Intelligence Gathering with Open-Source Tools
Intelligence gathering is becoming increasingly important to organizations today. In addition to the Internet, they are also using the Deep Web and Dark Web to gather the kind of information that would help them gain an edge over their competitors. But what exactly is intelligence?
The term intelligence simply refers to gathering raw data (e.g. text, images, video) and processing that data into an intelligent data set.
How would you define intelligent data? It is data that has been processed to the point where an organization can base a decision on it.
The aim of this blog is to discuss gathering intelligence from the Internet, what the different types of intelligence are, and how and from where we can gather the information. Alongside the discussion, I’ll list some challenges that readers can undertake on their own by searching online, and I’ll demonstrate how intelligence practitioners apply specific investigative techniques.
Let’s get started.
What is Intelligence?
Data and information come in many forms, from official foreign government meetings and open source internet articles to satellite imagery and highly technical equipment specifications.
Intelligence can be described as information concerning anything of interest, together with the evaluated conclusions drawn from that information to support decision making. For organizations, it also covers protecting processes, products, persons and the organization itself against the unauthorized disclosure of sensitive data.
Different types of Intelligence Gathering
Note: Definitions taken from Wikipedia.
- Threat Intelligence: Threat intelligence is knowledge, skills and experience-based information concerning the occurrence and assessment of both cyber and physical threats and threat actors that is intended to help mitigate potential attacks and harmful events occurring in cyberspace.
- Human Intelligence (HUMINT): Human intelligence is intelligence gathered by means of interpersonal contact, as opposed to the more technical intelligence gathering disciplines such as signals intelligence, imagery intelligence and measurement and signature intelligence.
- Geographical Intelligence (GEOINT): Geographical intelligence is intelligence about human activity on earth derived from the exploitation and analysis of imagery and geospatial information that describes, assesses, and visually depicts physical features and geographically referenced activities on the Earth.
- Measurement and Signature Intelligence (MASINT): Measurement and signature intelligence is a technical branch of intelligence gathering, which serves to detect, track, identify or describe the distinctive characteristics of fixed or dynamic target sources.
- Open-Source Intelligence (OSINT): Open-source intelligence is the collection and analysis of data gathered from open sources to produce actionable intelligence.
- Technical Intelligence (TECHINT): Technical intelligence is intelligence about weapons and equipment used by the armed forces of foreign nations. The related term, scientific and technical intelligence, addresses information collected or analyzed about the broad range of foreign science, technology, and weapon systems.
- Signals Intelligence (SIGINT): Signals intelligence is intelligence gathering by interception of signals, whether communications between people or electronic signals not directly used in communication.
- Financial Intelligence (FININT): Financial intelligence is the gathering of information about the financial affairs of entities of interest, to understand their nature and capabilities, and predict their intentions.
- Social Media Intelligence (SOCINT): Social media intelligence refers to the collective tools and solutions that allow organizations to analyze conversations, respond to social signals and synthesize social data points into meaningful trends and analysis, based on the user’s needs.
The main focus of this blog is OSINT, GEOINT and HUMINT. In future posts I’ll try to cover the other intelligence disciplines, with some practical material, to give readers greater insight.
Objectives of Intelligence Gathering
- Planning and direction: identifying the organization’s requirements and time frame
- Collection and acquisition: identifying the sources of the information
- Processing and integration: turning data into information and verifying it against different sources
- Exploitation, analysis and production: the point at which information becomes intelligence
- Supporting decision and policy making processes
- Delivering the final output to the client
Intelligence Gathering Process
- Passive Method: gathering information without directly leaving any traces. For example, we gather the data without logging in or otherwise interacting with the target.
- Active Method: directly interacting with the resource. For example, we have to create an account to view the full content.
Basic Requirements to get Started
- Puppet accounts (necessary, as we don’t want to reveal our true identity)
- An objective
- Analytical and Observational Skills
- Surfing the Internet with a free but alert mind
- Searching extensively
As you practice, you learn
I wouldn’t like to cover the theory first and only then move on to the demonstration. The best way to understand is to learn while watching the demonstration, because gathering intelligence requires your full attention to which steps are performed and how.
The challenges are taken from the website https://www.cia-ctf.com/. It is a CTF learning platform where you find flags using OSINT skills, and besides OSINT it provides challenges on other intelligence disciplines as well. I’ll be covering the sections that cover the basics of intelligence techniques.
So let’s begin with our first challenge.
Challenge 1: The Weakest Link
As mentioned in the Challenge 1 objective, a company named “Equifax Moderna” is doing something fishy.
Before this, let’s learn about Google Dorking.
Google Dorking? … Advanced Searching method via Google
I would say Google is the best tool for any OSINT or intelligence practitioner. Its vast search index and powerful keyword search let us search very precisely. But how?
When you open google.com in your browser, the Google home page appears. What is not immediately visible is the Advanced Search method that Google provides. At the bottom right of the page there is a “Settings” option, which contains an “Advanced Search” entry. Select that option and a page like this is displayed:
Google Dorking is simply using the “Advanced Search” facility of the Google search engine, but through predefined keywords (search operators) typed directly into the search bar. Let’s take an example:
Suppose I want to search all the websites with an Indian domain, i.e. www.domain.in. In the Google search bar I would write:
Taking a step further, notice that every Indian government website ends with gov.in. So we can search for all the Indian government websites like this:
Beyond these, there’s a whole set of Google Dorking keywords listed in the Google Hacking Database (GHDB) maintained by Exploit-DB:
Offensive Security's Exploit Database Archive
Now, if we look at Challenge 1, it says that “Equifax Moderna” is up to something suspicious and we have to find out what. So let’s type the company name into the Google search bar, within double quotes.
Double quotes force an exact-phrase match: every result Google returns will contain that exact phrase. Let’s open the LinkedIn profile of Peter Hanks, who says he is the CEO of that company.
Note: When you access any social media account, log in with a puppet account. This ensures your real identity is not revealed, and the information available after logging in is much richer than what you see as a guest.
We found a Twitter URL on Peter Hanks’s LinkedIn account. Browse to the provided URL and check his Twitter account.
As Peter Hanks’s tweet says, he has provided a Bitcoin address to pay for his company’s product. Below that is the flag for this challenge.
Challenge 2: Photo Data
It is clear that this is a case of steganography: there’s a hidden message inside the image file. A sample of the image file is shown below.
First let’s talk about EXIF Metadata.
Metadata is digital information stored within an image that describes the photo itself. EXIF stands for “Exchangeable Image File Format” and refers to the basic metadata generated and stored by the camera. A good example is taking a photo with an iPhone: each photo gets the location, the time and, nowadays, categorization based on facial recognition attached to it. All of this is metadata of that image file.
Heading back to our challenge, I would like to praise one website that performs all the analysis we could think of on any type of image file: Aperi’Solve.
Aperi’Solve is an online platform that performs layer analysis on an image using a set of tools such as zsteg, outguess, exiftool, binwalk and foremost. Let’s upload the image file to the platform and look over the output.
Within the ExifTool section, you’ll find the flag for our challenge.
Case solved!
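What exiftool is doing in that section is walking the JPEG’s marker segments, finding the APP1 “Exif” block and decoding the TIFF directory inside it. As an added example that is not part of the original post or of Aperi’Solve, the Python below builds a minimal JPEG whose EXIF ImageDescription carries a constructed placeholder flag and then parses it back out with only the standard library; the tag ids are the standard TIFF ones, and the flag text and the “Cam” model string are constructed sample values.

```python
import struct

# TIFF/EXIF tags of ASCII type that commonly carry free text (tag ids from the TIFF 6.0 spec)
ASCII_TAGS = {0x010E: "ImageDescription", 0x010F: "Make", 0x0110: "Model",
              0x0131: "Software", 0x013B: "Artist", 0x8298: "Copyright"}

def build_exif_jpeg(fields):
    """Construct a minimal JPEG (SOI + APP1/Exif + EOI) whose IFD0 holds {tag_id: text} as ASCII entries."""
    n = len(fields)
    data_off = 8 + 2 + 12 * n + 4              # TIFF header + entry count + entries + next-IFD pointer
    entries, blob = b"", b""
    for tag, text in sorted(fields.items()):   # TIFF requires entries in ascending tag order
        value = text.encode("ascii") + b"\x00"
        if len(value) <= 4:                    # short values live inside the 12-byte entry itself
            entries += struct.pack("<HHI", tag, 2, len(value)) + value.ljust(4, b"\x00")
        else:                                  # longer values are stored after the IFD, referenced by offset
            entries += struct.pack("<HHII", tag, 2, len(value), data_off + len(blob))
            blob += value
    tiff = b"II*\x00" + struct.pack("<IH", 8, n) + entries + struct.pack("<I", 0) + blob
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"

def extract_exif_text(jpeg):
    """Walk the JPEG marker segments, find APP1/Exif and return IFD0's ASCII tags as {name: text}."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG file")
    pos = 2
    while pos + 2 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):             # EOI / start of scan: no more metadata segments
            break
        seg_len = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        if marker == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00":
            return _parse_ifd0(jpeg[pos + 10:pos + 2 + seg_len])
        pos += 2 + seg_len
    return {}                                  # no EXIF block: nothing leaked via this channel

def _parse_ifd0(tiff):
    bo = {b"II": "<", b"MM": ">"}[tiff[:2]]   # byte-order mark selects little/big endian
    ifd0 = struct.unpack(bo + "I", tiff[4:8])[0]
    count = struct.unpack(bo + "H", tiff[ifd0:ifd0 + 2])[0]
    found = {}
    for i in range(count):
        e = ifd0 + 2 + 12 * i
        tag, typ, n = struct.unpack(bo + "HHI", tiff[e:e + 8])
        if typ != 2:                           # type 2 = ASCII; numeric tags are skipped here
            continue
        if n <= 4:
            raw = tiff[e + 8:e + 12]
        else:
            off = struct.unpack(bo + "I", tiff[e + 8:e + 12])[0]
            raw = tiff[off:off + n]
        found[ASCII_TAGS.get(tag, hex(tag))] = raw.split(b"\x00", 1)[0].decode("ascii", "replace")
    return found
```

The same walk is what you would run over your own images before publishing them, since anything the camera or an editor wrote into these tags (including GPS tags, which are numeric and not decoded here) ships with the file.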
Challenge 3: Time Traveller
The challenge says to look for the third featured video on YouTube homepage from September 6, 2006.
What is Wayback Machine?
“The Wayback Machine is a digital archive of the World Wide Web founded by the Internet Archive. The aim of the archive is to build a digital library of Internet sites and artifacts in digital form.”
Internet Archive: Digital Library of Free & Borrowable Books, Movies, Music & Wayback Machine
Search for youtube.com within the Wayback Machine and head over to September 6, 2006.
Select that date and look for the featured videos.
Clearly, the video we were looking for is “Impression Skills”.
Challenge 4: Personal Lookup
This challenge provides us with a photograph of a man and asks us to find out some information about him. It also mentions that this man was targeted by Aliens in the past.
Now, What is Reverse Image Searching?
“Reverse image search is a content-based image retrieval query technique that involves providing the content-based image retrieval system with a sample image that it will then base its search upon.” -Wikipedia
If you’re using the Firefox browser, I would recommend installing the extension “Search By Image”. The extension includes all the reverse image search engines that can be useful.
Using the extension, capture the image and search with the TinEye search engine, or upload the image directly on the TinEye website.
TinEye provided 2 results based on the reverse image search.
The name of the person in the image is “Jose Diaz Linares”. That is the answer to the first part of this challenge, and solving it opens the second part.
Let’s type the name of this person into Google in double quotes. The search results give a link to the website https://mapadelterror.com. The website mentions that the person in question was killed by the terrorist group “ETA” (the answer to the 2nd part).
The third part of this challenge gave me a headache. Still, I’ll discuss it, because maybe one of my readers can help me with it.
The last part of this challenge asks for the location where the target was assassinated. The URL above, which describes the details of the person, also has a map showing the location where the person was executed. The location given is “Egia Kalea, Donostia, Gipuzkoa, España”, a place in Spain. I would recommend using Google Earth for this, as we are going to deal with longitudes and latitudes.
Search for the place and get the latitude and longitude of the spot where the person was executed. In the bottom right section of the page you’ll find the coordinates in degrees, minutes and seconds format. Alternatively, you can copy the decimal degrees from the URL, or use the converter linked below:
Coordinate Converter - Polar Geospatial Center
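Flags and databases usually want decimal degrees while Google Earth displays degrees, minutes and seconds, so it is worth being able to convert in both directions without a website. This is an added example, not from the original post or the linked converter; the coordinate in the test is a constructed value in open ocean, not the location of the challenge.

```python
import re

# One DMS token such as 43°19'15.6"N; copied text sometimes uses the typographic ′ and ″ marks instead
_DMS = re.compile(r"""(\d{1,3})\s*[°º]\s*(\d{1,2})\s*['′]\s*(\d{1,2}(?:\.\d+)?)\s*["″]\s*([NSEW])""")

def dms_to_decimal(text):
    """Parse a 'lat lon' DMS string as Google Earth shows it; return (lat, lon) in
    decimal degrees, negative for the southern and western hemispheres."""
    parts = _DMS.findall(text)
    if len(parts) != 2:
        raise ValueError(f"expected two DMS coordinates, found {len(parts)}")
    result = {}
    for deg, minutes, seconds, hemi in parts:
        if int(minutes) >= 60 or float(seconds) >= 60:
            raise ValueError("minutes and seconds must be below 60")
        value = int(deg) + int(minutes) / 60 + float(seconds) / 3600
        if hemi in "SW":
            value = -value
        result["lat" if hemi in "NS" else "lon"] = round(value, 6)
    if set(result) != {"lat", "lon"}:
        raise ValueError("need exactly one latitude (N/S) and one longitude (E/W)")
    return result["lat"], result["lon"]

def decimal_to_dms(lat, lon):
    """Inverse conversion: decimal degrees back to DMS with hemisphere letters."""
    def one(value, pos, neg):
        hemi = pos if value >= 0 else neg
        value = abs(value)
        deg = int(value)
        minutes = int((value - deg) * 60)
        seconds = round((value - deg - minutes / 60) * 3600, 1)
        if seconds >= 60:                      # carry after rounding, e.g. 59.97 -> 60.0
            seconds, minutes = seconds - 60, minutes + 1
        return f"{deg}°{minutes}'{seconds}\"{hemi}"
    return f"{one(lat, 'N', 'S')} {one(lon, 'E', 'W')}"
```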
In the end, I used the hint, which said to look in the terrorism section of the OSINT Framework.
That opens the Global Terrorism Database.
Now, if you search for the date range in which the execution happened together with the name of the terrorist group (Basque Homeland and Liberty), you’ll find these results.
As John was a policeman, open GTD_ID 197503290001, which also mentions the same place, “Donostia-San Sebastian”. I have tried the coordinates for “Donostia”, “Gipuzkoa” and “Spain” as well but couldn’t get through. If any reader manages to do it, I would love to know the coordinates.
Last Challenge: Find Location from Image
The challenge is to find the city shown in the given image. Using the “Search By Image” extension, capture the image and search on all the platforms.
From Shutterstock, you’ll find that the image is referred to as “Wall of Roman Amphitheater”, which is in Pula, Croatia.
How can we end without a Blockchain Challenge?
The challenge provides us with an Ethereum Ropsten Testnet address and asks for information on its outgoing transactions. The advantage of blockchain transactions is that they are all recorded and open to search. The disadvantage is that we only learn the address, not the identity of whoever holds it.
Still, typing “Ethereum Ropsten Testnet Address” into Google gives us a link to the Etherscan website.
Searching for the given Ethereum address shows 2 outgoing transactions.
We won’t look at the blocks themselves, because each block contains many transactions and we only care about the outgoing transactions from this address. Both outgoing transactions go to the same address, “0x1407948eea54dcA7883aE0E2Aa0A365cd8eeaCB8”.
Let’s have a look at that receiving address and check for further information.
The address has only received 2 transactions, both from the test address given to us in the challenge. Now let’s take a look at the transaction hash that carries a value of 4 Ether.
If you scroll down and click the “See More” option, you’ll find the Input Data. Switch the view to UTF-8 and you’ll find a URL to a JPEG file.
Copy the link and view the JPEG file: we have our flag for the challenge.
Collection of Resources to Learn & Practice
- The Ultimate OSINT Collection (start.me): a collection of the very best OSINT related materials, resources, trainings, guides, sites, tool collections, and more…
- Bellingcat’s Online Investigation Toolkit (bit.ly/bcattools), version 6.8 (November 10, 2021)
- SOCMINT (start.me): a startpage with online resources about SOCMINT, created by Bruno Mortier.
- GitHub - cipher387/osint_stuff_tool_collection: a collection of several hundred online tools for OSINT; the maintainer posts services, techniques, tricks and notes about OSINT on the Twitter account @cyb_detective.
- FAROS OSINT Resources (start.me): a startpage with online resources, created by Open Source Resources.
- ctf-challenges/osint at master · csivitu/ctf-challenges: an aggregation of CTF challenges and write-ups for csictf 2020.
- DeHashed: free deep-web scans and protection against credential leaks.
- Spyse - A Cyber Security Search Engine: a search engine which can be used to identify internet assets and perform external reconnaissance.
- iHUNT OSINT FRAMEWORK | Nitin Pandey: focuses on gathering information from free and open-source tools or resources.
- Intelligence X: a search engine and data archive. Search Tor, I2P, data leaks and the public web by email, domain…
- Blockchain.com Explorer | BTC | ETH | BCH: block explorer and crypto transaction search engine.
- Bitcoin Abuse Database: tracking bitcoin addresses used by…
- Bitcoin Address Lookup: search and alerts; view and research bitcoin ownership, transactions and balances.
I hope that through the above challenges you have got an idea of what intelligence is and how it is gathered. Intelligence itself is quite interesting, and it can become a hobby: if you know what you are searching for and follow the right steps, there’s no barrier. Never stop searching for anything you have in mind, because I believe that if you are thinking of it, someone, somewhere has already done it. What’s required is just the connection.
I will try to post on other intelligence gathering disciplines as well, with some challenges, because intelligence is only understood when we learn while practicing. Until then, any comments or suggestions would be appreciated and will help me create new content for you in the future.
#intelligence #osint #osintdojo