21 JUNE 2020 / OSINT

A Guide To Social Media Intelligence

Gathering (SOCMINT)

In my previous article, I introduced the term Open Source Intelligence (OSINT)

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
 and talk about how it might be used to support intelligence needs. OSINT
refers to all the information that is publicly available, many estimates show
that 90 percent of useful information acquired by intelligence services comes
from public sources (in other words, OSINT sources). OSINT sources are
distinguished from other forms of intelligence because they must be legally
accessible by the public without breaching any copyright, patents or privacy
laws.

That’s why they are considered “publicly available.”

Social media sites open up numerous opportunities for online investigations because of the vast
amount of useful information located in one place. For example, you can get a great deal of
personal information about any person worldwide by just checking their Facebook page. Such
information often includes the person of interest’s connections on Facebook, political views,
religion, ethnicity, country of origin, personal images and videos, spouse name (or marital
status), home and work addresses, frequently visited locations, social activities (e.g., Sports,
theater, and restaurant visits), work history, education, important event dates (such as birth date,
graduation date, relationship date, or the date when left/start a new job), and social interactions.

This can all be found in one Facebook profile.

Social media intelligence (SOCMINT) is a sub branch of Open Source Intelligence (OSINT) it
Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
 Social media intelligence (SOCMINT) is a sub-branch of Open Source Intelligence (OSINT), it
refers to the information collected from social media websites. The data available on social
media sites can be either open to the public (e.g., Public posts on Facebook or LinkedIn) or
private. Private information -such as contents shared with friends circle- cannot be accessed
without proper permission form the creator.

Data available on social media sites can be classified into two categories:

1. The original content posted by the user – such as a Facebook text content or an uplaoded
image/video.

2. The metadata associated with original content – multimedia files metadata, the date/time
and geo-location info associated with the posted content.

In this article, I will introduce you to the SOCMINT term and demonstrate how we can use a
plethora of tools, online services and techniques to gather intelligence from social media sites to
support a variety of intelligence needs. However, before I begin, do you think collecting
intelligence from social media platforms is considered legal?

There is a debate between privacy advocates and OSINT researchers about whether the
information available on social media sites is OSINT. Although the majority of social media
sites require their users to register before accessing site contents in full, many surveys show
that social media users expect to have some form of privacy for their online activities (even
Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
 p p y (
when posting content with public access). However, OSINT experts generally consider
information shared on social media sites as belonging to the OSINT domain because it is
public information shared on public online platforms and thus it can be exploited for
intelligence purposes.
Source: Hassan, Nihad. “Chapter 5.” Open Source Intelligence Methods and Tools: A Practical
Guide to Online Intelligence.

Using the information gathered from social media sites in a legal case is generally allowed under
these two conditions:

1. When acquiring permission from a court to gather information about a specific user, a
court order is sent to the intended social media site to hand the information to authorities
officially.

2. If the information is available publicly (e.g., public posts, images, or videos), then law
enforcement can acquire it without a permit, which is the essence of the OSINT gathering
concept.

Private OSINT gatherers should have a legal basis when collecting personal information about
targets, data protection laws (especially the GDPR in Europe) impose restrictions on the way
online investigators collect, process, and retain personal information of citizens. Discussing the
legal issues surrounding OSINT is beyond the scope of this article, however, as a rule of thumb,
make sure to have a legal intent when collecting personal information from public sources and
Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
 make sure to destroy this information as soon as you finish your investigation without any delay.

Social Media Content Types

People interact with social media sites for different purposes. The following are the general
interactions used across different social media sites:

1. Post/comment: People access social sites to post or write paragraphs of text that can be
seen by other users. Such posts can also include user’s geographical info (In Facebook,
they call this feature, a “Check in”).

2. Reply: This is a text message (can also be an image, video, or URL) that replies to another
user’s post, update status, or comment.

3. Multimedia content (images and videos): Multimedia is popular; a user can upload a video
or image as a part of their post. Many social platforms allow their users to upload
multiple images/videos to form an album. Live streams also are available on many social
platforms such as Facebook, Twitter and YouTube. This feature allows a user to
broadcast live videos and display the recording on their profiles for later viewing.

4. Social interactions: This is the essence of social media sites, where people get connected
online by sending/responding to other user’s request.

5. Metadata: The results from the sum of user interactions with the social platform.
E l i l d h d d i h id /i l d d h d d i
Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
 Examples include the date and time when a video/image was uploaded, the date and time
when a friend request was accepted, geolocation data—if enabled—of the uploaded
multimedia file or post, and the type of device used to upload the contents (mobile or a
standard computer).

SOCMINT is interested in gathering all these content types, however the ability to do this
depends on the privacy control level set by each user when publishing posts/updates online. For
example, it is not possible to see other people’s updates on Facebook if they restrict a post’s
visibility to some friend circles or set it to “Only me.”

Classifications of Social Media Platforms

Many people use the terms social media and social networking interchangeably to refer to
Facebook, Twitter, LinkedIn, and related social platforms. This is not absolutely wrong, but it is
not accurate because social media is the main umbrella that contains other categories like
“social networking” that holds sites like Facebook.

The following are the main social media types classified according to function:

1. Social networking: This allows people to connect with other people and businesses
(brands) online to share information and ideas. Example include Facebook and LinkedIn.

2. Photo sharing: Such websites are dedicated to sharing photos between users online.
E l i l d I & Fli k
Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
 Example include: Instagram & Flicker.

3. Video sharing: Such websites are dedicated to sharing videos, including live video
broadcasts. The most popular one is YouTube. Please note that Facebook and Twitter
also offer live video broadcast service.

4. Blogs: This is a type of the informational website containing a set of posts—belonging to

one topic or subject—organized in descending order according to the publish date. The
most popular blogging platforms are WordPress and Blogger, which is powered by
Google.

5. Microblog: This allows users to publish a short text paragraph (which can be associated
with an image or video) or a link (URL) to be shared with other audience online. Twitter is
the most popular example.

6. Forums (message board): This is one of the oldest types of social media. Users exchange
ideas and discussions in a form of posted messages and replies. Reddit is an example.

7. Social gaming: This refers to playing games online with other players in different
locations. It has gained more popularity recently. KAMAGAMES and zynga are examples
of this type.

8. Social bookmarking: These websites offer a similar function to your web browser’s typical
bookmark. However, they allow you to do this online and share your Internet bookmarks
among your friends in addition to adding annotations and tags to your saved bookmarks.

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
 Example include: Atavi and Pinterest

9. Product/service review: These websites allow their users to review—give feedback—about

any product or service they have used. Yelp and Angie’s List
(www.angieslistbusinesscenter.com) are examples of this type.

Now we have a good understanding of the different types of social media sites, it’s time to begin
talking about how to use different tools and techniques to acquire intelligence from these

platforms, we will limit our discussion to the most two popular social media sites which are:
Facebook and Twitter.

Facebook
Facebook is the most popular social media platform,it falls under the social networking type and
has the largest users base on earth. Facebook was offering an advanced semantic search
engine to search within its database by using natural English language phrases and keywords.
This semantic search engine called Graph Search and was first introduced in early 2013; it allows
Facebook users to type in their queries in the Facebook search box to return accurate results
based on their questions/phrases or combined keywords. For example, you can type: Pages liked
by ********* replacing the asterisks with the target’s Facebook username, to return a list of pages
liked by the specified user.
In 2019 Facebook has removed the Graph search functionality although users are still able to
Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
 In 2019, Facebook has removed the Graph search functionality, although, users are still able to
utilize Graph search, however, they need to build their graph search queries manually.
After removing its direct support to Graph search, Facebook has improved its search functionitly
makng it more accurate, it also adds many filters (see Figure 1) to refine your search as
neccessary. Keep in mind you should login to your Facebook account first to use the search
options.

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
 Figure 1: Using Standard Facebook Keyword search, notice the number of filters to refine your
returned results

There are several online services for searching Facebook without creating customized search
queries, the following list the most popular one:

1. Facebook Graph Searcher from Intelligence X (https://intelx.io/tools?tab=facebook): You

can search for posts from a specific date or month, post from a specific user posting
about something, you can also search for posts posted by unknown users which is
beneficial for online investigations (see Figure 2).

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
 Figure 2: Searching Facebook using Intelligence X
Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
 g g g g
2. Sowdust (https://sowdust.github.io/fb-search): This is another online tool to show how the
current Facebook search function works, you can search for posts from a specific user/page,
restrict to posts published in group or restricting it to specific location. You can filter by Start/End
date and Keyword. Other search options include searching for photos, pages, places among
others (see Figure 3).

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
 Figure 3: Sowdust interface to search Facebook

3. SearchBook (https://github.com/sowdust/searchbook): This is a Firefox add-on (a version

is also available for Chrome browser) for executing some Graph-like searches against
Facebook. The Add-on functionality is based on the research article Facebook graph
search workaround published by Social Links (https://mtg-bi.com/blog/tpost/aiaxk4xl4d-
facebook-graph-search-workaround). I tested this extension under Firefox, however, it
broke many times during usage.

Legal notice! Using customized code to manipulate Facebook search queries might be
against Facebook Terms of Service and even against the law in many countries, so be careful
with this regard.

O li F b kS hT
Create PDF in your applications with the Pdfcrowd HTML to PDF API l /S i PDFCROWD
 Online Facebook Search Tools/Services
There are many online services that simplify the process of acquiring/analyzing information from
Facebook accounts. The following are the most useful ones:

1. Lookup ID (https://lookup-id.com): This site helps you to find Facebook personal IDs. This
ID is necessary when using any of the previous online services –mentioned previously-
used to compliment Facebook standard keyword search.

2. Facebook Page Barometer (http://barometer.agorapulse.com): This site gives statistics

and insight about specific Facebook profiles or pages.

3. Information for Law Enforcement Authorities

(https://www.facebook.com/safety/groups/law/guidelines): Offers information and legal
guidelines for law enforcement/authorities when seeking information from Facebook and
Instagram.

4. A directory of free tools and online services for searching within Facebook can be found
at: https://osint.link/osint-part2/#facebook

Twitter
Twitter has a built-incorner search functionality located in the upper-right side of the screen—
when using the Twitter web interface—after logging into your Twitter account. A simple Twitter
search allows you to perform a basic search within the Twitter database
Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
 search allows you to perform a basic search within the Twitter database.

However, do not underestimate this little box, as you can add advanced search operators—
similar to Google advanced search operators known as Google Dorks—to your search query to
force it to dive deep and return accurate results, as you are going to see next.

To begin your search against Twitter database, it is advisable to go to the Twitter Advanced
search at https://twitter.com/search-advanced , from this page, you can customize search filters
to specific date ranges, people and more.

Twitter Advanced Search Operators

Similar to Google, Twitter allows you to use specialized operators to find related tweets more
precisely. Twitter search operators are already available in the Twitter developer site, go to
https://developer.twitter.com/en/docs/tweets/rules-and-filtering/overview/standard-operators to
view them (see Figure 4).

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
 Figure 4: Standard Twitter search operators

Twitter search operators can be incorporated with other criteria to create more advanced search
queries to find related tweets more precisely, the following are some advanced Twitter search
query to start your search with.

1. The negation operator (-) is used to exclude specific keywords or phrases from search
results. Example: virus –computer

2. To search for hashtags use the (#)operator followed by the search keyword. For example:
Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
 2. To search for hashtags use the (#)operator followed by the search keyword. For example:
#OSINT

3. To search for tweets sent up to a specific date, use the (until) operator. Here’s an example:
OSINT until:2019-11-30(this will return all tweets containing OSINT and sent until date
November 30, 2019).

4. To search for tweets sent since a specific date, use the (since) operator followed by the date.
Here’s an example: OSINT since:2019-11-30 (this will return all tweets containing OSINT and
sent since November 11, 2019).

5. Use the (images) keyword to return tweets that contain an image within it. Here’s an example:
OSINT Filter:images(this will return all tweets that contain the keyword OSINT and have an
image embedded within them).

6. To return tweets with video embedded with them, use the (videos) keyword (similar to the
images filter). Here’s an example: OSINT Filter:videos

7. To search for video uploaded using the Twitter Periscope service, use the (Periscope) filter.

Here’s an example: OSINT filter:periscope (this will search for all tweets containing the OSINT
keyword with a Periscope video URL).

8 To return tweets with either image or video use the (media) operator Here’s an example:
Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
 8. To return tweets with either image or video, use the (media) operator. Here s an example:
OSINT Filter:media

9. To return tweets that contain a link (URL) within them, use the (links) keyword. Here’s an
example: OSINT Filter:links

10. To return tweets that contain a link (URL) and hold a specific word within that URL, use the
URL keyword. Here is an example: OSINT url:amazon this will return all tweets that containing
OSINT and a URL with the word “amazon” anywhere within it (see Figure 5).

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
 Figure 5 - Search for specific keyword within tweets URL

11. To return tweets from verified users only (verified accounts have a blue check mark near their
names) (see Figure 6), use the (Verified) operator. Here’s an example: OSINT Filter:verified

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
 Figure 6 - Return results from verified Twitter accounts only

12. Use the (min_retweets) operator followed by a number. Here’s an example: OSINT
min_retweets:50 (this will return all tweets containing the OSINT search keyword that have been
retweeted at least 50 times)

13. Use (min_faves) followed by a number to return all tweets with NUMBER or more likes. Here’s
an example: OSINT min_faves:11 (this will return all tweets that have at least 11 or more likes
and that contain the OSINT search keyword)

14. To limit Twitter returned results to a specific language, use the (lang) operator. Here’s an
example: OSINT lang:en (this will return all tweets containing OSINT in the English language
only). To see a list of Twitter-supported language codes, go to
https://developer.twitter.com/en/docs/twitter-for-websites/twitter-for-websites-supported-
languages/overview.

15. To search for tweets with a negative attitude use the following symbol :( For example: OSINT
:( will return all tweets containing the keyword OSINT written in a negative attitude.

We can combine more multiple Twitter search operator to perform a more precise search. For
example, type “OSINT” from:darknessgate -Filter:replies lang:en to get only the tweets
containing the exact phrase OSINT from the user darknessgate that are not replies to other users
Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
 g p g p
and in the English language only.

Online Twitter Analysis Services

The following are online services to help you find information on Twitter:

1. All My Tweets (https://www.allmytweets.net): View all public tweets posted by any Twitter
account on one page.

2. Trendsmap (https://www.trendsmap.com): This shows you the most popular trends, hashtags,
and keywords on Twitter from anywhere around the world.

3. First Tweet (http://ctrlq.org/first): Find the first tweet of any search keyword or link.

4. Social Bearing (https://socialbearing.com/search/followers): Analyze Twitter followers of any

particular account (a maximum of 10,000 followers can be loaded).

5. Spoonbill (https://spoonbill.io): Monitor profile changes from the people you follow on Twitter
(see Figure 7).

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
 Figure 7 - Spoonbill show updated/deleted Twitter profiles of the people you follow

Track social media users across

multiple platforms
Most internet users have more than one social media account, according to statista[1], average
number of social media accounts per internet user was 8.5 in 2018. This information is useful
and should be present in our mind when searching social media sites, for instance, many people
prefer to use the same username in multiple social media platforms. If we know the username of
one social media account of the target, we can search to see where else this username is used
on other social media platforms.

You can check specific usernames to see where they are being used (e.g., social media Sites) or
to know whether a particular username really exists using any of the following free online

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
 services.

1. Check User Name (http://checkusernames.com): Check the use of a specific username on 160

social networks. This is useful to discover target social media accounts to see if they are using
the same username on multiple platforms.

2. Namechk (https://namechk.com): Check to see whether a specified username is used for

major domain names and social media sites (see Figure 8).

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
 Figure 8 – Using namechk to search for similar usernames across different social media platforms

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
 3. Namecheckr (https://www.namecheckr.com): Check a domain and social username
availability across multiple networks.

4. User Search (https://www.usersearch.org): Scan 45 popular social media websites.

5. UserRecon (https://github.com/thelinuxchoice/userrecon): A Linux tool to find usernames

across over 75 social networks.

6. Sherlock (https://sherlock-project.github.io): Sherlock Project, can be used to find usernames

across many social networks. It requires Python 3.6 or higher and works on MacOS, Linux and
Windows.

Social Media Psychological Analysis

The psychological status of the person posting the contents on their profile can also give
important information, even more than the content itself (in some cases). For instance, the true
identity of an anonymous Twitter account can be revealed by performing linguistic analysis of
the target account.

In addition, people can be tracked online by examining the way they use language when they chat
or when they broadcast their thoughts online (for example, the way a target uses capitalization,
Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
 omits or includes words, and pronounces some words). The advances in artificial intelligence

systems will make analyzing social media accounts more effective and will help examiners
uncover the true identity of anonymous social media accounts.

This online service (https://tone-analyzer-demo.mybluemix.net) offers free linguistic analysis to

detect human feelings found in text such as tweets, emails, and Facebook messages (see Figure
9).

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
 Figure 9 - Using tone-analyzer from IBM to detect joy, fear, sadness, anger, analytical, confident and tentative tones found
in text

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
 Summary
In today’s digital age, it is rare to see an Internet user who does not have at least one account on
one or more social media site. People use social media services to post all types of contents
online such as photos, videos, text messages, and geolocation data. They also mention their
education, employment history, and the addresses where they live. Personal information such as
social connections, places visited, habits, likes and dislikes, family members, spouse, and more
can all be found easily. Although social networking sites allow their users to tighten their privacy
controls to prevent others from seeing posted content, few people care about such issues and
post many of their activities—especially text posts and check-ins— in public status. This makes a
large volume of accessible data about citizens’ lives readily available to different kinds of online
investigations, and this is the essence of “social intelligence” (SOCINT).

Extended Reading:
1. Author dedicated website for free OSINT resources: www.OSINT.link

2. Author Book: Open Source Intelligence Methods and Tools: A Practical Guide to Online
Intelligence, Publisher: Apress; 1 edition, ISBN 978-1-4842-3212-5 By Nihad A. Hassan

About The Author: Nihad A. Hassan (@DarknessGate) is an independent information security

consultant, digital forensics and cybersecurity expert, online
blogger, and book author. He has been actively conducting research on different areas of
Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
 b ogge , a d boo aut o . e as bee act e y co duct g esea c o d e e t a eas o
information security for more than a decade. His current work focuses on cyber OSINT, digital
forensics, antiforensics techniques and digital privacy. Nihad is the author of a number of books
on digital forensics, open source intelligence, digital security, ransomware and cybersecurity.

[1]https://www.statista.com/statistics/788084/number-of-social-media-accounts

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
 The awesome image used in this article is called Santos, Santos, Santos and was created by The High Road.

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
 Nihad Hassan
More articles by Nihad Hassan
Independent information security consultant, digital forensics, cyber OSINT, online
blogger, and book author.

Help Support Our Non-Profit Mission

If you enjoyed this article or found it helpful please consider buying us a coffee, Secjuice is a non-profit and volunteer-based publication powered
by caffeine. We will use your coffee money to help cover our Ghost Pro hosting costs and keep Secjuice an advertisement and sponsor free
zone.

Buy Secjuice A Coffee

— Secjuice —

OSINT

Leveraging Street Art in OSINT Investigations

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
 Leveraging Street Art in OSINT Investigations

TECHNICAL

A Brief Guide to Open Source Intelligence (OSINT) HTB ServMon Walkthrough

A technical walk through of the HackTheBox ServMon Box.

Getting Your First job in OSINT

See all 39 posts → 15 MIN READ

INFOSEC

Secjuice Squeeze Volume 26

Welcome to the Secjuice Squeeze, a curated selection of interesting infosec articles and news that you may have missed, with upcoming
events.

6 MIN READ

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
 Secjuice © 2020 Linkedin Facebook Twitter Remote Browser Isolation

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD