Exploring Interesting OSINT Search Party CTF Submissions

Joshua Richards

October 27, 2020

Introduction


It has been a while since my last blog post, so I thought I would come back with one which I hope people can learn some new resources from. To help me with this, Trace Labs kindly sent me a full list of websites from the submissions of one of their Global OSINT Search Party CTFs.

Trace Labs stripped the links down to just domains so that I could see what websites people were using to find information, but it means they weren’t revealing all of the intelligence found about the missing persons and specific pages visited.

From the 459 unique websites used in the submissions, I have picked out eight to talk about here and I hope that these will allow you to explore new avenues in your investigations. A lot of flags are often found through social media, but sometimes it is important to search other sources to find the information that isn’t on social media. For example, using public records to find addresses and phone numbers, or breached data to find IP addresses, usernames, and emails. There may be cases where you can’t find a social media profile because the person may not own one or you don’t have enough information to locate it. These sources will often allow you to find information even if the person doesn’t have social media or it will give you more information that can be used to locate the profiles.

I hope that you will be able to use these resources for some of your own future OSINT Search Party CTF submissions.

Services discussed in this post: 

xlek.com

This is one of the resources that I feel may be known by many people already but I saw it in the list of submissions and thought it has so much data that I just had to show it.

By just entering a name and a state, it will search through data for marketing vehicle sales, businesses, domain WHOIS, voter registration, campaign contributions, White House visitors, and more. This website can work better if your target has a more unique name as you can’t seem to filter down any more than just a name and state.



The screenshot below is a search for “John Smith” in all states so you can see there are clearly some limits to the search results. If you do know more information about your target, you can expand all the returned sections, and use your browser’s search function (CTRL + F for example) to search for more specific cities, emails, relatives, or anything else that may show up in the results. Also, if your target does have a more unique name, it is worth searching it in all states because they could have data in other states even if they don’t currently live there.



Pivoting

This website gives you a lot of possibilities for pivoting as you could be given a phone number or an email, both of which could be used to find connected social media accounts or can be searched on other public records websites to find more information. It may give you an address which you can view in mapping applications, and it is common in CTFs for people to use NSOPW to find registered sex offenders living around that address. You could be given a VIN for a vehicle so you can search the VIN to find specific details about it and find old sales pages that show detailed pictures inside and outside of the car. Depending on the results that are returned, there are a lot of ways to pivot from the data you find here.

echovita.com

Echovita is a site that allows you to search for obituaries. These can help you to find family networks. Sometimes it can be hard to locate some family members because they could be living in another country or they may not be old enough to be shown in public records etc, but obituaries will list them all there together.



By default, Echovita will search for obituaries in the United States; however, you can change this at the top of the website by clicking the drop-down and changing it to Australia, Canada, or New Zealand.



Below is an example of a search done on Echovita for “John Doe”. It shows some general details at first like a location and the date that they passed away, then when you click “View obituary” it will often show other details talking about their lives and family.



Some other common websites to find obituaries are:

If you don’t find what you are looking for on any of these websites, another technique is to use Google. You can type in their full name in quotes along with the keyword “obituary” and you should see results from different websites like location-specific funeral services etc. If you know any relatives’ names, you can add their first names too because you know they will be mentioned in it. For example:

“John Example Doe” “obituary” “Jane” “David” “Elizabeth”

Pivoting

After reading an obituary, you should have the names of all the immediate family and sometimes it will also show what area they live in. You can search these names to find more information in public records or, if you were having trouble finding social media profiles, you can try to find profiles for their family members first and look at their connections to try to find the person you are looking for.

qpublic.schneidercorp.com

qPublic allows searches for data by just entering a state and a county. It will show you what options you have for your chosen location such as in Bay County, Florida where we can do a property search through a form or we can view a map which shows property data and other location data like lakes, railways, aerial images from different years, and more.



Using the form, you can search for a house owner’s name, home address, or parcel number. There is also a note under the address search saying you can search ranges, so if you want data from just certain houses on a street, you can do so here. This example will just be searching for the name “John Smith”.



Below are some of the results for “John Smith”. It gives full home addresses and usually full names. An interesting column is the “Last Sale” one because sometimes you will find an address on a public record site and it will say they have lived there since 2012, but then you can see here that it was sold in 2018 for example so it is more likely to be an old address.



The map view is really interesting because you can just click on any property you want and see who the registered owner is along with data on when the property has previously been sold and more.



Pivoting

Many public records sites show addresses but they don’t always specify the exact date on which the property was last sold. If you use one source and it shows a current address that they have been living in for the last 5 years but here it shows that the property was sold 2 years ago, it is worth considering that they may have moved out of that house. This website also makes it extremely easy to find out who else is living in the same area as your target but it only gives a name, so you can take these names and addresses and search them on other public record sites to gather more details on them.

progressivedirect.com

Progressive is an insurance company in America that wouldn’t initially be seen as an OSINT resource, but they do reveal some data which makes it very useful. The first time I heard about this technique was in one of Michael Bazzell’s books probably over a year ago now. So it was nice to see this still working and being used in the Trace Labs CTF.



After going to the website, you can click on “Auto” to start a quote. It will then ask you to enter your ZIP code. Here you can enter the ZIP code of your target if you know their home address. Then click “Get a quote”.



Next it will ask you to enter some data. You can enter random characters into the names and date of birth. Then under the mailing address, enter your target’s real address. The ZIP code and city should already be filled by default so you only have to enter the house number and road name, and an apartment number if necessary.



It will then search that address to see if there are any registered vehicles there. If there are, it will return the make, model, and year of the vehicle. You don’t need to proceed further after this point as it will just ask for more details on how these vehicles are used so it can make the quote, so you can just take this data about what cars they own and close the page.



Pivoting

In regards to missing persons, reports sometimes state that they were seen getting into a particular kind of car but they can’t always identify the driver. Therefore, if you were to find a suspect and you did this technique and found that they own that same kind of car, that is certainly worth noting down. This can be useful in other ways too such as if you see a picture on social media which has many cars in the background, they could belong to anyone, but if you know the type of car your target owns, that will help you to identify it and you can then note down their license plate if it is visible.

telephonedirectories.us

This website allows you to search for people in a variety of ways. You can do basic searches by name and phone number, or you can also just search for a ZIP code and it will show you pages full of data containing names, phone numbers, and home addresses. To search by name or phone number, you can click those options in the navigation bar at the top of the website, but for searching by ZIP code, you first just have to click on a state from the home page.



Once you select a state, you can narrow it down more. You can type in a city and it will show all the ZIP codes there, so you can pick the ones you want from the list. You can also enter a specific ZIP code if you know it.



I like the way this site shows the results. While on some sites you may be able to search for all people living in an area, it can often be more broad and you usually have to switch to another page for every 10 results for example. However with this site, the first page for this example ZIP code has 2208 results on it, and then you can go to another page to see thousands more again. You can use CTRL + F on Windows to search on the page for names or if you know a partial phone number, you can search for those here. The screenshot below has businesses on the left which I decided not to blur but on the right was data on residents so I blurred these.



Pivoting

What makes this website special is the way it displays the data. In regards to pivoting, it is similar to some of the previous websites as this only reveals names, phone numbers and addresses. Therefore, you can take these to find more details on other public records websites or use the names and phone numbers to find any associated social media profiles.

leakpeek.com

LeakPeek allows you to search emails, usernames, and passwords to see if they are in any breached data. They currently have over 8 billion records indexed in their system. This is a smaller amount than services like Dehashed have but there are some benefits to LeakPeek.



You can run a search straight away without signing up or paying and it will show you some partial data. When searching an email, it will show you partial passwords if it finds any connected to the email. It will also show the sources so you can see where the data is breached. Sometimes the passwords will be easy to guess and then you can search for them with the password search on LeakPeek or on other sources.



When you search a password, it will show partial data for both emails and usernames. Once again, although they are partials, it can still be helpful. The emails will sometimes show some of the ending characters or sometimes only the domain which won’t be too helpful for ones like Gmail, but if they have their own website, this could reveal that. Sometimes usernames will be easy to guess or you could match it up to ones that are already known in the investigation and it can confirm that the password is associated with the person.



To see unredacted results, the website requires you to pay so if you trust the service, you can go to their prices page to see if this is worth it to you for your needs.

Pivoting

If you use this resource to search an email address and it does return results, then it will show you the sources of the breaches. Therefore, you can often go to that source website and try to find your target’s profile using known usernames or other identifiers. You can also use the data you find in the results and search those on LeakPeek to find more breached data. However, this will only apply if you can guess the full email from the partial one or if you purchase premium access.

3nzoldnxplag42gqjs23xvghtzf6t6yzssrtytnntc6ppc7xxuoneoad.onion

Nitter is a website on the dark web which is why it ends in .onion and you will need to access it through software such as the Tor browser. You can use this for searching content on Twitter.



Their ‘about’ page best explains what this website is. Overall, you can use it to search Twitter as normal but it is much better for privacy as it has no JavaScript or ads enabled and as everything runs through them, Twitter won’t get your IP address either. There are a number of other benefits that are all listed below.



I did a search for my profile and as you can see, it shows all the basic details almost in the same way as Twitter does. I believe some things work in the same way as if you were logged out of Twitter, for example you cannot click on ‘Following’ or ‘Followers’ to see their lists. One difference is, although on Twitter, you can’t view the ‘Media’ tab while logged out, Nitter will allow you to see that. You can also use the ‘Search’ tab to search keywords that are in their tweets.



Their main search page also has lots of filters available. Lots of them are ones included in Twitter’s advanced search options, and I believe some aren’t but they are still possible to do on Twitter if you know the operators to use. But Nitter seems to make some of these searches easier by just ticking a box.



For example, the search below is for tweets that contain “OSINT”, they must contain a link and be tweeted from a verified account, and all retweets will be excluded from the results so it will just show tweets from their original posters. Results are returned almost instantly too.



Pivoting

As this is simply an alternative interface for Twitter, you can do anything here that you would do on the normal interface. For example, you can look through posts to find new information, you can view the images and videos they have uploaded, and more. However, as you aren’t logged in while using Nitter, you cannot see who their followers are or who they follow, so it is worth using the normal interface to view that. There isn’t a lot to say here: Nitter is more focused on giving you privacy and a better experience of searching Twitter data, and the scope for pivoting depends on the data shown on your target’s profile.

pwndb2am4tzkvold.onion

‘pwndb’ is another dark web site and this one allows you to search for breached data. You can search for emails or passwords. The email search allows you to search with wildcards by using the % character. You can also search for any emails under a specific domain by entering it into the box after the @ sign, or you can enter a username into the first box and leave the domain box blank to search for emails with that username at any domain.



Below is an example of just entering a username and it shows up with emails from mail.ru and lots of other results were returned too with domains like verizon.net. Although this website doesn’t appear to have as much data as services like Dehashed, it does show you the full emails and passwords for free without needing to sign up, so it can definitely be worth checking.



Pivoting

Pivoting from this resource is similar to LeakPeek as they both deal with breached data. You can run your searches for emails to find any associated passwords, and pivot by then searching that password to find if they used it along with any different emails which may have more breached data or that you can use to find social media profiles.

Summary

Hopefully at least some of these websites will be new to you and I hope they will be able to assist you in your OSINT investigations and in future CTFs for Trace Labs. Thanks again to Trace Labs for allowing me to do this. I discovered a lot of new websites through this and I hope this selection that I chose will also help others now too.


Joshua Richards

Joshua Richards (AccessOSINT) is a student based in the UK studying cyber security and digital forensics while also working part time at Echosec Systems. His passion is OSINT, and he is always learning more every day and also teaching it whenever he can, such as when conducting OSINT trainings with Fortalice Solutions.

Follow Joshua on Twitter @AccessOSINT
