Telegram OSINT VM Part 3

Thank you for returning to read the final part of the Telegram OSINT VM trilogy. This blog is more about my methodology: how I think when organising my work environment and some of the safeguards I take. I have my own methods that suit me as a person and the way I work. As always, take the bits that suit you and add your own flavour. I am a big believer in not just copying what someone else has done but incorporating it into your own methodology and ideas.

To give some context for what follows: I use a Windows host, either Windows 10 or 11 depending on the device I have chosen. According to statista.com, as of January 2023 Windows had just over a 74% share of the global desktop OS market. Different websites will give you different figures, but the one takeaway is that it is the most used desktop OS globally.

Again using statista.com, Windows is also the most targeted OS, with a 91% share of ransomware infections (ransomware being one form of malware), Fig 1.0.

Fig 1.0

Depending on our deployment, the above creates issues for Windows users of Telegram. The following are the steps I take to mitigate the risk. They are not 100% bulletproof, so I would always encourage running anti-malware / antivirus software on both your VM and your host.

I discussed in the previous blogs how we can protect ourselves by disabling every form of auto-download in Telegram. If you ever export your full Telegram account, you may be surprised at what is in there. If you do not take precautions, there may be malware in that export.

I know Linux and Mac users will be saying, well, don't use Windows. Unfortunately that is not an option for the majority, whether through restrictions at work, financial considerations or a lack of confidence with Linux. The same applies to using a dedicated device that can be reformatted. That is a good option, because if you do get infected you can simply wipe and rebuild the device. You may also consider a Windows VM for the same purpose, instead of relying on Linux antivirus to catch Windows malware on your VM. Whichever route you take, ensure you have anti-malware / antivirus software installed on both your host and your VM.

You must also remember that neither Linux nor macOS is bulletproof, and it would be a massive risk on the user's part to assume so.

You have to decide whether to enable features that move data between guest and host, such as a shared clipboard, shared folders or drag-and-drop, because each of these gives malware a path from your virtual machine to your host. It goes without saying that if you copy files from your VM to your host, any malware in them travels along for the ride.

I set my Windows host up with an Admin account and a standard User account, and I only ever use the User account. The reason is that, with UAC, an admin account is usually only asked to click through a consent prompt to run something elevated, whereas a standard User account is asked for the admin password. Some malware requires admin privileges to run or to persist, so this is potentially our first line of defence. Bear in mind that plenty of malware, ransomware included, runs perfectly well with standard user rights and can still encrypt or exfiltrate everything that account can read, so this limits the damage rather than prevents it.

In File Explorer on Windows I enable 'File name extensions' so that the full file name is visible; with extensions hidden, a file called invoice.pdf.exe is shown as invoice.pdf and looks like a document. I also enable 'Hidden items'.
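As an added illustration (not part of the original post, and not a tool the author uses), the script below models what Explorer does when extensions are hidden, only the final extension disappears, and flags the file names that rely on that. The sample names are constructed, the executable and document extension lists are an assumed representative set rather than an exhaustive one, and the right-to-left-override check goes one step beyond the post: the Unicode character U+202E reverses the visible tail of a name, so "report\u202efdp.exe" renders as "reportexe.pdf" even with extensions shown.

```python
"""Spot downloaded files whose names disguise what they are.

Added example, not from the original post. Models Explorer's hidden-extension
display and checks a name for three tricks: a Windows executable extension,
a document extension stacked in front of it, and a right-to-left override.
Extension lists are an assumed representative set; sample names are constructed.
"""
from pathlib import Path

# Extensions Windows runs on double-click (assumed representative list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs",
                   ".vbe", ".js", ".jse", ".wsf", ".wsh", ".ps1", ".msi",
                   ".hta", ".lnk"}
# Extensions a reader expects to be harmless to open (assumed list).
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
                 ".jpg", ".jpeg", ".png", ".gif", ".txt", ".csv", ".zip"}
RTLO = "\u202e"  # Unicode RIGHT-TO-LEFT OVERRIDE


def displayed_name(name: str) -> str:
    """What Explorer shows with 'File name extensions' off: the final extension is dropped."""
    return Path(name).stem


def check_name(name: str) -> list[str]:
    """Return findings for a single file name; an empty list means nothing odd."""
    findings = []
    suffixes = [s.lower() for s in Path(name).suffixes]
    if RTLO in name:
        findings.append("rtlo-character")
    if suffixes and suffixes[-1] in EXECUTABLE_EXTS:
        findings.append(f"executable:{suffixes[-1]}")
        # invoice.pdf.exe displays as invoice.pdf when extensions are hidden
        if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTS:
            findings.append(f"double-extension:{suffixes[-2]}{suffixes[-1]}")
    return findings


def scan_downloads(folder: Path) -> dict[str, list[str]]:
    """Check every file under folder; only names with findings are returned."""
    results = {}
    for path in sorted(folder.rglob("*")):
        if path.is_file():
            findings = check_name(path.name)
            if findings:
                results[path.relative_to(folder).as_posix()] = findings
    return results


if __name__ == "__main__":
    # Constructed sample names; point scan_downloads() at a real Downloads folder.
    for sample in ["invoice.pdf.exe", "report\u202efdp.exe", "photo.jpg", "setup.msi"]:
        print(f"{sample!r:28} shown as {displayed_name(sample)!r:22} -> {check_name(sample)}")
```

Run scan_downloads() over the folder Telegram saves to before you open anything from it; a clean result is not proof of safety (a genuine .pdf can still carry an exploit), it only removes the disguise.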

Fig 1.1 Windows 11: –

Fig 1.1

Fig 1.2 Windows 10: –

Fig 1.2

One useful feature of VMs is snapshots, a point-in-time copy of the VM's state. I do not create snapshots of my Telegram OSINT VM. Instead I keep a master copy and clone it to create a deployment VM. All my recording / auditing software for a deployment lives on my host. At the end of each deployment session, anything I have downloaded or captured on the VM that I think is important I transfer to my host.*

*Whether you use snapshots or cloned VMs, be extremely careful about what you copy to your host: have antivirus / anti-malware protection on both VM and host, and scan files both before and after you transfer them.

If my deployment VM is compromised, I discard it and spin up a fresh VM by cloning my master.

The way I organise my VM files is illustrated below, Fig 1.3: –

·    Back Up VMs where I store my Master VMs.
·    Live VMs, VMs that I am currently using on a deployment.
·    Filed VMs, VMs that are no longer active on a deployment.

Fig 1.3

There are numerous ways of organising your work environment and the software you use. Hunchly is a good example of auditing software, however it may not be an option for everyone due to organisational or monetary constraints. I like to have a system where material is separated, as sometimes I can't see the wood for the trees.

Below is how I set out my folders on both the host and the VM. I create a folder on the desktop with various sub-folders. This is fluid and depends on the specifics of the deployment, Fig 1.4: –

Fig 1.4

At the end of that day's deployment I move what I need onto my host for safekeeping. I never delete anything from my VM: you never know whether something you initially dismissed as irrelevant will become of interest, and if you work in law enforcement it may be required for disclosure / discovery.

I now have a system in place that I am confident I can build a report from, and that lets me bear witness to my work.
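Being able to stand behind what you copied from the VM is easier if you record a hash of every file at the moment of transfer and check it again before you report. The script below is an added example of that, not the author's tooling: it assumes the day's material sits in one folder tree, writes a manifest in the two-space "hash  path" format that sha256sum -c reads, and later reports which files changed, went missing or appeared. Keep the manifest outside the folder it describes, otherwise it reports itself as a new file.

```python
"""Build and verify a SHA-256 manifest for files moved from VM to host.

Added example, not from the original post. Assumes a plain directory tree;
the manifest is written as 'hash  relative/path' lines (sha256sum format)
with a comment line recording when it was produced.
"""
import hashlib
import sys
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file in 1 MiB chunks so large captures do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every file under root (relative POSIX-style path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def write_manifest(root: Path, manifest_path: Path) -> dict[str, str]:
    """Hash the tree and write the manifest; returns the mapping that was written."""
    manifest = build_manifest(root)
    stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
    lines = [f"# generated {stamp} for {root.name}"]
    lines += [f"{digest}  {rel}" for rel, digest in manifest.items()]
    manifest_path.write_text("\n".join(lines) + "\n", encoding="utf-8")
    return manifest


def read_manifest(manifest_path: Path) -> dict[str, str]:
    """Parse a manifest back into {relative path: digest}, skipping comments."""
    recorded = {}
    for line in manifest_path.read_text(encoding="utf-8").splitlines():
        if line and not line.startswith("#"):
            digest, rel = line.split("  ", 1)
            recorded[rel] = digest
    return recorded


def verify_manifest(root: Path, manifest_path: Path) -> dict[str, list[str]]:
    """Compare the tree against the manifest: files changed, missing, or new since it was written."""
    recorded = read_manifest(manifest_path)
    current = build_manifest(root)
    return {
        "changed": sorted(r for r in recorded if r in current and current[r] != recorded[r]),
        "missing": sorted(r for r in recorded if r not in current),
        "new": sorted(r for r in current if r not in recorded),
    }


if __name__ == "__main__":
    # usage: manifest.py write|verify <folder> <manifest-file>
    action, folder, manifest = sys.argv[1], Path(sys.argv[2]), Path(sys.argv[3])
    if action == "write":
        print(f"{len(write_manifest(folder, manifest))} files recorded in {manifest}")
    else:
        for kind, files in verify_manifest(folder, manifest).items():
            print(f"{kind}: {files}")
```

An all-empty verify result is what you want to see before the material goes into a report; a non-empty "changed" list means a file was altered after you moved it, which is exactly the question a disclosure challenge will ask.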

The last consideration is how you safeguard your work: do you leave it on your host, store it in the cloud, or move it off the host onto an encrypted offline storage device? This will depend on your personal or organisational requirements. My preference is to store my work offline on an encrypted device. This may not be best for everyone; for people who work from multiple locations or need to share their work with colleagues, cloud storage may be the better solution. Whichever solution you choose, as with everything in OSINT, make sure there is a methodology behind your thinking. Don't do something because that is the way it has always been done or because other people do it that way.

What started out as one blog ended up being a trilogy; I wanted to do justice to the subject matter. I hope that you have found my Telegram blogs useful, and thank you for staying with me. I always reach out to someone in the OSINT community to proofread my work; it is a great community and very supportive. I would like to take one last opportunity to say thank you to Griffin @hatless1der, who was kind enough to proofread my work and gave me some other ideas to consider.

Element – The New(ish) Kid On The Block

Element came to my attention a few years ago, when I heard people in the privacy community talking about it. I wanted to see, from both an OSINT and a privacy perspective, what I could find out: what was freely available to be discovered.

Since 2016 Element has been known under other names, including Riot and Vector, and is a client for the Matrix protocol. Matrix is a decentralised network of homeservers that can be self-hosted or fully managed. Element now appears to have settled on its name and has been gaining popularity.

Element is available on the web and as Android, iOS, macOS, Windows and Linux desktop apps. It is aimed at organisations / businesses in a similar way to Slack and, like Slack, it is free for personal use. Element uses the end-to-end encryption defined in the Matrix open standard, which enables E2EE personal messaging. You can encrypt a room as well, although for public rooms this does not appear to be recommended.

I am going to talk about the free version of Element, mainly on the matrix.org server. When you sign up you need to choose a server; the default is matrix.org. You only need to provide a username and password. You can provide an email for account recovery, and it is then optional whether you make it discoverable to your contacts. You may be asked during sign-up to provide an email for verification, but you can remove it as soon as you are set up. You cannot sign up with a mobile number, but you can add one to your account afterwards and make that discoverable too.

Through bridges, you can use Element to communicate with other chat platforms, including Slack, Signal, Telegram, Facebook Messenger, Google Hangouts, Skype, Discord, Twitter and even iMessage.

For the purpose of this blog I used a mixture of, Linux, Windows, Android & iOS, as I wanted to see the differences in functionality.

Researching Element from outside an account is not as easy as it is with Telegram or Discord.

I find the layout and usability of Element similar to Telegram, which I use quite a bit. If you have ever used the web version or desktop app of Telegram, you will be at home searching on Element.

You can search by keyword, name, user-id, email address or mobile number, although, as I explain later, it isn't always straightforward. You can also search for rooms and search within a room. You are able to search globally for people and rooms, and the results differ depending on which device and OS you use.

When searching for a room by keyword, the rooms are ranked by how many members they have. Once in a room you can start exploring, however the room's history visibility setting shown below, which the room admins control, determines how much of the room's history you can see.

You are able to explore the settings of a room, so you would be able to see who has been banned from a room for instance.

You will see that you can discover people on other platforms who may not actually be on Element. t2bot.io is a public bridge host for Matrix that bridges to Telegram, Discord and others, so you won't be surprised to hear that you can find similar groups and content on Element as you can on Telegram and Discord. Element is also integrated with Gitter, the messenger app for GitLab and GitHub; the company behind Element also owns Gitter.

If you wanted, you could use Element as a search engine for Discord, Gitter, Telegram, Twitter and so on. Something else to remember is that room owners can run their own bridges that have nothing to do with t2bot.io.

Within the account settings is a section called Discovery, and this is where users will find the Identity Server. It allows a user to be discoverable by their email or mobile number if they have linked them to Element. Discovery is disabled by default, and the default identity server is vector.im. Turning Discovery on does not automatically make a user's email and mobile discoverable: the account holder must give separate permission for each, as tested on an Android device.

On both Android and iOS you can sync your contacts with the identity server. The following explains how the identity server works:

‘You can look up a Matrix ID by searching for its associated Third Party Identifiers. You cannot look up Third Party Identifiers by searching for their associated Matrix ID. For example: if Alice has used the Identity Server to link her email, alice@example.com with her Matrix ID, @example:matrix.org, other users can look up her Matrix ID by querying the Identity Server with her email address, but they cannot discover her email address by querying the service with her Matrix ID.’
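The one-way property in that quote comes from how the identity server stores bindings. The model below is an added example, not code from Element or from Sydent (matrix.org's identity server): it follows the hashed lookup of the Matrix identity-service v2 API (MSC2134), in which the client hashes "<address> <medium> <pepper>" with SHA-256, encodes it as unpadded URL-safe base64 and sends only the hashes, and the server returns Matrix IDs for any hash it has a binding for. The pepper value, the directory contents and the lowercasing of email addresses are constructed assumptions of this toy model. It also shows the limit of the guarantee: there is no query keyed by Matrix ID, but anyone holding a list of candidate addresses can still check which of them belongs to a given ID.

```python
"""Toy model of Matrix identity-service hashed lookup (MSC2134 scheme).

Added example, not from the original post or from Element/Sydent. The
server keeps bindings keyed only by hash(3PID); a client can resolve
addresses it already knows to Matrix IDs, but nothing maps an ID back.
Pepper, directory contents and email normalisation are constructed.
"""
import base64
import hashlib


def hash_3pid(address: str, medium: str, pepper: str) -> str:
    """Hash one third-party identifier: sha256("<address> <medium> <pepper>"), unpadded base64url."""
    if medium == "email":
        address = address.strip().lower()   # assumption: normalise case before hashing
    digest = hashlib.sha256(f"{address} {medium} {pepper}".encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


class IdentityServer:
    """Stores address->Matrix ID bindings keyed only by the 3PID hash."""

    def __init__(self, pepper: str) -> None:
        self.pepper = pepper           # served to clients via /hash_details
        self._bindings: dict[str, str] = {}

    def bind(self, address: str, medium: str, mxid: str) -> None:
        """A user linking an email or phone number to their account."""
        self._bindings[hash_3pid(address, medium, self.pepper)] = mxid

    def lookup(self, hashes: list[str]) -> dict[str, str]:
        """The /lookup call: {hash: mxid} for every hash the server recognises."""
        return {h: self._bindings[h] for h in hashes if h in self._bindings}


def find_mxids(server: IdentityServer, contacts: list[tuple[str, str]]) -> dict[str, str]:
    """Client side of contact sync: address -> Matrix ID for contacts that are bound."""
    by_hash = {hash_3pid(addr, medium, server.pepper): addr for addr, medium in contacts}
    return {by_hash[h]: mxid for h, mxid in server.lookup(list(by_hash)).items()}


def addresses_for(server: IdentityServer, mxid: str,
                  candidates: list[tuple[str, str]]) -> list[str]:
    """The only 'reverse' lookup available: try candidate addresses and keep
    those the server binds to mxid. Without a candidate list there is nothing
    to send, which is the guarantee quoted above."""
    found = find_mxids(server, candidates)
    return sorted(addr for addr, bound in found.items() if bound == mxid)


if __name__ == "__main__":
    srv = IdentityServer(pepper="constructed-pepper")        # constructed data
    srv.bind("alice@example.com", "email", "@alice:matrix.org")
    print(find_mxids(srv, [("alice@example.com", "email"), ("bob@example.com", "email")]))
    print(srv.lookup(["@alice:matrix.org"]))                 # a Matrix ID is not a key: {}
    print(addresses_for(srv, "@alice:matrix.org", [("alice@example.com", "email")]))
```

The practical reading for OSINT is the last function: the directory cannot be walked from an ID, but if you already hold a shortlist of emails or numbers for a target, a normal contact sync will confirm which one is linked.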

You are able to search across servers for people and rooms. As mentioned, matrix.org is the default server. It is worth noting that when you search within your account you will see user-ids from the servers shown below.

When logged into an account you can use the global search bar, or the separate options for searching for a room or for a person.

I didn't find the global search for people particularly effective on the web or desktop version. You can search Element for rooms or people, and in the people option you can search by keyword too, which is good if you are looking for a user who may have a keyword like Osint in their display name or user-id.

Below is an example of how the t2bot.io bridge has surfaced users on Twitter and Discord using Osint as a keyword.

Along with the display name, username and profile image you will also see a user-id. What I can say is that the user-id is correct for the Twitter and Discord accounts.

Searching for rooms offered more consistent results and was straight forward, however I noticed that only my iOS showed me the status of people in a room.

I found Element's native search facility poor; it does not always show you the person you are looking for, although you can see profile images, display names and usernames. If you know the person's Matrix user-id you can start a DM with them directly; if you only know their email address, this works only if they have linked it and enabled Discovery.

As I say, entering an identifier into the global search bar will not necessarily find the user you are looking for. You will frequently be presented with the below: –

I believe this reflects privacy settings, especially for users on matrix.org who have not enabled Discovery.

In a personal chat you are able to share your location with someone and vice versa. I haven't explored this side of Element yet.

You can read more about location sharing here: –

https://element.io/blog/element-launches-e2ee-location-sharing/#:~:text=To%20share%20your%20location%2C%20click,a%20map%20displaying%20your%20location

When you join a room there is a drop down menu that contains the following:-

·    People lets you see who is already in the room, with the option to invite others to join.

·    Files gives you instant access to the shared files in the room.

·    Export chat lets you download the conversation in a room and export it to HTML, Plain Text and JSON formats.

·    Share room gives you a way to invite multiple people to the room, via a QR  code or social media.

·    Room settings gives you a series of advanced room setting options.

Please note that as an ordinary room member you can only amend a few settings of a room, such as notifications.

In the room you can look at the members, and some will have interesting details available, such as their logged-in sessions.

You can also see those sessions, which contain some interesting OSINT information.

What you can see from the above are the session(s) a user is logged in to. Not all of the sessions may be live, though; they may simply have forgotten to delete old sessions from their settings menu. Because Element asks you to log in again after a period of inactivity, you can end up with numerous sessions. The information you see is also determined by this setting, which is off by default: –

I have noticed in my own settings that the device I am currently using appears as the top device, however I have not been able to determine how they are ranked when looking at my sessions from another account.

One matter to note: users can rename their sessions, so bear that in mind when you see information such as the name of a device or OS.

In a room you can also see a member's profile image, display name and user-id. A user can change their display name but not their user-id.

You can also search the chat / room you are currently in, or across all of the chats / rooms you are a member of. Select the spyglass icon in the top right-hand menu and then search by your chosen keyword.

If we know how the URL is structured, we can access public rooms from a browser without being logged in. Whether a room can be reached this way depends on the room setting shown below (guest access), which is set by the admin.

You will be shown as a guest when not logged in. Always double-check that you have the URL correct for any query, because Element will simply prompt you to sign in and you may not realise that you have made a mistake in the URL.

As I have said, not all rooms that are publicly visible will have guest access enabled, and you may be asked to sign in. You also need to check that Element hasn't simply flagged your behaviour as suspicious, which would mean starting afresh with a new browser, IP and maybe device.

The URL structure for searching rooms is: –

https://app.element.io/#/room/#NAME-OF-ROOM:matrix.org

The part after the colon depends on the server the room lives on; the example above is matrix.org. The alias in the URL is not necessarily the same as the room's display name, it all depends on what the admin has set under 'Published Addresses'.

If you do not know the name of a room, type https://app.element.io/#/room/#:matrix.org (the alias left empty) into the address bar and Element will still bring up the global search bar, where you are able to search by keyword.
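Because a single misplaced character in that URL produces a sign-in prompt rather than an error, it is worth generating and checking room URLs rather than typing them. The script below is an added example, not Element's own code. It assumes the identifier grammar of the Matrix specification (user '@localpart:server', room alias '#alias:server', room ID '!opaque:server', where the server part may carry a port), Element Web's route https://app.element.io/#/room/<alias-or-id>, and the https://matrix.to/#/<id> permalink form that Element's Share room option produces. The sample identifiers are constructed.

```python
"""Parse Matrix identifiers and build or check Element web room URLs.

Added example, not Element's code. Matrix identifiers are
'<sigil><localpart>:<server>' with sigil @ (user), # (room alias) or
! (room ID). Element Web opens rooms at <base>/#/room/<alias-or-id>;
matrix.to permalinks use https://matrix.to/#/<id>. Samples are constructed.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

SIGILS = {"@": "user", "#": "room_alias", "!": "room_id"}


@dataclass(frozen=True)
class MatrixId:
    kind: str
    localpart: str
    server: str

    def __str__(self) -> str:
        sigil = {v: k for k, v in SIGILS.items()}[self.kind]
        return f"{sigil}{self.localpart}:{self.server}"


def parse_matrix_id(text: str) -> MatrixId:
    """Split on the first ':' only: the localpart cannot contain one, the server part may (port)."""
    text = text.strip()
    if not text or text[0] not in SIGILS:
        raise ValueError(f"missing or unknown sigil: {text!r}")
    localpart, sep, server = text[1:].partition(":")
    if not sep or not localpart or not server:
        raise ValueError(f"not a Matrix identifier: {text!r}")
    return MatrixId(SIGILS[text[0]], localpart, server)


def element_room_url(room: str, base: str = "https://app.element.io") -> str:
    """URL that opens a room in Element Web from its alias or room ID."""
    mid = parse_matrix_id(room)
    if mid.kind == "user":
        raise ValueError("user IDs live under #/user/, not #/room/")
    url = f"{base}/#/room/{mid}"
    if mid.kind == "room_id":
        url += f"?via={mid.server}"   # room IDs carry a server hint; aliases resolve on their own
    return url


def matrix_to_url(identifier: str) -> str:
    """Permalink form produced by Element's Share room / share user options."""
    return f"https://matrix.to/#/{parse_matrix_id(identifier)}"


def room_from_element_url(url: str) -> str:
    """Extract the room alias/ID from an Element room URL, rejecting malformed ones.
    A stray slash such as '#/room/#/name:matrix.org' leaves a bare '#' as the
    room token, which is exactly the kind of typo that ends in a sign-in prompt."""
    fragment = urlsplit(url).fragment            # '/room/#name:server[/$event][?via=...]'
    parts = fragment.split("/")
    if len(parts) < 3 or parts[1] != "room":
        raise ValueError(f"not an Element room URL: {url!r}")
    room = parse_matrix_id(parts[2].split("?", 1)[0])
    if room.kind == "user":
        raise ValueError(f"room route carries a user ID: {url!r}")
    return str(room)


if __name__ == "__main__":
    print(element_room_url("#osint:matrix.org"))           # constructed alias
    print(matrix_to_url("@alice:matrix.org"))              # constructed user
    for candidate in ["https://app.element.io/#/room/#osint:matrix.org",
                      "https://app.element.io/#/room/#/osint:matrix.org"]:
        try:
            print("ok  ", room_from_element_url(candidate))
        except ValueError as exc:
            print("bad ", exc)
```

Run room_from_element_url() over any room link you are about to record or share; if it raises, the link is not one Element can resolve, and a sign-in prompt from it tells you nothing about the room's guest-access setting.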

Sometimes a public room that I was able to access from the web one day has suddenly presented me with the sign-up / sign-in prompt. That said, if you come across this you will still be offered the facility to search for public rooms, and you can use the global search bar to find the room you originally wanted but were stopped from entering by the sign-in prompt. If this fails, think about refreshing your session and look at your OPSEC measures, such as your VPN; change your server location if necessary.

Even though the below gives you the facility to search for people, selecting this option will present you with the sign-in / create an account prompt.

My initial theory is that Element doesn't want you to be able to search for users without being logged in. The URL structure for a user appears like this: –

The numbers at the end appear to be random, but what I did notice is that when I inserted a user-id I knew existed into the URL, I was shown the circle of doom and a log-out prompt, whereas when I tried a username that I had absolutely no idea existed or not, I was shown a 404 error.

As a guest on the web version you are still able to see most of what you could see if you were signed in. A couple of differences I have found are that you are not able to access the files and there is no spyglass. As you can see from the image below, it is still the same menu as the one I showed you earlier when I was logged in. You can export the chat as a guest.

When you are logged in, and in a room or a chat you will see these icons in the top right.

If you are not logged in and using the browser you only see these icons.

Room and member profile images do not appear to be consistent in size. If you access them from the group chat, what I have found is that you are able to manipulate the URL. The below is for an image that is 30 x 30; you can enlarge it to 100 x 100.