So I just want you to join me in welcoming Ryan McDougal, OSINT expert, your mic's been cut, and sexy beast. Yeah, you had to turn it on for that.
Okay, thanks. All right. So, as Chris said, my name's Ryan McDougal. I'm a senior social engineer pen tester and the OSINT trainer for Social-Engineer, LLC. For those that don't know me, which is likely most of you actually, I started working with Chris in late 2017. Almost immediately he tasked me with teaching his two-day advanced OSINT class. The point of that class is to teach students how we as SECOM do OSINT for our clients. That class was geared towards teaching the methodology versus teaching a set of tools. Now, it's not to say tools weren't used, but he picked just a small selection of tools and did a real deep dive into it, to really set the mindset of being an OSINT investigator. It included non-technical OSINT techniques to really push the point that it's not the tool set, it's the mindset.
So as a researcher in an information security company, the OSINT techniques I use may be different from those used in law enforcement, and in the Innocent Lives Foundation, who I'm also a volunteer for. The hours can be long and grinding, but they are finite. My time as an Infosec researcher is paid for by the client hourly. So their budget really determines how far down the rabbit hole I can go before I have to tell them what I found. And during work hours, what I'm looking to do is to take a name and an email address and find out enough about a person to really figure out how to perform an actual phishing, vishing, or impersonation attack. And I act like the bad guy, but remember I'm a good guy. So if I find very sensitive compromising information, instead of using it like an attacker would, I would turn it over to the point of contact and not put that stuff in the report. But that's not what this talk is about.
OSINT can be really fun and enlightening when you're not held to a tight scope and someone's not paying you for a limited amount of research. This is about using basic OSINT skills in everyday life for fun stories, freaking out your neighbors, and getting the edge in the job, whatever job that may be. Now one of the things I teach in the SECOM OSINT class, which I've revised the content a bit as Chris stated, and renamed it to being practical OSINT for everyday social engineers, is natural observation. Just being aware of your surroundings and utilizing often unseen information to your advantage. Now this is all fun and hopefully some education.
Now my son really likes trucks. He's five, so that should not be overly surprising to anyone, at least I hope. So we get lots of books from the library about all kinds of trucks, construction trucks, garbage trucks, general transport trucks. There have been many times while reading these books to him at bedtime that a picture in a book comes up that we're reading that shows a phone number or a license plate and some authors tend to have better operation security than others. So here we have a couple phone numbers to look for. My son also has a map of the U.S. on the wall of his room. So when we find one of these details, we try to plot it on the map. So to see where the truck actually comes from, we put a pin on the map for every one that we find, and then some days we go back and look at all the old trucks that we found. Now for the armor waste truck, we did a search for just the area code that we see. And for the BFI truck, we search for the whole number because there's no area code in there. And we do this all on my phone while we're lying in his bed looking at these books. So I'm actually showing him what I'm doing on the phone and he gets really interested in it. So here we see the armor waste truck is near St. Paul, Minnesota.
And the BFI truck lacking an area code actually comes back to multiple references in Michigan, whether Woodhaven, Garden City, or Pontiac. I'm not really sure what the Florida reference is about, but the number came back the same and it does reference BFI in the link. Sometimes the information you find is not always accurate or usable at the time that you find it. We mapped that truck back to Michigan based on the more references pointing in that direction. It's a fun little game we use involving looking up area codes, looking really hard with a magnifying glass at license plates or other identifying objects or signs in the photos in these books. But looking just a bit closer at the armor truck says right on the door, Eagan, Minnesota, which is about 18 minutes from St. Paul. Now this may not seem very advanced, but it is useful. He's learning that there's much more information in these books than just a couple sentences on the pages. Sometimes it makes story time go a little bit longer than I'd hope. But it is fun nonetheless.
Now taking that idea just a little bit further, and also related to my son, is finding out who his friends' parents are. Using OSINT skills over and over again makes me more efficient at doing the work when my client asks me to do a similar task. And I get a clear picture of who the people are in his life. So we have a neighbor with a boy about the same age as my son, and he really likes playing with them. But my wife and I are very deep introverts, if you couldn't tell already. So making small talk is not really a natural tendency for us. Now early in these encounters, stand really close, early in these encounters we'd walk away from their house and one of us would say to the other, what was her name again? And it'd be rude to continue to ask their name over and over and over again when they never forget ours. So starting with Google Maps, we get their address.
I work back to find out who owned the house based on public records. So here we see some voter records on the property and business associated with the address that includes a phone number I didn't previously have. But on the voter records page, I found three names for the address. I've redacted much of the information so as not to expose innocents in this adventure, but I'll explain what's there. I left Victor visible because I remembered that's the name of the father of the household. Seeing it made me remember and since that's the point of this journey is to jog my memory. I didn't recognize the other two names, but the second name fully redacted because it's quite unique, shares the same name as Victor, shares the same last name as Victor. So I'm going to assume that that's his wife at this point, whom I've met many times, but the name presented was not familiar at all. Now the trick with OSINT is sometimes you have to assume information and then go down a rabbit hole until you can prove it otherwise.
So going down another path in my search, the business reference led me to a contact name for the company. The address matched up with what I already knew and the assumed wife's name is listed as the owner of the business. So back to Google and a search for the company name in quotes gave me a few new leads. First being a Facebook page. The photo is absolutely my target's. The profile gives me the school that she attended, which I take note of for future reference. The whole point of this journey is to see if they're fine, upstanding people that I'd feel comfortable with my son being around. Her Facebook page, well, provided a number of adorable pictures of their family. Didn't really tell me much about her that I deemed useful for this purpose. Social media tends to be a mask that people use to kind of give you the best parts of their personality.
So relying on it for character assessment really isn't very useful for me. Also, I still didn't recognize the name being said in introductions, so there's clearly more to find.
Following one of the other leads, my search led to Spokeo. This record was specific to Victor, but since they're related, maybe I'll learn more about them through this path. So knowing his general age, I chose the age 36 over the age 53. This is where I saw it. Julia. That's the name that was familiar to me. It was listed there in the related to section. In fact, both the name I didn't recognize and Julia were both there and they had the same last name. Pseudonym maybe? Possibly.
Back to Google. This time, I put Julia and the last name in quotes and I added the state that we're actually in to help narrow down the search. Julia is the vice president of a bank. Now that's pretty interesting. The LinkedIn profile doesn't have a picture though, so I can't be sure it's the same person yet. But if I look at the education that's listed, that comes back to the same university that I saw in the Facebook profile. So it's a good indication that it is the same person. And if I hop back to my Google search from before, but click the link on the images section, now I see a picture of Julia that I recognize. And although it may be hard for you to see here, the link from the picture actually comes from LinkedIn. Following the link from the images takes me back to the LinkedIn profile we just looked at that doesn't have a picture. It's odd, but maybe she removes the picture at some point, but Google never forgets. So now I know that Julia and Victor have the same home real estate business and Julia is a long-term, high-level employee at a bank, so she's likely federally bonded. So I can be a bit more comfortable with her being in my son's life.
Now I see much more of her than Victor, but maybe in the future I'll go down another path and learn a little bit more about him just in case. It's simple, straightforward, maybe a little awkward if they figured out how I did it, but with a little more than some Google-fu, you can get so much useful information on your targets that having a million tools at your disposal may be overwhelming. But don't get me wrong, use the right tool for the job. Just because you have a hammer doesn't mean you have to use it every time though.
So here's my last example. Probably moving very quickly. Oh my gosh. Very quickly. Alright. I wanted to do some work on my house recently. I'm finding a decent contractor is a pretty daunting job if you don't have someone in your immediate circle that does that kind of work. So we reached out to friends and acquaintances just to see if anyone could recommend anyone worth looking into. I got a lead on one guy and I got his first name and his phone number. I called him up, dropped the name of the person who gave me his link, his name, and he was very friendly and agreed to scope out our project. Now, something I should have done before calling him was try to figure out who he was. I mean really figure out who he was. Where am I? Okay.
I simply started with the phone number search. Now these can often have lots of lousy results. But it's worth it here because it's pretty much all I had. There was a decent link in that that had the phone number associated with a home builder company. Maybe it was his company. This is all new information to me. Searching for that company in quotes didn't yield anything new. In fact, it was just the page that we were on. But adding another piece of information that I had, his first name, that gave me much more information to work with. Nine million results. Now it's unlikely all of them apply but it's definitely better than one.
So following the matcha.com link gave me an address that I didn't have before. It stated he established the business in 1998. So he was doing it for a while. And it also let me know he was a one-man show. But scrolling down, I get his last name and a new phone number. So now I need to find out some more information about this company to see if I want to hire him or not. That is the goal of this search in this case. So I search the company name in quotes again, add the state that we were in, kind of reduce the scope to see if anything else new comes up. I get a Facebook page that does not look well maintained. It does have two likes on it though, but again, not learning a whole lot about the company with no stories available.
Following the other link, I get this page. While unfortunate, I'm not stuck. Google Cache is your friend in these situations. Going to the cached version of this page gives me Dan's resume when that was posted there at one point. Now this is a great piece of information if I'm trying to determine whether to hire him or not, wouldn't you say? I can see he went from being a chef to an HVAC technician and then having this home builder business that we know he's the owner of from other links. Also the other call out says one of his accomplishments is operating computers programmed with accounting software. So he's got that going for him.
Heading back to Google for a new perspective, I searched for Dan's full name in quotes and added the state we're in to see if anything else of note comes up. The first link is a voter records link that gives me his full name including his middle name. And while knowing this information is good to figure out if I'm searching for the right person or not, it really doesn't help me a whole lot with the question on whether I should hire him for my project. But the second link is much more interesting to me. Why is he associated with a daycare and a preschool? Turns out he's not.
He's only associated with the daycare because his business is in the same zip code as the other business. But that's a different construction company. Clicking that link takes me to a company profile established in February of 2019 registered by Dan. Now that's pretty interesting. Going back to my previous Google search but checking out page two of the results gives me a bit more information. It seems Dan is also involved in a cannabis business. Co-owner in fact. Seems he has a lot of irons in the fire. The second link provides a more detailed description of the business even placing it in and around the area I know he lives in based on other information that I gathered. So I can be reasonably sure it's the same person.
I learned a lot about Dan in this trip but ultimately it raised additional questions for me. I'm moving really fast. Okay. So what happened to his home builder business after 20 years? Why did he start a new one at the start of this year? And the cannabis business must be a good gig because it's been around for 11 years. Should I hire him at this point? I'm not really that sure but I do have a lot to think on.
Now, none of these techniques that I'm using are revolutionary. In fact, I would classify them all as basic but practical. Practical OSINT skills. Anyone here watching this could be thinking, this is all easy. Why am I sitting in this room listening to this? The point I'm making is using these skills for everyday non-work related use can help navigate the world in a much, much more effective way. As a network pentester, using basic OSINT skills can laser focus you on your target and make your attacks much more effective in a shorter amount of time. What upper level management doesn't want a strikingly effective pentester on their team? As a salesperson, knowing just a few additional details about the prospects both personally and professionally can make you more efficient at closing that deal.
They'll give you topics of conversation that you can just bring up to build rapport really quickly. I would imagine learning a few Google techniques to hone your everyday searches and lead you to information repositories of specific tools can help anyone in any profession be better at what they do. The common phrase "knowledge is power" is, I think, better said "knowledge is confidence." The more you know about your target, friend, or potential provider or client can make you more confident in either accomplishing your goal or just being more comfortable in the general setting that you're in.
So that's all I have as a general presentation. I left plenty of time for questions if you have any questions. So, uh, thank you for sitting through this. I appreciate your time. Now please, are there any questions? Right here.
Name some of my favorite free OSINT tools and why. I love search engines. I love, love search engines. There's all kinds of them. The Baidu, Yandex, all of them will have different information. But you don't need a huge repository of tools to be an effective person in OSINT depending on your goal. So there's some that are more useful than others. But when it comes to just doing free simple basic OSINT, search engines will pretty much, as long as you know how to use them effectively, get you everything that you need. We use theHarvester a lot to get email addresses. I mean, there's little Python scripts that are around. I mean tools come and go. So that's why I don't try to focus on specific tools. Because if you learn one tool and you get really stuck on one tool, the moment the developer decides to not develop that tool anymore, you're stuck. So as long as you figure out how to do the mindset of using tools, the tool doesn't matter. It's how you find information, categorize information, and delineate noise from signal. That's the important part of being an OSINT investigator. Anything else?
You, sir. What browser plug-ins or virtual machines to protect privacy? Yeah. Well, just separating yourself from your normal day-to-day stuff is fine. I mean, I use Buscador sometimes, but not every time. And sometimes I'll just fire up a different VM and use it for one investigation and then burn it, or fire up a VPS and do an investigation and burn it. Like, it's very simple to distance yourself from that. And browser extensions, again, come and go so you can pick the ones that you like for what your job is. But as far as an OSINT investigator from my perspective, it's more about, again, how to categorize and find information that's more important to me than specific individual tools.
Let's try over here, sir. What unexpected things have I found in an OSINT investigation? Finding Dan was part of a cannabis business was kind of weird because I, after getting to know him through Google, it was unexpected. But in professional jobs, we found all kinds of different things like finding people are involved in criminal engagements or pornography, whether they know it or not. You know, those things tend to come up as long as you look hard enough. So, yeah, I didn't, not really, can't tell you very specific stories, but yes, sir.
Yes. How do I store data to find it more efficiently later? So as a minor plug, the OSINT class that I actually teach, we go into documentation and categorizing information. And we have a very specific way so we can pass it off between researchers. So we, and I'll give you this tidbit here. So it's very simple. We just do, we have one line in our documentation that shows the search that we use, whether it was a Google search or Baidu or whatever, and then the exact search term. And then we put the URL that the information that we want is useful on the second line. And then the third line is just the tidbits of information that are useful on that page.
So then, and then we lay it out within our documentation so I can hand it off to anyone and they can follow the exact same path I went through. And then I have that stored. So if I remember, hey, I had that thing about that guy and I go back through, I can follow the exact same path that I took. So it's not necessarily about having a special technique. It's just about being clear and concise in your documentation is the most important.
Anything else, sir? Have I seen the transition between the physical world and the digital world during an OSINT investigation? Like an investigator, right? Yeah. Okay. Like, private investigators, I heard, tend to do things like that. Yeah. I mean, this is, so that's kind of like my first story where we look at these books and we see these license plates or these signs that me and my son work on. And then we take that actual physical book and we just find out about the truck or the company and kind of map out where they are and go through that. It's very common to go back and forth. I mean, when we do actual jobs, we will sit in a parking lot and look at people's cars or signs and then go back and find out more about how we can do more effective attacks against them. So that's a very natural transition to go between the physical world and the digital world.
Let's go over here. You, sir, with the hair, how has my OSINT knowledge helped with my personal privacy? What have I done to protect my own privacy? That's a fantastic question. There's only so much you can do with some digital information. You can request stuff to be taken offline, but some sites abide by it and some don't. So I'm more attuned to what is publicly available to me and then if someone were to come at me with what I know is public information, I treat it as suspect because I know it's public information.
So someone is going to be able to find all of this information about me pretty easily and I'm sure, but I'm not terribly worried about it because I know that it's out there and there's little that I can do that it's out there. So all I know is to know that it's out there and react accordingly to known public information. Yeah?
Yes, ma'am. Yes. Do I use any databases behind paywalls that I consider useful? Rarely. So when I originally wrote this speech, it included people.com and IntelTechniques, which suddenly went behind paywalls after I wrote this speech. So I had to spend a significant amount of time figuring out the new way to do this and when I actually did it, I felt like this came across as a better story because as soon as I got stuck in people.com or the IntelTechniques stuff, I was stuck in that rabbit hole and it was so much information it was almost overwhelming. But when I decided to actually consciously not use them, I found a better story to find out who these people were. Like, I got locked in people.com for my neighbor and I was like there but I really didn't. And so when I decided to go after her with not using people.com that's when I learned all the banking information and all this job about all this stuff and the correlation between the name I didn't know and the name that I did know. And so I felt like I actually gained more information by staying out of that because it was just overwhelming by the amount of information they can provide. And that's like going down the wrong rabbit hole too far is not useful. You can go very far down a rabbit hole and not have, so that's another one of the things that I try to convey to my students is know when to step back. Like go far enough until you're not finding useful information anymore and then step back and go down a different fork of information until you start finding more useful information for your specific goal. Right. Does that answer your question? Great. Yes, sir.
Is there a certain demographic that is harder to find through OSINT techniques? Is that your question? Yeah. Right. So it all depends on what your goal is. So like you were saying, older people might not have as much online presence but they probably have an extensive public records presence that you can find out depending on what you're looking for. And if you're looking for your grandfather's Facebook page or your neighbor's grandfather's Facebook page that might be harder, but if you're looking for who they are, what they've done in their life, it might not be as hard because they have a longer life history, as opposed to younger generations which have an extensive online social media that they just give you everything that you want right up front and you really tend to want to know less about them at that point. Does that help? Like go to libraries and go to paper. I'd love an investigation that would do that. I have not gotten to that point yet but I think that would be really fun. Is that good? I haven't done it yet but I haven't had to.
Any other questions? Yes, sir. Do I have a certain point where I know to pull back from a rabbit hole that's not helpful? How do I determine if I'm wasting time? It's a great question. Basically, I always have to have my actual goal in mind. Doing OSINT with no goal is just web surfing. So if you have a specific goal you have to, you know, I'll go three, four, five steps down and if I'm not finding what I need to then I'll pull back and just fork off one piece of that information and go a little bit further and just kind of stop, because if you just go in one direction too far you're never going to get to your goal unless you get really lucky. So it's kind of piecemealing it. So you want to go a little bit maybe in a couple directions at first until you see, okay, this one's paying off more than this one's paying off, and then you decide to go down this one further and abandon that one. Does that help?
Any other questions? Great. A minute. I'll give you back a minute of your life. Thank you very much.