USERNAME OSINT INVESTIGATION

Effective digital forensics investigations rely heavily on gathering small pieces of information about the suspect(s) and combining them into a comprehensive profile. Being able to find information like email addresses, usernames and sites on which the suspect(s) have accounts helps build out a profile that can be used for further investigation.

In your digital forensic investigations, you have probably come across usernames many times. In fact, a username may be the only lead you have in a case. In this post we will discuss the investigative procedure to follow in placing the suspect behind the keyboard when a username is the only information you have about the suspect.

A useful guide for OSINT investigators in this scenario is the workflow chart below, created by Michael Bazzell of IntelTechniques.

 

Figure I: IntelTechniques.com OSINT Workflow Chart: User Name

 

The benefit to you in searching usernames is that if your suspect chooses a username for criminal activity, it is possible that he may use the same username for legitimate activity, even though the email addresses associated with the username may be different.

However, if the same username is found on more than one website or online platform, it does not necessarily mean it is the same person. Usernames are specific to an account on the Internet, not to the Internet as a whole. Finding the same username in more than one location means time is needed to investigate if the owner of the username is the same person. 

Search Engines

The initial sources from which useful information about the suspect can be obtained are search engines such as Google, Bing, DuckDuckGo, Yandex and the like. Searches can reveal interesting information because usernames are among the data most commonly included in user descriptions on forums, social media accounts, blogs, instant messaging services, and other platforms on the internet.

Performing a search using Google advanced search queries (known as Google dorks) can return information that is difficult to locate through a simple search.

inurl:JoseffMoronwi site:twitter.com



"JoseffMoro" site:instagram.com

To search for an exact match, surround your search term/phrase with quotation marks as shown above. From the above results, we have been able to determine that the real name of the suspect is Joseph Moronwi.

"joseph" "moronwi" -site:twitter.com

 


The above query shows results that exactly match the given name and surname in different combinations, while excluding Twitter from the results (assuming Twitter was the platform on which the suspect was discovered and there is no further need to search it, only other sources).

Opening the results of the above query one after the other will give us more information about the suspect and make us more certain in our investigation. It will enable us to build a more comprehensive profile of the suspect beyond the username, which was the only lead we had.


From the above, we have discovered the picture and probable location of the suspect. We can also conclude that the suspect is tech-savvy.

From the above, we have been able to obtain further information about the suspect such as his work and education.

Web Services

There are specialized websites and tools that you can use in your OSINT investigations of usernames. You can check specific usernames to see where they are being used (e.g., social media sites) or to know whether a particular username really exists.

KnowEm

KnowEm is one of the most comprehensive search websites for usernames. The main page provides a single search field which will immediately check for the presence of the supplied username on the most popular social network sites. A search for the username "josephmoronwi" provides information about the availability of that username on the top 25 networks.
  • If the network name is slightly transparent and the word "available" is struck through, there is a subject with a profile on that website using the supplied username. This is where the investigator will want to focus attention.
  • When the website is not transparent and the word "available" is orange and underlined, there is no user profile on that site with the supplied username.

For an OSINT researcher, the first set suggests a visit to the site to locate that user's profile. To simplify your search, you can use the following direct URLs.

https://knowem.com/checkusernames.php?u=some-username 
https://knowem.com/checksocialnames.php?u=some-username  

Check Username

You can check specific usernames to see where they are being used (e.g., social media sites) or to know whether a particular username really exists.

This site searches approximately one third of the sites on KnowEm, but it links directly to the target's profile when one is identified.

Namecheckr

This service appeared in late 2014 and conducts the same type of search as the previous services. The only slight advantage here is that the search is conducted faster than other sites. Additionally, you have a live hyperlink that will navigate to any identified accounts of the target.

Namevine

This username search service provides a unique feature missing in the rest. It allows you to begin typing any partial username and it will immediately identify registered accounts within the top ten social networks. This could be beneficial when you are not sure of the exact name that your target is using. If your target has a Twitter username of "JoseffMoro", the previous services will easily identify additional accounts that also possess this name. If, however, you suspect that your target may be adding a number to the end of the username, it could take some time to search all of the possibilities. With Namevine, you can quickly change the number at the end of the username and get immediate results. It will search Twitter, Facebook, Pinterest, YouTube, Instagram, Tumblr, WordPress, Blogger, and GitHub. It will also check for any ".com" domains that match. The benefit of this service is the speed of multiple searches.

Social Searcher

This option provides a unique response. It is not a traditional username search site which displays accounts OWNED by the target. Instead, it queries for social network posts which MENTION the target.

Whats My Name

This resource appeared in 2020 and replicates many of the features previously presented. This service provides a unique feature. You can export your results to clipboard, XLSX, CSV, or PDF. A search of my own username revealed the following for easy documentation.

https://bitbucket.org/JoseffMoro/
https://nitter.net/JoseffMoro
https://github.com/JoseffMoro
http://en.gravatar.com/profiles/JoseffMoro.json
https://pastebin.com/u/JoseffMoro
https://www.reddit.com/user/JoseffMoro/about/.json
http://archive.org/wayback/available?url=https://twitter.com/JoseffMoro/status/*

Gravatar

Gravatar powers your public profile, visible wherever you post, comment, and interact online. This service is responsible for many of the small image icons that you see next to a contact in your email client, which could be configured by the sender of the email.

While the Gravatar home page does not offer a username search option, you can conduct a query directly from the URL shown below. Simply replace the username with your target information. The resultant image can then be searched with a reverse image query.

https://en.gravatar.com/target_username

Skype

Identifying a Skype username can be an important lead. It could direct you toward additional searches of the newly found data. A quick method will reveal any Skype username when searching by name or email address. While logged in to a Skype account within the website or application, navigate to the search area. This section allows you to enter a real name or email address, and then conducts a search of the Skype user directory. Any results will appear immediately below. Clicking on these results displays the user's basic profile details including a photo. If the user chose not to include a photo, a silhouette graphic appears. Right-click on either image format and choose to "Open image in a new tab" (Chrome) or "View image" (Firefox). The new tab will contain the image that was already available. However, the address in the URL will reveal the Skype username of the target.

Other web services include:

  • Namechk: Check to see whether a specified username is used for major domain names and social media sites.
  • Instantusername: Instant Username Search will check more than 100 social media sites for you.
  • Peekyou: Enables you to locate a person by their online alias, wherever they can be found on the Web.

Command Line Tools

It is possible to rely on some command line tools freely available online for our username OSINT investigations.

WhatsMyName

This is a GitHub project which has the unified data required to perform user and username enumeration on various websites. It is included in more advanced tools: Spiderfoot and Recon-ng. However, you can use it as a standalone checker by cloning the repository here.

 


UserRecon

According to the author @linux_choice, userrecon "finds usernames across over 75 social networks. This is useful if you are running an investigation to determine the usage of the same username on different social networks." You can clone the GitHub repository here.


Sherlock

 

With Sherlock, we can instantly hunt down social media accounts created with a unique screen name on many online platforms simultaneously. For a detailed tutorial on how to use Sherlock for investigation, please refer to this page.  

If you don’t know much about your target, I highly recommend Sherlock as it covers a large number of platforms and you might find relevant information on social media platforms other than the usual big ones that come to mind, such as Facebook, Instagram, TikTok and the like.

Email Assumptions

We can also make assumptions in order to identify target accounts. Assume that your suspect is hushpuppi5 on Instagram. A search of the email addresses of hushpuppi@gmail.com, hushpuppi@hotmail.com, and hushpuppi@yahoo.com at Have I Been Pwned (HIBP) or Dehashed might reveal an active account that appears within a compromised database. Unfortunately, this manual search is time-consuming and takes a lot of redundant effort. Therefore, consider using this option within the custom search tools.

These services contain two search fields near the bottom of the page. Each queries a provided username through HIBP and Dehashed. The code appends the most popular email domains after the supplied username, and conducts a search within a new tab for each. If you provide hushpuppi5 as the target username, the following email addresses are queried within independent browser tabs.

hushpuppi5@gmail.com 
hushpuppi5@yahoo.com 
hushpuppi5@hotmail.com 
hushpuppi5@protonmail.com
hushpuppi5@live.com 
hushpuppi5@icloud.com
hushpuppi5@yandex.com 
hushpuppi5@gmx.com 
hushpuppi5@mail.com 
hushpuppi5@mac.com 
hushpuppi5@me.com

Any positive results indicate that an address exists matching the search criteria, and that address was present within a breach. If you look at the code behind the tools, it appears as follows.

setTimeout(function () { window.open('https://dehashed.com/search?query=%22' + all3 + '@gmail.com%22', '1leak3window'); }, 1000);

The setTimeout function places a short pause in between searches. This ensures that we do not upset the server by conducting too many automated queries at once. If desired, you could replace gmail.com, or any other options, with an email provider more appropriate for your investigations. If you are outside the U.S., you may want to replace several of these. You could also add more at the end. If I were to add "abc.com" after the last option, it would appear as follows.

setTimeout(function () { window.open('https://dehashed.com/search?query=%22' + all3 + '@abc.com%22', '13leak3window'); }, 35000);

The 35000 is the next timeout value, which ensures that we have 3000 milliseconds in between each search execution.
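The domain-appending and staggered-delay logic described above can be generated from a list instead of maintained as one hand-numbered setTimeout line per provider. This is an added example, not the code behind the tools the post describes; the function names, the window names, the local-part pattern and the default delays (1000 ms first, 3000 ms apart) are assumptions.

```javascript
// Added example: names, defaults and the local-part pattern are assumptions.
const DOMAINS = ['gmail.com', 'yahoo.com', 'hotmail.com', 'protonmail.com',
  'live.com', 'icloud.com', 'yandex.com', 'gmx.com', 'mail.com', 'mac.com', 'me.com'];

// Conservative local-part check so a pasted value cannot alter the query string.
const LOCAL_PART = /^[A-Za-z0-9._+-]{1,64}$/;

// Returns one entry per candidate address; delays are derived from position,
// so adding a domain never requires renumbering the timeouts by hand.
function buildSearchSchedule(username, domains = DOMAINS, firstDelayMs = 1000, gapMs = 3000) {
  const local = String(username).trim().replace(/^@/, '');
  if (!LOCAL_PART.test(local)) {
    throw new Error('not usable as an email local part: ' + username);
  }
  const seen = new Set();
  const schedule = [];
  for (const raw of domains) {
    const domain = String(raw).trim().toLowerCase();
    if (!domain || seen.has(domain)) continue; // skip blanks and duplicates
    seen.add(domain);
    const email = local + '@' + domain;
    const position = schedule.length;
    schedule.push({
      email,
      // Quoted exact-match query, as in the page's snippet (%22 is a double quote).
      url: 'https://dehashed.com/search?query=' + encodeURIComponent('"' + email + '"'),
      windowName: 'leak' + (position + 1), // constructed; unique so tabs are not reused
      delayMs: firstDelayMs + position * gapMs,
    });
  }
  return schedule;
}

// opener is window.open in a browser; pass stubs for opener and timer to dry-run.
function runSchedule(schedule, opener, timer = setTimeout) {
  for (const entry of schedule) {
    timer(() => opener(entry.url, entry.windowName), entry.delayMs);
  }
  return schedule.length;
}
```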

 
