This is our second weekly OSINT Toolbox Talk featuring a selection of OSINT tool reviews we have done throughout the course of the week. This week, we will look at three effective tools that Digital Investigators should add to their toolbox. The first is Reddit Analyzer, a neat Python-based script that easily acquires information concerning Reddit user accounts. The second is GHunt, an impressive Python script used to extract information from Google Accounts and Google Documents – a must-have tool in my opinion! Lastly, we will look at the Java-based application called YouTube Comment Suite and show how it can be used to scrape user comments from YouTube videos, playlists and channels.
I stumbled on Reddit Analyzer when a Digital Investigation that I was undertaking required that I be able to collect as much information from a single Reddit user account as possible. In my view, this tool is quite underrated for the simple fact that it is very easy to install and deploy through Python. Once it has been installed, the investigator is only required to input the target Reddit account and then let the tool do the rest of the work. The tool obtains the following information from a single account:
- Creation date and time
- Last user activity date and time
- Verification status and by what means
- Total number of comments
- Total number of ‘comment karma’ – the score you get for posting and commenting on Reddit – a good indicator of the account’s reputation amongst other Reddit users
- Total number of links shared
- Total number of ‘link karma’
Whilst the above is considered very useful information for an investigator in itself, the most useful feature is the tool’s ability to present in a graphical format the location and number of comments that the target has posted within different Sub-Reddits – user-created areas of interest or chat forums where discussions are organized.
Whilst Reddit Analyzer is a very useful and easy-to-use tool, the output from which I consider to be very actionable, I do believe that there is a lot of space for tools of this kind to be further developed. For example, in the case of Reddit, the capability to extract comments associated with a user account and providing a timeline or time/date visualisation of comments across Sub-Reddits would be highly valuable intelligence.
GHunt is quite a neat script that evolved quite considerably since September 2020. What is immediately evident is that it has been consistently maintained by the developers, who themselves are very responsive when addressing bugs.
The script itself is a modulable OSINT tool that enables Digital Investigators to information that lies behind a Google email account and Google document. The Email module enables the discovery of:
- Account owner’s name
- Google ID
- The last time that the profile was edited – This is quite useful when attempting to discover whether a target account is active
- Profile picture – Please note that this feature is limited when using the script in Docker
- Google Hangout Bots discovery
- Activated Google services such as YouTube, Google Maps, Google News360 and others)
- Possible YouTube channel – This is somewhat useful, though the search process behind this feature appears to be based on the account owner’s name and other possible usernames (as indicated below). In my experience, the tool could benefit from basing the search on other identified metrics or allowing the Digital Investigator to input custom search parameters.
- Possible other usernames
- Google Map reviews – This is useful with regards to investigations that require geolocations. However, this feature naturally only works if the reviews are set to public (which they are by default)
- Possible physical location – This feature appears to be based on the aggregation of Google Map reviews and providing the Digital Investigator with a range of most reviewed places
- Google Calendar Events – This feature also requires the user to have this feature set on public
With regards to the Google Documents module that exists on the script and allows Digital Investigators to discover documents associated with the Google Account, GHunt enables the following information to be collected:
- Document owner’s name
- Document owner’s Google ID
- Document owner’s profile picture – Again, this feature is not available when using the script on Docker
- Document creation date
- Document last edited date
As acknowledged by the script’s contributors, GHunt has lost the capability to search for Google Photos albums. This issue is currently being addressed though it remains unsure whether this issue is attributed to a bug or a new security feature implemented by Google.
Installation of this script is somewhat straightforward either on Python or Docker. For this review, I opted to use Docker to automatically build and deploy GHunt. The process was seamless with no issues whatsoever. However, the tool requires five Cookies from Google to generate an authentication token. Finding these cookies was very easy by logging into my Google Account then using the ‘Inspect / F12’ feature on Google Chrome and navigating to ‘Applications’. From here, I could copy and paste the required Cookies into the authenticator generator script named ‘check_and_gen.py’. After this, deploying the tool against a target was flawless with instant results – as the image above shows.
In summary, I would recommend the use of this tool in Digital Investigations. Whilst it would be a shame if the tool loses the capability to identify Google Photos albums associated with a Google Account, I do believe that the remaining features are more than effective.
YouTube Comment Suite is a Java-based application that enables Digital Investigators to aggregate user comments from YouTube videos, playlists and channels. The tool offers quite an effective capability when conducting investigations on YouTube. For example, YouTube online grooming remains an issue as more young people use the video-sharing platform to create video content. With this tool, Investigators can quickly and efficiently identify suspicious comments on videos. More importantly, the tool can allow you to group videos and continuously scrape for newer comments. Additionally, the tool provides actionable outputs by enabling you to search through a user’s comment history over single or multiple channels. The main features of the tool include:
- An in-built search tool that allows you to search across the library of YouTube videos.
- A video group management feature that provides an easy interface to add or remove videos from groups.
- An effective search capability that enables you to search across comments by video, type, username, keyword, length, and date.
- An export function that enables comments to be exported to JSON.
- A comprehensive display that outputs statistics concerning individual videos including posts per week, most active posters, most popular posters.
Installing the tool is very easy. Users need to download and install Java 8 or higher to run YouTube Comment Suite. Once running, the tool is very self-explanatory and easy to use – certainly a must-have in my opinion!