Social Media Intelligence (SOCMINT) - Practical tips & tools

Social Media Intelligence (SOCMINT) - Practical tips & tools

Intelligence on Facebook, Instagram, TikTok, Twitter and LinkedIn

Social Media Intelligence (SOCMINT) is a type of Open Source Intelligence (OSINT), which refers to the collection and analysis of data from social media websites. It includes all social media platforms, not only social networking sites. Intelligence is gathered through messengers, image and video-sharing services, microblogging platforms, and social gaming platforms.

Information on social media is either public or private. Private information is more difficult to access as it requires proper permissions from the creator. For example, to be in a circle of friends or a closed group member.

Data on social media divides into three categories:

  1. User-posted content, like a written post, uploaded image, or video.

  2. Metadata, like date/time and geolocation associated with posted content.

  3. Interactions, such as replies, likes, and other forms of reactions.

Social Media Landscape

This article will cover how to gather intelligence on Facebook, Instagram, TikTok and Twitter. These are the most popular social media platforms with the largest number of active users in 2022. LinkedIn has a relatively small number of active users - 66.8 million. However, it's also covered, as it provides invaluable business intelligence.

Number of social media active users, in millions. Source - Statista

Number of social media active users, in millions. Source - Statista

Start from the general search if you don’t have a specific platform in mind. Username is the quickest way to search across different social networks, provided the target has used the same username consistently. Also, a username might reveal a name/surname which is different from the one on the social network page. That introduces additional pivot points. Just pass the username into Namechk.com or Instantusername.com, and scan through hundreds of websites within minutes.

If you need more advanced functionality - get the locally-installed tool called Maigret to customise your search process and create HTML reports. Use the Wayback Machine to access the historical data of social media pages you have found. Not all of them are archived, especially the less popular ones, but it’s worth a try.

Reverse image search is very useful when the target account has uploaded a unique profile picture or other photos. Google and TinEye are good for this, though you might need to review a lot of images that don’t match the target one. Image EXIF data provides valuable information but websites usually strip it out. Check if it is available using Viewexifdata.com.

“Forgot password” functionality is a handy tool to verify if the target has signed up on the website. However, checking each website one by one is tedious, and the Python tool Holehe simplifies this. If you don’t want to bother installing anything locally, use the online service Epieos, which queries Holehe. If you are unsure about email validity, use Proofy.io to verify if the given email exists. To get more information on the person, check the email across known breaches on Dehashed.com. It might bring up some social networks, for example the recent Facebook breach. If you have a phone number, check it on TrueCaller or GetContact to get a possible name/surname, and then search for the account on social media.

Facebook

Facebook is the largest social network and has a lot of data points for research, though it’s getting harder to do OSINT on the platform. User-generated content, lists of friends and shares is important information for digital investigators.

In 2019 Facebook discontinued its Graph Search, which used natural-language search queries. Previously you could query something like “People who like The Beatles and live in New York”. Workarounds are described below but querying data is not as easy anymore.

IntelligenceX Facebook Search tools

IntelligenceX Facebook Search tools

Google Dorks

  • site:instagram.com intext:facebook.com – Google search for Facebook profile links on Instagram.

  • "target_name" "target_surname" site:facebook.com – Google search for target name and surname on Facebook.

  • "OSINT" site:facebook.com/*/videos – Google search for indexed Facebook videos that include a specific keyword.

Online tools

  • Lookup-id.com – Find Facebook ID.

  • Facebook recover – Helps to find accounts by email with Facebook recovery function.

  • Whopostedwhat.com – Search Facebook posts with ability to set a date range and location.

  • Sowsearch.info – Facebook graph search alternative.

  • Intelx.io and graph.tips – These are search tools based on the aforementioned Sowsearch.

  • DumpItBlue+ – Helps to download Facebook profile data for analysis or reporting purposes.

  • Apify.com – Scrapes Facebook posts with comments from one or multiple page URLs. Gets post and comment texts, timestamps, post URLs, likes, shares, comments count, author ID.

  • Barometer.agorapulse.com – determines how many fans a Facebook page has and will compare it to thousands of other pages with a similar fan range.

Command-line interface tools

Friend List Scraper – OSINT tool to scrape names and usernames from large friend lists on Facebook, without being rate limited.


Instagram

Instagram is a good tool to watch what’s happening in real time. People post stories, give a peek into their life and tend to overshare information. For example, employees might post pictures from the workplace that might include sensitive details. Doing business intelligence you might find out the company address and check nearby posts on Instagram.

Instagram Attack Surface Diagram by Sinwindie

Instagram Attack Surface Diagram by Sinwindie

Google Dorks

You can check if an account has changed the username. However, information about former usernames is only covered for profiles that reach many people or make advertisements. It doesn't show the exact username (although it used to) but shows how many times it was changed and if there was a recent change.

Online tools

Command-line interface tools

  • Instahunter – A CLI OSINT app that can fetch data from Instagram's Web API without authentication.

  • Osintgram – Performs analysis on Instagram accounts. Allows to search for specific hashtags, users, or locations on Instagram and collect information such as posts, comments, and likes.

  • Terra – Gets locations, timestamps, captions, pictures and URL of the Instagram account. The tool can also be used for Twitter reconnaissance.

  • InstagramOSINT – Gets a range of information from an Instagram account that you normally wouldn't be able to get from just looking at their profile.


TikTok

TikTok launched in 2016 and has grown very quickly, being popular among young people. Despite its entertainment nature, the app was also adopted by OSINT Researchers. It has become a valuable source of intelligence, especially after TikTok users started to post Russian military vehicles moving towards Ukraine. Researchers monitored Russian troop build-up near the border weeks before the invasion, all from content posted by ordinary users. As young people like to capture and share everything they see, it has turned into a big advantage for OSINT.

The downside of the platform is that an advanced recommendation algorithm shows you content based on what you have previously watched, which might not align with your investigation. Personalised experience is great for the average user, however it creates issues for the investigator. To avoid these issues you can use different devices for each topic you investigate. Those are not necessarily separate mobile phones, but you can run TikTok on several virtual machines as well.

TikTok Attack Surface Diagram by Sinwindie

Google Dorks

  • site:tiktok.com "username" OR "first and last name" – Google search for a specific username or name/surname within TikTok.

  • "username" OR "first and last name" "tiktok.com" -site:tiktok.com – Google search for mentions of the TikTok account on other social media.

  • site:tiktok.com intext:@username -intitle:"username" inurl:video – Google search for profiles mentioning the target username in the body text, but not in the title.

  • -site:tiktok.com intext:"tiktok.com/@username" – Google search for TikTok account mentions over the Internet.

Online tools

  • Ttdown.org and savefrom.net – Download videos from TikTok

  • Exportcomments.com – Export comments from TikTok posts. The tool also allows users to export comments from other social networks, like Facebook, Youtube, Instagram, Twitter and more.

  • Tik.ixspy.com – Shows TikTok trends and performs account analytics.

Command-line interface tools

  • TikTok Scraper – Lightweight and powerful TikTok scraper. Helps to download video posts, collect user/trend/hashtag/music feed metadata and more.

Twitter

Over the years, Twitter has become a go-to platform for breaking stories direct from the source. Because of its network effect, many well-established journalists share real-time news and post unique content you wouldn’t find elsewhere. Even with its recent management changes, which resulted in many people leaving the platform, it is still a great source for conducting open-source intelligence.

Twitter Attack Surface Diagram by Sinwindie

At least 500 million tweets are sent daily, meaning there will be a lot of noise when searching for something in particular. Being familiar with advanced search options significantly increases your chances to find relevant information.

Twitter advanced search operators

Twitter advanced search operators

When you are researching a deleted or private account, you can check who talked to it using the following query:

Also, you can check whether any tweets have been archived before they became private or were deleted. To do this paste the profile URL into Wayback Machine or check if any of the tweets were saved in Tweet Archivist.

  • site:twitter.com/target_username – check private/deleted Twitter accounts for any cached results on Google. However, it will only work well on well established accounts that were previously public.

  • "@username" site:twitter.com – check who is talking to the private account using Google.

Online tools

  • Onemilliontweetmap – Visualises tweets in a world map.

  • Birdhunt – Geolocates Tweets within a certain radius.

  • Spoonbill.io – Lets you see profile changes from the people you follow on Twitter.

  • Sleepingtime.org – Shows the approximate sleeping schedule of Twitter users.

  • Socialbearing – Shows insights and analytics for tweets & conveniently presents data on the dashboard.

  • Accountanalysis – Evaluates Twitter accounts. For example, how automated they are, how many Retweets they post, or which websites they link to most often.

  • Followerwonk – Allows to find people by bios and analyse followers.

  • Foller – Twitter analytics application that gathers near real-time data about topics, mentions, hashtags, followers, location and more.

  • Twxplorer – Search for the most commonly used words and hashtags and the mostly frequently shared links.

  • Tweepdiff – Compare Twitter followers.

  • Hoaxy – Hoaxy is a search engine that tracks URLs, phrases or Twitter accounts to create a visualisation of a story's virality.

  • Tweetbeaver – Download user’s timeline, get account data, get common friends of the account and more to analyse Twitter accounts.

  • Twdown – Twitter video downloader.

  • Followersanalysis.com – Export the list of all Twitter followers and following in CSV/Excel along with their analysis.

  • Threadreaderapp.com – Helps to easily read and share Twitter threads.

Command-line interface tools

  • Twitter Profile Analyzer – Tweets metadata scraper & activity analyzer

  • Twitter Intelligence – A project written in Python for twitter tracking and analysis without using Twitter API.

  • TwitterBFTD – User tweets history for domain names that are available for registration.


LinkedIn

The information from LinkedIn is useful for targeting a particular employee or the whole organisation. Collected information has more credibility than on other social networks, as people on LinkedIn tend to use their real names and share business-related information.

The downside of the platform is that even with the highest privacy settings the target will still get a profile visit notification, which can undermine the investigation process. It will reveal the number of profile visits and the industry of the searcher.

LinkedIn Attack Surface Diagram by Sinwindie

LinkedIn Attack Surface Diagram by Sinwindie

Google Dorks

  • site:ua.linkedin.com/in "gmail.com" DevOps -recruiter – Google search to find Ukrainian DevOps engineers who have publicly listed email. Exclude recruiters from search.

  • site:www.linkedin.com/in -inurl:pub/dir intitle:"IBM" – Google search for IBM employees and exclude “directory” listings

  • site:linkedin.com/in/ "Current Netflix – Google search to find current Netflix employees.

  • site:www.linkedin.com “target_name” “target_surname” – Google search on for public accounts that mentioned the target account.

These are just a few examples to get a general idea. More LinkedIn dorks can be created at Recruitin.net or using the Signalhire browser extension. Note that LinkedIn users can hide their profile from Google indexing. If so, your results will be incomplete and you might want to use the native LinkedIn search functionality. Try performing a Google search to find if there are any mentions of the private account by public ones as this might reveal interesting information

There are also hidden search operators available only on LinkedIn Recruiter and Lite. These include search by seniority, company size, company type, years of experience, years at current company and more. You can check the complete list of operators on Irina Shamaeva’s blog.

Email to LinkedIn profile

Once you get the target's name, supply it to Hunter.io, which is a good tool for email search and validation. If you are unsure about its validity, you can permutate email addresses to get more options with Metric Sparrow. Once you have a valid email, check if there is a LinkedIn user registered with that address. Follow these steps:

  1. Open Microsoft Outlook.

  2. Go to your contacts section.

  3. Add a new contact by clicking "New contact" and add the target's email address.

  4. Open the newly created contact and select “LinkedIn”.

LinkedIn profile details in outlook. Credit - Steve Adams

LinkedIn profile details in outlook. Credit - Steve Adams

Below the details there is a “See full profile” button that will redirect you to a LinkedIn website. Before exploring the full profile be sure to log into your covert account.

Online tools

Command-line interface tools

  • Revealin – Tool to uncover the full name of a target on LinkedIn.

  • CrossLinked – LinkedIn enumeration tool that uses search engine scraping to collect valid employee names from an organisation.

  • The Endorser – An OSINT tool that allows you to draw out relationships between people on LinkedIn via endorsements/skills.

  • The Harvester – Gets employee names from LinkedIn based on the target domain. Also, it provides information about e-mail accounts, user names and hostnames/subdomains.

  • Maltego – Comprehensive OSINT tool that also allows to search for LinkedIn profiles and extract profile information.

  • Recon-ng – OSINT gathering tool that supports collecting employee names and titles from a specified company on LinkedIn.


Conclusion

Modern society leaves their life on social media in the open. People generate a huge amount of information which can be easily found online. Social networking sites are run by private companies that mostly care about revenue and user growth. Those companies will incentivise people to share as much as possible. In turn, that creates more and more opportunities to collect personal data.

This article provides a lot of tools and methods to dig up information online. However, a good researcher does not merely collect information but turns it into actionable intelligence. More information about critical thinking and OSINT mindset will be coming in future articles, so stay tuned.