains a treasure trove of highly valuable information regarding businesses and businesspeople. Digital Investigators often use LinkedIn as their starting point for any investigation of a corporate / financial crimes nature. Whilst there are several OSINT resources available from the Github repositories that can help investigators with regards to LinkedIn – they vary considerably in capabilities. At the same time, Microsoft has taken steps to apply greater security restrictions such as rate-limiting to prevent user data from being harvested by third-party tools. However, in this OSINT Tool Review, we will introduce ‘CrossLinked’, a lightweight Python-based script that has somewhat of an effective capability concerning investigations on LinkedIn.

CrossLinked is a LinkedIn enumeration tool that conducts searches on search engines and scrapes relevant information from results. This means that the script itself does not access nor scrape directly from LinkedIn – thus avoiding detection from the platform’s security systems. The script outputs its results in a TXT file which can of course be used as a starting point for individual investigations.

The script itself is relatively flexible, it can allow the user to apply timeouts per search, apply jitters between each request, customise search arguments by adding a header, specify which search engine to use and only parse names that contain the company name in the title. What we especially like is that the script’s developer has implemented proxy support, enabling users to mask their traffic with a single proxy by adding a --proxy argument within the command-line interface. For users that want to use multiple proxies and rotate through them, this can be achieved by creating a proxies.txt file and adding that file to the aforementioned argument.

Overall, the script is lightweight, simple to use and very straightforward to deploy against targets. The output is somewhat effective – inevitably several false positives were contained within the output file. However, our tests found that the script successfully identified the majority of employees working across several medium-sized enterprises – indicating that the script is relatively accurate and can be used to establish a starting point for an investigation against a particular company. Admittedly, the false positives produced by the script is essentially a trade-off when taking into account that it does not directly communicate with LinkedIn. Nevertheless, for what the tool aims to do, it is quite effective.

Investigating usernames, people, emails and domains with IRIS-OSINT Investigating usernames, people, emails and domains with IRIS-OSINT https://github.com/IRIS-Team/IRIS

Multipurpose OSINT tools are considerably varied with regards to capabilities, and many of them can also be very tricky to install, configure and deploy through command-line interfaces. This is certainly a positive feature for novice Python users.

IRIS-OSINT is a very new OSINT tool that caught our eye after we were researching OSINT solutions that could identify and extract Minecraft usernames. After several tests of this Python-based script, it became very apparent that it provides a very broad range of investigative capabilities. Indeed, it is apparent that the tool will continue to grow in terms of features. Currently, this tool can:

  • Get Minecraft account information by username/UUID
  • Get NameMC profile information by Minecraft username/UUID
  • Get Plancke account information by Minecraft username/UUID
  • Look up an email or username with the WeLeakInfo API
  • Lookup names and addresses by domain name
  • Lookup published doxxes from the DoxBin site
  • Extract IP-addresses from Ome.TV
  • Extract email-addresses of Typeracer users by username
  • Query the Canadian 411 service and lookup Canadian citizens’ public information by name/address/phone number
  • Query the 118 service and lookup Danish citizens’ public information by name/address/phone number
  • Query ‘Krak’ and lookup Danish citizens’ public information by name/address/phone number
  • Extract Discord account information by token
  • Extract GitHub account information by username
  • Extract Keybase account information by username
  • Identify and extract information from profiles on solo.to
  • Extract Twitter account email and phone number from usernames

Undoubtedly, the capabilities of this tool are considerably extensive and varied. What we particularly like is its capability to extract a wide range of account information from Minecraft, which remains a space used by sex offenders seeking to groom children and vulnerable people. Another feature we like is the tool’s capability to easily extract information from Discord, Github and Twitter profiles. Whilst its capability to query public listing services in Canada and Denmark is somewhat useful as it removes the need for the Digital Investigator to run searches from the browser, we do believe that this capability could be better served.

Positive aspects aside, the script’s Github repository does not contain detailed instructions for users. Whilst the script is incredibly easy to install and configure through the command-line interface, the developers should prioritise the production of instructions before expanding the tool’s investigative capabilities further. To understand how to use the tool and view all of the available modules, we queried the tool’s help index using the ‘help’ command.

Overall, IRIS-OSINT is an effective multipurpose script that provides a good range of investigative capabilities. Unfortunately, the tool isn’t easy to deploy when taking into account the absence of user instructions on Github. That aside, we believe that this tool has great potential and should be included in every Digital Investigator’s toolkit.

Identifying and extracting data with the 'Facebook and Instagram OSINT' add-on Identifying and extracting data with the 'Facebook and Instagram OSINT' add-on https://addons.mozilla.org/en-US/firefox/addon/facebook-instagram-osint/

There is an abundance of OSINT Tools that are focused exclusively on Facebook and Instagram; however, their capabilities are generally quite varied. In our more recent articles, we looked closely at browser extensions including ‘DumpItBlue+‘ and ‘IG Follower Export Tool‘, each provided an effective capability for Digital Investigators and OSINT Analysts to obtain a good amount of data from Facebook and Instagram respectively. In this OSINT Tool Review, we look at another browser extension – ‘Facebook and Instagram OSINT’ – a lightweight Mozilla Firefox-based add-on that is designed to work against Facebook and Instagram profiles.

The add-on itself is very simple to use and comes with clear instructions with regards to how it can be used against Facebook and Instagram profiles. According to the Mozilla Firefox add-on repository, it has the following features / capabilities:

Facebook :

  • Copy current Facebook ID to the clipboard
  • Get any Facebook ID
  • Get mutual friends between two accounts
  • Inject ID directly into the webpage

Instagram :

  • Get Instagram ID
  • Get public email and phone number
  • Get obfuscated email and phone number
  • Inject user information directly into the webpage

During our test, we found that the add-on does lack the punch that we have found with other plugins such as ‘DumpItBlue+‘ and ‘IG Follower Export Tool‘. However, what we do like about this add-on is its capability to let investigators easily view mutual connections that exist between two Facebook profiles. At this point, we should make it clear that this feature only works either on public Facebook profiles, or profiles that are directly connected to the investigator’s sock puppet account. At the same time, identifying Facebook user ID’s can be somewhat of a long-winded task for investigators – especially when target profiles have their own custom URL. However, this tool certainly makes it much easier for investigators to identify and extract Facebook user ID’s.

To conclude, ‘Facebook and Instagram OSINT’ is a neat browser extension that provides investigators with a few useful capabilities that can be used to enhance social media investigations and identify relationships between two Facebook user profiles. This add-on can easily be used alongside other tools such Instant Data Scraper and Gephi – allowing investigators to extract data from Facebook and graphically visualise relationships. At the same time, its ability to extract data from Instagram certainly places it on par with some comparable browser extensions, enabling investigators to obtain data that may well be of investigative significance. All-in-all, ‘Facebook and Instagram OSINT’ is a useful tool that can certainly add value in the context of a social media-based investigation.

Let's talk today Are you ready to begin discussing our range of training and capability development solutions?