Using social media sites for OSINT

- [Instructor] Social networking sites are littered with some of the most valuable OSINT information on the internet. Finding a target or employee for an organization that's active on social media is like looking through a one-way mirror at your target. Even those individuals who are not on modern popular social media sites today are likely to have some form of footprint on older social media platforms such as MySpace. Because each social media site is used differently and privacy settings may be higher or lower person by person, the interaction available for your OSINT investigation will differ case by case. Regardless of the social media platform, you'll typically see a few categories of social media content that may be of use to you, the author's post or comment, a reply from the author or friend, social interactions, such as a like or connection, video or images, and metadata, such as a timestamp. The main commonality across most social media sites is the ability to share and connect with others. Whether a short tweet or a length rant on Facebook, people are posting things that are important to them. I've seen social media posts from family and friends reveal useful information for OSINT investigations, such as their location, pet's name, kid's name, home address, email address, phone number, who they bank with, and so much more. From my experience, junior OSINT investigators sometimes focus too much on their target's posts and forget to look at the replies and comments, and these are really important. Sometimes even those who are cautious about privacy can be betrayed by their friends. Once during an OSINT investigation, I found my target's Facebook page. However, the privacy settings were turned up pretty high, and basic information like birthday was not made public. During my OSINT investigation, I found a newspaper article and police report relating to an altercation at a grocery store, and it mentioned my target's name. However, he had a common name, and I wasn't sure if it was the same person. The police report and newspaper article both had the man's date of birth, so I was disappointed when Facebook didn't list the day or month of his birthdate. Even though my target was careful about not disclosing his birthdate, his friends didn't have the same privacy mindset when they all wished him a happy birthday on the same day in March the past three years. These seemingly harmless birthday wishes confirmed the Facebook profile belonged to the same person referenced in the newspaper article and police report. When performing social media OSINT, remember to dig deep into threads. You'll often find more relevant information to your investigation than just looking at the original post. Social interactions can consist of many different activities. However, personally I consider activities such as likes, retweets, check-ins, and investigations as data that highlights user preferences. Unlike posts, comments, and replies where we get explicit words written by our target, social interactions are more subtle and require us to make inferences and use critical thinking skills. To better illustrate the benefits of social interactions on a penetration test, let's assume you saw your target liked several posts from the Los Angeles Lakers, an American basketball team. You even find a few check-ins at Lakers games last season. While this behavior is not an explicit post to social media saying the Lakers is your target's favorite sports team, you can make inference and use keywords like players' names to guess passwords. As you perform your own social media OSINT investigations, parsing posts, replies, interactions, multimedia, and metadata, keep asking yourself, what does this data tell you about the target, and how do the bits of information fit in the puzzle? Every person is different, and each target will have their own story to tell you if you let the data speak to you.