While there are many ways to look for a person of interest, my methods primarily revolve around my pen testing skills and my technical expertise. So get ready for a roller coaster ride of useful information as I show you the next level of open source intelligence.

What I won't be talking about today is everything that OSINT consists of: all the basics like Google dorking, people search websites (there are hundreds of those), image metadata analysis, all the hundreds or thousands of breached databases, social media accounts (there's an entire field in OSINT just on digging deep into social media). There's plenty of government records you can look through, especially in the US, and I won't be touching on the dark web either. A lot of things I won't be touching on. But what I will be talking about is some of the skill sets that I bring to this field of OSINT.

To understand better where these skill sets come from, it's good to know a little bit about my background. I come from a very hardcore network design background, doing routing, switching, a lot of coding. I transitioned into an ethical hacker, being a pen tester, started doing things a little bit more legally, doing a lot of social engineering, whether phishing, vishing or in person. Today I consult for organizations small and large as a virtual chief information security officer. I also advise on privacy as I do OSINT investigations to find people and to catch the bad guys. Some of my family members don't understand the technical side of this, so the column on the right is how I explain it to them: I'm the good guy.

Before I start, I just want to throw this out there that everything we do as OSINT professionals revolves around covering your tracks. So OPSEC, operational security, is absolutely important. Everything you see on the list here, we need to practice. Without these in place,
we can't start our investigations. We need to protect ourselves before we inadvertently expose our footprints. A lot of these things, for the purposes of today's demo, I may not be using, so don't judge me, but in a real-life scenario I will pay special attention to these.

So enough of slides, let's get started. In order to start an investigation you need some seed info. In my case, let's look at a hypothetical scenario, an actual scenario. The only information we have is this: there's a Tesla parked in the parking lot of a university, Northwestern University. Who owns it? That's all the information we have. We don't have a name, a phone number, anything. How do you go about starting your investigation if all you know is a type of vehicle and the university it's parked at? So let's say it's parked in the faculty parking area.

Thinking outside the box is big, and so is knowing where to find information. I know that there's a data breach called the ParkMobile data breach, and there is some data in it around email addresses and vehicles. So let's look that up first. I do a ripgrep, a faster way of doing grep. I'm going to search through this file that I have, the ParkMobile data breach, which is almost five gigabytes, and I'm going to search for everything that has @northwestern.edu in it. Let's see what it finds. It found a lot of email addresses associated with that university and a lot of details. Let's narrow it down a little bit more. Let me cancel the search. This shows you how many people use their corporate email IDs for an app that helps you park your car. But let's stack on the word Tesla next to it, so it searches for both in conjunction.
I got exactly one hit. I got an email address in this breach, and I know that this person has a Tesla, and I got a bunch of license plate numbers, probably 10 or 15 of these. So let's see which one is his or hers.

So now I have an email address. Let's take this further and simply Google it. When you Google this email address, it tells you the person's full name. I click on that link (I preloaded some of these tabs because sometimes they'll fail or may not load right on my VPN, so for the sake of the demo let's go to the next tab here). When you click on that first link, I already know enough information about this person through people search websites: I have a phone number, I know he's a doctor (it says MD in his title, so he's likely a doctor), and there's an address here.

Now that I know some information, I will dig deeper. I know he's a doctor, so there's a nationwide database for their license. I simply searched his name on this database. Let me go back a little; I pre-populated this. NPI records are records of all the doctors in the US. I could do it this way, or the conventional way I did this was to go into my health insurance website and search for doctors. It gives you a little bit more information around it. So I get similar information, and at least I'm verifying now that this is an official record. It's not some people search website that can be manipulated or where disinformation can be spread; this is an actual health care record for this person. The address here is different; it has a suite next to it, so this is a clinic's address and probably an office phone number. But at least I know the person's full three names, middle initial, and he's legit. So I take the other address I had here, the 751; this is likely his home address, and I put it in Google Street View. This is that address. Not a lot of information, but remember I was looking for that car. Does he own this car or not?
Or at least, am I lucky enough to see it parked on the street? Not in this view. But what you can do is go back in history on Google Street View, and let's look at a 2018 view of the same thing. Almost immediately I spot the Tesla here in the center, and I zoom into it. I can tell it's a Florida license plate. Again, this is information that is geography specific, so someone not in the US may not recognize it instantly; they may need to do a little bit more research. But I can kind of see the orange in the center, that's a Florida plate, and I can see the last two numbers. Google does a great job of masking that out, but it says 67. Let's go back to this data breach here, and there is a 67 right here in the license plate, DJYF67.

Let's take this plate now and run it through another OSINT tool, which is this database of vehicles. You put in a plate here, so that was this plate number, you look for the state (this is vehiclehistory.com), and you hit search. And if you get lucky, you find it. So I found that exact Tesla. I found the VIN number, and I can take the VIN number further. I also found it had 53,000 miles and was sold for 45,000 in 2020. So some vehicle history: the plate is the same, but if I keep going further into the pictures I actually see a map here, and the map shows Florida in it. So some of my information is now correlating. And also in the top bar you see the profile username, Dr. K, and that is our person of interest. So very quickly I got a lot of information on this person just through an alternate means of searching.

I can also then go to a site like WiGLE.net and, under the Bluetooth section, search for maybe the car's Bluetooth, a beacon that it's sending out. In this case, let me just make up a name: Tesla Model S Jarvis. Let's query this.
So any device with a Bluetooth name like this within this map search that I have here is going to show up and basically tell me where it was spotted. So all these Bluetooth beacons were spotted all over the US. If you know the exact one of the person, you can actually pinpoint where they've been, or where they are, based on the date over here. So that's another way: besides just Wi-Fi searching, you can also search for Bluetooth. Again, this is crowdsourced data, so it may not be accurate.

Continuing on with this, you can always look at people search websites like Advanced Background Checks and try to look for a date of birth. It shows me how old this person is but says that, for privacy reasons, they don't reveal the full date of birth, which is fine. Let's keep moving on. Fast People Search, same person, scroll down, and it'll actually show you September 1942. So it gave me two out of the three variables. And this is interesting, because if my goal is to get the full date of birth of a person, there are other ways. I know enough information about the person.

One other piece that I would use is government records to verify information. So let's say a voter record, like the Massachusetts website for voter registration. I can look up people by their first name, last name, full date of birth and a zip code. If I have all of these things, it'll give me more information, who they voted for and stuff like that, and an address. So all of this is confirmed and verified information, and that's very important. When you're doing OSINT, you can't trust the information that you're presented with; you have to verify. So in this case, let's pick another target. I don't want to dox the same person. So let's pick this person here.
So, William Francis Galvin. If I put in his name here, I don't know his date of birth, but guess what, he's a popular person, likely. Google his name and his full date of birth shows up, September 17th. His zip code is the next thing we need. A people search website will show it's 02135. So I have everything I need about him, but let's say I didn't.

This is where I fire up my hacking tools like Burp Suite. Within Burp Suite I open up that same page, and I enter the information here and I enter the zip code here. What was it? 02135. And I hit Search here, and intercept is off. Let me turn on intercept, so it's going to intercept this request. So it didn't really search yet; it paused here. So I have this request here now. I'm going to modify some of the things here to search for the missing items. Let's say I didn't know the date of birth. So let's send this to Intruder. I go into Intruder and I mark some positions that I need to know. So let's say I did not know the day of birth. Let's clear all these things here. Let's go back. The day of birth is 17; let's put a variable around this number. Say I didn't know it was 17, I was just guessing, so I have 30 tries to get this right, or I could automate the process using Burp Suite.

Now under Payloads I would go and say: let's cycle through all the numbers from 1 to 30 in steps of 1, decimal numbers, minimum integer digits 1, maximum 2, and fraction digits 0 and 0. It gives you an example here of what the output would look like, and I can start my attack. So before I do that, let's go under Options. You can run a grep match, and (I'm doing this fast because I've done this quite a few times) I want to match for everything that says "not found", because when I do find something, it will stand out. So now I have everything.
Let's run this attack. It's basically going to run through all the different iterations. It's going to submit the form with different values of day, and as it does this it shows me the length of the packet, and I'm looking for an anomaly. I'm looking for something that stands out. If I click on any one of these, it shows me what it submitted. Let me render the form here, and it'll show me what the form looked like. Since it was an incorrect entry, it says voter registration information not found, and that's what I'm searching for. This item right here with the checkbox was actually found, and it has a different length, a byte length here, versus the rest. The rest are very close to each other; this one is kind of the odd one out. And when I rendered this, it says yes, voter registration status was basically found, and it gives me this person's full date of birth. So in case I didn't know it, it's going to try 30 attempts, and if I didn't know other variables, I would put those in as well and it would increase the number of attempts. But I can use a tool like this just to automate the process and verify this information now.
I know, since a government record exists of this information, that this is 100 percent verified. So not only do I know the full date of birth, but another missing piece of information was the address; that's now there. A lot of people write their true addresses on voting forms, whereas on social media websites they'll try to hide it or spread some disinformation. But on government records, it's highly likely that this is your actual address. So very quickly, using hacking tools like this, you can dig through OSINT scenarios much faster and actually verify the information that you have.

Taking this one step further, now that I have more pieces of information, let's take that email address back that we found initially and just run it through Have I Been Pwned, just to see: are there other data breaches we can check? It quickly shows me it's part of so many other data breaches. Each breach will have its own unique piece of information, and I can just dig further and further. It shows me the ParkMobile data breach, which I just checked through, had a license plate number in it. Since I know this information exists, I know shortcuts on how to find it fast. But even passwords and stuff: passwords are not what we're looking for; it's all the other information. But if I take this same email address and run it through a password breach website like this one, breachdirectory.tk, and just put in this email address, I very quickly get redacted passwords of this person. And if I take one of these redacted passwords, it shows me the SHA1 hash. And as a pen tester, I know, hey, a SHA1 can be reversed pretty quickly, especially when I know half the characters. So instead of finding the actual password, I'll quickly go back to Kali Linux. I will go to hashcat, which is right here. So I'll use hashcat. I'll do a -m 100, that's for SHA1; -a 3 is a brute force attack; and that's the hash that I got from that website.
Now I'll put a mask on it. I know the first four digits, but I don't know the remainder of the digits. I'll brute force the remainder of the digits, and I press enter. Usually hashcat takes a while, but once you know half the variables... let's see how long this actually takes. It took a couple of seconds to actually figure out the password. It cracked it, and the password was right here, dr carlin. So, Dr. Carlin, hopefully he changed his password. I'm pretty sure he did. But that's a very quick way of reversing a hash using hashcat, and that's the first place I would go to before even digging deeper.

Now a lot of the time passwords will reveal much more than just what was here. They may reveal a second person's name, your dog's name, your spouse's name, or something secret to you. Or you can then take each individual password, that unique password that you got, if it's unique, and do a reverse search on just passwords to find out other hidden accounts for the person. So that's one other way to do it.

But then I would take the phone number and do a reverse carrier search on this, and now I want to verify that this phone number is this person's phone number. So I spoof my caller ID, and I call T-Mobile. I search for T-Mobile's customer care number, and I give T-Mobile a call. When I call them spoofing this person's number, here's what I hear: "T-Mobile. Hi Mark, so tell me, how can I help you today?" So T-Mobile confirmed this is that person.

Moving forward, more Google searches reveal the same person's name, but that same website, if I look at the archive, the Wayback Machine, will actually show me a middle name, Simeon, right here. So I can get more information this way. I take the same person's name and go to Classmates.com. I see a yearbook entry, and I click on the yearbook. Now it's going to show me a paywall, and I can't really click on any of these, but that was page 54,
I believe. But it'll actually show me the first page, so for the first few pages I can always right click on any of these pages, open the image in a new URL, visit that URL and modify the file name that's here. This is JPEG file number two. If I change it to, was it 54? I get the high resolution image of that same Mark person, and this guy is pretty much the same as the person here. So again, digging deeper.

So there's a lot you can do, and I said I wouldn't touch social media, but let's take a quick example of one of the hacking tools in social media. Let's say there's this person, instagram.com/michelle. I want to know more about this person. A lot of the things are masked here. So let me demonstrate two real quick tools for you here. One of the tools is Toutatis. I put in the name Michelle here and I put in a random string here. There are entire directions here on how to use this Instagram tool. But when I run this tool, it actually gives me redacted email addresses, one email address, and a phone number, plus 44, that's UK, which I did not get from the social media profile itself. So this is using APIs. Same thing, I use another tool by the same person called Holehe, and I enter an email address, and it runs through multiple social media accounts and spits out some information regarding where this account was used. So once this tool is done, it'll actually give me more social media accounts to dig through right here. A lot of these did not show up in regular searches, like Garmin and stuff. So now I have more points of interest to go through.

Social media will also tell you other stuff. If you go back in time on Twitter, it will give you location or the person's real name. In this case, the person only had his first name on Twitter. This is not me.
This is somebody who got the name before me. But in this scenario, I now know the person's full name because it's on the Wayback Machine. Look at Brian Krebs's account, and it shows he used Twitter for iPad. Dig a little bit deeper using tools like Social Bearing, and it shows you this person, Brian Krebs, uses an iPhone, an iPad and Twitter for Web. So now I know a device that this person has.

Very quickly, if you go into LinkedIn and do a search for linkedin.com/in/janedoe, you get some information. But if I use an API from People Data Labs, PDL, I can actually put in this profile there and see what they have on her. And now I get a LinkedIn ID, which I could have gotten by right clicking too, but then I get Facebook profiles, phone numbers, a whole bunch of other stuff here to utilize as well, free APIs. So very quickly, realize there's a lot of tools at your disposal. It's how you use them, how quickly and how efficient you are at these tools, that will determine what amount of information you can get out of these.

That LinkedIn ID that I found, just to put a little perspective on it: if you just search the LinkedIn data breach with that same ID, you are going to find, let's see what you find, a lot of IDs which are similar to this. Let's stop the search and narrow it down a little bit. Let's put a comma next to it and a \b to create a boundary. So that LinkedIn ID which we got from Jane Doe's account equates to this one email address. So that's how you use some of the breaches and the tools to real quickly dig deep. Let me take a breather here. There's a lot to talk about there, but let's kind of wrap this up.
So here's where we started, and this is where we want to be. We started with a piece of information about a Tesla at a university, and we quickly went into a breach. The breach turned into an email; we found an email address, and then we found all this information that I showed. The things in white here are all the hacking tools that we used: hashcat to find more details on a password, caller ID spoofing to verify. Most of these things are, by the way, to verify, like Burp Suite was to verify a date of birth and to find it as well; URL manipulation to bypass some of the paywalls; tools in social media, tools like Holehe, Toutatis (probably butchering the names here), but these tools are used to dig deeper into further information. On Facebook, just look for when people started saying happy birthday to the person; that kind of verifies what their day of birth is, at least. Using People Data Labs open APIs to figure out other accounts, using LinkedIn to find member IDs and breaches, types of device used to kind of profile the person better, using WiGLE, or looking back in time on the archive, archive.org: there's a lot of information you can use just by using some of the tools that weren't really made for people hunting, but you can absolutely use this on top of your regular OSINT skill set.

Now, where you want to be here eventually is a chart like this, where you start off with a profile, dig deeper into all the different elements, and just keep growing this chart little by little. That's basically what will provide that larger profile of the person, and then you start connecting the different pieces together. It's the connecting of the dots that really matters and puts your investigation in front of the rest.

So, ingredients to success: a lot of the things you saw me do here require planning, a lot of extreme OPSEC, thinking outside the box, knowing what tools exist so that you can dig deeper for that information. But to me what really defines this
success is persistence and perseverance. Keep trying. Eventually people will make a mistake and they will leave evidence. And perseverance: leave no stone unturned. A quick, simple example I can give you of this is: try all the tools at your disposal, useful or useless. Like, here's Michael Bazzell's tools here, and one of these search tools, let's say I was looking for a name, John Doe. I'll populate all these websites I can look through, simply click on Submit All, and watch how many tabs open up. I can't even look at this; it's like flashing lights. But all of these tabs are now opening up for me to go through, browse and check one by one. Did I miss anything? This is called being thorough. Sure, it takes a lot of time, but all I need is one hit. 20 tabs open up; if one of them has the information I'm looking for, that's success. I'll close the rest of it. So you have to spend the time and the resources to go through all of the tools in your tool set, and then obviously have that positive attitude. And I can almost guarantee you that with a lot of patience, with the perseverance and persistence, if you continue this, you will find your target or your person of interest.

Thank you and have a great rest of the evening.
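The voter-record lookup walked through Burp Intruder in the talk is, seen from the server's side, one client submitting the same form thirty times with every field held fixed except the day, and the hit is read off the response length. As an added example that is not part of the talk, here is how a defender can spot exactly that pattern in ordinary access logs; the `/lookup` endpoint, its field names, the client addresses and the log lines are all constructed for the example.

```python
"""Detect one-field enumeration of a record-lookup form in access logs, and
surface the response-size oracle that tells the enumerator which guess hit."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs

# Common Log Format; the query string is kept inside the request path.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """One access-log line -> ip, timestamp, path, query params, body size (or None)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m["path"].partition("?")
    params = {k: v[0] for k, v in parse_qs(query).items()}
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "path": path, "params": params, "size": int(m["size"])}


def detect_enumeration(lines, endpoint, window=timedelta(seconds=60), min_requests=10):
    """Flag clients that hit `endpoint` >= min_requests times inside `window` while
    changing exactly one form field and holding the rest fixed. For each burst,
    report the submitted values whose response size broke from the majority:
    that size difference is the oracle an Intruder run sorts on."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"] == endpoint:
            by_ip[rec["ip"]].append(rec)
    findings = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        if len(recs) < min_requests or recs[-1]["ts"] - recs[0]["ts"] > window:
            continue
        base = recs[0]["params"]
        varied = {k for r in recs for k, v in r["params"].items() if v != base.get(k)}
        if len(varied) != 1:
            continue  # several fields changing looks like normal use, not a walk of one field
        field = varied.pop()
        common_size = Counter(r["size"] for r in recs).most_common(1)[0][0]
        leaked = sorted(r["params"][field] for r in recs if r["size"] != common_size)
        findings.append({"ip": ip, "field": field, "requests": len(recs),
                         "values_with_distinct_size": leaked})
    return findings


def build_sample_log():
    """Constructed sample: 203.0.113.7 walks the dob day 01..30 for one name/zip in
    under a minute; only day 17 returns the larger 'record found' page. Two
    unrelated requests from other clients are mixed in."""
    tz = timezone(timedelta(hours=-4))
    t0 = datetime(2021, 6, 1, 14, 0, 0, tzinfo=tz)
    lines = []
    for day in range(1, 31):
        size = 4877 if day == 17 else 4312  # found page vs. "not found" page
        ts = (t0 + timedelta(seconds=1.5 * day)).strftime(TS_FMT)
        lines.append(f'203.0.113.7 - - [{ts}] "GET /lookup?first=Jane&last=Doe'
                     f'&dob=1950-04-{day:02d}&zip=10001 HTTP/1.1" 200 {size}')
    ts = (t0 + timedelta(seconds=5)).strftime(TS_FMT)
    lines.append(f'198.51.100.2 - - [{ts}] "GET /lookup?first=John&last=Roe'
                 f'&dob=1965-03-04&zip=10002 HTTP/1.1" 200 4312')
    lines.append(f'198.51.100.9 - - [{ts}] "GET /about HTTP/1.1" 200 1203')
    return lines


if __name__ == "__main__":
    for f in detect_enumeration(build_sample_log(), "/lookup"):
        print(f)
```

The same finding points at the fix: the size oracle disappears when the found and not-found pages are padded to the same length, and the burst itself is stopped by a per-client rate limit or a CAPTCHA on the lookup.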