October 14, 2020
Disclaimer: This post was written to show a different way of thinking while participating in the Trace Labs CTF and really just enrich potential data key points, findings and any other OSINT investigations of analysts, within the OSINT community.
All methods described within the post, are entirely passive and do not speak or support of any active methods for gathering such information during our CTF’s.
All information has been modified and does not belong to a specific person.
You can see that often when companies within the OSINT and intelligence field look into assessment of an organization’s or an individual’s data breach or compromise history, in most cases these companies focus on the data breach itself. Meaning that they are not looking into the important details, the passwords.
Before diving into the analytical part of a password analysis, and how we can use this information for enriching our online investigation scope and findings.
Let’s first understand the real meaning behind passwords
Password is a unique combination of either words or numbers, that we choose based on something that we can associate ourselves with, like a movie, a person, or a memory of ours, or anything else in that matter.
Passwords are important just like any other piece of information that we might have collected during our reconnaissance stage, if not more. Because passwords often are unique to a person, and if unique enough then we might use this during our analysis and investigation of a missing person, or generally any OSINT case.
Let’s look into a case example, say we have a missing person named ‘Tracy’ (false name) and we found one of Tracy’s personal ‘GMAIL’ email addresses.
We would first identify if Tracy’s Gmail has been known to be part of any breached data bases over the years. After confirming that the email address has indeed been part of a data breach, let’s take a close look at the password.
We identified that Tracy’s email address is email@example.com and her password is ‘steve1337’ and that password is unique to Tracy’s Gmail account as we can see in the example below:
Next, what we want to understand is what else can we extract from here and what other information or leads can we get from Tracy’s leaked credentials.
One thing that can be most useful especially in any OSINT investigation but in particular Trace Labs CTF, is to understand how you can most efficiently maximize your search scope and queries.
This is where reversing the password comes in handy, meaning that we copy Tracy’s password and do a reverse search to extract additional compromised email domain names over the years, with the same name of “tracy” & the same password of “steve1337”, now... this could indicate to us as the analysts that we are most likely dealing with the same person’s different compromised accounts, let’s understand why this is important.
Looking into our search results we see that we have 4 additional results for our queries, as we can see below:
Looking at the results we see that Tracy (if indeed verified to be her accounts during the investigation), has accounts in other domains or companies potentially, organizations that she could be associated with.
Unlike Gmail, or similar private “email” providers, which are often used for personal use such as social media platforms like Twitter, Facebook, Instagram.
Finding a corporate domain, or a domain name that could give us as the analysts some indication of what company or website the missing person could be associated with is immensely important during investigation, because even the smallest piece of information could be very helpful.
This is especially interesting in the example case of ‘Tracy’ the missing person, not having any evidence or not providing any information of her being part of a specific company (e.g. working in mcdonalds and not mentioning this on her social media).
Let’s look at some interesting questions and key points to pay attention to and then move to the analysis part of passwords
Looking at this I would ask myself for example questions like: is this an employee account? If yes, did Tracy mention this in her social media? If not.. why?
Is ‘beautyshop’ similar to Sephora, does that mean the account might have a public facing profile to other registered users? Does that mean that they deliver to home address, could there be a different address used, who’s credit card was used for potential purchases, is there any information that can be extracted about Tracy’s last login?
Does this account fit to the profile of Tracy as the missing person, is this normal for her (depending on the age and other details) to have a profile in an online website selling guns for cheap, and many other questions like why does this domain stand out from the rest, when was the account registered ? long before disappearing or few days ?etc.
Why was this specific platform or email provider was chosen for communication, email providers are often chosen (depending on the person and their profile) based on “areas” of interest or environment, does “QQ” fit to this person’s profile, does QQ allow some features which Gmail does not? Perhaps encrypted communication just as an example, if yes? What for?
After we extracted and gathered the technical information such as relevant accounts of the missing person, let’s look closer into the password, what does it mean? What does it say about the person?
As mentioned earlier, we choose passwords based on something we like or want to associate ourselves with, taking a closer look at Tracy’s password “steve1337”, it is an interesting factor as to why throughout all these years of all these different compromised accounts, the password stayed the same, right?
Especially considering the meaning, now since our missing person’s user ID is “tracy” ..then who is “steve”.. and what is the connection between the two? This is where we’re taking a few steps back and trying to find clues of what or who Steve could be that he was important enough to use as a password of the missing person.
One of the things we could do is cross match information between objects “steve” & “tracy” doing that by inspecting existing social media or other known accounts that belong to Tracy, perhaps “steve” is a relative, a family member or someone that was really close to the missing person, yet no one was aware of it?
Now, after we extracted additional compromised accounts, made our analysis as to what organizations or potential platforms the missing person could be associated with, we don’t stop here.. we have more information to work with..
Let’s take a look at all these username search engines, we use them for looking up information about the person’s registered social media accounts, right? Then why not do the same with their password, if that is unique enough, we might as well find something else, that we wouldn’t any other way by searching only the person’s name.
Find additional hidden accounts such as telegram, public messages.. and other valuable hints for your investigations