Telegram OSINT VM Part 1
For my next blog I have decided to share my Telegram OSINT Virtual Machine. When I have a Telegram deployment I always use a dedicated virtual machine. I will never undertake research on Telegram using my personal device(s), accounts or personally identifiable information, and using either Telegram Web or Telegram Desktop is preferred over using a mobile.
What I am about to explain may not apply to everyone; it depends on the aims and objectives of your deployment and on the people or groups that are of interest to you. I will start at the beginning of my process, but feel free to take the parts that best suit your deployment. Don’t just copy what I do, because it may not be suitable for you. This was going to be one blog, however it ended up being longer than I had originally anticipated, so I decided to split it into 2 separate blogs.
I build my Telegram OSINT VM using Ubuntu 22.04 LTS, which can be downloaded from the official Ubuntu website: https://ubuntu.com/download/desktop. Do not be tempted to download it from other third party sites.
Whether you choose to use VMware or Virtual Box matters not; that is a personal decision based on what resources you have available to you. These are the only two pieces of virtualisation software that I use. I am sure that what follows will differ little if you use different virtualisation software.
I am not going to run through how to install Ubuntu, but feel free to view the below video links, for VMware and Virtual Box:-
· VMware – https://www.youtube.com/watch?v=cjO_hiocu30
· Virtual Box – https://www.youtube.com/watch?v=zHwFtyxJsog
If English is your first or second language this provides us with a perfect OPSEC opportunity. That said, other international languages provide similar opportunities: French, Spanish, Russian etc. are spoken all over the world. I always obfuscate my location. It is no secret that I am based in the UK. I will tend to use an IP address, time zone and keyboard settings from an English speaking country when setting up my VM. I use similar obfuscation methods when using a mobile.
For this deployment I have decided to use the USA as my obfuscation country. It is important that you have an active VPN. Again, this is a personal choice depending on the resources you have; a paid subscription with a no-logs provider is the preferred choice.
It goes without saying that we need to pick a VPN server in the obfuscation country, a USA server in my case, Fig 1.0.
As you can see from the below screen captures, Fig 1.1, when I go through the installation process the default setting is the USA keyboard. This is perfect and suits my obfuscation needs.
In Fig 1.2, I set my time zone to Chicago in the US.
Once you have installed Ubuntu and rebooted the machine the rest of the settings I ignore with the exception of location and Canonical feedback which I disable.
We have installed our fresh Ubuntu desktop. Even though we told Ubuntu to adhere to certain privacy settings during the set-up, we should double check them. When I went through the set-up process I disabled the following settings, Fig 1.3.
However, within the privacy settings the diagnostic setting is set to manual, so we will turn that off completely, Fig 1.4.
A few more settings that I alter are:-
I alter my file history deletion to 7 days.
I enable automatic deletion of the trash content and temporary files. (Sometimes I do not automatically empty the trash; it really depends on my deployment. I have been known to go looking back through my trash for something I thought was irrelevant at the time but now has meaning.)
I disable connectivity checking.
I double check that location settings are turned off.
I disable lock screen notifications – this setting will depend on your working environment.
Consider altering the screen lock settings – this setting will depend on your working environment too.
Generally, as a stock OSINT capability, I like to use Google Chrome and Google’s search engine for my OSINT. I do play around with the browser, but it tends to be a Chromium-based one.
The default browser on Ubuntu is Firefox and that will suit our purposes for this Telegram VM. I want to use it because of Firefox Containers. There are two extensions I tend to use out of the box, Firefox Containers and uBlock Origin. Both of these can be found in the Add-ons Manager in settings. Feel free of course to use any extensions you find useful for your OSINT work. I tend to add extensions as I go, as and when I need them; you may find that extensions available on Chrome are not always available on Firefox. You can check out my GitHub repository for the Chrome extensions I have used over the years: –
I manage my containers from within Firefox’s settings menu, under General settings. I enable the tick box “Select a container for each new tab,” Fig 1.5, as sometimes I am on auto pilot and forget my OPSEC; this way, when I open a new tab I am automatically presented with my container options.
Below is how I set out my containers; adapt this to best suit how you work. You are initially given 4 containers and I max out and have 9, Fig 1.6. As you can see I have created myself a Telegram container straight away.
Okay, let’s look at the other Firefox browser settings. I treat OSINT and Privacy differently when it comes to my privacy settings. If this was a browser I was using for privacy I would lock it down as much as I could, however that could affect how useful it is for OSINT.
As an example, I will not set my search history or my cookie sessions to automatically delete. I sometimes rely on my session history to see where I have been and to give me access back. Also, if you are logging into websites, rather than the browser deleting the cookie session every time I close it, I find it more efficient to keep the session alive for access to the accounts.
My other considerations are keeping sock accounts alive, as well as potentially using the algorithms we know run in the background to help me with my OSINT. One thing we know about algorithms is that they can learn what you are looking for and present relevant information or data.
This is where I rely on the Firefox Containers to give me a certain degree of control over cross-pollination, hence why I max them out at the beginning. I will tend to rename them as I go, if I find myself visiting a certain website often and I want to separate it from my other browsing.
A few more settings that you may want to consider altering. I am happy using Google as my OSINT search engine, however I also install Yandex. Yandex is not a default search engine on Firefox. I find Yandex is very good for researching Telegram. The Web and Desktop versions of Telegram do not have the Translate capability that the App has. The following instructions will show you how to add it, if you want. The choice of search engine is yours to make.
First you have to browse your way to Yandex so that it displays as a search engine. Then right click on the URL bar and you will see the option Add “Yandex,” Fig 1.7.
Once you have selected Add “Yandex,” return to the browser settings menu. Go to the Search option and find the Default Search Engine menu, click on the drop-down menu and you will see that Yandex has been added, Fig 1.8.
I also add Startpage, which is a privacy focused search engine that obtains its results from Google, similar to how DuckDuckGo gets its results from Bing.
Some other settings that I alter are below, and they are specific to this particular VM that I am building. From an OPSEC perspective I would review these on a case by case basis, and even during the deployment; it will depend on the sensitivity of my deployment or how it develops.
In General settings I ensure the Language setting is set to English (US).
I also tick ‘Always ask you where to save files’; this is a precaution in an attempt to stop files being automatically downloaded from Telegram.
If you are using a VPN (which I highly suggest you do), depending on your service provider you may not be protected against DNS leaks. If you scroll to the bottom of the General settings page you will see a menu called Network Settings. In that setting you can enable DNS over HTTPS; you can select one of the default options or a custom option. If you wanted to you could use Quad9.
I like to remove all the noise from the Firefox home page. In the home page settings, I disable all the Firefox Home Content settings except web search.
If I was using this VM for Privacy I would disable all the Search Suggestions; however this is an OSINT VM, so for now I am happy to leave them un-ticked.
Privacy & Security.
I enable Strict Tracking protection.
I disable all Login and Password options. (Use a password manager)
In the permissions menu I disable the following: location, camera, microphone and notifications. These settings could affect whether social media sites determine you to be suspicious when setting up your sock accounts, so it may be preferable to disable them after you have created your sock accounts.
I also disable the options under the Firefox Data Collection and Use tab.
I will keep the Security settings in play in relation to blocking dangerous sites and downloads, for the time being. This is purely an OPSEC measure; you can override them when you are browsing. Telegram has dangerous content on it, so it’s worth having this in play.
I also enable HTTPS-Only Mode in all windows. This is again for when I am on autopilot, so that I don’t accidentally find my way to a site that I didn’t really want to go to. You can override this setting when browsing by clicking through the warning splash screen when it presents itself.
And finally I will add the menu bar to the top of Firefox: right click in the tab bar and you will be presented with the below, Fig 1.9. Then select Menu Bar, which will populate a new set of menus at the top of the browser. One useful feature is that it allows you to work offline, which may be beneficial for your OPSEC, Fig 2.0.
That covers part one of this blog. In the next blog I will go through the resources I use for researching Telegram and how to set them up.
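The GNOME privacy settings listed earlier and the Firefox settings above are all GUI toggles, but each one is stored as a named preference that can be checked after the VM is built, which is useful when you come back to a deployment and want to confirm nothing has drifted. As an added example (not the author's tooling and not code from the post), the Python below audits constructed dumps in the formats of `gsettings list-recursively` and a Firefox user.js against those settings. The preference names in the two baselines are my assumed mapping of the post's GUI choices onto the underlying keys, and the DNS over HTTPS URL in the sample is Quad9's public resolver.

```python
"""Audit a Telegram OSINT VM's GNOME and Firefox privacy settings.  Added example,
not the author's tooling; inputs are constructed dumps in the formats of
`gsettings list-recursively` and a Firefox user.js, and the key names are an
assumed mapping from the post's GUI choices onto the stored preferences."""
import json
import re

# GNOME keys behind the Settings > Privacy choices in the post (assumed mapping).
GNOME_BASELINE = {
    ("org.gnome.desktop.privacy", "recent-files-max-age"): "7",          # file history: 7 days
    ("org.gnome.desktop.privacy", "remove-old-trash-files"): "true",     # auto-empty trash
    ("org.gnome.desktop.privacy", "remove-old-temp-files"): "true",      # auto-delete temp files
    ("org.gnome.desktop.privacy", "report-technical-problems"): "false", # diagnostics off
    ("org.gnome.system.location", "enabled"): "false",                   # location services off
    ("org.gnome.desktop.notifications", "show-in-lock-screen"): "false", # lock screen notifications off
}

# Firefox about:config names behind the GUI options (assumed mapping); a tuple means "any of".
FIREFOX_BASELINE = {
    "intl.accept_languages": "en-US, en",               # language English (US)
    "browser.download.useDownloadDir": False,           # always ask where to save files
    "network.trr.mode": (2, 3),                         # DNS over HTTPS: increased or max protection
    "browser.contentblocking.category": "strict",       # strict tracking protection
    "signon.rememberSignons": False,                    # no saved logins, use a password manager
    "geo.enabled": False,                               # location permission off
    "permissions.default.camera": 2,                    # 2 = block
    "permissions.default.microphone": 2,
    "datareporting.healthreport.uploadEnabled": False,  # data collection off
    "browser.safebrowsing.malware.enabled": True,       # keep dangerous site blocking on
    "dom.security.https_only_mode": True,               # HTTPS-only in all windows
    "privacy.userContext.enabled": True,                # containers enabled
}

GSETTINGS_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")
PREF_LINE = re.compile(r'^user_pref\("([^"]+)",\s*(.+)\);$')


def parse_gsettings_dump(text):
    """Parse `gsettings list-recursively` output into {(schema, key): value}.
    GVariant type prefixes such as `uint32 30` are dropped so values compare as plain tokens."""
    settings = {}
    for line in text.splitlines():
        m = GSETTINGS_LINE.match(line.strip())
        if m:
            schema, key, value = m.groups()
            settings[(schema, key)] = re.sub(r"^(u?int\d+|double)\s+", "", value)
    return settings


def parse_firefox_prefs(text):
    """Parse user_pref("name", value); lines from prefs.js or user.js.
    Values are JSON-compatible literals (strings, integers, true/false)."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line.strip())
        if m:
            name, raw = m.groups()
            try:
                prefs[name] = json.loads(raw)
            except json.JSONDecodeError:
                prefs[name] = raw
    return prefs


def audit(actual, baseline):
    """Return [(key, expected, found)] for each baseline entry that is absent or outside the
    accepted values; found is None when the key is missing (Firefox only writes non-default prefs)."""
    findings = []
    for key, expected in baseline.items():
        accepted = expected if isinstance(expected, tuple) else (expected,)
        found = actual.get(key)
        if found not in accepted:
            findings.append((key, expected, found))
    return findings


# Constructed sample dumps: a VM where two GNOME and two Firefox settings were missed.
SAMPLE_GSETTINGS = """\
org.gnome.desktop.privacy recent-files-max-age 7
org.gnome.desktop.privacy remove-old-trash-files true
org.gnome.desktop.privacy remove-old-temp-files false
org.gnome.desktop.privacy report-technical-problems false
org.gnome.desktop.privacy old-files-age uint32 30
org.gnome.system.location enabled true
org.gnome.desktop.notifications show-in-lock-screen false
"""

SAMPLE_USER_JS = """\
// Mozilla User Preferences (constructed sample; accept_languages still set to UK English)
user_pref("intl.accept_languages", "en-GB, en");
user_pref("browser.download.useDownloadDir", false);
user_pref("network.trr.mode", 2);
user_pref("network.trr.uri", "https://dns.quad9.net/dns-query");
user_pref("browser.contentblocking.category", "strict");
user_pref("signon.rememberSignons", false);
user_pref("permissions.default.camera", 2);
user_pref("permissions.default.microphone", 2);
user_pref("datareporting.healthreport.uploadEnabled", false);
user_pref("browser.safebrowsing.malware.enabled", true);
user_pref("dom.security.https_only_mode", true);
user_pref("privacy.userContext.enabled", true);
"""

if __name__ == "__main__":
    for key, expected, found in audit(parse_gsettings_dump(SAMPLE_GSETTINGS), GNOME_BASELINE):
        print(f"gnome: {key} expected {expected!r}, found {found!r}")
    for key, expected, found in audit(parse_firefox_prefs(SAMPLE_USER_JS), FIREFOX_BASELINE):
        print(f"firefox: {key} expected {expected!r}, found {found!r}")
```

On a real VM the two dumps come from `gsettings list-recursively` and from `user.js` (or `prefs.js`) in the Firefox profile directory. A key reported as absent from prefs.js is usually still at its Firefox default, which is why a user.js that states every value explicitly is the easier thing to audit.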