Telegram Fundamentals

It is 2 years since I did my first blog relating to messenger apps and what, from an OSINT perspective, we could find from them. In OSINT you will hear a lot said about false positives; well, what about false negatives?

I have decided to do a short follow-up blog on Telegram and how it has changed over time, just as Twitter and Facebook have done, to embrace privacy, and how this may affect OSINT research. I have used Telegram 8.4, an iPhone on iOS 15 and an Android 9 device for this blog.

Telegram has divided opinion within the privacy community as to its merits; most hardcore privacy enthusiasts, I believe, would not recommend it. From an OSINT perspective it has been a rich source of intelligence, but times have moved towards a more privacy-focused platform now.

Telegram originated in St Petersburg, Russia; the development team is now based in Dubai. The servers are apparently based in different locations around the globe. You can choose to store your data locally or on Telegram’s servers. It had an uplift in popularity last year when there was the furore over WhatsApp’s new ToS.

Personally I wouldn’t use it just as a means of communication, but I can see its appeal. It does offer a kind of end-to-end encryption (E2EE) through its secret chat facility, but there has to be user interaction as opposed to it being enabled by default, and there has been some debate as to whether Telegram have the back door encryption keys and how secure the encryption actually is.

But even Telegram, in these new times of the privacy-conscious user, has had to adapt, and this will have an effect on how Telegram is used and also researched from an OSINT perspective. Certainly since I wrote my previous blog on messenger apps in Jan 2020, Telegram has changed. Telegram has very flexible privacy and security options, which I will outline later in more detail.

How to Access Telegram

Telegram is very practical to use and has three ways in which to access it: the app, the desktop client or, if you do not want to download any software direct to your computer, web access through a browser, which can be achieved either with the mobile number you used to sign up or by scanning the QR code using the Telegram app. I have noticed that the desktop client can record the fact that it is in a VM if you choose to use one.

OPSEC alert: if you choose to use the above method to see if a number is on Telegram, it will send a code or SMS to the user of the account. In any case, even if you input a number not linked to a Telegram account, it will still tell you that it has sent a code, so you would be none the wiser as to whether the number was linked to an account.

A Telegram user cannot have multiple numbers on one Telegram account. Each number will represent a different account. On Signal you can lock a number to an account; there does not appear to be this option on Telegram. However, if you try to use a number already assigned to a Telegram account, you cannot use the number until that other account is deleted.

The above may well be an alternative way to see if a number is linked to a Telegram account where a POI has locked down their privacy and security settings. I haven’t seen any indications that the other account is notified that an attempt has been made to use their number on a new account.

Most of what I discuss below is based on the Privacy & Security option within Telegram’s Settings menu.

Once over a user was automatically discoverable to everyone by their mobile number; however, this is now disabled by default. For the OSINT investigator this may lead them to think that the subject of interest is not using Telegram if they have chosen to use a mobile number as a search operator, as in syncing contacts for example.

The methodology now may dictate that you try and find a username or display name linked to another platform where the subject mobile has been used and then search Telegram that way.

The Basics

I will cover first what steps you have to take once you have downloaded Telegram from the Google Play Store.

A new user will need a mobile number to enable them to create an account, as they will be sent a verification code. The mobile number does not have to be the user’s real number. I have had success with VOIP numbers, but remember some VOIP numbers are not able to process short codes, so you have to wait for the SMS verification to time out and Telegram will then ring you with the verification code.

The next screen takes you through to where to input a name, a first name is mandatory, a last name is optional. Needless to say a person can use whatever name or random characters they like.

Then the user has to accept the ToS. The next screen will then show them which of their contacts are also on Telegram. This is why it is important from an OPSEC perspective that you use a clean phone for the install, using a personal phone will create OPSEC issues for you. You are able to stop Telegram syncing your contacts.

You can follow the steps below but turn off the Contact sync.

Sometimes contact sync does not work on Android, so if this does occur you can follow the below steps: –
•    Reinstall the app (do not open yet)
•    Go into Android Settings > Accounts > Telegram and enable Contact sync
•    Open the app and check Contacts

If the above does not work for turning off contact sync on your particular flavour of Android or on Apple, then you can deny Telegram access to your contacts via the permission manager before you open the app. For those who are researching Telegram and do not have the luxury of a fresh phone and clean install, the above may be advisable, as you do not want Telegram telling all your contacts who are there that you are now on the platform.

Default Settings

I am not sure how many people rush to the settings as soon as they have downloaded an app, but it is one of the first things I do, especially the privacy and security settings. Below are the default privacy settings from the Android.

By opening the settings the user can create a username, bio and upload a profile photo. The display name will be the name that was provided at the above activation stage.

A username is not mandatory to be able to use Telegram; however, if a user does choose one then it is public and cannot be hidden. The advantage for a user of setting up a username is that they can share this with other users on Telegram and avoid having to share their telephone number.

Usernames are also searchable on the web, https://t.me/USERNAME.

A display name does not have to be unique but a username does.

Some of the ways to search Telegram are by display name or username in the search bar. You can see a user’s profile photo, and bio along with their last seen, depending on their privacy and security settings.

Being able to ‘see’ a number is not the same as searching for that telephone number. The only way you could ‘see’ the number of a POI is if they have altered their privacy settings, or if you were mutual contacts; syncing a number will not necessarily allow you to see who that number belongs to.

You will also be notified if a contact joins Telegram, although this can be disabled in the settings.

When I did my original blog, when you deleted a number from your contacts that you had synced with Telegram, you would be able to see the name the person had provided when they created their account that was held on Telegram’s server; this is no longer possible.

I will now take you through various settings that will affect not only your OPSEC but your ability to find subjects on Telegram.

A user can restrict who can see their phone number. By default it is now set to “My Contacts”; you can restrict it even from your contacts. Once over it was set to “Everybody.” A POI would have to change the default setting to ‘Everyone’ for the phone sync to work.

They can choose one of the following: Everyone, Contacts or Nobody. If you wanted, however, you can add exceptions from your contacts, so you can choose which of your contacts can see your number.

If they choose ‘Nobody’, even their contacts will only be able to see their Telegram username and not their phone number. If they choose ‘Nobody’, they are then presented with a further option of who can find their number: Everybody or Contacts.

So their number is not exactly 100% unsearchable, but it is limited, as you need to be mutual contacts. This is where, from an OSINT perspective, you mustn’t think that just because you cannot find a number you are interested in, the user of the number is not on Telegram.

There are other privacy settings that may make your OSINT research less fruitful. Telegram users can also restrict last seen online, profile picture, voice calls and who can add them to a group or channel.

A Telegram user can restrict who can see their profile photo to their contacts and even then they can add exceptions as to who can and cannot see it.

Online Monitoring

Last seen has always been an interesting OSINT consideration, and from an OPSEC perspective we wouldn’t want to be seen online. However, if you want to see whether a POI is online then you must not change your settings to disable it, as this will stop you from seeing your POI’s online status.

If your POI has altered their online privacy settings this is what you may see: –

•    Last seen recently — covers anything between 1 second and 2-3 days
•    Last seen within a week — between 2-3 and seven days
•    Last seen within a month — between 6-7 days and a month
•    Last seen a long time ago — more than a month (this is also always shown to blocked users)

As an OSINT investigator, if we see any of the above behavior all is not lost. Yes, we haven’t been able to find what we expected, but it does potentially tell us something about the POI that we are researching, in that they may be OPSEC aware themselves, so we have to adjust our methodology accordingly. Don’t think just because you cannot find someone or information about someone that they are not on Telegram.

A Telegram user can also restrict who can phone them on Telegram, the choices being Everyone, Contacts & Nobody. Again they are able to add exceptions. A user has a choice of whether to use peer-to-peer to route their calls through Telegram’s servers too. They may also disable iOS call integration, as this will stop their call history from being shared with Apple; this facility did not appear to be available on the Android version I was using.

Built-in OSINT Tools

There is a nice little OSINT tool within Telegram that will assist you with in-app translations when you are reading a message. Go to Settings – Language; you can then add a Translate Button to the context menu when selecting a message. Translation is available on all Android devices and iOS 15+. When you press and hold on a message the below box will present itself; click Translate.

The below example is from an iPhone, where you can choose to translate off-line by going to Apple Settings – Translate – (toggle on) – On-Device Mode. If you don’t choose this method then the data is sent to Apple to translate online.

It appears that Telegram is also rolling out its own OCR for iPhone & Mac that allows you to strip out text from an image, say a copy of a letter for instance, and then Telegram will reformat it as text for you.

Dutch OSINT Guy has an excellent video, which explains how Telegram works and how to investigate it: –
https://www.youtube.com/watch?v=e_aXQYq2l6U

One of my favorite specialist OSINT teams Aware-Online have a good article on how to use the, ‘Nearby’ facility on Telegram: –
https://www.aware-online.com/en/search-for-telegram-groups-based-on-location/

The article is based on the use of an emulator; you can achieve the same results on a regular mobile phone by using a location spoofer app.

Finally, Telegram users can also enable further privacy and security features, that may be of interest to LE: –

•    In the device settings they can terminate sessions based on inactivity from 1 week through to 6 months.
•    They can set up the account to be deleted after a certain amount of inactivity, from 1 month up until 12 months.
•    Two-step verification is by way of a password that they must use in addition to an SMS verification code if they want to set up a new device. This may not be as good as a randomly generated software token or hardware device token, but it is better than nothing at all. They can also set a recovery email address if they wish. Telegram will notify them in app if any logon attempts are made on the account.
•    They can set up a six-digit passcode to access the app. Once this is done they can then use the touch ID or facial ID to unlock the account. They can choose to lock the account after a certain amount of inactivity too.

I hope the above goes some way to explaining how Telegram’s privacy and security settings may potentially limit your ability to research a POI and how we as OSINT researchers may need to adapt. I am a firm believer that an OSINT practitioner needs to understand the privacy & security settings of the platform they are investigating to avoid false negatives.

What’s Up, with WhatsApp

I have been posting about WhatsApp recently so I thought I would make them all into a small blog.

I was surprised (or maybe I wasn’t) that it was recently revealed that the Prime Minister was using WhatsApp to communicate with his cabinet. The Digital Exposure vulnerabilities to the PM would immediately be apparent to a Hostile Threat.

The reason why a High Value Target such as the PM should consider moving to a more privacy focused alternative I would have thought would have been obvious.

Yes of course we know WhatsApp is encrypted, (they borrowed it from Signal) but it obtains a lot of metadata about the user, such as location information, contact information, user content, purchases, diagnostic information and more.

If you back your WhatsApp messages up to iCloud they are not encrypted, you may not even know you are backing your chats up to the iCloud if you haven’t taken the time to lock your mobile phone down.

Unless you know the workaround, you can only use WhatsApp by syncing your contacts. This is a massive OPSEC & Privacy vulnerability for a High Value Target. 89.6% of all phishing attacks carried out on messenger apps are delivered using WhatsApp. The Israeli cyber intelligence company NSO use WhatsApp to deliver its spyware, Pegasus, which is aimed at people who would be considered High Value Targets and can infect both Android and iPhones.

Further reading: –

https://www.bbc.com/news/technology-57910355

https://www.techrepublic.com/article/the-most-dangerous-messaging-apps-on-android/#:~:text=New%20data%20from%20Kaspersky%20reveals,whopping%2089.6%25%20of%20detected%20attacks

https://www.theverge.com/2021/3/8/22319136/whatsapp-cloud-backups-icloud-google-drive-password-encryption-security

https://www.androidpolice.com/2020/04/08/3-ways-to-message-a-number-on-whatsapp-without-adding-them-as-a-contact-first/?amp

WhatsApp was founded in 2009 and bought by Facebook in 2014 for $19 billion, a figure that valued each of the app’s 450 million users at around $42 a head. Facebook’s biggest property is now WhatsApp. The price may seem astonishing but in reality $42 a head, is a small price to pay for all the metadata that they receive on a daily basis from users, data that could be monetised by Facebook itself or by selling the information to third parties.

The latest WhatsApp statistics show that two billion of its users access the messaging app every month (Statista, 2021). That’s 0.7 billion (or approximately 54 percent) more than its closest rival and parent company’s Facebook Messenger.

Don’t forget WhatsApp is rolling out a new Terms of Service globally, which faced an initial backlash from users in relation to what information it would be sharing with its parent company.

Just think of how many people use WhatsApp to create groups, some will work in sensitive roles, so they can communicate when at work or outside of work with colleagues. WhatsApp won’t know what the text is in the message, but they could be able to work out who these people are, or buildings they work from etc, the metadata will not be anonymous.

For further reading on this subject https://www.wired.co.uk/article/whatsapp-instagram-facebook-data

I have also read articles that the PM’s mobile number was available online; it doesn’t appear he has been practicing good mobile hygiene or OPSEC. If I was a Hostile Threat, this would provide me with numerous opportunities and pivot points to exploit the number further.

If I was a Hostile Threat, and I knew your mobile number, then I can gain a certain amount of access to your WhatsApp account. Better still, if you leave your phone unattended I could either steal your account or duplicate it on my device, depending on what countermeasures you have deployed.

I have recently read that WhatsApp is going to make syncing your WhatsApp account to other devices more seamless an experience. Maybe not the best option from a privacy and security perspective.

At least there is a certain amount of security currently. If someone does sync your account without your knowledge to the desktop app, it is reliant on your mobile phone having a stable internet connection; when you lose internet it breaks the connection to the desktop, which means a Hostile Threat would need to re-sync your account. You should always check the ‘Linked Devices’ in your settings.

I totally understand that WhatsApp is convenient and all your friends and family are probably using it. In reality it is a personal choice and what you consider your own personal Threat Model to be. There is always a balance to be struck between, Privacy, Security and Usability.

Check out my other blog at https://www.cqcore.uk/something-a-little-different/ if you are interested in having more private, secure communications.

© cqcore 2021

Something a Little Different

(First Published on Medium September 2020)

Now, I thought I would write about something not totally OSINT related but maybe of use in some instances. As you know I like a bit of privacy too, so I thought I would do a little article on how we can achieve a little more privacy. We appear to spend vast sums on the latest super-duper mobile devices but then either don’t consider or don’t want to spend extra on safeguarding our privacy. Yes, it can cost, but I want to demonstrate how you can still buy a good quality mobile phone and afford to spend a little on your privacy too. Don’t forget simply locking your mobile phone’s privacy settings down doesn’t cost a penny.

A caveat here: this is just one way you can approach this subject, and not everything contained within may be suitable or desirable for everyone. This is a non-technical guide using everyday apps and services (I don’t do technical really well). Take what you want, leave what you don’t want.

Modern Apple & Android phones, for example, now offer embedded eSIMs, so it is now possible to have 2 mobile numbers for a device. This we see with some other types of phones that can accept two physical SIMs, one of which tended to be a throwaway. A user can now have an eSIM as their main service provider number but then use a pay as you go physical SIM as a throwaway that they can share with friends and family. Once it’s been truly compromised it can be easily changed.

It is also possible for anyone to have control of a second number for verification to apps etc., such as WhatsApp, or even use it for verification for non-essential services, such as junk email accounts. By buying a second phone for as little as £10 and putting a TopUp of £10 on it, you have a second number used only for authenticating apps, thus avoiding the need to share your real mobile number. The reason for topping the phone up is not because a user requires call data; it is simply so the network does not reclaim the number. Tesco currently sell an Alcatel mobile for £4.99 if you also top up with £10. Buy for cash and no personal details are required.

There are many privacy & operational security benefits to the above examples. The actual second phone and SIM could be stored at your home address and never leave. It also stops others storing your real mobile on their own device when using messenger Apps thus obfuscating your real mobile number. We know that the apps that others have on their devices suck up their contact list. So that fresh new phone number you have, is pretty much busted as soon as you start sharing it with friends and family.

Once you have obtained your second number it can then be used to verify messenger apps such as WhatsApp or Signal. Both these Apps are end to end encrypted. Apps such as Facebook Messenger and Telegram are not true E2E as there has to be some interaction on the part of the user to start a, “Secret Chat,” for instance. It is believed that Telegram have the encryption key which would enable them to unencrypt any messages.

Other E2E messenger Apps that are not as well known are Threema & Session. These apps do not require a mobile number to verify and are considered more secure and private than the previous ones mentioned. They rely on the user generating a secret key or Id, this is then shared via a QR code when two people or a group meet and verify each other as being genuine contacts. A mobile number will always be a weakness.

Some of these messenger apps have the capability to auto delete messages after a certain time or when the conversation reaches a certain length. Usability differs between iPhones and Android phones. Messenger apps are also capable of VOIP calling, in the main only to other users of the app.

VOIP (Voice Over IP) also known as VoLTE (Voice over 4G) is another way of making phone calls from a mobile. It does not rely on the traditional mobile carrier method that provides cellular connectivity, instead it uses a wireless network or 4G. There are many third party Apps available on both iPhone and Android that would allow you to use VOIP and they are sometimes marketed as temporary or disposable numbers.

Onoff is a French company that offers British VOIP numbers, as does Hushed, which is an American company. With Onoff you can buy a number with limitless call allowance for £50 a year. On both platforms you can have numerous disposable mobile numbers. If you’re a journalist or business person, for example, that travels abroad, these apps may be very useful.

Buy a temporary number, share it whilst you are away and keep your personal number private. I read an article by a journalist who went to a country in Africa and ordered a taxi, and when it arrived the taxi driver knew her name as he had used “Truecaller.” She had shared her personal mobile number that much it had been sucked up by Truecaller. We simply do not know how our mobile number is being shared and compromised.

Another popular privacy-focused VOIP provider is MySudo, which offers up to 9 alias phone numbers and email addresses for £450 a year; however, other pricing plans are available. All these Apps can be purchased through the App Store or Google Play using their own gift cards, which can be purchased with cash from any supermarket.

Another benefit of using an app like MySudo is that the user can store all their contacts in the app and not in the phone’s default contacts, and stop any calls from appearing in the device’s own call records.

https://hushed.com/

https://www.onoff.app/home/

https://mysudo.com/

Onoff & Hushed do offer a certain degree of privacy / anonymity; however, you have to open an account to purchase a number(s) and they also capture other data from the user. MySudo, however, is a zero logging company; you do not need to create an account to use their services. At the time of this write up MySudo is only available on Apple in the UK; however, it is planned to be launched on Android.

In the privacy policy of Onoff they state, for instance, that they log call data, usage and also SMS & MMS content, along with geolocation data, device identifiers and the standard identifier of detected Wi-Fi networks. Hushed have a similar privacy policy but also retain voicemail messages. MySudo does not capture any of this information, but there are still small tweaks that you can make, such as switching off the submission of crash and anonymised analytical data reports.

It is important to understand that the providers of VOIP numbers are in fact buying the numbers from Twilio, an American company that provides VOIP services; they then resell to commercial customers. In general terms VOIP numbers cannot be used for verifying accounts, but there are exceptions to that rule. I tried recently to use a VOIP number for Signal by ignoring the SMS verification option and opting for the phone call verification instead, but that failed too.

It is possible then for you to obtain more zero knowledge non traceable communication on an everyday modern mobile phone. I say, more, because I truly do not know exactly how or what companies such as, Apple, Google, Facebook etc are able to capture and how they link it all together but if anyone knows I would love to know too! (I have previously written about UUIDs and collection of personal data.)

On top of any measure you take you still need to consider the basics of locking down the privacy settings of the phone, this will also limit any information Apple or Google obtain for instance, pertaining to location data for example. You could lock your privacy settings down, turn off your location data but then use Apple Pay or Google Pay and still give away location information when you are purchasing goods or services.

So to try and make sense of it all, let’s try and put this into practice.

An iPhone SE costs £420 and can be purchased for cash. It uses the same chipset as the more expensive iPhone 11 but at a fraction of the price. To set your iPhone up, you can acquire 40GB of data on a Tesco pay as you go SIM costing £20 a month, and this can again be purchased for cash. If the user does not use their own Wi-Fi and uses 4G away from their home address, then the crucial IPs on creation that are valued will be near worthless. You may also choose to use free Wi-Fi, for instance at Tesco or Asda, as neither asks for authentication details such as mobile number, email or other PII (personal identifiable information).

You do not have to provide genuine PII for setting up the iPhone either, to enable you to use gift cards to pay for services through the App Store.

Apple SE 2020 edition.

To purchase 3 VOIP numbers and 3 email addresses and associated minutes and texts from MySudo will cost £100 for 12 months and can be paid for using Apple gift cards, again paid for using cash. On top of that, the use of a zero knowledge, no logs VPN (Virtual Private Network) from ProtonVPN will further hide a user’s IP and will cost another £100, again paid for using Apple gift cards.

Then you have the cost of a second phone and top up for £15. The overall cost is £655, and you will now begin to see that the cost of a more private, secure phone is not that expensive.

Using Apple and MySudo would enable a user to sandbox their communications, not just from the actual physical phone but also between the different apps and elements of their life, to ensure there is no contamination between different parts of their life. By using secure messaging platforms such as Signal, Session or Threema, along with MySudo, a contact may potentially never see the original Tesco mobile number that is used to provide 4G.

It is true that more effort is required on behalf of the user to ensure that they follow strict operational security and privacy practices. Even with a VPN I never use my home Wi-Fi; 4G allows you to blend with numerous other users sharing the same IP, in case your VPN ever fails. If you’re not up to any naughtiness no one should be interested in trying to find you in the crowd.

When looking closer at the iPhone SE, for instance, we should look to see if the following have been disabled in the settings menu. Android phones have similar settings, but I have to say Apple is easier to lock down. Android appears to have settings within settings and drives me nuts at times.

I have disabled Facetime as it is searchable via mobile number or email so anyone with an Apple device can see if their contact is on Facetime and contact them. Frustratingly I haven’t found a way to completely disable the search functionality, even if you delete the app. You can only stop people contacting you. (If anyone knows how to disable it completely please reach out). If I had an Android phone I could delete Google Duo, end of!

• Wi-Fi

• Bluetooth

• Personal Hotspot

• Siri

• Facetime

• Location Services

• Health

• Motion & Fitness

• Analytics & Improvements

• iCloud

• iCloud Drive

• Find My Phone

Also annoying, you can only update the OS over Wi-Fi. It’s easily achievable on your travels using free non-PII Wi-Fi.

All the above can easily be achieved using an Android phone. In fact Android is a more flexible OS and as such it is also possible to hide the existence of the apps on your home screen from prying eyes (but not completely). There are many apps that will help you hide apps, such as Nova Launcher. Probably the easiest way is to delete the app from the home screen(s) and from the app tray. Whichever way you hide your apps they are still easy to find. They have to exist in the Google Play Store list of installed apps, so you can find them there. I tend to watch how people look after their mobile devices in public. It is not hard to see what apps are on a person’s mobile.

Apple’s iPhone doesn’t make it as easy to disguise apps. You can do this natively with some of Apple’s preloaded apps by using the Screen Time options in the Settings menu, and there are also apps you can download, but I don’t like the idea of introducing another / unnecessary app and so I haven’t tried this.

Samsung offers a very intriguing app called Secure Folder. The easiest way to explain what Secure Folder is, is to say it is like having a phone within a phone. You can either copy your existing apps into Secure Folder, where they will be sandboxed from the original apps with their own files & cache, or you can download new ones from the Google Play store and create new accounts.

By using Secure Folder, unlike the Android example above, you would not be able to see the Secure Folder apps in the main phone’s Google Play Store, as it has its own. To access Secure Folder you would need a PIN or Fingerprint authentication. The app icon can be hidden from the home screen altogether using Quick Panel. This is something I intend to explore using a dual eSIM device.

Hopefully the above helps people improve their privacy; if you only alter the settings of the device you are using, it is still a win.

My Journey Into The World of OSINT

(First Published on Medium February 2020)

My journey into the world of OSINT is now just over one year old. OSINT is not the main area of my work, I don’t get to learn or practice anywhere near as much as I would like but it is certainly the work I enjoy the most.

Following on from my previous Blogs in relation to leveraging messaging apps for OSINT I thought I would share how I conducted the research.

I’m still working on the project, which I hope will help me increase my research potential in relation to mobile (cell) phone numbers and email addresses. Most of what I will write about can be done using free resources. It isn’t overly technical and it’s something I thought I would share for those like me who are still learning. There are many tutorials also available to assist with how to leverage the apps I am going to talk about.

The problem was how can I research mobile numbers and email addresses without relying upon the use of sites that require payment. Everything that happened in the summer of 2019 appears to have focused people’s attentions on creating their own OSINT tools. So what could I do with the platforms that people use everyday?

My first consideration as always is operational security. I won’t write about that as this would then become a lengthy article. Needless to say @dutch_osintguy has this covered for us with some great articles.

Next up is a sock puppet; @technisette and @jakecreps have some very good articles. My sock would only be used on this setup.

One part of my operational security was the use of a Virtual Machine to host what was going to be my OSINT setup. There are free flavours from both VMware & VirtualBox. My VM was going to be completely separate from any other OSINT VMs I have created and I was going to use a clean install of Windows 10. Next up was procuring myself an old Android phone. Family and friends are always upgrading phones so it wasn’t too hard getting my hands on one for free.

The phone was then factory reset and would only be used alongside my new VM. Setting the Android up is solely for the purposes of leveraging social media apps and messenger apps. You can use Wi-Fi (with VPN) to download the apps but you will need a SIM for verification purposes. In the UK a SIM will set you back £1 but you can pick them up for as little as a penny.

Needless to say, this is an ongoing project which can be expanded upon. The apps I started off with were the usual suspects, you may say, but I did expand it to include less well-known apps.

Next up was replicating this on my VM, so downloading the desktop applications.

Desktop Clients

You will see on the left-hand side the desktop applications available for the messenger apps from my previous blog. In the Bookmarks you will see which website applications are in use.

This way I can link these apps to my Android phone and enjoy the desktop experience. Then you can use the websites for the other social media sites. I also find that this is an easier setup for functionality, flexibility, recording and evidencing what I do.

You may have wondered why Android (people don’t seem to mind giving you old ones, which is a starter). You can use an iPhone, which I have done too; however, the next part of the setup is not Apple friendly: the use of Vysor. Vysor is a clever little application that enables you to control your smartphone from your computer as if it were just another window, via a Chrome extension or desktop app. There is a free version of Vysor too, bonus! The paid version is better though, which you would expect. You could in fact not use Vysor at all and rely on the desktop environment you have created, or you could just use Vysor full stop.

If you don’t like the idea of Android then cool, go with an Apple iPhone without using Vysor. You can still mirror iPhones on to your desktop; you just can’t control them using your mouse and keyboard like you can with Vysor. The above setup takes a little longer to set up than an emulator but I find it is easier and seamless to work with. The benefits are numerous, including the ability to seamlessly copy a profile picture and reverse image search it.

Now before I go any further I think it is important that we understand the risks of using any app to do our research. Truecaller, for example, will suck up your contacts as that is what their business is. So you have to be very careful and decide on a case-by-case basis whether you want your subject’s mobile number / email being harvested by all these companies. Privacy policies are boring but an essential read.

Disclaimer: with everything we do, the results are dependent upon our subject’s own OPSEC and privacy settings.

On WhatsApp our luck is in and our subject has not bothered about their privacy. We have a nice profile picture that we can do a reverse image search on and see where else on the web they appear. The bonus of having the desktop application is you can access the full profile picture and save it straight to your VM. Last seen is another nice touch: if you are keeping tabs on them you can watch when they are using WhatsApp; there are also apps that will monitor the account for you. Even if Last Seen is disabled you can still see when your subject is online. This could help you work out their patterns and determine where in the world they may be and the times they operate online. You may get really lucky if someone has updated their status and maybe provided an alternative means of contact because they are offline. Don’t forget to check their About Me either.

I have also used an Android emulator inspired by @aware-online and their excellent tutorial on how to geolocate groups on Telegram.

Needless to say this is not for nefarious purposes and it should also be used to understand the information you are giving away, from a privacy & OPSEC perspective.