One issue with TikTok is that you can only view an account’s followers and friends if you are using the app, which is problematic if you need or want to be using a web browser because it means you can’t view an account’s connections.
This post will address how you can use a phone emulator via your browser to get around this problem.
Free, Web-Based Emulators
There are several free (or at least, they offer a free trial) web-based emulators. For a list of emulators go to this article.
The article names a number of emulators, but for this post we will use BrowserStack.
Steps For Using Emulator
Here are the steps to use the emulator to view TikTok friends and followers.
1 – After signing up with a google account for a free trial on browserstack, I get this page below:
2 – After choosing one of the device options I get an emulator set up and appears as below:
3 – For the android device, I click on Play Store so that I can download TikTok. After opening Play Store, I log into my google account so I can access Play Store.
4 – I search and find TikTok and then hit install.
5 – From here, it is a simple process of finding and opening a TikTok page of choice, then click on “Following” or “Followers”.
There are a few tricks that can help a researcher looking at a TikTok account. We can look up archived versions of a TikTok account and we kind find what kind of phone and what kind of social media account was used when signing up for TikTok. There is also a tool that helps to search TikTok.
Archived versions of TikTok pages are actually saved in web archives. Archive.is has better data (saves full page and includes saved versions of the videos) but Archive.org is more likely to have saved versions of a given TikTok page. So it is worth checking both.
Here we see that Archive.org has 79 versions of the Tik Tok page we are researching.
Here is what the page normally looks like in TikTok
Here is one version in Archive.org, it only shows the bio information from the page. There were occasional examples of the page that showed the videos, but it was not possible to play any of them.
More often, I got this:
By contrast, when searching for the same page in Archive.is, there was only one captured version of the page available, but it had the full page and contents available, this includes ALL videos and they could be played too.
In addition, we I click on one of the videos, the following page opens up in Archive.is and the video itself is actually playing.
What Social Media Type Used to Sign Up
We can find a TikTok user’s what kind of phone the user has, another type of social media account they use (which they used to log into their TikTok account), and their unique account ID number all thanks to a method discovered by Jake Creps (@jakecreps, jakecreps.com).
This works by opening up a TikTok page, right-click on the screen and select view page source, then do a word search for “user/profile”, and you will find a line of code that looks like this:
1 – “meta property” identifies the user’s device as “iOS” or “android”
2 – “content” will provide the unique profile ID number, it is not entirely clear how much a profile ID is valuable, but it does not change and you can google the number with “tiktok” to pull up the account in question.
3 – “refer” will identify the social media type that the user was logged into when signing up for or logging in to TikTok. The most important aspect is that it shows another account.
#OSINT You can extract the unique ID for a TikTok profile and how they created their account. By inspecting using the browser tools and searching for “user/profile” you’ll find the unique ID as well as a refer=<source> for how they signed up. It might even give you device type.#OSINT Here’s an example: <meta property=”al:ios:url” content=”snssdk1233://user/profile/6746264168812659717?refer=facebook”>
#OSINT You can extract the unique ID for a TikTok profile and how they created their account.
By inspecting using the browser tools and searching for “user/profile” you’ll find the unique ID as well as a refer=<source> for how they signed up. It might even give you device type.
First, open a TikTok account’s page (you don’t need to have a TikTok account for this to work)
Right-click and choose “view page source”
Do a word search for “user/profile”
We see the profile ID number
If we wanted, we could google the number and we pull up the acccount.
Returning to the data we found, we see further along the same line that the “refer” section shows that the user has a Facebook account and the “meta” section shows that the user uses an Android phone.
And further to the right we see that the user also uses an iOS phone.
Finally, Osint Combine has a tool for searching TikTok. It is not a game-changer but it does make searching TikTok easier.
This posts addresses some of the tools that have become available for obtaining information about a given phone number. The prevalence of app-based caller ID has made it possible to identify the owners of unlisted numbers and even identify how they are casually referred to by associates.
WA Tools provide a resource that lets you know if a phone number has downloaded WhatsApp, whether they are active on WhatsApp at that moment, and most importantly it can even (usually) download their profile photo.
Though this is only indirectly related to the phone number, there is also a tool that lets you search (based on name / username) for and view skype profiles.
HLR (home location registry) lookups can potentially reveal general location data about the phone user.
Finally, this post summarizes previously discussed sites and information for researching phones with data breaches, Python, and people-search tools.
App-based Caller ID
True Caller – (truecaller.com) & Sync.me (sync.me) are two widely used apps with over a billion numbers combined. The apps access the contacts lists of their users and will identify a given number based on how people identify it in their contacts list, (i.e. “john – computer guy”). This is especially useful for phone numbers that are not listed in more established sources.
WA Tools (https://watools.io/) can be used to search on any phone number and then find if it has WhatsApp, if the user is on WhatsApp at that moment, and download the user’s WhatsApp profile photo
The tool Skypli (https://www.skypli.com/) (recently discovered thanks to @OsintTechniques) lets you search for a Skype user by name and, if you find them, open their profile which can reveal name, location, profile photo, username and/or possibly other information.
HLR-Lookups.com will want you to sign up for a free account but it is worth it as it shows you the following information that, in theory, includes whether the number is actively roaming. However, Roaming means you are out of your network provider’s territory and is often a sign that the phone, and its owner, are traveling abroad.
Hlrlookup.com will identify a general region where the phone number was issued (see bottom portion of the table below), even if the area code is from a different location. This gives a better feel for the current actual home base of the phone number’s owner. In other words, they may have gotten the phone number and then moved to a different part of the country.
A previous post explained how to use a Python script named Ignorant to find if a phone number had been used to register accounts on Instagram or Snapchat.
If you believe you have then found the correct Instagram account, another post described how to use a Python code named Toutatis to see a partially obfuscated phone number used for the account. You can use that to confirm if you found the correct account.
Ghost Codes – There is a website called Ghost Codes, associated with an app with the same name. The website is a databases of Snapchat-users, limited to those who also have the Ghost Codes app, and for each user in the database there is info on their snapchat profile and other social media accounts.. The database only includes the users who have Ghost Codes and Snapchat.
According to HaveIBeenPwned.com, “Often when online services are compromised, the first signs of it appear on “paste” sites like Pastebin. Attackers frequently publish either samples or complete dumps of compromised data on these services. ” (click here for more information)
“Pastebin is a website that allows users to share plain text through public posts called ‘pastes'”
“There are many similar web applications, known as ‘paste sites'”
“Paste sites are commonly used for sharing code.”
“Pastebin specifically is user-friendly, supports large text files, doesn’t require user registration, and allows for anonymous posting if the user has a VPN. “
“This allows black hat hackers to easily and anonymously breach data in an accessible place.”
Finally, per the Pastebin FAQ, search engines will only index the public pastes
How to Search Pastes?
The following are two good tools for searching pastes. Keep in mind that data breaches are often taken down after discovery on pastebin sites so you have a limited window of opportunity to find the raw data. Eventually, the info will filter down to the data breach sites mentioned in a previous post.
This post explains how to find a company’s employees by using publicly available OSINT tools.
A previous post explained how to find employees’ work email addresses for any company. That process simply required that you search for the company’s website domain in the tools Phonebooks.cz, Snov.io, and Hunter.io to look for email addresses that have the same domain as the company’s website. This process gave a list of work email addresses used by employees.
This current post will address how to identify the users of those email addresses in addition to other company employees as well.
Who Owns the Email?
Using the list of work email addresses that we gained from the aforementioned tools, we can identify the person that uses the email address. We start with the email username which will be a partial identification of the person’s name. Usually there will be an established pattern where “John Smith” working at “Fake Company” will be something like “jsmith@Fake_Company.com”.
AIHIT identifies company employees from corporate registrations, domain registrations, social media, company websites, and other sources. It logs each name and title and even continues to monitor its sources in case a new name appears on a registration and replaces an old one. For any company in a country with public corporate registries (like the United States) you can assume it will appear in this database.
We search for our company by name in the search bar and then in the results page we click on “people” and we receive a list of employee names, titles, and sometimes their work email addresses.
From here we can take an educated guess about who owns which email address. For example, you can see on the right that an employee named Alexander has the username “al” for their email address. From here we can search for the personal contact information for each employee using professional recruitment websites like Apollo.io, Contactout.com, and Rocketreach.co.
Professional Recruitment Websites
These websites have databases full of the names, titles, and contact information for employees of various companies large and small. The sources of their data are not clear. Rocketreach.co vaguely states that their information comes from “publicly sourced data,” and their leads are “generated by tying together 100s of pieces of data using learning algorithms”. What IS for certain, is that there are a lot of complaints by people on sites like Reddit and Trustpilot (see here and here) claiming that these sites are publishing personal contact information that was not intended to be public.
Professional recruitment websites have databases that are specifically built so that you cannot find someone by their name. Instead, you have to search using someone’s employer and title. Now that we have linked a number of work email addresses to a name, title, and employer, we can search for them in these websites. Note that these websites will require that you sign up for a free account if you want to see the person’s contact information.
Here we see the same employee on Apollo.io and the site offers to give you their work email and personal phone number if you get a free account.
And here on ContactOut.com we see the employee’s Gmail address is available
You can find more information about the employee by searching for their email address in Breach Data websites, which were explained in a previous post.
Views on primary topics – First, look at the main topics they discuss and then click on one of the bubbles to find all the tweets on the topic. Read through a few tweets to get the account user’s view on the matter. So for example if one of the main topics is “President”, you can read through the tweets to see if they are pro or against the president
Specific details of their life – look for topics in the small bubbles to find the errant tweets that reveal details about their life, so maybe the bubble that says “wife” will link to a tweet saying “…my ex wife….”
Find closest associates – look at main usernames that are in primary topics and (unless they are a celebrity), look at 5 of them in a row to find common features that can reflect the original account user.
Find relatives – use All My Tweets to list all followers and do a quick word search for the original account owner’s last name
The account’s first follower – this is often someone close to the user. Use All My Tweets to get a full list of the account’s followers. Scroll all the way to the bottom and you will see the first follower there.
Assess relationships – use Tweet Beaver to display “conversations” between the primary twitter account and its close associates. Do they interact or just retweet?
Location – If you cannot find the account owner’s location directly, consider looking for locations of close friends and family in their bios or Geo Social Footprint. Try to identify time zone based on Sleeping Time.
Are staff members tweeting – for famous / powerful individuals, the tweets sometimes come from the actual person or staff members. Often, tweets from the person come from a phone and at any hour while tweets from staff come from a computer during the day. Use Twitonomy to identify the platform used for individual or all tweets. If the tweet came from a phone (it will say “Twitter for Android” or “…Iphone” etc.) or a computer (“Twitter Web App”).
TurthNest (https://www.truthnest.com) look under “Activity” and there’s an option for “Mentioned Users” that shows you which users the targeted account mentioned the most times. You can click on “view latest” under each account to look at the specific tweets of the targeted account mentioning this user. You can also click on the account names to open their Twitter accounts and see their bio pages. This doesn’t sound useful but if you click on an account name in most tools it will merely search for the account in the tools itself. It is useful to right-click on 5 of these accounts in a row and choose to “open in new tab” so you can look at them all at once and find common features.
Tweet Topic Explorer
Tweet Topic Explorer (http://tweettopicexplorer.neoformix.com/) identifies the most common words tweeted from the account (excluding useless words like “the”) and allows you to click on any of them to immediately see a list of the tweets with that word. Scan the map for words that might reflect important things about the account user like political views or profession.
Or, see this post, for how to manipulate data and view original posts, most important topics in content, or rank other accounts mentioned in tweets.
Tweet Beaver (https://tweetbeaver.com/) has a variety of tools that are especially useful for assessing a relationship between two accounts (common followers, what have they tweeted at each other, etc.)
Geo Social Footprint
Geo Social Footprint (http://geosocialfootprint.com/) should show a twitter account’s geotagged tweets on a map and link to the tweets themselves. If you get an error message when you run a twitter account, like “map cannot display”, that often just means that there are no geotagged tweets. Based on the twitter api limitations, it is reasonable to guess that the tool looks at the last 4 thousand tweets.
All My Tweets (https://www.allmytweets.net/) is a great tool to find an account’s first follower. Just select the account to search, click in “Followers” and it will give you a list of followers in chronological order, so scroll to the bottom. A number of investigative reporting guides suggest that the first follower is often a person that has a close relationship with the account holder.
This tool will also list all of an accounts tweets in a list that can be copied and pasted into a CSV file.
Other useful tools include:
AccountAnalysis (https://accountanalysis.app/) this tool categorizes an account’s content to assess relationships and interests. It is similar to Tweet Topic Explorer in that in that it will analyze content of tweets and click on one thing (like a username) and the tool will identify the tweets that reference the account.
Below you see that for the analyzed account, the tool identifies the accounts that it replied to, retweeted, or quoted the most. This is a great way to quickly identify accounts that reflect your subject’s interests or associates. Tweet Topic Explorer takes more of a broad brush approach. But in this tool we can choose to focus on accounts that the subject account replied to rather than retweeted.
The tool lists Hashtags and URLs, which are a great way to figure out the account’s interests.
If you do not understand anything on the page, there is a very useful help section that details all of the analysis fields.
The only drawback of this tool is that you need to specifically request at the top if you want to analyze more than the last 200 tweets., Likewise at the bottom where it lists the tweets that reference the topic you clicked on, it will default to showing you 12 tweets and you have to click for it to load more. This presumably allows the tool to run faster and crash less.
This post will walk through how to use the Python script GHunt via gitpod.io, which lets you search an email address to find the associated Google Account and pulls relevant information from it. Google account
e.) Now your cookies appear in the menu to the right.
f.) For each cookie that you need, the script will identify its by the cookie name, which you can find in the Name column.
So we go to the menu and under Name we find SID
h.) Then we copy the Value and paste it in where the file asked in gitpod
j.) You will be prompted to find and input the cookies named SID, SSID, APISID, SAPISID, and HSID.
Now lets return to step 5 in the process of running GHunt.
5 – Now in order to search for the Google Account of an email address, type in the following command (but with the email address where it says “<email_address>” (also remove the carrots)) and hit enter:
docker run -v ghunt-resources:/usr/src/app/resources -ti mxrch/ghunt check_and_gen.py docker run -v ghunt-resources:/usr/src/app/resources -ti mxrch/ghunt ghunt.py email docker run -v ghunt-resources:/usr/src/app/resources -ti mxrch/ghunt ghunt.py doc
SIDENOTE: GHunt can also research a Google Doc. To do so, get the document link and run the following command:
docker run -v ghunt-resources:/usr/src/app/resources -ti mxrch/ghunt ghunt.py doc
And here is the kind of results you may receive (name, location, photos, etc.):
When I click on the Google Maps link (gitpod requires you to hold down Ctrl while you click on the link), I get the account’s profile photo and a review on Google Maps at a specific location.
Don’t forget to hit Save within the Gitpod workspace so that you do not need to input your cookies in the future!
This post will walkthrough running a Python scrip (Toutatis) in Gitpod that will find information on an Instagram account such as a partial email or phone number that is privately registered with the account. Once you have the partial email, you can make an educated guess about the full email and then search for it in a data breach website to see if such an email does exist.
Recall that a previous post Find if A Phone has an Instagram Account, showed how to use a Python script (Ignorant) to find out if a phone number was registered with an unidentified account on Instagram.
So if you start with a phone and run the script, you will know there is an account out there and therefore you can go look for an account that you think is used by the phone’s owner. Once you find an account you can now use this new script (Toutatis) to confirm if you found the right one by checking if the account is registered to the same phone number with which you started.
Before running Toutatis we must get our Instagram SessionID and then the second is to run the actual script.
Get Instagram SessionID
Open instagram and then right-click and choose “inspect” from the dropdown menu
Then (this is for chrome but it is similar for other browsers) click on Application, then the down arrow next to Cookies, and then http://www.instagram…
The SessionID is 2nd down in the menu in the middle. Double click on it to make it copy-able.
1 – Log into github.com and gitpod.io (for first-time users, registering is quick and easy)
You will see something like this image on your screen for about 1 minute:
Then this screen will appear:
If this screen above does not appear after 5 minutes, you can change your default IDE which will usually fix the problem. See the Trouble Shooting Section at the bottom for how to change your default IDE.
3 – Then type:
sudo python3 setup.py install
4 – type the command
“toutatis -u USERNAME -s SESSIONID”
But replace USERNAME with the username and SESSIONID with the session id
So I will be using the username paulwalker1 and the sessionid 26902806300%3ANXEuxHSiGWtS1F%3A10. So as you see in the screenshot below, I will type:
You can guess the phone number and check it in Trucaller (trucaller.com), a callerid database (calleridservice.com), or people-searching website (truepeoplesearch.com). These websites would tell you if the phone exists and then who owns it. To help confirm that you have the right phone number, it would be good to go back to the Ignorant script ( Find if A Phone has an Instagram Account) to make sure that the phone number you guessed does in fact have an Instagram account.
See below if you were having trouble logging into your virtual environment.
Trouble Shooting Section
If your computer keeps running for more than 5 minutes when you try to set up a virtual environment, then:
1 – open a new tab and log into gitpod.
2 – go to settings
3 – then preferences
4 – then switch the IDE on the right, sometimes VS Code works better, sometimes Theia
We can identify a list of websites where a specific email address has registered accounts in a very straightforward process of 6 steps. This process does not require the reader to know, learn, or download Python, but does use a Python script.
CREDIT WHERE IT IS DUE: This process does not require a knowledge of Python but the explanation must address the computer language a bit. The Github user account Megadose hosts an amazing Python script named Holehe and deserves a lot of credit for this creation.
The script will find the different social media networks where the email is registered to an account. However, because many people do not know anything about Python, I’ve come up with a process intended for people that do not know anything about python and do not want to learn about it. It is a rote process requires no knowledge of python, no downloads, and no thinking at all.
Instructions for First Time Using Holehe
Step 1 (the hardest) – Click here and sign up for an account on Github . Sorry, that is more than one step but the process is simple and it gets easy afterward.
Step 2 – Login to Gitpod. You do not need to sign up for Gitpod if you already have a Github account. Go here (https://gitpod.io/login/) and you will see an option on the left to sign in with your Github account even though you don’t have a Gitpod account. See below:
Once you have logged in your page will probably look like this:
Step 3 – Copy and paste this url into your browser and hit Enter:
Why? – Basically, you are making a url that consists of the gitpod website url, a hashtage, and the url of the github page for the script.
Here is the explanation. We want to run a Python script but to do so we need a development environment. Normally you would download it but in this case, Gitpod provides a development environment online where you can run Python scripts. When you identify a script posted on Github you create a url of the Gitpod website’s url, a Hashtag, and the url for the page hosting the Python script. So with our script hosted at https://github.com/megadose/holehe, we create a url like this:
Gitpod will create a workspace, a virtual computer, specifically for running the script. The script and its affiliated files will be downloaded though you will likely still have to run the setup.py file, or its equivalent. If you go to the script’s page on Github there should be instructions for downloading and running the script.
Wait for Gitpod to do some processing and then your computer should look like this:
Step 4 – At the bottom of the screen find where it says “/workspace/holehe $”.
Click to the right of these words and type “python3 setup.py install” and then hit enter.
Step 5 – Wait for the install to complete and then right click on the folder on the type left that is named “holehe” (not the one titled “holehe.egg-info”). When you right click on the folder a drop down menu appears, choose “open in terminal”.
A new tab has appeared in the terminal, notice the new tab that reads “gitpod /workspace/holehe/holehe” and the cursor is located next to a similarly named prompt.
Step 6 – Finally, choose your email that you want to research, in our case we will use the fake example email “firstname.lastname@example.org”
Now the last thing to do is type in the final sequence with your email in place of our fake example. So find the prompt “gitpod /workspace/holehe/holehe $” and next to it you will type the following and hit enter:
Results: Separately, I ran a real email address for an example to show how the results should look. The output is a list of 50 or so social media networks and other websites. If the name of the site/network is purple, there was no account on it, green means there is an account registered with the email address and red means the script could not check the site. Hopefully you got something like this:
Now that you’ve done this once, the process will be much easier in the future.
Login to Gitpod and there will be a workspace named for the script. It should look like the image below. Just click “Open” on the workspace.
From here, you repeat steps 4, 5, and 6. You install setup.py, open a new terminal tab, and run the command.