Maltego Part 6. “Honey, where have you been? Ran!”

26 April 2023 6 minutes Author: Cyber Witcher

Application of geolocation in OSINT

There are more and more tools for finding out the exact location from which a photo or video was taken. Data has been collected for some time, and the result is a surprisingly detailed picture of who you are and what you live for. Add publicly available addresses, tweets, photos and phone numbers, and it is hard to imagine a more complete picture of you. The data will tell which protest actions you took part in and which political or social groups you belong to. This detailed picture can end up in the hands of any people and organisations. The data can be sold for profit. It can be used to predict where a person will be in the future. Ultimately, the information may be used by the government. If your phone allows location data to be stored with photos, this information will be embedded in them (for example, a photo’s metadata will tell where it was taken). People send such photos by mail and upload them to the Internet without thinking that they are revealing geolocation data.

Most social networks strip geolocation data from photos on upload, but there are still plenty of other ways to extract geolocation data from the photos you share with the world. Most smartphones have a mapping application installed. When you move, your current coordinates and the places you have been in the past are recorded. Geolocation plays no small role in OSINT. It is no accident that one of the new OSINT challenges on Hack The Box (Kryptic Ransomware) revolves around finding the exact coordinates of the target’s house. The challenge is very interesting, so don’t be lazy: go and solve it.

So, let’s begin

The first method I know of is using the native Entities from Maltego: Circular Area and GPS Coordinate.

In the Entity properties we need to specify the coordinates, which can simply be taken from Google Maps, and the search radius if we are using Circular Area.

For Entity: GPS Coordinate we have:

  • [Censys] Search in IPv4 – query the Censys database and find all IP addresses for the given coordinates.

  • [Facebook] Photos by Geo – find photos by the specified geolocation.

  • [Facebook] Search for Places – find places by the specified geolocation.

  • [Facebook] Videos by Geo – find all videos by the specified geolocation.

  • [Instagram] Media by Geo – find all media files by the specified geolocation.

  • [Snapchat] Snap by Geo – find all media files by the specified geolocation.

  • [Twitter] Search Tweets by Geo – find all tweets by the specified geolocation.

  • [Vkontakte] Photos by Geo Popular – find popular photos by the specified geolocation.

  • [Vkontakte] Photos by Geo Recent – find recent photos by the specified geolocation.

  • [Vkontakte] Stories by Geo – find all stories by the specified geolocation.

  • [YouTube] Videos by Geo – find all videos by the specified geolocation.

There is also an option to convert the GPS Coordinate Entity into a Circular Area.

For the Circular Area Entity, everything is available to us except the Censys API. The most interesting one to study is the [Facebook] Search for Places Transform. For photos, videos and media I think everything is clear: if a post carries a geotag in the social network, it shows up in the results; if there is no tag, it is not returned.

We convert GPS Coordinate to Circular Area, set a radius of 1000 meters and start the transform. We get 94 places from Facebook search results.

Everything is quite relevant, with some exceptions. Among the attractions, clubs, bars and restaurants, 2 odd entries turned up: a guy telling you that you can buy a yacht for 1000 euros, and an account called St. Petersburg with a photo of some random dude. For some reason both decided they were companies and registered on Facebook as commercial accounts with a legal-entity address in the Palace Square area. Everything else is quite correct: all accounts have an address within a 1,000-metre radius of Dvortsova. So these two are more an oversight on Facebook’s part regarding the authenticity of business accounts than a Maltego bug; the geodata in their accounts does place them within 1000 metres of Dvortsova.

Now we try searching for photos. The coordinates are the centre of Palace Square according to Google Maps (59.93901,30.315706). I deliberately limited the output to 50 photos, because otherwise we would simply be swamped by everything found. And here a pattern in how Facebook returns results already begins to emerge. First, the social network finds the “place of interest” closest to the point, then it returns all photos carrying that place’s geotag. Since we specified the centre of Palace Square, the closest label according to the social network is Palace Square.

As a result, we receive all photos that have this tag.

Well, to confirm the hypothesis – let’s take the coordinates of the COCOCO restaurant (59.934991, 30.308709) and try the same trick with the photo search. And we get a photo from … HI SO TERRACE … (that’s not what we were looking for, in case you didn’t get it).

And no, STOP! Everything is correct. This establishment is located in the same building as the COCOCO restaurant. Apparently my hand shook by a fraction when I placed the marker on Google Maps to grab the coordinates.

How are things with VKontakte, you ask? Not so good with our beloved VK. The spread is simply wild. Here, for example, is a request based on the previous coordinates, and among the returned photos are some 200-300 metres from the point and even some with a Peterhof geotag!

As for the [YouTube] Videos by Geo Transform, things are a little better here, although not by much. The results included both videos with geotags of specific places in St. Petersburg, including the geotag of the COCOCO restaurant, and many videos with the geotag RUSSIA.
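The radius sanity checks the article applies by eye (places within 1000 m of Palace Square, the COCOCO/HI SO TERRACE mix-up, VK photos 200-300 m away, the Peterhof and RUSSIA outliers) can be automated once transform output is exported from the graph. The following is an added example, not code from the article or from Maltego: it geofences a list of geotagged hits around a Circular Area centre using the haversine distance and picks the nearest hit, mirroring the “closest place of interest” behaviour described above. The Palace Square and COCOCO coordinates are the article’s; the other sample points are constructed or approximate.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_M = 6_371_000.0  # mean Earth radius in metres

@dataclass
class GeoHit:
    """One geotagged result returned by a transform (constructed sample)."""
    source: str
    label: str
    lat: float
    lon: float

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))

def split_by_circular_area(hits, center_lat, center_lon, radius_m):
    """Return (inside, outside); each is a list of (hit, distance_m) to the centre."""
    inside, outside = [], []
    for hit in hits:
        dist = round(haversine_m(center_lat, center_lon, hit.lat, hit.lon))
        (inside if dist <= radius_m else outside).append((hit, dist))
    return inside, outside

def nearest_hit(hits, lat, lon):
    """Closest hit to the query point: the 'nearest place of interest' behaviour."""
    return min(hits, key=lambda h: haversine_m(lat, lon, h.lat, h.lon))

# Palace Square centre and COCOCO coordinates come from the article; the other
# points are constructed or approximate sample data, not real transform output.
PALACE_SQUARE = (59.93901, 30.315706)
SAMPLE_HITS = [
    GeoHit("facebook", "Palace Square", 59.93901, 30.315706),
    GeoHit("facebook", "COCOCO restaurant", 59.934991, 30.308709),
    GeoHit("vk", "photo ~250 m north of the square (constructed)", 59.9412, 30.3150),
    GeoHit("vk", "Peterhof (approximate)", 59.8843, 29.9086),
    GeoHit("youtube", "RUSSIA country-level tag (approximate centroid)", 61.5240, 105.3188),
]

if __name__ == "__main__":
    inside, outside = split_by_circular_area(SAMPLE_HITS, *PALACE_SQUARE, 1000)
    for hit, dist in inside + outside:
        print(f"{dist:>9} m  {hit.source:<9} {hit.label}")
    print("nearest to the square:", nearest_hit(SAMPLE_HITS, *PALACE_SQUARE).label)
```

Hits landing outside the radius are the ones worth treating as noise (or as a separate lead) rather than as confirmation of presence at the point.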

Other options for searching by location include Entity: Search Person. This Entity is made to search for a person on Facebook and has several fields in the properties. By specifying these fields, we set the search criteria.

Let’s imagine that we know the full name and city. We set the specified values and run the Transform we need. The choice is:

  • [Facebook] Search Users – user search;

  • [Facebook] Search Users (Exact) – exact search with matching of all input data;

  • [Facebook] Search Users (Up to 60 mins) – delayed user search;

  • [Facebook] Search Users (Up to 60 mins) (Exact) — exact deferred search matching all input data.

And here everything is OK too. My Facebook page is in the results, as expected. The method has been tested and works on Facebook without misfires. Well, unless you count the pile of namesakes you will have to sift through to find the right account.

Deferred search is needed here to get around Maltego’s 2-minute response window. It is used when you need to search across a large volume of information, for example to find all accounts with the specified city and load them onto the graph.

Now to the practical conclusions

This functionality cannot be used as a standalone search element. As an additional channel for verifying information or, for example, an additional investigation vector, it can be applied successfully. Personally, I have used this search method twice, when I needed to confirm through social networks that a person was actually present somewhere. In one case, photos were pulled by coordinates through the Circular Area Entity, and then photos were pulled from the social networks of the case subject’s wife. Maltego, as it should, built links between the matching photos and, as a result, we got what we needed. Don’t miss the next articles in the series. There we will talk about searching for information on forums and shops on the Dark Net.
