Telegram OSINT VM Part 3

Thank you for returning to read the final part of the Telegram OSINT VM trilogy. This blog is more about my methodology: how I think when it comes to organising my work environment, and some safeguards I take. I have my own methods that suit me as a person and how I work. As always, take the bits that suit you and add your own flavours. I am a big believer in not just copying what someone else has done but incorporating it into your own methodology and ideas.

To give you some context for what follows: I use a Windows host, which can be either Windows 10 or 11 depending on the device I have chosen. According to as of January 2023 Windows has just over a 74% share of the global OS market for desktop. Different websites will give you different figures, but the one takeaway is that it is the most used OS globally.

Windows is also the most targeted OS, with a 91% share of ransomware infections (ransomware is a form of malware), Fig 1.0.

Fig 1.0

When we are using Telegram, depending on our deployment the above creates issues for Windows users. The following are the steps that I take to try and mitigate the risk. It is not 100% bulletproof. I would always encourage the use of malware / anti-virus protection software, for both your VM & host.

I talked in the previous blogs about how we can try to protect ourselves by disabling any form of auto-download on Telegram. If you ever download your full Telegram account, you may be surprised to see what is in there. If you don’t take precautions there may be malware in your account download.

I know Linux and Mac users will be saying, well don’t use Windows. That unfortunately is not an option for the majority, whether through restrictions at work, financial considerations or a lack of confidence to use Linux. This is also the case when considering using a device that can be reformatted. This would be a good option, as that way if you do get infected you can reformat the device. You may consider just using a Windows VM for the same purposes, instead of relying on the Linux AV to scan for malware on your VM. Whichever route you take, ensure you have malware / antivirus software installed on both your host and VM.

You must also remember that neither Linux nor macOS is bulletproof, and it would be a massive risk on the part of the user to think so.

You have to make a decision as to whether you want to enable features that employ file sharing, like shared clipboard, as these are capable of spreading viruses between your virtual machine and host machine. It goes without saying that if you transfer files from your VM to your host then the malware will travel along for the ride.

I set my Windows host up with an Admin & User account. I do not use the Admin account, I only use the User account. The reason is that an Admin account does not, in the main, require the password to execute programs, whereas the User account ordinarily will. Some malware requires Admin privileges to run, so this is potentially our first line of defense.

In File Explorer on Windows I would enable, ‘File Name Extensions’ so that you can see the full file name, this is to ensure there are no hidden .exe files. I also enable view hidden items.

Fig 1.1 Windows 11: –

Fig 1.1

Fig 1.2 Windows 10: –

Fig 1.2
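As a complement to making extensions visible in File Explorer, the following added example (not from the original blog) checks the file names in a download folder for what you would otherwise look for by eye: an executable extension, a harmless-looking extension placed in front of it, or invisible Unicode characters that change how the name is displayed. The extension lists and function names are assumptions made for this example, and it goes slightly beyond .exe to other file types Windows will run.

```python
import sys
import unicodedata
from pathlib import Path

# Assumed lists for this example; extend them to suit your deployment.
# Extensions Windows will run or interpret when the file is double-clicked.
RISKY_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif",
              ".js", ".vbs", ".hta", ".lnk", ".msi", ".ps1"}
# Harmless-looking extensions often placed in front of the real one.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt",
              ".jpg", ".jpeg", ".png", ".mp4", ".zip"}


def check_name(name):
    """Return the reasons a file name deserves a second look ([] if none)."""
    reasons = []
    # Strip padding so 'report.pdf      .exe' is read as .pdf + .exe.
    parts = [p.strip() for p in name.lower().split(".")]
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in RISKY_EXTS:
        reasons.append("executable extension " + ext)
        if len(parts) > 2 and "." + parts[-2] in DECOY_EXTS:
            reasons.append("decoy extension ." + parts[-2] + " before " + ext)
    # Unicode format characters (category Cf), such as the right-to-left
    # override, are invisible but change how the name is displayed.
    if any(unicodedata.category(ch) == "Cf" for ch in name):
        reasons.append("invisible or direction-changing character")
    return reasons


def scan_folder(folder):
    """Walk a folder and return {relative path: reasons} for flagged files."""
    root = Path(folder)
    findings = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            reasons = check_name(path.name)
            if reasons:
                findings[path.relative_to(root).as_posix()] = reasons
    return findings


if __name__ == "__main__":
    # Usage: python3 check_names.py <folder of downloaded files>
    for rel, why in scan_folder(sys.argv[1]).items():
        print(rel + ": " + "; ".join(why))
```

A clean result only means the names look ordinary; it is not a substitute for the antivirus scan on the VM and host.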

One good aspect of VMs is that you can create snapshots, a moment in time of how your VM was. I do not create snapshots of my Telegram OSINT VM. I create a master copy and then I will clone that creating a deployment VM. All my recording / auditing software for my deployment is on my host. At the end of each deployment session, anything I download / capture on my VM that I think is important I will transfer to my host.*

*Whether you use snapshots or clone VMs, you need to be extremely careful about what you copy to your host. Make sure you have antivirus / malware protection on both your VM & host, and ensure you scan before / after you transfer any files.

If my deployment VM is compromised, I will spin up another VM by cloning my Master.

The way I set out my VM files is illustrated below, Fig 1.3: –

·    Back Up VMs where I store my Master VMs.
·    Live VMs, VMs that I am currently using on a deployment.
·    Filed VMs, VMs that are no longer active on a deployment.

Fig 1.3

There are numerous ways of organising your work environment and the software that you use. Hunchly is a good example of auditing software, however this may not be an option for everyone due to organisational or monetary constraints. I like to have a system where material is separated, as sometimes I can’t see the wood for the trees.

Below is how I set out my folders on both the host and VM. I create a desktop file, with various sub-folders. This is fluid and depends on my deployment specifics, Fig 1.4: –

Fig 1.4

At the end of that day’s deployment I will move what I need onto my host for safekeeping. I never delete anything from my VM, as you never know if something you initially dismissed as not relevant will become of interest, but also, if you work in Law Enforcement, it may be required for disclosure / discovery.

I now have in place a system that I am confident that I can build a report from and that I am also able to bear witness to my work.
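One way to support the end-of-session transfer described above is a hash manifest: record a SHA-256 for every file on the VM before the move, then check the copies on the host against it, which also leaves a record you can refer to later. This is an added example, not part of the original blog; the function names, the JSON manifest format and the script name are assumptions.

```python
import hashlib
import json
import sys
from pathlib import Path


def sha256_file(path, chunk_size=1024 * 1024):
    """Hash a file in chunks so large video captures do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(folder):
    """Return {relative path: SHA-256} for every file under folder."""
    root = Path(folder)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_manifest(folder, manifest):
    """Compare folder with a manifest made earlier and report differences."""
    current = build_manifest(folder)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "changed": sorted(name for name in set(manifest) & set(current)
                          if manifest[name] != current[name]),
        "unexpected": sorted(set(current) - set(manifest)),
    }


if __name__ == "__main__":
    # On the VM:   python3 manifest.py build  <folder> <manifest.json>
    # On the host: python3 manifest.py verify <folder> <manifest.json>
    # Keep the manifest file outside the folder being hashed.
    mode, folder, manifest_path = sys.argv[1:4]
    if mode == "build":
        Path(manifest_path).write_text(json.dumps(build_manifest(folder), indent=2))
    else:
        saved = json.loads(Path(manifest_path).read_text())
        report = verify_manifest(folder, saved)
        print(json.dumps(report, indent=2))
        sys.exit(1 if any(report.values()) else 0)
```

A matching manifest shows the files arrived unchanged; it says nothing about whether they are safe, so the antivirus scan before and after transfer still applies.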

The last consideration is how you safe-keep your work: do you leave it on your host, store it in the Cloud, or remove it from your host to an encrypted storage device offline? This will depend on your personal or organisational requirements. My preference is to store my work offline on an encrypted device. This may not be best for everyone; for people who work from multiple locations or need to share their work with colleagues, Cloud storage may be the best solution. Whichever solution you choose, like everything with OSINT, make sure there is a methodology to your thinking. Don’t do something because that is the way it has always been done or because other people do it that way.

What started out as one blog ended up being a trilogy, as I wanted to do justice to the subject matter. I hope that you have found my Telegram blogs useful, and thank you for staying with me. I always reach out to someone in the OSINT community to proofread my work; it is a great community and very supportive. I would like to take one last opportunity to say thank you to Griffin @hatless1der, who was kind enough to proofread my work and give me some other ideas to consider.



Telegram OSINT VM Part 2

Thank you for returning to read part two of my Telegram OSINT VM. In this second blog I am going to walk through the resources I use to research Telegram.

If you didn’t catch Part 1, you can find it here: –

As with Part 1, you do not have to copy everything from this blog for your VM. I would always advise, assess what you need and what you are comfortable working with.

I will start by listing what I use as my base: –

Telegram Web

Telegram Desktop



Telegram Tracker

I will talk through and illustrate the installation of the above. I will then move on to the other resources that I install, and these on the whole will be bookmarks and useful links.

We will start with the installation of Telegram Web and desktop. Open your Telegram container, where we can save the Telegram Web bookmark. Once you have the below screen, Fig 2.1, right click and you will be presented with Fig 2.2, this is where you can save Telegram Web to your Telegram Container.

Fig 2.1

Fig 2.2

You can now save Telegram Web as a bookmark in your bookmark menu. The first time you open the Telegram bookmark you will be asked to confirm that you want to use the Telegram container from now on to open Telegram Web.

Now it’s time to download Telegram Desktop, so navigate your way to where you can download the application. The default option will be for Linux x64. Once downloaded, you can extract the files and run the program, and you will then be presented with the below, Fig 2.3.

Fig 2.3

You may be asking yourself, why do I need both Telegram Web and Desktop? Well, they do things differently and offer flexibility and resilience. You do not have to use both at the same time.

Now we are in a position to log into our Telegram sock account, as we will need an API key for the other resources I mentioned earlier.

Once logged in, let’s look at some settings that will be beneficial to our OPSEC and security.

In Data & Storage, disable Auto-Download Media, Fig 2.4: –

Fig 2.4

Then we can look at the Privacy settings, Fig 2.5. You will see that I have set the profile picture to everybody. This is due to Geogramint requiring you to have your profile pictures on view. You can disable this when you are not using Geogramint. Only premium users can disable voice or video messages.

Fig 2.5.

Annoyingly the settings from Telegram Web do not carry over to Telegram Desktop, in relation to the automatic media downloads.

In Advanced settings, I enable, ‘Ask download path for each file’

In each of the Private Chats, Groups and Channels, I disable ‘Automatically download’ for videos & files, Fig 2.6.

Fig 2.6

If you are using a mobile, I would also disable the People Nearby option. You will find it by navigating to Contacts – Find People Nearby. I would like to see Find People Nearby come to the Web and Desktop app, so I could use a location spoofing extension, however this is why we have Geogramint.

The above settings will really depend on the nature of your deployment. Experience has shown me that files can be automatically downloaded in the background to your device without you knowing, so I just take the added precaution of choosing what I want to view. I like to have a look at the channel or group first.

I will walk you through how to obtain your API-id and API-hash. You need to log in to your Telegram account on Telegram Web, then navigate to the API development tools at the following URL:

Then you will need to enter the number that you used to sign up to Telegram, Fig 2.7. You will then be sent a confirmation code to your Telegram account. You need this code to access ‘Your Telegram Core’, where you will select the API development tools option.

Fig 2.7

You will be taken to the following screen, Fig 2.8.

Fig 2.8


In the default fields, typing ‘Anything’ should enable you to obtain your API. You will be taken to the next page where you will obtain your API-id & API-Hash.

This short video is a good tutorial on how to obtain your API-id & API-Hash.

Once you have your API-id & API-Hash, keep them safe in your password manager.

You may have gathered that there is an OPSEC issue with how we obfuscated our Ubuntu setup earlier. We have to use a mobile number that is not necessarily from the same country as the one we set our VM to. Not only that, the next step requires you to use an IP address for the country of the number too, otherwise Telegram will not provide you with your API key and Hash.

If you have no intention of using the cmd line tools then you do not need to concern yourself with obtaining the API key and Hash. Alternatively, as I have done in the past, obtain a SIM from your obfuscation country. It all depends on what our deployment entails and the risks involved.

With OSINT, there is always a balance to be had between OPSEC, privacy and usability versus reward. We can lock ourselves down but this will affect our ability to carry out OSINT.

Before moving on to installing the cmd line tools I am going to create two more bookmarks.

I am going to create a custom bookmarklet that has been created by @Webbreacher based on a blog by @hatless1der. I have included a link to the blog below so that you can read up on how this bookmarklet works.

Copy the text below, go into your browser bookmarks, create a new bookmark, and paste the text where you would normally put the URL for a bookmark and save. Give it a name you will remember, I’ll call mine Bookmarklet: –

javascript:(function()%7Bvar a %3D document.getElementsByClassName('tgme_page_description')%5B0%5D%3B alert(a.innerText)%7D)()

The link to @hatless1der’s blog is here: –

I am now going to add my own GitHub repo bookmark, where I have collected my Telegram OSINT toolkit. You now have access to my GitHub repo, where you can find the numerous blogs, bots, CSE, extensions, resources and videos to help you with your research of Telegram. Feel free to add your resources toolkit of choice; @Cyb_Detective has a good GitHub repo too. I will allocate my GitHub repo to a container.

It is a good idea to add a Yandex bookmark too. I add the following in a bookmark folder, called Yandex: –

At the same time I am going to allocate them a container named Yandex, Fig 2.9


Fig 2.9

*I said earlier, I add extensions as I go, so you have the option here to add a ‘Translate’ extension. In Firefox’s Add-Ons there are a couple of recommended ‘Google Translate’ extensions. Firefox has its own Translate extension, however it is limited in the languages available to translate.

*Next I am going to create a bookmark folder for the following website resources: –

*As with everything related to the internet ensure that you are happy with the resources you use. Ensure that you are using the appropriate OPSEC for your deployment.

Now is the time to download our cmd line tools from GitHub. We have created the cqcore GitHub container and we can use the same container to install the cmd line tools we are going to use. You will find tutorials on my GitHub Telegram Repository on how to use the below tools. As I go, I create text documents on my VM for each tool, which contain the installation instructions and also the commands for its deployment.



Telegram Tracker

First we will start with Geogramint: –

git clone

(If you don’t have git – sudo apt install git)

cd Geogramint

pip3 install -r requirements.txt

(If you don’t have pip3 – sudo apt install python3-pip)


This will then launch the GUI. In the bottom left corner is the settings cog, click this and the below image will be launched, where you can input your Telegram API-id, API-Hash and telephone number, Fig 3.0.

Ensure you have the + and your country code, minus the first 0, +44(number here) format.

Fig 3.0

Next is Telepathy: –

pip3 install telepathy

cd telepathy

When you first run Telepathy you will be asked to enter your, API-id, API-Hash & phone number.

We will use a default cmd, the target is one of the inventors of Telegram, Fig 3.1.