Telegram OSINT VM Part 1

For my next blog I have decided to share my Telegram OSINT Virtual Machine. When I have a Telegram deployment I always use a dedicated virtual machine. I will never undertake research on Telegram using my personal device(s), accounts or personally identifiable information, and I prefer Telegram Web or Telegram Desktop over a mobile.

What I am about to explain may not apply to everyone, depending on the aims and objectives of your deployment and the people or groups that are of interest to you. I will start at the beginning of my process, but feel free to take the parts that best suit your deployment. Don’t just copy what I do, because it may not be suitable for you. This was going to be one blog; however, it ended up being longer than I had originally anticipated, so I decided to create 2 separate blogs.

I build my Telegram OSINT VM using Ubuntu 22.04 LTS, which can be downloaded from the official Ubuntu website. Do not be tempted to download it from other third-party sites.

Whether you choose to use VMware or VirtualBox matters not; that can be a personal decision based on what resources you have available to you. These are the only two virtualisation products that I use. I am sure that what follows will differ little if you use different virtualisation software.

I am not going to run through how to install Ubuntu, but feel free to view the below video links, for VMware and VirtualBox:-

·    VMware –
·    VirtualBox –

If English is your first or second language, this provides us with a perfect OPSEC opportunity. That said, other international languages also provide similar opportunities: French, Spanish, Russian etc. are spoken all over the world. I always obfuscate my location. It is no secret that I am based in the UK, so I will tend to use an IP address, time zone and keyboard settings from a different English-speaking country when setting up my VM. I use similar obfuscation methods when using a mobile.

For this deployment I have decided that I am going to use the USA as my obfuscation country. It is important that you have an active VPN. Again, this is a personal choice depending on the resources you have. A paid-for subscription with a no-logs provider is the preferred choice.

I suppose it goes without saying that we need to pick a server in the obfuscation country, a USA server in my case, Fig 1.0.

Fig 1.0

As you can see from the below screen capture, Fig 1.1, when I go through the installation process the default setting is the US keyboard. This is perfect and suits my obfuscation needs.

Fig 1.1

In Fig 1.2, I set my time zone to Chicago in the US.

Fig 1.2

Once you have installed Ubuntu and rebooted the machine, I ignore the rest of the settings, with the exception of location and Canonical feedback, which I disable.

We have installed our fresh Ubuntu desktop. Even though we told Ubuntu to adhere to certain privacy settings during the set-up, we should double check them. When I went through the set-up process I disabled the following settings, Fig 1.3.

Fig 1.3

However, within the privacy settings the diagnostics setting is set to manual, so we will turn that off completely, Fig 1.4.

Fig 1.4

A few more settings that I alter are:-

·    I alter my file history deletion to 7 days.

·    I enable automatic deletion of the trash content and temporary files. (Sometimes I do not automatically empty the trash; it really depends on my deployment. I have been known to go looking back through my trash for something I thought was irrelevant at the time but now has meaning.)

·    I disable connectivity checking.

·    I double check that location settings are turned off.

·    I disable lock screen notifications – this setting will depend on your working environment.

·    Consider altering the screen lock settings – this setting will depend on your working environment too.

Generally, as a stock OSINT capability, I like to use Google Chrome and Google’s search engine for my OSINT. I do play around with the browser, but it tends to be a Chromium one.

The default browser on Ubuntu is Firefox, and that will suit our purposes for this Telegram VM. I want to use it because of the Firefox Containers. There are two extensions I tend to use out of the box, Firefox Containers and uBlock Origin. Both of these can be found in the Add-ons Manager in settings. Feel free, of course, to use any extensions you find useful for your OSINT work. I tend to add extensions as I go, as and when I need them; you may find that extensions on Chrome are not always available on Firefox. You can check out my GitHub repository for Chrome extensions I have used over the years: –

I manage my containers from within Firefox’s settings menu, under General settings. I enable the tick box, “Select a container for each new tab,” Fig 1.5, because sometimes I am on autopilot and forget my OPSEC; this way, when I open a new tab I am automatically presented with my container options.

Fig 1.5

Below is how I set out my containers; adapt the below to best suit how you work. You are initially given 4 containers and I max out and have 9, Fig 1.6. As you can see, I have created myself a Telegram container straight away.

Fig 1.6

Okay, let’s look at the other Firefox browser settings. I tend to treat OSINT and Privacy differently when it comes to my privacy settings. If this was a browser I was using for Privacy I would lock it down as much as I could; however, this could affect how useful it is for OSINT.

As an example, I will not set my search history or my cookie sessions to automatically delete. I sometimes rely on my session history to see where I have been and to give me access back. Also, if I am logging into websites, rather than the browser deleting my cookie session every time I close it, I find it more efficient to keep the session alive for access to the accounts.

My other considerations are keeping sock accounts alive, as well as potentially using the algorithms we know are used in the background to help me with my OSINT. One thing we know about algorithms is that they can learn what you are looking for and present relevant information or data.

This is where I rely on the Firefox Containers to give me a certain degree of control over cross-pollination, hence why I max them out at the beginning. I will tend to rename them as I go, if I find myself visiting a certain website often and I want to separate it from my other browsing.

A few more settings that you may want to consider altering. I am happy using Google as my OSINT search engine; however, I also install Yandex. Yandex is not a default search engine on Firefox. I find Yandex is very good for researching Telegram. The Web and Desktop versions of Telegram do not have the Translate capability that the App has. The following instructions will show you how to add Yandex, if you want; the choice of search engine is yours to make.

First you have to browse your way to Yandex so it displays as a search engine. Then right-click on the URL bar and you will see the option, Add “Yandex,” Fig 1.7.

Fig 1.7

Once you have selected Add “Yandex,” return to the browser settings menu. Go to the Search option, find the Default Search Engine menu, click on the drop-down and you will see that Yandex has been added, Fig 1.8.

Fig 1.8

I also add Startpage, which is a privacy-focused search engine that obtains its results from Google, similar to how DuckDuckGo gets its results from Bing.

Some other settings that I alter are below, and they are specific to this particular VM that I am building. From an OPSEC perspective I would review these on a case-by-case basis, and even during the deployment. It will depend on the sensitivity of my deployment or how it develops.

General Settings:-

In General settings I ensure the Language setting is set to English (US).

I also tick ‘Always ask you where to save files’. This is a precaution in an attempt to stop files being automatically downloaded from Telegram.

If you are using a VPN (which I highly suggest you do), depending on your service provider you may not be protected against DNS leaks. If you scroll to the bottom of the General settings page you will see a menu called Network Settings. In that setting you can enable DNS over HTTPS. You can select one of the default options or a custom option; if you wanted to, you could use Quad9.

Home Settings:-

I like to remove all the noise from the Firefox home page. In the home page settings, I disable all the Firefox Home Content settings, except Web Search.

Search Settings:-

If I were using this VM for Privacy I would disable all the Search Suggestions; however, this is an OSINT VM, so for now I am happy to leave them un-ticked.

Privacy &amp; Security:-

I enable Strict Tracking protection.

I disable all Login and Password options (use a password manager).

In the permissions menu I disable the following: location, camera, microphone and notifications. These settings could affect whether social media sites flag you as suspicious when setting up your sock accounts, so it may be preferable to disable them after you have created your sock accounts.

I also disable the Firefox Data Collection and Use options.

I will keep the Security settings in play in relation to blocking dangerous sites and downloads, for the time being. This is purely an OPSEC measure; you can override them when you are browsing. Telegram has dangerous content on it, so it’s worth having this in play.

I also enable HTTPS-Only Mode in all windows. This is again for when I am on autopilot, so that I don’t accidentally find my way to a site that I didn’t really want to go to. You can override this setting when browsing: you can click through the warning splash screen when it presents itself.

And finally, I will add the menu bar to the top of Firefox. Right-click in the tab bar and you will be presented with the below, Fig 1.9. Then select Menu Bar; this will populate a new set of menus at the top of the browser. One useful feature is that it allows you to work offline, which may be beneficial for your OPSEC, Fig 2.0.

Fig 1.9

Fig 2.0
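The Firefox settings above can also be applied as a `user.js` file dropped into the profile directory, which is handy when rebuilding the VM. This is an added example, not part of the original post: the preference names are Firefox’s own about:config keys for the settings described above (DoH-only mode with the Quad9 resolver, containers, strict tracking protection, blocked permissions, data collection off, Safe Browsing kept on, HTTPS-Only Mode, history kept). The profile path in the usage comment is an assumption; on Ubuntu 22.04 the snap build of Firefox keeps its profiles under `~/snap/firefox/common/.mozilla/firefox/`.

```shell
#!/usr/bin/env bash
# Added example: writes a Firefox user.js matching the settings described above.
set -eu

# Print the preference block. Firefox reads user.js from the profile dir on start.
hardening_prefs() {
  cat <<'EOF'
// Language: English (US)
user_pref("intl.accept_languages", "en-US, en");
// Always ask where to save files (no silent downloads from Telegram)
user_pref("browser.download.useDownloadDir", false);
// DNS over HTTPS, DoH-only mode (3), Quad9 resolver
user_pref("network.trr.mode", 3);
user_pref("network.trr.uri", "https://dns.quad9.net/dns-query");
// Containers on, and ask which container each new tab should open in
user_pref("privacy.userContext.enabled", true);
user_pref("privacy.userContext.newTabContainerOnLeftClick.enabled", true);
// Strict tracking protection
user_pref("browser.contentblocking.category", "strict");
// Do not offer to save logins (use a password manager)
user_pref("signon.rememberSignons", false);
// Block location, camera, microphone and notification prompts (2 = block)
user_pref("permissions.default.geo", 2);
user_pref("permissions.default.camera", 2);
user_pref("permissions.default.microphone", 2);
user_pref("permissions.default.desktop-notification", 2);
// Firefox data collection off
user_pref("datareporting.healthreport.uploadEnabled", false);
user_pref("toolkit.telemetry.enabled", false);
user_pref("app.shield.optoutstudies.enabled", false);
// Keep Safe Browsing on (dangerous sites and downloads)
user_pref("browser.safebrowsing.malware.enabled", true);
user_pref("browser.safebrowsing.phishing.enabled", true);
user_pref("browser.safebrowsing.downloads.enabled", true);
// HTTPS-Only Mode in all windows
user_pref("dom.security.https_only_mode", true);
// OSINT choice: keep history and cookies across restarts
user_pref("privacy.sanitize.sanitizeOnShutdown", false);
EOF
}

# install_user_js PROFILE_DIR: write user.js into an existing profile directory
# and print the path written. Fails if the directory does not exist.
install_user_js() {
  [ -d "$1" ] || { echo "profile dir not found: $1" >&2; return 1; }
  hardening_prefs > "$1/user.js"
  echo "$1/user.js"
}

# Usage (assumed path): ./osint-prefs.sh ~/snap/firefox/common/.mozilla/firefox/<profile>
if [ $# -eq 1 ]; then install_user_js "$1"; fi
```

These preferences only govern Firefox’s own lookups and connections; Telegram Desktop and the rest of the VM still use the system resolver, so the VPN’s DNS handling matters just as much.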

That covers part one of this blog. In the next blog I will go through the resources I use for researching Telegram and how to set them up.


Introduction to Digital Exposure

I suppose there is a certain paradox in having content about OSINT, OPSEC and Privacy on the same website. Why would someone who is involved in OSINT care about a person’s Privacy, or why would someone who is keen on their Privacy care about OSINT or OPSEC?

I hope from the explanation below you will see how OSINT, OPSEC and Privacy are so closely linked, and that if we practise one discipline we should have a good working knowledge of the others.

An OSINT practitioner needs to understand the limitations of their work: if they do not know how the Privacy or OPSEC practices deployed by a subject may affect their ability to capture information or intelligence, can they see this, understand it and circumvent it? They also need to understand the risk of being compromised by their own OPSEC practices. Do they understand that if they deploy tight Privacy practices on their accounts, this may affect what they can see of their subject?

A person who cherishes their Privacy needs to understand how it can be exploited by OSINT practitioners. What are the risks to people who do not practise Privacy or OPSEC?


OSINT stands for Open-Source Intelligence, a methodical approach to collecting and analysing data accessible in publicly available sources, and making decisions about it, in order to form an intelligence picture of a subject, group, company, organisation or country.

It is probably true to say that OSINT has been around as long as it has been necessary to obtain information or intelligence. Certainly after both World Wars and the onset of the Cold War there was an uplift in the necessity to collect Open-Source Intelligence. As we have moved into the digital age, more information is publicly accessible, and as our digital footprint expands so do the opportunities to obtain Open-Source Intelligence.


Operational security looks at what digital footprint risks we leave and how we can mitigate those risks. It encourages us to view our habits from the perspective of an adversary in order to protect sensitive information about ourselves, or the fact that we are looking at them. What are our vulnerabilities, and can they be discovered or exploited? It is not that we are trying to hide; it is that we are trying not to be discovered. It is not just about social media: it includes IP bleed, metadata bleed, and how smart phones are constantly probing for connections that leave their own digital footprint.

Some measures we can take are free, some we will have to pay for; some measures are simple to implement, some require more knowledge and application. The important point, however, is that we can increase our OPSEC and still enjoy our smart phones.


The above two disciplines have their history firmly planted in the military and intelligence worlds; however, with the advance of the digital age, Privacy is also an important factor now.

I am not sure that, while we use and carry around a smart phone or other device that transmits and receives data, we can ever be 100% private. Can we really be expected to know what our smart phones and the apps on them are really doing? What we can do, however, is take steps, either reasonable or extreme, to reduce our digital footprint and increase our privacy.

What information we openly share, or have to provide to be able to use a service, can potentially be important personally identifiable information. We need to have some control over how our personal information is collected and used. The next data breach could expose you.


Putting all the above together, we can begin to see how individuals may be susceptible to hostile threat profiling. For people in positions of authority or influence this could be a vulnerability.

“Once effectively gathered, this intelligence can be used to locate an individual, identify patterns of life and target them accordingly. Many people are unaware of how they are sharing their personal details and what types of data may appear online. This is a particular risk for law enforcement, military, security services, diplomats and high profile people.”

David Benford, Hostile Threat Trainer.

“A high-valued target can be anyone with privileged access and organizational influence, with access to sensitive information, or anyone with high levels of exposure and influence”

“Social exposure will inevitably lead to security & personal information leaks, especially when the high-valued target is not aware of essential security guidelines”

Christina Lekati, Social Engineer

Ideally, in the below image we would want the circles not to interlink; however, this is not realistic given the digital age we live in. We need to make the area where they do interlink as small as possible. We also need to understand that the circles may not interlink evenly, and as a result we can assess where our vulnerabilities lie more accurately.

In the below image we can look at what we want from our digital devices in terms of Usability, Security and Privacy. I have chosen a more Secure and Private approach by placing a dot in the lower left corner; I have sacrificed Usability. This may not be suitable for all. By moving the dot around the triangle you can see what is important to you, and then you can begin to work out how reasonable or extreme your strategy needs to be to achieve better Security and Privacy.