OSINT: You can't hide // Your privacy is dead // Best resources to get started

Video Statistics and Information

Video
Captions Word Cloud
Reddit Comments
Captions
- I don't know what you want. If you are looking for ransom, I can tell you I don't have money. - I saw that there were some posts. She was indicating she was in Belgium. Then suddenly she was in the Netherlands, but the pictures didn't add up with the city she was in. - But what I do have are a very particular set of skills, skills I've acquired over a very long career, skills that make me a nightmare for people like you. - Just running PHP beta scripts through every single email, sending them. Say there's a bomb at the school. It's gonna go off at 3:30 today. And that caused mass school evacuations in the UK. - If you let my daughter go now, that'll be the end of it. I will not look for you. I will not pursue you. But if you don't. - This is a case of probably safety, of public safety. We don't know where this person is. - I will look for you. I will find you. (fast-paced, tense music) - Hey, everyone. It's David Bombal, back with a very special group of guests or a panel of guests. We're gonna be talking about OSINT. Welcome. Technisette, let's start with you. - Well, I'm Technisette. You can find me on Twitter at @technisette or on technisette.com. My real name is Lisette. I'm currently working in law enforcement in the Netherlands. - Before this call started, I was trying to like get some information out of you, but obviously you're very shy about sharing that, but that's fine. (laughs) Steven. - Hi, everyone. Yep, my name is Steven Harris, though I'm probably better known by my nickname, which is NixIntel, which is where you can find me on Twitter and my blog at nixintel.ino. Similar to Lisette, I have a background in law enforcement. I spent most of my career working in cyber crime and open source intelligence. I teach the Open Source Intelligence course for SANS. I'm one of the instructor candidates for that. And I work for a company called QOMPLX and we use open source intelligence to help people improve their cyber security. - And last but not least, Micah. - Hey, David. It's nice to be on the show with you. I'm Micah Hoffman. I go by the WebBreacher moniker online. I like to say about myself that I am a collector of amazing people in the world of OSINT, bringing them together. Whether it's through OSINT Curious Project, whether it's through My OSINT Training's training platform I run, or whether it's through the OSINT Games Capture the Flag OSINT platform, I like bringing together the best of the best and having a lot of fun with them. My background is in psychology then in medicine, then in IT, then in cyber, and finally into OSINT. So I've got a pretty diverse background. I'm on my like fifth career. - Tell us about OSINT Curious. What is this? How did the three of you get together? What is it about? - Sure. OSINT Curious is a US-based nonprofit. It was created back in 2018 when myself and five other people got together and decided to create a free place with highly accurate and trustworthy, open source intelligence training materials and blog posts. We'd noticed that there was a wide variety in the technically complete OSINT data that was being released on the internet, and we wanted a single place where people who come to and they could trust the content. I go there. I know that it's going to be actionable information that's solid, ad free, et cetera. And so back in 2018, we created the OSINT Curious Project. Right now, we have about 13 members all around the world that create blog posts, YouTube videos, live streams, and 10 minute tip videos. We also have our own Discord so that people can, again, come together and talk as a community. - I'll put the links below. Please go and subscribe to the OSINT Curious YouTube channel. Show them some love for sharing such great content. Go and follow everyone on their social media. Show them that we really want to get them back for more content. Let's start with this question. What is OSINT actually, and how do I get started? - Let's start from the very beginning and say what OSINT stands for, which is open source intelligence. And it's really, really broad, and it can mean different things in different disciplines, but it's essentially taking information that is publicly available, whether you pay for it or you don't pay for it, and analyzing, verifying, developing that public information into something that is useful for you, for your client, for your company, or whatever. That's the intelligence part of it. So the open source is where we get the data from, and the intelligence is the useful stuff we can do with that information. - Lisette, you're in law enforcement. Is this something that I'm assuming gets used a lot in law enforcement, as well as in commercial enterprises, yeah? - Definitely. If we do a lot of OSINT stuff within law enforcement as well. A lot of the OSINT stuff you can do, you can do like any other person on this planet with an internet connection and a device, either a phone, a tablet, or a laptop would be able to do all of the things we are doing as well. The only difference for me personally, for being in law enforcement, is that I have a lot more rules to obey to, to make sure I'm not crossing any privacy lines or any laws. It's quite strict for me. - And I mean, especially 'cause you're in the EU. I suppose there's a lot of like additional rules. And we won't get into the politics, but EU has all kinds of rules of things that you can and can't do, right? - The EU does have a lot of rules going, but for in the Netherlands, it's only the Dutch law I have to keep myself to. I'm obeying that rule and that law and making sure that everything I do is legal for me. - Why OSINT, and how's that different if you like to red teaming and all cyber, just for people who don't understand how it's different. So why do we do OSINT? - Open source intelligence, or, as you probably call it in cyber, reconnaissance or recon is literally the first step in most of the cyber security things that people do, whether you're doing red teaming and penetration testing and you have to find targets. You have to find a person or a company, find out more about them, find out what domains they own, what IP addresses. Or whether you're a blue teamer researching who's attacking your systems, researching why people got a certain phishing email. In digital forensics, people use open source intelligence when they dump somebody's phone and they have all the user names that they need to figure out what they're connected to on social media. So open source intelligence for me was that aha moment when I knew that my cyber career was finally coming to an end and I had found this exciting, accessible place, like Technisette said, where you can find almost anything online that people, governments, and companies are sharing. And it's in those techniques that we share, in those tools that we use, and ultimately, like Steven said, in the intelligence that we develop that truly makes OSINT an amazing all around activity for professionals and for hobbyists alike. - I once heard a story, and I dunno how true it is, that some government agencies are really happy that Facebook exists because it saves them a lot of the old hard work. Is there some truth in that? - Yeah, I think so. I started my law enforcement career just before Facebook sort of came into existence and you had to do intelligence the old fashioned way, like you had to go and speak to people and write things down and then draw maps with pen and paper to see who's connected to who. And then as Facebook became more popular, it was all there for you. You knew who was friends with who, and you knew where they went. And so yeah, those sort of platforms, Facebook in particular, but social media more generally, has made things a lot easier. - Do you need any special skills to do this? Or do you have to go on special courses or is it just something that you can pick up? - I think anybody can do this, David. You just need some personal characteristics or personality traits that you can bring forth. And Technisette, I know that you wanna say some of this. I'll just mention one and maybe you can take it from there. The determination that people have, the persistence, those are incredibly important when you have this, well, infinite amount of data on the internet. Technisette, what were you thinking? - You have to be curious as well. You have to want to go on this treasure hunt as you may wanna call it, to find that little gem that connects all of the dots or answers that one specific question you really need to get an answer to. And this is one big puzzle hunt. I'm gathering all of my pieces of information, putting them together to paint the whole picture for myself. And every time it's a different puzzle, so I rarely get bored doing this. - But I think it's, to take that metaphor one more step, it's a puzzle that you don't know what it's a picture of until you've got all of those data points together, assemble them or analyze them, and now you can see the picture. Would that be accurate? - Yeah. - I agree. - Yeah. I think that's right. You don't need any formal skills or training to get started necessarily. I think to get to that end stage where you are producing really good, high quality intelligence, around the analysis of things, that's the tricky, harder part. There's no kind of magic book you can read to do that, but that's what takes the time and the practice to become a good OSINT practitioner, I think. Do you guys agree with that? - Absolutely. I think the trainings give you that jumpstart if you need them, but very much like the cyber stuff that's out there right now, you could literally watch, I don't know, David's channel over the past couple of years and you could learn a huge amount about hacking and all. There are so many videos out there that from various OSINT conferences. You absolutely could learn things just by watching YouTube videos and reading blog posts. - Especially read what the OSINT community is sharing. 'Cause I've been in this specific field in law enforcement for over nine years. But I know now that I've been doing this work for far longer than the nine years, been also doing this at my previous employer. In that whole time, let's say 15 years, I only have three trainings on how to do OSINT. All of the other stuff I learned by either doing them, but also reading what other people have experienced. Like NixIntel writing a blog on how he delocated a specific image on Instagram motivates me to be more specific when I'm, for example, looking at a picture, to look at the lamp post or look at a electrical socket. You need to be active in the community. Well, you don't need to be active, but you need to read and catch up. And if you do that, you can get like at a good certain level quite easy. - Like if I was starting today, where would I start? Would I go OSINT Curious's YouTube channel? Or what I do first step, second step. Have you got like any tips? Go here, start here. Kind of guide me. - The OSINT community is very active on Twitter. Search for the #OSINT. look at all of the top tweets or all of the latest tweets and I can guarantee you you'll be ending up with very interesting blogs, good quality YouTube videos. And what I personally think is great about OSINT, you can read a blog, which may take you like 10 to 15 minutes and you've learned something new. And that's what we do at OSINT Curious as well. We try to create content that doesn't take you like four hours to get to know a specific topic or a specific technique. We tend to keep it small and simple. So we do videos of 10 minutes max to teach you a new skill. And I think that's also quite cool doing OSINT is that you can learn something new in a relative short amount of time. Be curious, click around. (David laughs) - Give some names, like the three of you. That would be my first three people to follow on Twitter. Any other recommendations of accounts or people? And then websites. Give us specific websites. I'll put them below. Give us your websites, various resources that I can start with. - So my suggestion, David, is start with OSINT Curious. That's OSINTCurio.us. That is like a one stop shop to all of us. On our about us page, we have all of our Twitter handles. So if you don't know who to follow on Twitter, you've got that on our about us page. But wait, there's more. If you want to talk with other people outside of just Technisette, Steve, and myself, we've got a Discord where you can talk to hundreds of thousands of people all around the world that love open source intelligence. So instead out of asking me, Micah Hoffman, hey, how do I do this on Facebook, Instagram with a domain? You can ask people in different parts of the world what do they do. And then also on the OSINT Curious Project's website, there are links to those 10 minute tip videos, our YouTube channel, and of course our blog posts. - Why did you create this? Was it just to try and help the community? - We created it to have that voice and to bring people together really. We had five people and myself that got together and we said, instead of us speaking with separate voices about this is good open source intelligence, we brought it together on a single platform and decided this is what we want to do. And Technisette was one of those other people that was there at the very beginning. - You know, the problem is when you're starting, it can seem overwhelming. So some people like to read, some like to watch videos. Do you have any books that you could recommend? Any one of you? - I'll just say from my perspective, there are books out there about open source intelligence, but I think the minute that they are published, they are very much out of date. Much like cybersecurity or many aspects of cybersecurity that are constantly evolving and changing, by the time you write a book about exploiting something, it's probably a little bit old. So in open source intelligence, there are some books by several people. But I think that watching social media, whatever platform you're on, for the hashtags, going to some of these websites and YouTube videos, you absolutely will stay better informed and more up to date than following some of these books. But I don't know. Steven? - Yeah. There's one book I will recommend, although you've made a really good point. The material that's produced by the community can go out of date quite quickly, because techniques change very often. So it's hard to recommend a book I read this year or two years ago that's still relevant now. But I will mention one called "Hack the World with OSINT" by Chris Kubecka. For anyone who wants to think about offensive security, recon, it's a fantastic primer. Some of the things that she discovers in that book, like some the insecure systems and vulnerability she finds, just using open source intelligence, it's so fantastic for anyone who wants to get into that. - That's great. Technisette, any recommendations from you? - I must say I agree with Steven as well. I like Chris's book a lot, because it brought me more OSINT on a perspective which is not part of my daily job, as much as it is for other people. I do have a copy of Michael Bazzell book as well, the Intel Techniques book. I do like it, but it's a very thick book and I'm not very well-concentrated finishing big books. But it's a very good quality book when you are in the US, because I've noticed that a lot of the things that he wrote are specifically for US only. So for me in Europe, some of the things are not as relevant as they are to people in the States. - When I look at like a lot of content online, it tends to be very US-focused or very even European focused. But is a lot of the resources on OSINT Curious relevant to, like, if I was living in Africa or in the Far East? Is it just general stuff that can be applied all over the place, or are there specific skills for like the US versus other parts of the world? - I think that a lot of things are pretty similar. So whenever I want to do an investigation on somebody and I tend to use Google as my first search engine to go to, a lot of the search operators I use can be used in multiple parts of the world. Maybe I have to think about changing some language, maybe translating a specific name into Arabic or Cyrillic or whatever, but there will always be specific websites only locally to a specific area. So for example, before Facebook was the number one platform in the Netherlands there was Hyves.nl. I used to work there. It looked like Facebook, had the same look and feel, but it was focused on Dutch people only. So if somebody from the States would be investigating somebody from the Netherlands, that should have been a platform they should visit and see if they can find any information. So there are always locally-known websites that are quite popular and you need to catch up on that, either by Googling or, for example, looking at the top visited websites of a specific country to see if there might be any websites in that list you're unfamiliar with, or looking at mobile apps that are popular. For example, in India, they probably are not the same apps that are popular in the UK or in Spain and you need to get those platforms as well. There's a lot of similarities, but there are some country-specific or region-specific websites and apps you should definitely investigate if you are in that specific region. - So anyone up for a demo? - Can do something. So one of the main things that we find in the open source intelligence investigative world is that we have sort certain data that we start out with. So if it's an email address or whether it's a phone number or a domain, we take that and then our whole job is to find other places, mostly online, where that data has pivot points, where there's other data out there. For example, I'll start out with just John@example.com. Most people know about going to Google. With most people, they'll get these results. And you can see there are almost 12 million, 12 million? 12 billion (laughs) results that have come back. So the next thing that we have to do is obviously narrow down Google's results. Maybe we're looking john@example.com and we put it in quotes. So the quotes say, John@example.com. That string itself has to appear in the results. And notice our results have come down to 132,000 results. So previously Google was chopping up the word John, example, and .com. And now it's saying, oh, John@example.com is in the results. So just by adding quotes, we have some good results. We can add other things too. If we're looking for other words, we can add keywords, we can remove keywords. For example, maybe I don't want anything with the word test in it, so I can use dash symbol here or the hyphen to don't give me anything with the word test in it. I just took out another 30,000 results. And through this iterative process of creating keywords, searching them, using Google operators, and then refining your results using these Google operators, we can narrow Google and Yandex and DuckDuckGo and other results. But I mean, other people will tell you that Google's only one piece of the pie. For instance, let's just take John@example.com and head over into the cybersecurity world of searching for breach data. Very common thing that we do is take an email address and see if it's been found in any breaches. Because if we can find that, then what we might be able to do is identify passwords and systems where the accounts of this person might be found. Have I Been Pwned?, which is a site that you're probably familiar with, might be familiar with. We come over here and what we do is we paste in our John@example.com and we find, oh no! It's in 98 breaches and 33 pastes. Each time we're doing this, we're recording what we're doing. The most glamorous part about OSINT is documentation, and I say that with a big grain of salt. But what we're looking for is those pivot points. Here we have John@example.com, our target email address, and we see that it's on the 500px system. All right, now I know that there may be an account over there that I might want to pursue, or an Animal Jam or something. And each one of these bits of data has other things, like in this breach, there's email addresses, passwords and usernames. Whether it's an email address or we can start out with a site that I really like, which Technisette and Steven will attest to, whatsmyname.app. Sometimes you don't start out with an email address or you start out with an email address of like WebBreacher@gmail. And you're like, wait, that WebBreacher could be a username. Well, not only do we go through our process for email address searching, but we also might wanna break that WebBreacher off and then search on the whatsmyname.app site. I'll search for something else, John Doe. And this site takes one username, and when you choose the category that you want to search, it'll have your browser make over 370 requests to find other places where an account for that username exists. So here on coder wall, you can see the URLs down here. Reddit, there's a John Doe user account. Gab has a John Doe user account. Over here on the right hand side we have a nice little table that we can export to our notes and now we have a huge number of other sites that we need to start investigating. And when we find those sites, we work through our process to harvest the avatars and the biographical information, the location data, and we continue to move, gathering data, analyzing it and pivoting. - Just to add up to what Micah was saying is that we do need to check if all of these results are one and the same person, because there's a very high chance that somebody else on the world has the same username as well. So we need to visit all of these sites, pivot further on to see if everything matches and then only you can conclude, well, John Doe indeed has over 72 other accounts on other platforms, which we can either connect to each other or connect to that one person we're pivoting on. - Have you got any examples of how this has helped something like in a case or just in a business or something? - Well, I had a very successful case when I had just started out in law enforcement. When in law enforcement, you get a lot of extra information about what everything else is going on within the police force. For example, I don't wear a uniform, but the people who work on the streets and who take care of all of the emergency calls, they experience a whole different world from the things that I do. We have like a newsletter. Gets sent to your email once a week, just updating you on whatever is happening in the region you work in. And as I was working in Amsterdam we got an alert from Interpol saying that this girl, she came from Australia, she suddenly left her house. She was only 21. And she left a note on a table to her parents saying, "Well, I fell in love with this Dutch guy. He bought me a plane ticket. I'm heading over there. Well, see you later. I won't be back for a while." So the parents got very anxious because they were afraid their daughter might be in the hands of a human trafficker because they've never heard of this guy and they were also very conscious because her mental health wasn't very stable. And all they asked in a newsletter was if you see this girl, just check if she's okay, report it back to Interpol. And I was like, hey, this is interesting. This is a young girl. She's 21. She must be out there on social media. So I was searching on Facebook, found her Facebook profile, but it had very... Well, the information didn't add up. I saw that there were some posts. She was indicating she was in Belgium. Then suddenly she was in the Netherlands, but the pictures didn't add up with the city she was in. So then I found her Instagram account and she had two photos there, one saying, well, this is the front view of my balcony. And this is the other view from the backside of the apartment building. As I was looking at that picture, I was like, this screams that it's in The Netherlands, because like the way the houses were built. There was a bus line and there was a bus actually driving. And I recognized the logos of a bus line that goes in the Netherlands. It must not be very hard to figure out where she is. And by looking closely at the pictures she posted, I was able to geolocate it back to the apartment building she was probably staying in. And because I'm in law enforcement, we have a little bit extra data, more of the closed sources, and I was able to search for the name of the person she said she went to to see if anyone in that apartment building might be having the same name and I found only one person with the same name. So I called up the local police because it was in another district than where I was working in and I was like, "Hey, have you seen this newsletter? I think she's in this location. Maybe you can do a welfare check." And they were like, "Okay, well, this sounds very legit. Let's go there and see who opens up the door." And it was the girl. So within less than two hours, I was able to find her, found her. She was indeed very much in love with the boy. And I'm not quite sure. I hope they are still happily ever after, (David laughs) but he was very shocked that the police were at his front door and he apologized a trillion times, and so everything was good. She was not in the hands of a trafficker, but I was really happy that I was able to give relief to parents who were on the other side of the world and me just behind my computer, not even ever stepping a foot in the location where she was. So that was quite cool. - Is that how you got interested in this, or was that after a period of time? You'd already been doing this for a while? - This was in the first six months I was in law enforcement. Just definitely lit the fire even more. I was like, yeah, if I can do this, I'm going stay here and do a lot of this other stuff that I can help people with. - What did your colleagues think about that? I'm assuming some of the older colleagues perhaps didn't realize the power of this? - Absolutely. And still a lot of people are especially afraid. I think it's like the first time a computer got introduced on the work floor, people were like, "Oh no, computer! I like my typewriter much more." And I think there are people who still have that feeling like, oh, I like my computer now, but the internet is quite scary. I do like Google, but that's about it. So I think there will always be a generation gap between people willing to adapt to new, modern techniques. - But isn't this an opportunity for someone who's young? Because I mean, a lot of people who are young and up and coming, I'm showing my age, but I mean, not all of us grew up with an iPhone in our hands. This is a great opportunity for someone who's tech savvy. Is that right? - Absolutely. The world you have to navigate to work in open source intelligence is very familiar to you already if you are a young person. So you know how social media platforms work, you know which platforms are popular, which are not. You might understand a little bit about the technical side of the internet. When I think of some of my older colleagues in law enforcement or people of my parents' generation for example, they wouldn't have a clue really how to get started in this world. But if you are a younger person now, and you know how to, I dunno, make a podcast or post a video on TikTok, you are already at the beginning of being able to understand the environment that we can work in. And it might seem to you that it's just something you take for granted, but actually there are a lot of people who lack those skills and you're at a huge advantage now if you're a younger person wanting to get into OSINT. - There just seems to be a lot of opportunities, is that right? So, I mean, there's a lot of kind of jobs available, is that correct? - It depends. And many of the jobs don't say, "You must know OSINT." They use other words like recon or they just say you have to be able to do certain skills. The skills that open source intelligence investigators use are used by lots and lot to people. I had a conversation with a recruiter one time and I said, "You look for people with certain skill sets in certain parts of the world and so do I. What do you do?" And she looked left and she looked right and she said, "Let me tell you. I can get a lot of trouble for telling you this, but we use Boolean queries." I'm like, "What do you mean Boolean queries?" She goes, "Okay, you go to Google and then you type in penetration tester or security engineer." I said, "Oh, that's a Google dork. We've been doing that for 20 years." She goes, "No, no, no! Boolean searches." so a lot of people that do OSINT don't realize they're actually doing OSINT. And what we're seeing now with the advent of OSINT-jobs.com and other places, the word OSINT is now becoming more prevalent in job titles and also job fields. But it's also there are a lot of opportunities for volunteer efforts to help decrease human trafficking, to help people that are domestic violence victims. A lot of those nonprofits use the volunteer efforts of people that want to get into OSINT to help their victims. - Yeah, a lot of people have the cool and sexy, like I wanna be a hacker and I'm gonna use OSINT for that. But that's just one small, tiny piece of the pie. Is that right? - Yeah, 100%. OSINT is multi dimensional and red teaming recon is just one part of the OSINT landscape. There are journalists who use OSINT, most famously Bellingcat, but many other journalists. Obviously there's law enforcement, but fraud investigators, risk analysts. I've even seen finance, cryptocurrency firms are now advertising for OSINT specialists because they realized people are starting to understand what this word means. So, yeah, if you are looking to work in this field, the opportunities are vast, probably as long as I've been in this area more than they ever have been I think. - The field of cyber is absolutely huge with red teaming and blue teaming and all of the other different, policy and compliance and all. Same thing over in OSINT. There are people that we know of that are amazing at geolocating a photo. You show 'em a photo. They look at the fauna in there, they look at the flora, they look at the plants and trees, and they're like, "Oh, this palm tree only is found in the East Coast of the Mediterranean Sea within this latitude and longitude." But those people might not be great at social media exploitation, like Technisette is good at. Or there's people that are really good at domains and IPs, and WhoIs and DNS that do other stuff. Saying that you want to get into OSINT is still just the first step into this huge area that you can further differentiate yourself into. - I think the scariest thing for me is the more I talk to you and the more I read about this, the more I wanna take myself offline. Can you give us like some examples? You know, like if I wanted to be private, do I have to go live in a cave? - [Micah] The answer is yes. - The answer is partially yes. Probably everyone you know has to live in that cage too. The flaw of trying to hide online lies in the hand of your friends and family, because they will post that picture of the family reunion. They will post that picture of you having dinner with your friends in either your backyard or restaurant. So even though you might be trying to stay off of all of the platforms, it's the people who stand close to you who are your biggest risk probably. - Well, it's even worse than that, right? I mean, if we wanna get really scary with facial recognition that's out there. I mean, David, you're walking through the city, just minding your own business and there's some tourist there that takes a selfie of themself and you're in the background and you just happen to look. Now whatever platform they are posting they have a shadow profile for a person with your face. So even if you don't have your David profile on that platform, they know that a person with this face happened to be in that location on this date. And, oh, look, they were over here on this other date. So there are a lot of privacy issues that are really, really important. The more private a person is the less OSINT we can find online about them. And we do have to do things like what Technisette said. We have to pivot to their family members, their colleagues that might be sharing their data. But yeah, there are absolutely ways that you can decrease your online persona to make yourself and your family more private. - And let's talk about that for a second. Like Edward Snowden is a famous example, whether people love him or hate him. He does this thing where he says you have to put something over your head when you look at your computer or you have to do things to your phone and all kinds of crazy things. How would I become more private, apart from living in a cave and having no friends and family? (all laughing) - That's the solution. You just nailed it. - Is that the answer, yeah? - Yeah. - Divorce my wife, have no kids, have no family, go live in a cave. - One of the ways that people sometimes end up in OSINT I think when they start to look at themselves. I think you have to figure out how private you want to be. So for some people that is just increasing the settings on your social media profiles so that they're not publicly viewable. It might mean you don't have a LinkedIn profile for example. It might mean if you register a website, you use a privacy service so that the WhoIs is redacted. That kind of thing. What I would suggest to people is know why you want to be private first of all. 'Cause I think when I've sort of mentored or dealt with people who are new to OSINT sometimes, they really tie themselves in knots of anxiety. What if Tor's compromised? And what if my VPN provider? And do I have to have a VPN provider on Raspberry Pi? I'll just give this as as an example of that. I was talking to a guy probably about a year ago. He was sort of 16, 17, starting out in OSINT and he was good to take part in Trace Labs, which is an open source investigators capture the flag, basically to help find people who are missing in real life. It's a great cause. And he message me saying I'm about to do my first Trace Labs. I've got one Raspberry Pi that's running my VPN and that's connected to another Raspberry Pi which is connected to Tor, and I bought this fancy new router for my home setup, which has extra open source firmware. Do you think that will be enough? Like, yeah. (laughs) Well, if we're gonna do OSINT we are gonna have this single privacy and we're gonna do it properly. But you need to avoid tying yourself up in those knots and spending lots of time and effort. You need to think about why you want to be private first. Do you just wanna avoid being targeted by fraudsters? Do you just want to avoid corporations sneaking around your data? Or are you trying to take on the NSA? Because there's a big spectrum of things you can do to address those- - Well, there's really two parts of that, right Steven? You mentioned, and David, you were talking about, us as potential targets making ourselves more private online. But then Steven actually mentioned the operational security or OPSEC when you're doing open source intelligence investigations, making sure that you, me, Micah Hoffman, Steven Harris, Technisette don't get caught up in the investigation. I don't know, David, if you've ever seen the Netflix show "Don't F with Cats." - No I haven't. Go on. - It's a three part series I believe about some people that found a person that was abusing a cat and eventually found out that this person was a murderer. He went and killed somebody. The challenge there was that these people who were doing open source intelligence investigations, they were not protecting themselves. And through a series of events, they created a Facebook group to talk about this and share things. And eventually the person that was their target joined that Facebook group, and it really opened each one of them up to becoming a potential victim. So as OSINT investigators, we do use VPNs. We do use virtual machines, which many people know about. And we use those things, things called sock puppet accounts, which are real accounts on social media that aren't in our own names to do our work. So when we're on Facebook, when I'm looking at things on Facebook, I'm not searching for people using Micah Hoffman on Facebook, I'm using a different account so that people can't attribute that information to me. But it really also depends on your personal risk model. Who are you trying to protect yourself against? - I mean, the problem is you can get really paranoid. I mean, Steven, we both of us live in the UK. And I mean, I'll say this in jest, but the UK government has got this really, I dunno how to say it politely, this wonderful rule where they can spy on all your internet traffic. So some people who are very privacy focused might in jest say the UK is as bad as North Korea because they wanna look at all your traffic. Is the answer how paranoid do you want to be? I mean, if you really want to be out of it, don't live in London because you'll be on every camera on the Underground, 'cause England is full of cameras. What is a reasonable ground to be fairly private? - My experience is, having been on the other side of that on various law enforcement investigations, which using CCTV is a basic investigative technique. There are other, more secretive techniques to do with communications and things like that. Having been in that world, I actually worry less on the outside because seeing how it's not a data free-for-all. So if MI5 or the police want to access certain types of internet data about you, the bar doing that is actually pretty high. You're talking about you have to argue your case to a judge first. You can't just log onto the computer and say, "Oh, I'll see which websites David Bombal's been visiting this week." There are lots of safeguards in place and I actually worry less now than I might have done before in all honesty. Yeah, can you hide from CCTV cameras? Yeah, come and move to the countryside. It's great. (both laughing) - I'd agree with that. Yes. - Yeah. The reality, it's very, very difficult and there has to be this, I think, without going to the politics of it, we have to be vigilant about our freedom still but be mindful that there are things there that do protect you to a certain degree in terms of how this material's all processed and accessed. Be proactive in monitoring how that changes. - Best way that people can figure out how to make themselves more secure online is to figure out what's out there. Take 15 minutes or 30 minutes, Google yourself, Google every single one, or use whatever search engine you want. Search every email that you have. Put quotes around it. Use every nickname, pseudonym, username that you've used, and your family members, and see what's out there. I can't tell you the number of times I've done an OSINT investigation and my client says, "Hey, I have these three accounts on Instagram, Twitter, and Facebook," or whatever. And then I simply put in their phone number, email address, or name sometimes and it comes up with MySpace accounts or some comment that was left on a pornographic website using their username. And it's embarrassing and it's simple to find. So in order to reduce your overall online perspective, go and find out what's out there, make a note of it and go, "Hey, I think I should change my name on that website or remove some of that data." It'll really be helpful and it's easy for anybody to do. - So in other words, do an OSINT on yourself, yeah? - Yeah, absolutely. Because you also know what's right and wrong, right? If I search for Micah Hoffman, I'll be able to find results and go, "Wait, this is the Micah Hoffman out in California. That's not me." And so I know what's out there and then I can see, oh wait, I didn't know that this was indexed. One of the things that I think Technisette can absolutely attest to is that the social media platforms are constantly changing what's public and what's private in your account. So I had an example. One time I did a security awareness training for a company. And I said, "I'm going to look at myself, see what I can find on myself in 15 minutes." Set a timer, started doing things. And I was finding like all of my LinkedIn stuff that I know just a month before I had secured. And it turned out that LinkedIn did an update. When they did the update, they changed some settings to make my profile more private. So my data was hanging out there on the public internet. And the only way I found that out was by actually doing the searches. - My take is nothing you put on the internet is secure, like on any social media website, should I say. So, I mean, be prepared that someone's gonna find it at some point, I suppose, is sort of my paranoia way of looking at it. But that's interesting. So you do an OSINT on yourself and that will do multiple things. That'll help you secure your data and also teach you the process. Is that kind of the idea? - Absolutely. And as you start adding more and more tools, there's a great website out there made by Bruno Mortier. OSINTFramework.de is a site that has a huge amount of resources with links. So just start out doing what you know. if you only know how to Google, Bing, Yandex, Baidu, use a search engine, cool. But if you are competent on a social media platform, if you are somebody that understands some other things about domains and other stuff, then use some of the links that he has on that website. Or go to Technisette's website, type in the word phone in the search field, and you'll get a whole bunch of blog posts, YouTube videos, and websites that you can go to, to search for your phone number to see if it's out there on any of the sites. - That's great. Technisette, there's a big problem in tech. There's too few women in tech. So is this an area for women? I'm assuming it is 'cause you're in this field. - The funny thing is that when I look at my fellow OSINT researchers in law enforcements, I would say the majority is female. But not everybody is as fond of being in the spotlight. Like I'm publicly known, people know my face, people know I'm Technisette. Not everybody likes being in that kind of daylight. So I think there are quite some women out there which we are not familiar with or we don't know them because they choose to stay in hiding. The whole discussion if there are too little women out there in tech or OSINT, I find it very difficult because it has to do a lot with how you grow up. Because when I was a child, I used to play with Barbies. But my mom was the biggest computer freak I knew, so she was actually teaching me how to do, like how to play a game on a floppy disc using just the command line in Windows. And she actually taught me a lot of the things I still do today. But if you don't have that person in your life, that mom or dad or other people who have a educational role in your life, it can be a teacher in a school as well. If they don't offer you the opportunity to sniff whatever a computer can do, I think it can be really challenging. I think a part of why women are maybe not so big in cybersecurity and computers, et cetera, is maybe because people tend to think that girls like other stuff. So at a young age, they get a lot of other things than a computer in front of their nose to play with. - I mean, I don't wanna get into the politics of it, but I think if I look at my wife and myself, she would be a million times better at social engineering than me because she has this ability, uncanny ability, to be able to sum up someone just by looking at them, and I'll never see that. I'll just use her as an example. Are there certain attributes that ladies have that would be a huge advantage in OSINT? I mean, I think social engineering, my wife would be a million times better at that than I would. - When looking at females in general, maybe people think that there's a lower risk that we might be dangerous. So people tend to believe you a lot sooner probably than, let's say, a bald guy. (all laughing) - That hurts. - No offense. - No offense. No offense. - At least she didn't say with a beard, 'cause that's a one-two punch. - That's true. (laughs) - You guys have to leave the conversation now. - Yeah, pretty much. You're absolutely right, David. I mean, social engineering uses a lot of OSINT to get that backstory, to get the data points to support whatever trust type of ploy that you're gonna do. And women not only have great, and as a whole have a great investigative spirit, but they also are more believable actually carrying off those social media and those social engineering types of engagements. - Even when I walk into a store and say, "Oh, can I please use the restroom?" There's a higher chance that they will let me go in there than, let's say, a- - Steven. - Let's say Steven. (laughs) Just because you can laugh and you can like smile a little and they will let you go. But we're a wolf in sheep's clothes. (laughs) - And that's a good point, Technisette. We're talking about, well, you mentioned being public versus being private. A lot of people that do amazing open source intelligence work do not seek the limelight because of the sensitive targets that they're working with. When you're working with organized crime or some kind of government that has some authoritarian types of reigns, or maybe you're investigating hit squads that have been sanctioned by government employees or by some government. You are less likely to say, "Hi, I'm Micah Hoffman and I'm researching that country's hit squads" publicly, because now the target's on me. So there are a lot of people that are not as public as we are with OSINT. - Yeah. That's a very good point. Technisette, what advice would you give women then who are interested in this? Again, is it just like follow women on Twitter? I just want to try and broaden it. The reason I always do this is I've got two daughters and if I ever wanted to interest them in this tech, how would I come convince them that this is cool and exciting, rather than doing something else? - If you have a daughter and you yourself are in the tech world in any kind of way, or doing anything with computers or technical stuff, just to let them experience whatever you are doing a couple of times. Let them help you do a small investigation, saying you want to see whoever bought your grandmother's house after she passed away, for example. - That's a good one. - Just Google the address. Show her some little tips and tricks that might very helpful in her phase of her life. So for example, if she needs to Google stuff to find resources for her study, help her saying, "Well, there are all of these Boolean searches or Google dorks you can use to find the exact literature that is helpful to continue your study with. Or if she's going on a date, let's Google this person together, or I'll give you some tips so you can Google that person yourself just to check if he or she is a safe person to hang out with. - That's a good one. I'm gonna use that on any boy that likes my daughters. (Technisette laughs) - Let me show you what daddy does when he researches your boyfriends. That's gonna be great, yeah. - So just some simple things that could make her life more convenient, that might spark a little bit of a fire on getting further into the field of OSINT, I hope, I think. - I think it's great. I mean, it's like my daughter, she's been on my YouTube videos from young and all she wants to do is be a hacker, and that's because she does it with me. And I think it's exactly right. Like your example of your mom teaching you computers. If you share your passion with your kids, they're gonna also be inspired hopefully to get into this field. - I did some work in the dark web in Tor, and I remember when I was creating one of my talks, my daughter was a great age and she decided that she wanted to come in and say, "What are you doing, dad?" Like, well, I'm on the dark web. You wanna learn about at the dark web? It was the safer areas of the dark web, if those exist. But I was showing her what was going on. And then at later at dinner, my wife said, "So what did you do today?" to my daughter and she's like, "Oh, well, I saw how to buy drugs on Tor. And if you want a fake ID or wanna buy a US passport, this site has it. But if you want," and I was like, okay, okay, okay. We need to dial that back a little bit. But yeah, I mean, show them what's out there. And I think that also has the counter effect of if they see how easy it is for us to find those Instagram posts and the Snaps, then they may be less likely to share publicly. - How do you convince your kids not to post on TikTok and all these websites? Show them how easy it is. - You cannot prevent them from being online, but I think it's very important that you have the conversation in not a negative way. So not saying, "You should unpost this and that on Instagram," or "You shouldn't accept anybody as your friend," but have an open conversation. I learned this a long time ago. There's an organization in the Netherland very actively involved in teaching parents how to deal with their children and their online behavior. And one of the things one of the speakers said, well, just by asking your child, have you seen anything funny on Instagram today? Can you show me? Just to get into that conversation, get into a very friendly field of just letting your child show you what they have been up to online, but not in a judgmental way. So maybe you can laugh together about a funny video of a cat they maybe saw. And maybe you spot something that might be harmful or dangerous, then talk about it and say, "Hey, did you see there's somebody commenting and swearing a lot. If you have any problem with this, or if you feel offended by this, please let me know, come to me and talk to me about this because then we can handle things or help you further." So I think it's very important to have a conversation with your child about what they're doing online, but not in a judgmental and negative way. - 100% agree with Lisette there. In my line of work that I dealt with usually teenagers who had become victims of sexual abuse online, for example, the common theme there where things have started to go wrong was that parents had no idea about what they're doing. And the advice we always used to give to parents is to be proactive in your interest in what the kids are doing. So a lot of parents are technophobic. They don't know one platform for another. They just know they're in their room on the internet all day. and even with youngsters who got into hacking and fell foul- - The 15 year old in Oxford, wasn't it? Like recently? - Yeah. To be honest, I was taught this statistic when I worked in cyber crime. I dunno how true it is but it was true in my experience that the average age is about 37, 38. For cyber crime, it's about 18 or 19. For kids who are getting into hacking, it's a perfect age where you have that curiosity, that drive, that want to prove yourself, to show off your friends, but you're also not always the best at assessing risk and consequences at that age, too. The younger you are, like parents, please take interest in what your kids are up to even if you don't understand it. - Even if you don't understand it, that's probably the best reason to talk to your kids about it. Say "Hey, you are on Instagram all the time. Can you show me what it's like? Would it be something for me to be onto as well?" And then say, of course, "I'll never follow you, or like any of your pages, because that will be very embarrassing to you, but show me how does this work." - One of the things that was helpful, I think, in my family was my respecting of the kids and what they want and don't want posted. For instance, I know a lot of parents are taking pictures of themselves and their kids and just putting it on their social media. And I've heard people say, "Oh, my kids didn't want that to go online, but I'm the dad, so I'm gonna go ahead and post it." And what we're teaching our kids is that they don't have a say in what images should be or should not be online. And so respecting that and teaching them also that taking pictures inside of your homes can be dangerous. One of the things that Steven's really good at is doing image analysis and looking at the things that are in the background. I mean, David, I've been looking at that mindset is everything poster. I've been looking at all of those books and stuff, and we do that, whether it's on Zoom or whether it's in some live stream or some picture. And pulling out those details about how a family or how a person lives can be extremely powerful in figuring out how to do trust games, how to social engineer them, or how to get them into some bad relationships. So teaching kids that when I look at somebody else's YouTube video and I can see, oh, look, he bought this thing. Let's research that product. Where did he buy it? Or other things, it helps them think about other people might do that to them as well. - Yeah, so basically you're telling me to go live in a cave, yeah? - Pretty much. We're back to the cave. Yes, absolutely. I mean, that solves so many things! Unless your cave has wifi, in which case that's a challenge too, but yeah. - Is there any closing thoughts or advice or any war stories? I always love stories before we wrap it up. - I have a good username story. Probably about four or five years ago now when I was still in law enforcement, we were dealing with a group of teenage hackers. I call them hackers. Their actual hacking skills were relatively low, but they were great at causing nuisance online. So they learned how to SWAT people, which is where you call in the law enforcement and tell them there's a gun at the house to get them into trouble. Or they were emailing out mass bomb threats. They got the email address of every school in the UK via a Freedom of Information request and just ran a PHP script through every single email, sending them, say, there's a bomb at the school. It's gonna go off at 3:30 today. Blah, blah, blah, blah. And that caused mass school evacuations in the UK. Their capabilities were limited, but in terms of the damage they could cause it was quite significant. But they loved the attention. And rather than keep quiet, they sought approval from their peers. They wanted to taunt the FBI and they wanted to taunt the police. And so they took to Twitter and they set up a Twitter account. And every day they would post these messages about what they'd been up to. And some of them were nonsense. Some of them, they actually had caused some harm to people. But their constant thing was you'll never capture us, FBI. You'll never capture us, UK police. You'll never capture us. We're undoxxable and gods, and all this kinda stuff. So all we had to go on when I started looking at this were usernames. And what we figured out was that as part of, they saw it as part of their operational security to continuously change their usernames. I think in their mind they thought if I change my username all the time, I'll be harder to find. But what we figured out, well, they change their usernames all the time they can't have always thought this. They're obviously fairly new to this. So if we can go back far enough to some of that other social media accounts, we'll find what their old usernames were and we'll work with those. So there's a couple of things we can do with Google. For example, we can filter Google results by time. So if I wanted search for what David Bombal was talking about in 2014, I could just set up a Google filter and just show my results in 2014. So we did that with their usernames and we went back only a couple years when they were in their early teens, when they were into Minecraft and we had their Minecraft usernames. And we used tools like, well, I don't think you'd release What's My Name App at that stage, Micah. This is probably four or five years ago. We used some similar tools to find what other platforms did they use these usernames on? And this one guy who's the leader of the group, we took his Minecraft username and we ran it through the platforms and we found he had an account on Reddit. So how do we know it was his? Well, he was mostly talk about Minecraft and things like that. So we inferred from the content it's probably the same guy. But what we found in one of the posts he's made on Reddit was he had used what we call a PGP key to verify that the account was his. And for those of your viewers who are not familiar with the PGP key, it's basically, it's a unique string that identifies you. It's like a signet ring. It's like your autograph, a fingerprint. So when I tagged my Reddit account with a PGP key, it's definitely mine. And so we then searched for his PGP key, which we could link to an email address. And we took the email address and we did a search on the first part of that. We took the first part of the email address, like Micah showed before, and eventually we found an account on Pastebin. Pastebin, it doesn't seem as popular as it used to be. But Pastebin is basically a site where anyone could dump any old random text and share it with anybody. So it used to be used for data breaches and things like that. We found he had had some technical issues with the DDoS tool that he was making. As part of their campaign of terror, they were doing DDoS for hire or DDoS as a ransom. So they would knock a company's website offline and say unless you pay so many thousand dollars, you're not gonna get any customers. Again, it was fairly low level stuff, but quite disruptive for the victims. And in one of these pastes, we found a conversation they'd had between both of them where they were trying to use a VPN, but they couldn't get it to work. They were trying to run a VPN connection to their DDoS tool and they couldn't get it to work. So they pasted, trying to troubleshoot it, they pasted the log into Pastebin. I went through this and it also had the username. It had the home IP address that they were trying to connect to in the logs. It had the log of the server that they were trying to, the IP address of the server they were trying to connect to. So immediately we can link username to home IP, to the DDoS tool. And it had the Mac address of the device that he was connecting from in there. And again, if your viewers aren't aware, the Mac address is the unique serial number on the network adapter on your laptop, and they're one of the kind. They're unique. They're like fingerprints. So lo and behold, when my colleagues in the, I think it was Herefordshire police, when they went down to arrest him, they went to his house and sure enough when they seized his laptop, it was the same Mac address. He was arrested and remained in custody and he chose to plead guilty after that. But that was all from a username, from people opening their mouths on Twitter. You'll never catch me! You should know if you do that, that is a red rag to a police officer. (laughs) - Exactly. - If you say FBI will never catch me, well, you know what's gonna happen. - And he was a teenager when he was arrested? - Yeah, he was 17 or 18 at the time. He'd be in his early twenties now. But yeah, he went to jail for three years on the back of that. And his counterpart in the US went to jail for eight years I think. The Americans are more generous with their sentences. (laughs) But that started from username inquiries, username and pivot and pivot, and finding a key, find an email, turn that into username, pivot again and you find this stuff. And there were a lot of rabbit holes along the way, and it took several weeks to do this. It wasn't instant. So that's my favorite username story. I dunno if I'll ever top it. - Back when I was working for a company years ago, one of the use cases for OSINT that we had was finding missing employees. We had a lot of employees and sometimes one or two of them didn't show up to work, and we'd have to call them and email them and try to find them. And I remember one time, this person just didn't reply to their emails, didn't reply to their phone. We tried next of kin. Nobody had any idea where this person was. And so naturally we start thinking this is a case of public safety. We don't know where this person is. We hope that they're okay. And so what we started doing was taking those selectors, those phone numbers, emails, usernames, and then looking at social media. And we didn't find anything. We knew that they took off on a flight from one place, and they were supposed to go see a client for work, and they never made it. And so after exhausting all the social media platforms, looking at all of the other places, we decided to branch out and widen the area and start looking at news events that had happened. And we took the flight number, the destination, and this person, not even this person's name, but just those things and we just started searching. We found on a news site that there was a medical emergency that had happened while the airplane that this person was flying on was en route to his destination. And it said that the person, the patient, whatever was taken immediately to this hospital for further evaluation or emergency surgery. It turned out he had an appendicitis attack at 35,000 feet and the only way we knew about this and knew where he was, was from some public events that were shared. - I've joked multiple times now about going and living in a cave. But I mean, the world is so connected these days. I suppose the advice, or what advice would be, be careful with what you share online. Be careful with your personal data. Is that kind of the bottom line? - Probably Google yourself. - Google yourself is better, because one of the things that you'll find is that some of the stuff out there, David, it's not stuff that you've posted or maybe even your family, but it's stuff that, I don't know if you're a runner or a bicyclist and you compete in races. - I'm an IT guy. I don't exercise. - Me neither. Me neither. I gave it up for privacy reasons. Well, when you finish your race or whatever, they put your name, your age, and other thing, your time, online for other people to get. And I don't want people to get that. But I was doing a case one time and I was looking and my target was a runner. And I noticed that on every finishing race results list, there was a woman with his same name that finished just a second or two faster and she was eight years old. And I was like, well, okay, same last name, runs every single race that he does, eight years old. This is probably his child. And sure enough, just by looking at those running races which were public data, it was easy to identify that. So using the Google technique will help find those things too. - Weren't the Americans in Iraq or something and they were running and their Fitbits- - You're about Strava. Strava's an exercise application. Been around for a while. And it allows people to use their smart watches and Fitbits to track where they go using GPS, and then they upload that data to a website. It's a social website so that they can share that data and say, "Hey, Technisette. Look, I ran over here." One of the biggest problems that has come to bear with that is that many places where service people from around the world were actually running were on bases that may not have been in public satellite imagery. So in 2018 when Strava aggregated a whole bunch of those runs, those bicycle rides, those walks that people had generated and they essentially updated this heat map. And you can go to the Strava heat map now online, and you can look at an area and the brighter a path or road is the more activity has happened there. The idea there is that if a person in a certain country or city is in charge of maintaining trails, they can look at the Strava map and say, "Oh, this is very bright. This trail is heavily used." The problem became is when people made that map have a dark background, and then they moved over places where there were no roads. and they saw very bright areas like in the middle of the deserts in different places in the Middle East. They would look in those deserts and say, "Hey, there's a very bright spot there." And when you look at the Google satellite imagery, there's nothing there but desert. And yet, if you look at the Strava data, you can see that people were absolutely running on a very, very structured road layout. And Strava, to their credit, once people said, "Hey, you're revealing where our bases are," Strava removed some of that data. But yeah, I gave a talk back in 2015 about that, where people over there in the UK were making their, well, a company over there in the UK was making their guards use Strava as they walked their patrols around different facilities and then their guards would log in, Patrol Steven and Technisette at 04:25, and they put that out publicly. And I looked at the Tilbury power substation over there and you could see the exact path aggregated over time and this heat map of where the guards were walking and where they weren't walking as well, and it was incredible. - If someone wanted to do something nasty, that would show them where to attack basically. Is that what you're saying? - Yeah, absolutely. In this exact case, the guards would walk along the west, south, and east sides of this Tilbury power substation. The whole northern side was never, ever walked on, at least never walked on while the person was logging things to Strava. It absolutely can be used for reconnaissance and physical- - It is however far less than it used to be, because the functionality for other people to see where you were, so to actually see the tracks you were running onto, this feature was called fly by. So you would be able to upload a route and to see whoever flew by the location you were running, walking, or cycling on. And Strava actually turned this off by default. So if you want to share publicly what your exercise route is, you have to manually switch it on again. So the amount of data that was found a couple of years back, it's probably not the same as it is today. For everybody who's now very anxious watching this YouTube video, like, oh my God, my Strava data is out there. If you have never switched this on, this is still off. But maybe check your Strava privacy settings just to be sure. (laughs) - Yeah, you're not making me any more confident, because I'm talking to the three of you and the more I listen to the three of you, the more anxious I get about like, okay, I'm gonna go live with that cave. Hopefully I've inspired people watching to go and Google themselves, and also get into this field because it's very much a growing industry, isn't it? There's a lot of demand. Is that right? - Google yourself. And if you want to show your employer the benefit of OSINT, Google your company and you'll find lots of security and other skeletons in the closet that you wouldn't find otherwise. Yeah, Google yourself and Google your employer. (laughs) - Well, thanks so much. I really wanna thank the three of you for spending so much time with me. Hopefully I can convince you to come back and perhaps get into more techy stuff, like get into the weeds. We've done a little bit about that. But for the audience, any of you watching, please put your questions below that I can ask in another video, or we can answer in the comments below. Really wanna thank you for spending so much time with me. Thanks. (upbeat music) - The more you learn about open source intelligence, the less likely you are to publish, to post to social media. It's just scary what's out there. - I hope you recorded that. - Nope. I didn't. - Well that's good. I recorded it in Zoom, so that's- - No! (Technisette laughs) - I'm kidding. If you don't want me to post that, I won't.
Info
Channel: David Bombal
Views: 316,079
Rating: undefined out of 5
Keywords: osint, cyber, hacking, osint tools, osintgram, osint framework, osint ukraine, osint tutorial, osint bunker, osint course, osint framework tutorial, osint investigation, osint tv, osint curious, osintgram kali linux, osint instagram, cyber security, information security, open-source intelligence, open source intelligence, cybersecurity training, cyber security training, kali linux, what is osint, hack, ethical hacking, blue team, red team, cybersecurity jobs, cyber job
Id: ImWJgDQ-_ek
Channel Id: undefined
Length: 73min 15sec (4395 seconds)
Published: Sun Apr 24 2022
Related Videos
Note
Please note that this website is currently a work in progress! Lots of interesting data and statistics to come.