Osint 4045
A bookmarklet is a bookmark stored in a web browser that contains JavaScript commands that
add new features to the browser. Bookmarklets are unobtrusive JavaScripts stored as the URL of
a bookmark in a web browser or as a hyperlink on a web page. Regardless of whether bookmarklet
utilities are stored as bookmarks or hyperlinks, they add one-click functions to a browser or web
page. When clicked, a bookmarklet performs one of a wide variety of operations, such as running
a search query. For example, clicking on a bookmarklet after selecting text on a webpage could
run an internet search on the selected text and display a search engine results page. The following
are included with the previously mentioned Firefox profile available for free download. They
each execute specific code against the target website within the browser. If you do not see these
new bookmarklets after applying the downloaded profile mentioned previously, click on View >
Toolbars > Bookmarks Toolbar within Firefox.
Modified: Displays the date that a static website was last modified
Cached: Displays a Google Cache of the website (Chapter Three)
Wayback: Displays the website archive within the Wayback Machine (Chapter Three)
Source: Displays the source code of a website
Site: Conducts a Site: search of the website (Chapter Three)
YTReverse: Conducts a reverse image search of a video (Chapter Fifteen)
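
The following is an added example, not code from the book or from the downloadable profile: it shows how a bookmarklet is packed into a javascript: URL, with assumed equivalents of the Modified, Wayback and Site entries, and runs them against stubbed browser objects. The body strings, function names and the example.com page are assumptions made for illustration.

```javascript
// Bookmarklet bodies: plain JavaScript that runs inside the page being viewed.
// Assumed equivalents of three toolbar entries; not the profile's own code.
const BODIES = {
  // Modified: document.lastModified reflects the server's Last-Modified header;
  // pages served without that header report the current time instead.
  Modified: "alert('Last modified: ' + document.lastModified)",
  // Wayback: list every Wayback Machine capture of the current URL.
  Wayback: "window.open('https://web.archive.org/web/*/' + location.href)",
  // Site: search engine query restricted to the current hostname.
  Site: "window.open('https://www.google.com/search?q=' + " +
        "encodeURIComponent('site:' + location.hostname))",
};

// Turn a body into the string saved as the bookmark's URL. The function
// wrapper keeps variables out of the page's globals and returns undefined,
// so the browser does not replace the page with the script's result.
function toBookmarklet(body) {
  return 'javascript:' + encodeURIComponent('(function(){' + body + '})();');
}

// Decode a bookmarklet back to readable source for review before installing.
function decodeBookmarklet(bookmarklet) {
  if (!bookmarklet.startsWith('javascript:')) throw new Error('not a bookmarklet');
  return decodeURIComponent(bookmarklet.slice('javascript:'.length));
}

// Run a bookmarklet against stubbed browser objects (constructed test harness)
// and return the URL it would open or the message it would display.
function runBookmarklet(bookmarklet, pageUrl, lastModified) {
  const out = [];
  const u = new URL(pageUrl);
  const location = { href: u.href, hostname: u.hostname };
  const document = { lastModified: lastModified };
  const window = { open: (url) => out.push(url) };
  const alert = (msg) => out.push(msg);
  new Function('location', 'document', 'window', 'alert',
    decodeBookmarklet(bookmarklet))(location, document, window, alert);
  return out[0];
}

// Constructed sample page; example.com is a placeholder target.
const page = 'https://example.com/about';
for (const name of Object.keys(BODIES)) {
  console.log(name, '->',
    runBookmarklet(toBookmarklet(BODIES[name]), page, '01/02/2020 03:04:05'));
}
```

A bookmarklet runs with the privileges of whatever page is open when it is clicked, so decode and read the source of any bookmarklet that arrives in a downloaded profile before using it on an investigative machine.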
Chrome is an excellent browser that is known for being very fast and responsive. Chrome is also
very secure by nature, but compromises privacy since Google receives a lot of data about your
internet usage. Both Firefox and Chrome “sandbox” each tab. Sandboxing restricts the content
in that tab to that tab only, preventing it from “touching” other tabs in the browser, or the
computer’s hardware. This is a very important feature in preventing malware from being installed
when you visit a malicious website.
While I always prefer Firefox as my browser for investigations and daily usage, Chrome is my
browser for training events. This is due to stability when loading dozens of tabs, and your system
should have a lot of RAM if you want to take advantage of Chrome’s power. For investigative
purposes, Chrome can use several of the add-ons previously mentioned for Firefox. I highly
recommend uBlock Origin as discussed previously on any browser that you use, including
Firefox, Chrome, Safari, and Opera.
The only time that I use Chrome during an investigation is when I am forced because of a
Chrome-specific utility. There are a few extensions for Chrome that will not work on Firefox. I
will focus on those here. Before discussing any investigative resources, I suggest you harden your
Chrome security. Enter the Settings menu and consider the following changes.
Privacy: Beside the content settings button is a button labeled “Clear browsing data...” This
button will open a dialogue that allows you to clear any or all of the data stored during your sessions.
You may erase information for a period of time ranging from the last hour to “the beginning of
time”. You may wish to use this function to clear all of your browsing data daily. Alternatively,
you could install the extension Click&Clean to automate this chore.
Passwords and forms: I recommend disabling these features by unchecking both boxes:
“Enable Autofill to fill out web forms in a single click”, and “Offer to save your web passwords”.
If you have stored form-fill information or passwords in Chrome, I recommend removing any
data before conducting investigations.
Chrome Extensions: To install add-ons in Chrome, navigate to the settings menu. Click
“Extensions” on the upper left side of the Chrome interface. You will be presented with all the
add-ons that are currently installed in Chrome. I recommend uninstalling any add-ons that you
did not personally install or research for trustworthiness. Furthermore, most extensions
previously explained for Firefox can be installed in the same manner in Chrome. The following
Chrome-only extensions may provide additional benefit to your online research.
Prophet (recruitingtools.com/prophet)
Prophet monitors the social networks that you visit and supplies additional details about the
targets that you are researching. It does not require an account. After installation, launch Prophet
by clicking on the black arrow button in the upper right of your browser. This works best when
you are actively on the social network profile of your target. Figure 1.13 displays the view while
launched from a person’s Twitter page. The results identify her AboutMe, Facebook, Foursquare,
Google+, LinkedIn, and Klout profiles. It also connects directly to her personal blog and Flickr
page. The “Find Email Address” option reveals two verified email addresses that belong to the
target.
I have successfully used this extension on numerous investigations. While the methods that
Prophet uses to obtain the data can be replicated with manual searching, it is a laborious process.
This extension saves time. In one investigation, I needed to quickly locate the Facebook pages
connected to several Twitter profiles involved in a threat case. Clicking through each profile, with
the Prophet sidebar expanded, immediately identified the majority of the accounts. A two-hour
task was completed in less than fifteen minutes. This tool works best when executed from a
Twitter, Facebook, Google+, or LinkedIn profile. It does not work well from blogs or personal
websites.
Similar to Prophet, 360Social aims to immediately discover social accounts associated with the
current target page. Once installed, this extension resides in the Chrome menu. When you visit
any social network profile, the icon will switch from greyscale to color, indicating potential
information. Clicking the icon presents the full menu as seen in the right-side portion of Figure
1.14. In this example, the same target was chosen as was used previously. However, much more
information was obtained. We now have direct links to her Twitter, Google+, AboutMe, Flickr,
Foursquare, Github, Instagram, Klout, Yelp, and YouTube profiles. We also have links to her
personal blog, employer, Snapchat account, and IMDB page. As a further benefit, hovering over
any social network profile link, such as her friends or retweets, will immediately change the detail
menu to information found about the new target associated with the link.
While FireShot and Nimbus were explained as free options that work with both Firefox and
Chrome, they both have their limitations. Neither works extremely well with large social network
profiles and both provide no type of file management solution. While I try to focus only on free
resources, this book would not be complete without a discussion about Hunchly. Hunchly is a
paid tool that is designed to optimize your data capture and analysis during an OSINT
investigation. Hunchly takes full content captures of every page that you visit so that you don’t
lose information during the course of your investigation. Additionally, it automatically does the
following:
• Creates a cryptographic signature for each page captured for verification purposes
• Automatically extracts EXIF metadata from every photo encountered
• Enables you to tag pages for easy organization of small or large cases
• Powerful full text search of all captured pages and EXIF data
• Flexible export and reporting options
• Automatic attachment of downloads including documents and video files
• API integration with tools such as Maltego
Hunchly is completely integrated with Google Chrome so you can stay in your browser while you
are doing your investigative work. With Hunchly working in the background, you never have to
worry about remembering to take screenshots or annotate with some tool. All of the pages are
captured, timestamped and documented automatically.
Tor is an acronym for The Onion Router. Basically, it allows you to mask your IP address and
appear to be browsing the internet from a false location. Normally, when you connect to the
internet and browse to a website, that website can identify the IP address that was assigned to
you from your internet service provider. This can often identify the city and state that you are in
and possibly the business organization where you are currently located. In some instances, it can
identify the building you are in if you are using public wireless internet access. The owner of the
website can then analyze this information which may jeopardize your investigation. This is one
of the many reasons that I recommend the uBlock Origin add-on for Firefox which was explained
earlier. uBlock Origin will block most of the analytic code within websites that monitors your
information, but it will not stop everything. Occasionally, you may want to change your IP
address to make you appear to be someone else in a different country. This is where Tor excels.
The Tor bundle available for free download is completely portable and requires no installation.
After download, unzip the file and extract all of the data. You are now ready to start the program
by double clicking the “Start Tor Browser” icon. The first task that Tor will complete is to create
a connection to a Tor server. This connects you to a server, usually in another country, and routes
all of your internet traffic through that server. After the connection is successful, it will load a
custom version of the Firefox browser. Now, every website that you visit through this browser
will assume that you are connecting through this new IP address instead of your own. This
provides a layer of privacy to stay hidden from a suspect. This may be overkill for most
investigations. If you are only searching and monitoring common services such as Facebook,
Twitter, or YouTube, this service is not needed. If you are visiting personal websites and blogs
of a tech savvy hacker, you should consider Tor. When using Tor, you may notice a drastic
decrease in the speed of your internet. This is normal and unavoidable. This often improves the
longer you are connected. To stop the service, simply close the browser. This will disconnect the
Tor network and stop all services. Figure 1.16 displays the IP address assigned to me through the
Tor Browser (top) and a browser not using Tor (bottom). Any activity conducted through the
Tor browser is not associated with my real internet connection and appears to be originating in
Canada.
Figure 1.16: A Tor IP address and location (top) and actual data (bottom).