In our first listeners live episode, Matt and Jeff take questions from our live audience. They cover resources that can be useful in finding the best OSINT tools; advantages to using native-language search engines in international research; free training for OSINT analysts; and managing attribution to access the information you need.
MATT ASHBURN
Welcome to NeedleStack, the podcast for professional online research. I'm your host, Matt Ashburn, former CIA cybersecurity officer with a passion for open source research.
JEFF PHILLIPS
And I'm Jeff Phillips, tech industry veteran, and curious to a fault.
MATT ASHBURN
Today is a special episode of NeedleStack, where we're taking your questions and answering them as we go. In our past few episodes, we've covered the concept of a digital fingerprint, including how it can affect your online research. We try to keep the show as interactive as possible, given that it's a podcast, but we want it to dedicate a little time each episode to Q& A, but today it's all Q& A. So, we're going to answer your questions today.
JEFF PHILLIPS
I'm super excited about this, Matt. Now for folks that are attending, we're going to try to get to as many questions as we can live. We do have a few additional members of the NeedleStack team that are standing by in the chat that'll try to answer some of those questions directly, because I don't think we're going to be able to get to all of them.
Now for our listeners that are not live on the show, you can always submit a question for any of our podcasts or comment to us on the website Authentic8.com.
That's Authentic with an 8. com/ NeedleStack/ Comments. And so, please submit any question or any thing you may have that you'd like to reach out to us about. So Matt, we've got these questions. Are you ready to get to our first question?
MATT ASHBURN
Let's do it.
JEFF PHILLIPS
All right. All right. So, I'm going to grab this first one. We'll start basic here. I thought this was really going to be helpful to our newer online researchers." What are good resources to learn about online tools that can be useful to OSINT?
MATT ASHBURN
That's a great question. We've always covered a number of things on the podcast here, right?
We always try to give some helpful websites to go to and tools that you can use, but there are a ton out there, right? It's hard to keep track of them all. So, I recommend that people go to Start. me. Start. me as an online bookmark service, and you can have essentially an online homepage with a bunch of different shortcuts that are categorized by different features or categories, right? So, recommend you go there. There are a number that are out there for OSINT in particular. So just Google Start. me, and then OSINT.
You'll find about three or four that are really, really comprehensive, including some that are by Start. me themselves. There's also one called the ultimate OSINT collection, and a few of them are out there. They all have slight differences, but they have a number of free tools that are available that are very useful for OSINT research. And Jeff, I'll have one for you here. So, I'll pick one here from the hat, and how about this one? This is a good one here, and it's about native search engines in a particular region.
And the person asks," Are there advantages to using native language search engines if you're looking at foreign information?"
JEFF PHILLIPS
Oh, that is a good question? I'm actually going to expand that a little bit.
There's both using native native language search engines in the sense of, is that a search engine specific to a given region, and there's even just using Google in a given region in the native language. I've talked to a number of practitioners, this has come up before in terms of, how does language work in dealing with translation? And it absolutely does have an impact for those looking to dive deep and find things specific to a region when they're doing searches.
So, first point is, if you're aware of search engines that focus on a specific geography, Baidu is an example of one in China and in the APAC region where you will definitely get different results from one that's within the region than out.
And if we talk about Google, you can actually do that side by side for yourself and test it. If you search in English, even though you've maybe looked like you're appearing you're in a specific region, you've manipulated your geography; you'll get a certain set of results related to that search.
If you go right back in the same search engine and searching that native language, whatever those characters may be, you will end up getting a different set of search results. And so both, I think, can be super useful depending on what you're looking for. And so, I would absolutely say yes. Native language is going to give you a different set of results. Whether they're at advantageous to what you're doing, that all depends. Doing both is probably the right way to go when you're doing research to dive deep and get an understanding of what all is out there.
I would say do both things.
MATT ASHBURN
Great. And do you have another one for me?
JEFF PHILLIPS
I do, sir.
Again, going back a little bit to the beginners, because we do have here... We focused a lot on the digital fingerprint and getting into OSINT. The question here is," Is there any free training available for the beginner that's becoming an open analyst?"
MATT ASHBURN
Yeah.
The great thing about OSINT is that there's a ton of information out there.
There are a few things that I'd recommend as a quick hit fundamental in OSINT. So, the first one would be a really good YouTube video by Heath Adam, AKA The Cyber Mentor on YouTube. It's entitled Learn OSINT in 4.5 hours.
And I'm not kidding, this is a really, really good course. It's literally four and a half hours long, or maybe four hours and 28 minutes, something like that. He does a great job of breaking down, essentially the fundamentals that you need to know for OSINT in different categories of information and research techniques and all of those things. A few other ones that I'd like to mention. There are of course, a lot of SANS Summits and talks that are out there. They have their OSINT SANS Summit coming up in April, which is a good thing to attend if you can. And then there are a number of videos that are out there as well.
So for example, Michael Hoffman has Moving Past Just Googling It. It's talking about collecting information in different ways beyond just Google. That's a really good one as well. All right, Jeff, my turn to ask you a question. Let's see. Let's try this one." We've talked a lot about digital fingerprint and changing your geographic location.
Are there other advantages to changing your geographic location or your user agent string, aside from just being anonymous?"
JEFF PHILLIPS
That's a good question.
We have focused a lot on people that need to keep themselves and their company anonymous, due to retribution, et cetera.
But there are definitely other reasons. Again, when I talk to practitioners... In particular, for example, on the SOC side of things, cybersecurity analysts. Now, they're out there dealing with malicious sites. Let's take phishing for example, I've specifically talked to a few about this, where being able to change your geographic location is useful because a particular site may be targeting users in a particular part of the world.
So this is phishing, but it's set up, it's targeting users in Australia. And so, it's presenting itself in a certain way. If you're coming from IP ranges in that specific geography, it may be blocked to people coming say from the U. S.. So from a location standpoint, that site could react differently, and when they're trying to understand what they're dealing with from an incident response perspective, being able to change your geography can show you how that site reacts.
And same with the user agent string. Typically here it's whether that that particular attack or that campaign, in the case a phishing example, is targeting certain OSs or browser types, or could even be targeting specific device types, right?" Am I on a mobile phone?
What type of mobile phone, or is this targeting Windows machines? Macs?" So that ability... Now, we would tell you from a trade graph perspective, you don't want to be changing your user string in the middle of an investigation, of course. That's not good trade craft, but if it's tactical in the sense of trying to understand what this particular site is doing mechanically and who is it targeting to understand the campaign, I've heard lots of SOC analysts from that perspective. And then the other one, I mentioned being blocked for geographically.
The reverse comes into play or a little different is from different analysts being blocked on their own side. So, from their own firewalls or gateway that are blocking them to get to certain geographies in the world.
So geographically, the company's said," We don't want you to... We're just blocking that. There's no reason typically for someone to go there." So, being able to manipulate your location to get around some of those blocks with software can be helpful to get around internal blocks, to get access, to get the whole story of what you need.
Great questions. These are really good. All right, Matt. Okay. Back to some tools. One of our episodes was all about tool tools. This person asks," What are some tools or software that can help to geolocate photos when you're dealing with photographic analysis?"
MATT ASHBURN
Yeah. Reverse image searching comes up all the time. And a lot of people are very familiar with Google images.
For example, Images. Google. com. You can search by keyword, return a bunch of images in response to that keyword search. You can also do reverse search. You can actually upload a photo and find photos that are very similar in nature to that photo.
Perhaps you want to understand where the photo originated from, or where the image originated from. That can be very useful. But there are a number of other resources that are out there as well, beyond Google, right? Google's just one of the top ones. There's certainly Yandex. ru. It's a Russian based website. So, the usual caution that comes along with that, just be aware of that.
That sometimes can provide different results than Google, for example. So, try multiple search engines, not just Google. Another one that's out there is called TinEye. TINEYE. TinEye reverse image search is also very good, and it has almost like a sister website called PimEyes, PIMEYES. And PimEyes is specifically for photos with a face in it, and they use AI ML based facial recognition to actually find faces that are similar in different photos.
So, if you upload a photo of, let's say a target of investigation, you can perhaps find other profiles or other websites on which that photo appears or that person appears, rather. Of course, the usual caution comes along with this, right?
If it's a free tool, just be aware that the data can be used and stored and all of those things. So, just be cautious about it. But those are the top ones that I would point people towards if you're new to this, you're looking for some reverse image searching; TinEye, PimEyes, Yandex. ru. Those are good starting points. Well, Jeff, I think we're just about out of time today, but we wanted to say thanks to everyone who attended our show today, especially those to ask questions.
And as always, if we didn't get to your question today, feel free to contact us and submit your question. We can get to it maybe in a later episode and get back to you via email or something like that.
And again, you can always subscribe to our show wherever you get your podcasts. Watch episodes on our YouTube channel, and view transcripts and other episode info on our website, Authentic8. That's Authentic with the number 8. com/ NeedleStack. And by the way, we'll be back on March 8th with our next episode talking about the role that OSINT plays in world events. We'll see you then.