Telegram OSINT VM Part 3

Thank you for returning to read the final part of the Telegram OSINT VM trilogy. This blog is more about my methodology: how I think when it comes to organising my work environment and some of the safeguards I take. I have my own methods that suit me as a person and the way I work. As always, take the bits that suit you and add your own flavours. I am a big believer in not just copying what someone else has done but incorporating it into your own methodology and ideas.

To give you some context for what follows: I use a Windows host, which can be either Windows 10 or 11 depending on the device I have chosen. According to statista.com, as of January 2023 Windows has just over a 74% share of the global desktop OS market. Different websites will give you different figures, but the one takeaway is that it is the most used OS globally.

Again using statista.com, Windows is also the most targeted OS, with a 91% share of ransomware infections (ransomware being a form of malware), Fig 1.0.

Fig 1.0

When we are using Telegram, depending on our deployment, the above creates issues for Windows users. The following are the steps that I take to try to mitigate the risk. It is not 100% bulletproof. I would always encourage the use of anti-malware / anti-virus software on both your VM and your host.

I talked in the previous blogs about how we can try to protect ourselves by disabling any form of auto-download in Telegram. If you ever download your full Telegram account, you may be surprised to see what is in there. If you don't take precautions there may be malware in your account download.

I know Linux and Mac users will be saying, well, don't use Windows. Unfortunately that is not an option for the majority, either through restrictions at work, financial considerations or a lack of confidence in using Linux. The same applies to using a dedicated device that can be reformatted. This would be a good option, as if you do get infected you can simply reformat the device. You may consider just using a Windows VM for the same purpose, instead of relying on the Linux AV to scan for malware on your VM. Whichever route you take, ensure you have anti-malware / antivirus software installed on both your host and your VM.

You must also remember that neither Linux nor macOS is bulletproof, and it would be a massive risk on the part of the user to think so.

You have to decide whether you want to enable features that employ file sharing, like the shared clipboard, as these are capable of spreading viruses between your virtual machine and your host machine. It goes without saying that if you transfer files from your VM to your host, any malware will travel along for the ride.

I set my Windows host up with an Admin account and a User account. I do not use the Admin account; I only use the User account. The reason is that an admin account does not, in the main, require a password to execute programs, whereas a standard User account ordinarily will prompt for admin credentials. Some malware requires Admin privileges to run, so this is potentially our first line of defense.

In File Explorer on Windows I enable 'File name extensions' so that you can see the full file name; this is to ensure there are no disguised .exe files, for example a file that shows as 'invoice.pdf' but is really 'invoice.pdf.exe'. I also enable 'Hidden items'.
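As an added example (not part of the original blog), the following PowerShell checks the two host safeguards just described for the account you are signed in with: that it is not an administrator, and that Explorer shows file extensions and hidden items, fixing the Explorer view if needed. The registry key and values it reads are the ones Windows uses for those Explorer options; the function names are my own.

```powershell
# Added example (not from the original blog): checks the host safeguards described
# above for the Windows account you are currently signed in with.
# Assumes Windows 10/11 and that it runs in a PowerShell session as the
# everyday User account you intend to use for deployments.

$explorerKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Test-RunningAsAdmin {
    # True when the current token holds the Administrators role, which we do NOT want for day-to-day use
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-ExplorerViewSettings {
    # HideFileExt: 1 = extensions hidden (Windows default), 0 = shown
    # Hidden:      1 = hidden items shown, 2 = not shown (Windows default)
    $props = Get-ItemProperty -Path $explorerKey
    [pscustomobject]@{
        ExtensionsShown  = ($props.HideFileExt -eq 0)
        HiddenItemsShown = ($props.Hidden -eq 1)
    }
}

function Set-ExplorerViewSettings {
    # Per-user registry change, so no admin rights are needed; restart Explorer
    # (or sign out and back in) for existing windows to pick it up
    Set-ItemProperty -Path $explorerKey -Name HideFileExt -Value 0 -Type DWord
    Set-ItemProperty -Path $explorerKey -Name Hidden      -Value 1 -Type DWord
}

if (Test-RunningAsAdmin) {
    Write-Warning 'This session has Administrator rights; do deployment work from the standard User account instead.'
} else {
    Write-Host 'OK: running as a standard (non-admin) user.'
}

$view = Get-ExplorerViewSettings
if (-not ($view.ExtensionsShown -and $view.HiddenItemsShown)) {
    Write-Warning 'Explorer is hiding file extensions and/or hidden items; applying the recommended view settings.'
    Set-ExplorerViewSettings
    Get-ExplorerViewSettings   # show the settings as they are now
} else {
    Write-Host 'OK: file extensions and hidden items are visible in Explorer.'
}
```

Run it from the User account, not the Admin one, so that the first check reports the account you actually work in.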

Fig 1.1 Windows 11

Fig 1.2 Windows 10

One good aspect of VMs is that you can create snapshots, a point-in-time copy of the state of your VM. I do not create snapshots of my Telegram OSINT VM. I create a master copy and then clone it to create a deployment VM. All my recording / auditing software for a deployment is on my host. At the end of each deployment session, anything I download / capture on my VM that I think is important I transfer to my host.*

*Whether you use snapshots or clone VMs, you need to be extremely careful about what you copy to your host. Make sure you have antivirus / anti-malware protection on both your VM and your host, and ensure you scan before and after you transfer any files.

If my deployment VM is compromised, I will spin up another VM from cloning my Master.

The way I set out my VM files is illustrated below, Fig 1.3:

·    Back Up VMs, where I store my Master VMs.
·    Live VMs, the VMs that I am currently using on a deployment.
·    Filed VMs, the VMs that are no longer active on a deployment.

Fig 1.3

There are numerous ways of organising your work environment and the software you use. Hunchly is a good example of auditing software; however, this may not be an option for everyone due to organisational or monetary constraints. I like to have a system where material is separated, as sometimes I can't see the wood for the trees.

Below is how I set out my folders on both the host and the VM. I create a folder on the desktop with various sub-folders. This is fluid and depends on my deployment specifics, Fig 1.4:

Fig 1.4

At the end of that day's deployment I will move what I need onto my host for safekeeping. I never delete anything from my VM, as you never know whether something you initially dismissed as not relevant will become of interest, and if you work in Law Enforcement it may be required for disclosure / discovery.

I now have in place a system that I am confident I can build a report from, and that allows me to bear witness to my work.

The last consideration is how you safe-keep your work: do you leave it on your host, store it in the Cloud, or move it off your host to an encrypted storage device kept offline? This will depend on your personal or organisational requirements. My preference is to store my work offline on an encrypted device. This may not be best for everyone; for people who work from multiple locations or need to share their work with colleagues, Cloud storage may be the best solution. Whichever solution you choose, like everything in OSINT, make sure there is a methodology to your thinking. Don't do something because that is the way it has always been done or because other people do it that way.

What started out as one blog ended up being a trilogy; I wanted to do justice to the subject matter. I hope that you have found my Telegram blogs useful, and thank you for staying with me. I always reach out to someone in the OSINT community to proofread my work; it is a great community and very supportive. I would like to take one last opportunity to say thank you to Griffin @hatless1der, who was kind enough to proofread my work and gave me some other ideas to consider.


The World of Wigle

I first became interested in the potential of Wigle (Wireless Geographic Logging Engine) and wardriving for the purpose of OSINT just short of 3 years ago, after reading Micah's (@WebBreacher) excellent blog on it, which you can read here: https://osintcurio.us/2019/01/15/tracking-all-the-wifi-things/. Since then it has become one of my go-to tools for OSINT.

I would encourage you to read Micah's blog, as my blog does not aim to replace it. It will also help you understand how Wigle works, which means I don't need to do as much writing. What I want to do is share my experience of how Wigle has helped me with my OSINT research.

At the same time as I was writing this blog, one of OSINT's unsung heroes, GONZO (@GONZOs_int), released a thread on Twitter, https://twitter.com/GONZOs_int/status/1466872414470651917; add this to your Wigle arsenal too.

You can use Wigle without an account, but I would recommend creating one as you will then have more options available, such as the advanced search options. You need not provide anything other than an email address, username and password to create your account.

I have never received another email from Wigle since I authenticated my account, which we like, and I don't see much activity from my uBlock Origin extension, which we also like. Wigle will ask permission to access your location, which you can block and the site will still work fine.

From an OPSEC perspective you should not have your browser set up so that websites can automatically access your webcam, microphone, location, etc. Remember, I tweeted a Top Tip about how a VPN may not be enough to hide your location due to what websites can access on your computer; check here to see if you are protected: z0ccc.github.io/LocateJS/

I do not usually use Wigle as my first port of call when carrying out an OSINT investigation. I like to build up as much information as I can about a subject first, as this can make searching Wigle more productive, but there have been times when I have struggled with my research and so have turned to Wigle.

There are three main search tools I feel you need to remember when using Wigle:

BSSID – MAC Address of the device / access point
SSID – Device / Network Name
Location – Country, City, Street or even a postcode (ZIP)

Below is a screenshot of the advanced search options. The highlighted red boxes are what I use the most.

Micah demonstrated in his blog how easy it is to search for Apple iPhones because of the way Apple names the phone using your own name after you have set up your profile.

What if we only had a first name and the town or city where our subject lived? Can we search Wigle and find a physical address?

In the image below I know my subject is called David and that he lives in Derby in the UK. I have used the % wildcard after the name so that Wigle will return everything it has saved in Derby with the name David in it.

Wigle has returned 35 results, which is a manageable number for us to research further.

In the next image below I have picked an SSID that I am interested in. What you have to remember is that the coordinates recorded on Wigle are subject to variation, and as you can see from Wigle's own map, the location of the SSID we are interested in may not be plotted 100% accurately. The grey area is where Wigle has plotted the device / network location. The locations shown are actually those of the person doing the wardriving at the time the device / network was recorded, not necessarily the device itself.

From a privacy perspective I have tried to anonymize the results without spoiling the methodology or result.

I am not a massive fan of Wigle's own interactive map, but we have to appreciate that Wigle is a community and they do not have infinite resources. For continuity I have used the mapping site that Micah recommended, https://www.mapcustomizer.com/, and plotted all the latitude and longitude coordinates that Wigle provided.

It appears from the above map that our subject may live in or around the above area of Derby. In the UK we have a very useful data aggregation website called 192.com. It will give you a taster of the information it holds; you would need to create an account and pay for full access.

For our purposes the partial details it provides will suffice, as we can use what it does give us to pivot into other areas, social media etc. I can tell you DE1 is the postcode of the above area. I initially searched on the above location, which gave me a list of people who lived on the road of interest.

I then clicked through the results until I found one called David, which then brought up the full name, as below.

I used David%; don't forget though that David could be david, Davy, davy, Dave or dave, etc., so you may need to do more than one search.

The example above is purely fictitious; however, using the above methodology and plenty of tenacity has brought me good results. I have turned a first name and a city into a potential home address, as well as obtaining a last name and a partner's name. This opens up other avenues for us to explore.

It is by no means a foregone conclusion that you will find what you are looking for, but Wigle is a powerful OSINT tool that cannot be ignored.

In this second scenario I only know my subject's name and where they work, and very little else. You may remember from a previous blog that Ritu Gill (@OSINTtechniques) and I wrote, which you can read here, https://www.cqcore.uk/are-you-linked-in/, how easy it is to search LinkedIn for your subject. Well, workplaces are subject to wardriving too.

In this example we will say that our subject works at Television Centre, London. All the purple spots represent a device / network. By zooming in you can see the individual BSSID and SSID, or you could scroll down the list of devices in the table of results.