Mastodon OSINT: A Comprehensive Introduction

Part one in our series on Mastodon, focused on gathering OSINT from the platform's users, instances and network.

Mastodon OSINT: A Comprehensive Introduction
Estonian Special Forces Wearing PNVG

Welcome to the first part of my series on Mastodon, which focuses on gathering open-source intelligence from the platform, its instances, and its users. Before we dive into Mastodon and start mining OSINT, lets first take a close look at the platform itself from a technical perspective.

An Introduction To Mastodon

Mastodon is an open-source microblogging platform similar to Twitter on the surface, but it is radically different in terms of its decentralized architecture. First released in 2016, it was developed by a German software developer “Eugen Rochko". This platform is of interest to the OSINT community because after Elon Musk took over Twitter, the number of users skyrocketed by 200,000 users within a few days and according to Mastodon founder “Rochko,” the monthly active users reached over one million on November 7/2022 (see Figure 1).

1- Number of Mastodon monthly active users according to its founder by 07 Nov 2022

Mastodon can run on all major smartphones (iOS, Android) and desktop computers. What makes this platform risky is that different applications from third-party vendors can be used to access it, this increases the attack surface as not all applications are designed and maintained using the same security measures.

To find a list of all apps that can run Mastodon, go to https://joinmastodon.org/apps (see Figure 2) and download the one that fits your computing device type.

2- Mastodon supported third-party apps

From an OSINT perspective, what we care about is finding information on the Mastodon platform, and this is what I’m going to do in this guide. However, before I begin, we need to understand how Mastodon works and learn about the different terminologies used in this platform.

Mastodon Instances

Mastodon is not a single network. It is composed of many instances or servers, each running on a separate server. Mastodon servers are also referred to as “Fediverse”, a short for “Federated Universe”.

Volunteers administrate these servers, and each instance is dedicated to discussing a specific topic, such as technology, nature, garden, books, arts or discuss some movies to name only a few. There are other general instances. However, each instance has its moderators, privacy policy and rules that users should obey (see Figure 3).

3- Example a Mastodon Server Rules

Some instances require a user to get an invitation to sign in, while most instances do not impose such a requirement, there are instances that do not allow any user to sign up.

Any user can set up a Mastodon instance, and they will have complete control over their instance, still, they can follow other users existing on other Mastodon servers. To get your Mastodon instance, you need a domain name to access your Mastodon server, a VPS to host the Mastodon code files, and an email service provider to send confirmation links and other notifications.

To sign up for a new Mastodon instance, go to https://joinmastodon.org/servers, where you will be faced with the most popular Mastodon servers (see Figure 4).

4- Mastodon Servers page | servers can grouped according to regions or topics

Even though each user should sign up to a particular instance to use the Mastodon network, they can still follow other users who exist on other instances. For example, my account is on https://techhub.social instance; nevertheless, I can still follow other people residing on other Mastodon instances, such as https://mograph.social. If the user Mastodon account that you want to follow is on the same instance, you can follow them directly. However, suppose it is on another instance. In that case, you need to copy their Mastodon profile URL and paste it into the search field of your Mastodon server search field (see Figure 5) to follow them without opening an account with their Mastodon instance.

5- Mastodon users can follow other users located on other Mastodon servers/instances

According to a website tracking Mastodon instances, there are currently more than 5000 instances. The number of Mastodon instances changes daily. To have a list of all Mastodon instances worldwide, builtwith.com provide such information. Go to https://trends.builtwith.com/websitelist/Mastodonto view -and download- a list of all current customers who are using Mastodon (see Figure 6).

6- Websites using Mastodon Worldwide - source: https://trends.builtwith.com/websitelist/Mastodon

Mastodon Handle

A user Mastodon profile URL is composed of two parts (see Figure 7)

1 The Mastodon Server URL

2 The user Username on that server

7- User Profile URL on Mastodon

A Mastodon handle begins with the user identity followed by the Mastodon server name. For example, my user identity on Mastodon is “Darknessgate” and I’m using the Mastodon server “techhub.social”. This makes my full Mastodon handle:

@darknessgate@techhub.social

Abusive Contents On Mastodon

Mastodon is a decentralized network; unlike traditional social media platforms, it is unsupervised. Hence, no central authority oversees the contents of its instances and monitors what users post on the platform. It is advised to prevent children from taking account of Mastodon unless their parents supervise them.

For example, when searching for Mastodon instances on https://instances.social, you can adjust the search query to find instances with sensitive content, such as Nudity, pornography, and links to illegal content (see Figure 8).

8- Search for Mastodon instances

Although each Mastodon server has its own rules and privacy agreement, it is still unable to implement it strictly in some areas, especially age verification. Besides, Mastodon is directed at tech-savvy people, and suddenly shifting a large number of ordinary internet users to it will raise numerous privacy and security risks. This is because not all new users will know how to handle their accounts, understand posts' security and privacy settings, and how to restrict sensitive content spread across Mastodon networks.

Understanding Mastodon User Interface

After signing up for a Mastodon account, the Mastodon user interface will appear, resembling TweetDeck, a social media dashboard application for managing Twitter accounts.

The Mastodon user interface is divided into three columns – I’m using the web interface (see Figure 9):

1.     The search Section contains a link to “Edit user” profile and the “Toot” field where users can write their thoughts and post it online. Keep in mind Mastodon uses the term “Toot” instead of “Tweet” or “Post”.

2.     All Toots from the users you follow will appear here in the middle section or feed/timeline.

3.     In the Notification section, here you will find links to direct messages, favorites, bookmarks, and lists. This section is important, because it allows you to customize your Toots feed view in the Home section. For example, the “Local” link will display “the most recent public posts from people whose accounts are hosted by user Mastodon Server where their accounts are existed”. The “Federated” link will display the “most recent public posts from people on this and other servers of the decentralized network that this server knows about”. If you want to see only the Toots posted or shared by the users you are following, then click on the “Home” link.

9- Mastodon User interface resemble this of Twitter

“Toot” is the word used by the Mastodon community when posting content to the platform (equivalent to “Tweet” on Twitter). The maximum size (the number of characters) of each Mastodon Toot is limited to 500 chars. Similar to Twitter, a “Toot” can contain Hashtags, Mentions and we can upload other digital files, such as video, image, and audio clips.

Each Mastodon “Toot” can have any one of the following four privacy settings (accessed from the globe icon on the Toot) (see Figure 10):

· Public: Visible to all

· Unlisted: Visible to all, but opted-out for discovery features

· Followers Only: Only your followers can see this Toot

· Mentioned people only: Only the mentioned users in the Toot can see it

10- Mastodon Toot privacy settings

Toots can be customized using the optional “Content Warning” (the icon CW in the Toot); by activating it, the reader needs to click on the content -for example, the image in the Toot- to view its contents.

Searching Mastodon

Mastodon was created with very limited search functionality, this was intentional to provide the maximum privacy for its users. The motivation behind this is somehow clear, Mastodon wants to provide a private environment for those people that do not feel comfortable -about their privacy- when using traditional social media platforms, such as Twitter. This issue was expressed clearly on the Mastodon official blog. Check the excerpt below.

💡
I need to delineate that the following design decisions are more about what the software nudges you towards, rather than a tamper-proof barrier against some behaviours, which is not possible. Mastodon deliberately does not support arbitrary search. If someone wants their message to be discovered, they can use a hashtag, which can be browsed. What does arbitrary search accomplish? People and brands search for their own name to self-insert into conversations they were not invited to.

The built-in search functionality of Mastodon is limited by default. It can only search for #hashtags or @username. You can not use the Mastodon search function to locate text within Toots (see Figure 11).

11- Mastodon built-in search can be used to search for hashtags and usernames only

Some Mastodon instances allow full-text search (this feature requires installing ElasticSearch feature by the Mastodon instance logged-on, so that logged-on users can find results from their own Toots, their favorites, their bookmarks and their mentions, however, this function does allow searching within the entire Mastodon database, such as Toots text.

Hashtags play an important role in the Mastodon platform more than it does in traditional social media platforms like Twitter and Instagram. For instance, if users want their Toots to be discovered, they should add hashtags to them because the Mastodon search feature does not work similarly to other websites.

Social Search is a free service developed by https://noc.social/@dcid that allows users to search across Mastodon instances. To use this service, go to https://search.noc.social , enter your search query ,and the search results appear in the page's lower part (see Figure 12). The Social Search will search for user keywords in hashtags and user accounts only, as Mastodon does not allow searching within Toots unless ElasticSearch feature is installed.

12- Using https://search.noc.social to search across different Mastodon instances simultaneously

Alternative ways to find people on Mastodon

As we note, searching for users and content on Mastodon using the built-in search function is limited, however, we can still use external services to find people accounts on Mastodon easily. In this section we will cover different ways to do this.

Finding Twitter users who own a Mastodon account

As we said, many users are migrating from Twitter to Mastodon, to inform their followers on Twitter about their new Mastodon account; many of them are linking their current Twitter account with Mastodon by setting up their Mastodon profile URL in their Twitter bio. Here is how we can find those people.

Go to Twitter search and type “Mastodon”. Select the “People” category to view people accounts containing the Mastodon keyword. You can filter your search results by limiting it to the people you are currently following on Twitter (see Figure 13).

13- Searching for Mastodon accounts using the Twitter search function

You can also search for the hashtag #TwitterMigration as many people are using it when opening a new Mastodon account and are migrating to the new platform.

Few online services exist to collect Mastodon accounts from Twitter. For example, the Fedifinderis a free online service that extracts the fediverse handles of your Twitter followers/following (see Figure 14).

14- Using the Fedifinder service to find all Mastodon accounts a user follow on Twitter

Mastodon Hashtags

As we already said, Hashtags play an important role in Mastodon. For instance, when users want their Toots to be discovered, they will add hashtags to them. Not all Mastodon servers handle hashtags in the same way. For example, the https://techhub.social allows  user to follow hashtags similar to Twitter. When following a hashtag, it will appear in your feed.

As a part of your OSINT job, you may want to track different hashtags across Mastodon in real time. To do so, follow these steps:

  1. First, you must turn your Mastodon interface into an advanced view. Go to "Preferences" on the right side.
  2. From the "Appearance" link, check the option "Enable advanced web interface" (see Figure 15).
15- Enable Advanced view in Mastodon web interface

3. In the top left search bar, enter the hashtag that you want to track. In my example, I want to search and track the #OSINT hashtag.

4. Th search results will appear below the search bar, these results are clickable, in my case, I want to follow #OSINT,  I will click on it (see Figure 16).

16- Search for a particular hashtag to track it across Mastodon networks

5. A new column appears on the right side of the screen. On the upper bar of the new column, there is a plus sign that allows you to follow this hashtag (see Figure 17).

17- Follow specific hashtag

6. You can follow more than one hashtag at the same time and use the same tracking column we already create for the #OSINT hashtag, so they all appear in a single feed. To add more hashtags, click on the "settings" button on the #OSINT column and customize (add, exclude) hashtags (see Figure 18).

18- Add/Exclude hashtags to track them across the Mastodon networks

Investigating Mastodon Platform

As we saw, the Mastodon search feature is limited by design; still, we can get a good amount of information by inspecting the target Mastodon instance.

Mastodon Server

Each Mastodon server contains information about its administrators, contact information, and the number of users already registered with this instance, among other things. To access the information associated with a particular Mastodon instance, go to that server URL; on the left side of the page, you will find the number of active users registered with this instance. In the bottom left corner, you will see different links containing information about the instance (see Figure 19).

19- Mastodon Server main page showing different information about the instance

The “About” link in the bottom left corner of the page, contains the following information (see Figure 20):

1.     Server Avatar image

2.     Server name/URL

3.     Server Administrator name and Contact information

20- Mastodon Server About page

There are three links at the bottom of the page:

1- About section – contains information about the “Current infrastructure status”, “Donation/Costs/Transparency”, “Reporting harassment”, “Code of Conduct” and Admin contact information.

2- Server Rules – All users should obey these rules to avoid closing down their account.

3- Moderated servers – as we already know, a user of one server can interact with other users residing on other Mastodon servers, however, there are exceptions. For instance, most Mastodon servers prevent their users from communicating with other Mastodon servers hosting porn materials. When a particular server wants to make exceptions and prevent its users from communicating with other Mastodon servers, these banned server names go here.

I found the “Moderated Servers” section interesting, it lists banned Mastodon servers and sometimes mentions the reason for the ban. Such information could be useful in some investigation cases as many Mastodon servers could host illegal materials and are dedicated for a limited group of people. The "Moderated Servers" area can help us discover such servers (see Figure 21).

21- Moderated Servers section help us discover unknown Mastodon servers hosting illegal contents

Another link in the bottom left corner of the Mastodon Server home page is the “Profiles directory” (see Figure 22).

22- A Mastodon Server "Profiles directory" list all users on the server or have some relation with users of the current server and who made their profile accessible

The profile directory shows all users accounts who agreed to make their accounts appear in the directory.

The profile directory can be filtered either by recent activity (the most recently published status), or by new arrivals (newly created accounts). The directory can also be filtered to show only local accounts, or to show all known accounts that your server is aware of (see Figure 23).

23- We can filter "Profiles directory" based on different criteria

The profiles will appear as boxes that include a user’s display name, address, account bio, and some stats such as the number of posts, number of followers and following.

Inspecting Mastodon Server Domain Name

As we said before, the user must provide a domain name to set up a Mastodon server. There are different tools and online services for investigating domain names. I will list the most important ones in this section.

Whois Domain Name History

H5q is a Mastodon server containing adult content explicitly declared in the Server main page. I will use this domain in my experiment.

We can begin inspecting this domain name by checking its Whois records. https://whois.domaintools.comis a free service for finding domain name information and history (see Figure 24). The paid service allows viewing the domain name's hosting history, such as list IP address, name server and registrar history.

24- Using DomainTools to view Mastodon Server domain name Whois information

It is worth noting that most Mastodon instances that host sensitive content use proxy registration service (domainsbyproxy.com) to mask their factual Whois information. However, we can still find helpful historical information about the domain name by querying specialized online services, and https://www.whoxy.com is one of them that provides this service for free (see Figure 25).

25- Using whoxy service to find who own a particular domain name in the past

Previous History

The second thing to investigate is the previous history -or screen captures- of the target Mastodon domain name. Wayback Machine is our first choice. In my experiment, I found previous screen captures of the Mastodon instance that show this domain name was used previously in an insurance company, later, it was moved to a domain name escrow company in China before it was used to initiate a Mastodon instance (see Figure 26).

26- Viewing previous website screen captures 

When checking the previous versions of a particular website, we may get important information, such as contact information such as email, phone numbers and personal names. Images published in previous versions can also be investigated for Metadata (such as by using the ExifTool) and using Reverse Image Search and Face Search to see where those pictures appear online.

Fediverse Observer (Information About Mastodon Servers)

A good website to check when inspecting any Mastodon server is the Fediverse Observer. It list different technical information about the Mastodon server (see Figure 27) such as:

· Current Mastodon software version and master version

· The language used in the server

· Whether the server allows new users to sign up or no

· Historical statistics about the Mastodon server include Uptime and Speed, User Stats and Clicks Out.

27- Viewing different stats about Mastodon servers using https://fediverse.observer

The Fediverse Observer has online map showing all Mastodon servers worldwide. It is a nice feature to browse all active Mastodon servers and collect information about each instance (see Figure 28).

28- Viewing all Mastodon instances online by going to https://fediverse.observer 

The Fediverse Observer live map helps us find Mastodon instances visually and based on geographical location. For example, I went to Japan (on the map of course), I picked up a Mastodon instance, the live map displays brief information about this instance, such as software used, number of users in the instance, uptime, instance age in months and if signup is allowed or not (see Figure 29).

29- Fediverse Observer live map displays brief information visually about Mastodon instances

Inspecting Mastodon User Profile

In the last section of this guide, I want to talk about the type of information we can get from a Mastodon user. I will use "Eugen Rochko" Mastodon founder, as an example.

The user profile page of Mastodon is similar to Twitter. The following information can help us in our information-gathering process (see Figure 30).

1.     User profile image or Avatar

2.     Header image

3.     User bio

4.     Join date (the date when registered for the Mastodon account)

5.     Links to other user profiles, such as personal website, blog, Twitter|Linkedin|Youtube|Discord, and other links a user wants to show on their Mastodon profile

6.     Number of "Posts"

7.     Number of "Followers"

8.     Number of "Following"

It is worth noting that a user can hide the "following" and "followers" lists (user accounts) in their profile. However, the number of "Followers" and "Following" will remain visible.

30- A Mastodon user profile is similar to the Twitter interface

We can conduct various searches by inspecting a Mastodon user profile, for example:

Mastodn Username Search

Many people prefer to use the same username across different social media platforms, and Mastodon is no exception. There are different online services to know where a particular username is used. There is a list of such services on https://osint.link/osint-part2/#user

For example, the Mastodon founder username on the Mastodon platform is "Gargron". He is using the same username on LinkedIn https://www.linkedin.com/in/Gargron

Reverse Image Search

We can reverse image search of any Mastodon user profile image and header. This link contains a list of reverse image search; another list contains specialized face search engines for searching user profile Images/Avatar.

Inspecting Links Existied In Mastodon User Profile

Any links exited on the user profile, such as links to their Twitter and Facebook profiles, should be inspected independently. A guide published before on Secjuice covers this in detail (A Guide To Social Media Intelligence Gathering (SOCMINT)).

Inspecting Toots

As we said, Toots inMastodn is equivalent for post or Tweet on Twitter, while "Boost" is equivalent to "retweet" in Twitter.

A user Toot contains the date/time when it was posted, and users who like add this Toot to their favorites and those who Boosted this Toot (see Figure 31). Replies to each Toot (if they existed) also appear under each Toot.

31- Mastodon Toot

Some Toots contain images (we can search for them using reverse image search), while others could have video and audio files.

If you want to see any Mastodon image (Included in a Toot) in its original size, follow these steps:

1.     Click over the Toot image that you want to view its original size.

2.     Right-click over the image, and click "inspect" (see Figure 32). I'm using Google Chrome.

Go to the "src" attribute; the source image file should appear. Click over it to view the image in full size (see Figure 33).

32- Use Google Chrome Developer Tools to inspect the image source and view it in full size
33- View Mastodon Toot image in original size (original image)

I could not find metadata in the uploaded image; Mastodon strips this information when uploading the image to its database.

Summary

Mastodon is a decentralized social media network. Anyone can create a Mastodon instance after providing a hosting space, and domain name and make the necessary configurations. There are thousands of Mastodon instances (also known as servers); some contain only one user or two, while others contain thousands of users. Any Mastodon user can follow and interact with other users residing in other instances without the need to register for a new Mastodon account to access their server.

Unlike traditional social media networks, such as Facebook, Twitter and Instagram, no central authority governs the Mastodon network. Of course, a developer oversees the platform's technical issues, but regulating and monitoring the contents published on Mastodon is the duty of each Mastodon instance Admin. Server Admin put Server rules and should monitor their registered users' contents and behaviors to see if they breach any of it.

The decentralized nature of Mastodon resembles what we will expect in the future when Web3 technologies become widespread. Web3 is the next iteration of the web and is likely to prevail within years from now. Web3 depends on the blockchain model to deliver decentralized web services. These services are not governed by a single entity (organization or a country). This allows users to restore their freedom and prevent giant tech companies from selling their personal information and browsing habits to advertisers. However, as with everything in technology, there are still drawbacks. For instance:

· The decentralized nature will make web content spread worldwide or across servers spread in different geographical locations; it will be challenging to know which data privacy regulation should apply when issues arise.

· Tracking users' illegal activities is more challenging. Users can hide their real identities more easily when verification methods are weak.

However, these drawbacks do not mean decentralized services are bad. It is just unregulated strongly compared to the service we used in web2.

From the OSINT perspective, Mastodon is an emerging platform; it has been there for a while; however, after the vast migration from Twitter to Mastodon, we should add this platform to our list of social media platforms that should be investigated.

In this article, I tried to introduce Mastodon briefly and give some techniques for searching for information on this platform.

Extended Reading:

1. Author dedicated website for free OSINT resources: www.OSINT.link

2. Author Book: Open Source Intelligence Methods and Tools: A Practical Guide to Online Intelligence, Publisher: Apress; 1 edition, ISBN 978-1-4842-3212-5 By Nihad A. Hassan

About The Author: Nihad A. Hassan (@DarknessGate) is an independent information security consultant, digital forensics and cybersecurity expert, online
blogger, and book author. He has been actively conducting research on different areas of information security for more than a decade. His current work focuses on cyber OSINT, digital forensics, antiforensics techniques and digital privacy. Nihad is the author of a number of books on digital forensics, open source intelligence, digital security, ransomware and cybersecurity.

Estonian Special Forces Wearing PNVG