Effective Use of a VPN in OSINT

It has been established for some time now that, to protect our privacy, the use of a VPN is almost mandatory. For an OSINT practitioner their use is far more than that. Yes, there certainly is the OPSEC perspective, but can we manipulate them for the benefit of our OSINT work?

VPNs come in many shapes and forms. Some are more reputable than others, and some are more private, such as those that offer “No logging”, where they do not keep a record of your use of their service. Where you sit as an OSINT practitioner will probably dictate which VPN company you use and how you are able to use it as a tool to better undertake your OSINT tasks.

If you are a hobbyist who likes the idea of being able to find out information about others, or are just learning your tradecraft, you may not necessarily want the cost of purchasing a subscription, so you may choose a free VPN. This will inevitably come with restrictions and limitations, never mind the potential privacy risks.

For professional OSINT practitioners, such as those who work in private industry or Law Enforcement, the use of a free VPN service is simply not desirable or suitable. We also need to consider at all times what information we are leaking to third parties about the OSINT we are doing. This is why a “No Logs” provider may be beneficial.

Another factor we need to concern ourselves with is the DNS that we use. Does your VPN provider have its own DNS server? If it doesn’t, we can still choose a DNS server in our browser settings or maybe in our firewall. We can choose a privacy-focused DNS provider to avoid what is called “DNS Leakage.” DNS leakage is where we still have to use our internet provider’s DNS servers, so they can still see our traffic.

Remember, though, that a VPN is not bulletproof and is not a replacement for good OPSEC practices.

Check this link to compare VPN providers https://techlore.tech/vpnchart.html

We can use a VPN in the same vein as we would use a search engine to research subjects or entities that are not based in the country we are from. I am in the UK, but if the subject or entity is based in, say, the USA, is it realistic for me to just use the UK version of Google to research them? No, it isn’t. I would look to use the US version of Google too. Or we could even use a search engine native to the country we are interested in.

Check out Colossus https://www.searchenginecolossus.com/ to see a list of a country’s native search engine(s).

This link will show you the different Google Country domains http://www.genealogyintime.com/articles/country-guide-to-google-search-engines-page3.html

We can combine a native search engine with a local IP to help us find more information and intelligence than by simply using google.co.uk and a UK IP address. Don’t forget to ask where the information we are looking for is stored. Is it on a server in our country of origin, or is it on a server in the country where our subject or entity is based, or one close by? Will utilising an IP in that country help us retrieve better results from those servers?

What about when we are creating sock puppet accounts? Do we stop to think where our subject or entity of interest is based? Should we change our IP to that country and then create our accounts? This way we can potentially utilise the social media platforms’ own algorithms, which may assist us in finding our subject or information about them.

Remember, social media platforms are in the main about networking, making it easy to find people we know or things of interest. One way that they will do this is by looking at our IP address when we create our account. Some will even default our location upon creating the account based on our IP.

Spoiler alert: I do not know how the popular social media platform algorithms work, and I know the use of a VPN to create accounts can be difficult if not impossible. But it is something to consider. Work smarter, not harder; let’s try to utilise the platforms’ own algorithms to do some work for us.

To demonstrate how we can make a VPN work for us, I did an initial search on the Google UK domain for Laura Steele who was involved in the storming of Capitol Hill on 6th January 2021.

The initial results I got on the first page were very generic, mainly relating to possible social media accounts. It wasn’t until the bottom of page 2 that I started to see results for the Laura Steele I was interested in. I will assume that Google’s algorithm doesn’t associate my IP in the UK with being particularly interested in events in the US. It wants to provide me with UK relevant results.

I have redacted some specific social media accounts for the privacy of the account holder as they were not related to the subject of interest.

Now compare the first page of results, when I change my VPN to a US server. Straight away I see results more relevant to my subject of interest.

If you were to click on the News tab you would see the above repeated. Using the US IP, there is, straight out of the box, news item after news item relating to the subject.

And let’s not forget that some VPN providers have multiple servers in a country. In theory, as we get closer to our subject, we can start to use server locations closer to them, combined with internet data centres, which may give us even more bespoke results. Don’t forget we can also combine our local VPN IP with a native search engine too.

Below is a map of Internet Data Centres

Another little OPSEC trick you may want to utilise is also based on the above. If you are investigating a website that is abroad and is very localised in its appeal, why not hide yourself amongst the crowd? Use a VPN IP and / or a native Google domain to research the site. We just don’t know if the owner of the site sits and reviews the logs, which will show them which country your IP is from.
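As an added example that is not part of the original post, this sketch shows how a site owner's log review could single out a lone foreign visitor on a site with a localised audience, which is the exposure described above. The log lines, the IP-to-country table (RFC 5737 documentation ranges standing in for a GeoIP database) and the function names are all constructed for illustration.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed stand-in for a GeoIP database: RFC 5737 documentation ranges
# mapped to country codes purely for this example (an assumption).
GEO = {
    ip_network("192.0.2.0/24"): "US",
    ip_network("198.51.100.0/24"): "US",
    ip_network("203.0.113.0/24"): "GB",
}

# Constructed access-log lines (Common Log Format) for a US-focused site.
SAMPLE_LOG = """\
192.0.2.10 - - [06/Jan/2021:10:00:01 +0000] "GET / HTTP/1.1" 200 5120
192.0.2.44 - - [06/Jan/2021:10:02:13 +0000] "GET /events HTTP/1.1" 200 2048
198.51.100.7 - - [06/Jan/2021:10:05:40 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.77 - - [06/Jan/2021:10:06:02 +0000] "GET /about HTTP/1.1" 200 1024
198.51.100.23 - - [06/Jan/2021:10:07:19 +0000] "GET /events HTTP/1.1" 200 2048
203.0.113.77 - - [06/Jan/2021:10:07:55 +0000] "GET /contact HTTP/1.1" 200 900
192.0.2.91 - - [06/Jan/2021:10:09:30 +0000] "GET / HTTP/1.1" 200 5120
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)')

def country_of(ip):
    """Look the address up in the constructed GEO table; '??' if unknown."""
    addr = ip_address(ip)
    return next((cc for net, cc in GEO.items() if addr in net), "??")

def rare_visitors(log_text, threshold=0.2):
    """Return {ip: (country, [paths])} for visitors whose country accounts
    for less than `threshold` of the distinct client IPs in the log."""
    paths = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:  # skip lines that are not in the expected format
            paths.setdefault(m.group(1), []).append(m.group(2))
    per_country = Counter(country_of(ip) for ip in paths)
    total = sum(per_country.values())
    return {ip: (country_of(ip), seen) for ip, seen in paths.items()
            if per_country[country_of(ip)] / total < threshold}

if __name__ == "__main__":
    for ip, (cc, seen) in rare_visitors(SAMPLE_LOG).items():
        print(f"{ip} ({cc}) stands out; requested {seen}")
```

In the constructed log the single UK address is the only one flagged, along with every page it requested; the same visit made from a US exit would fall into the majority bucket.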

As I have said, a VPN is not bulletproof and we always have to think about how we deploy them in our OSINT.
