Reddit is a social media platform that does not get as much attention in the open source intelligence (OSINT) world as the big players such as Twitter and Facebook. However the open nature of most boards, also known as subreddits, make it a must check when doing an OSINT investigation on a target. Reddit is also one of the few social media platforms that have a robust set of third-party tools which make investigation even easier, going so far as allowing investigations to obtain content which may have been previously deleted.
This article is designed to guide you through all of the various points of exploitations that a Reddit account may have available. It will provide references to what information can be obtained, as well as provide some of my specialty-crafted tools and techniques for making your Reddit investigation more streamlined and efficient.
Every Reddit account will have a username by default and will appear above the user’s posts as well as on their profile page. Investigators should take note of any identifiable information within the username, such as names, significant numbers (possible birth date or year, area code, etc), or hints of a location. Many online users are partial to their usernames, and will reuse the same username across multiple platforms. For this reason it is good practice to look for the Reddit username across other social media platforms, in search engines, or on message boards. When doing so be cognizant of false positives which may occur due to a common username.
In the example above, the username provides a few bits of information that might assist in identifying them. Oakland likely refers to a city, which they might reside in or originally be from, while Chi could be a nickname or a reference to a second city such as Chicago. Finally the 84 at the end of the username could signify a highly-important date to the user, possibly their birth year, the year of an academic graduation, etc.
Although technically all Reddit accounts should have an avatar / profile photo image by default, they are often left as those automatically generated by the site rather than one chosen by the account owner. This is because Reddit generates an avatar depicting their mascot by default for new accounts.
This can be seen in the first example above. If you are unsure whether it is a default avatar or not, you can cross reference against the known default avatars here. Also be aware that Reddit might replace the user’s avatar with an image stating that the user has mature (18+) content. An example of this can be seen above in the second avatar. In addition to these platform-generated profiles, a user may also upload their own avatar such as the third example above.
The first thing I do with every photo I run across during an investigation is run it through a reverse image search such as images.google.com (or Tineye, Bing, etc). This is done to find any additional websites that might include the same photo. A reverse image search may assist in uncovering additional user accounts if the target reuses the same profile photo across platforms. A large number of matching images might also help an investigator determine if the photo was just ripped from elsewhere online.
There are a few points of interest within this photo worth pointing out. For one, the male in the center of the frame could perhaps be the account owner. There is also unique architecture, such as what appears to be a church in the background, the fence, and the unique styled shops and buildings to the right of the male figure. There is also what appears to be a unique sticker on the building in the front. Unique graffiti and sticker slaps that showcase local artists, venues, or bands can often assist in narrowing down a photo’s location as well. Reverse image searches for this avatar came back with positive results in which the owner of the Reddit account utilized the same username and profile photo on additional websites. This would give me additional sites to look at and would assist in narrowing down the identity of my target.
A user’s topics are the threads or posts in which they are the original poster (often referred to as the “OP”), rather than just a commentator, and may include text or images. In order to view all of a user’s topics you can navigate to their profile page and click on posts at the top. (ex: https://www.reddit.com/user/REPLACEWITHUSERNAME/posts/) Once there you can scroll through their list of topics and click on them individually to see more information. Also pay attention to the different subreddits in which they frequent in order to get a good read on their interests. Be sure to read all of their topics carefully for any clues, whether in their text or in any attached images or links.
In the example above we can see a commonality among this section of the user’s posts. Many of his topics are posted within European subreddits and the user also appears to have an interest in history. You may also notice the user’s flair (which will be further explained below) in multiple subreddits also indicates the user may be Polish and/or living in Poland
Comments are a user’s response to their or another user’s topic or comment. They may include text or links to another website or image. To view all of a user’s topics you can navigate to their profile page and click on comments at the top. (ex: https://www.reddit.com/user/REPLACEWITHUSERNAME/comments/) Once there you can scroll through all of their comments and click on them individually to see more information. As with topics be sure to look for any identifiable information in the text and links that might help identify your target.
In the example above, we can see that the user has at one point been to the city mentioned where they took a photo that was in the original post. This could assist in narrowing down their general location. It is also worth noting that the microphone to the right of the username indicates that the commentator is also the person which originally posted the topic.
Posts: Deleted Content
Ladies and gentlemen, this is where Reddit outshines nearly every social media platform in terms of OSINT-friendliness. Quite often once a social media post is gone it is hard to retrieve it for analysis unless someone captured it via a screenshot or on one of the many archiving sites such as the WayBackMachine. This is not the case with Reddit. Instead, there is a handy website called Removeddit (among others) that allows investigators to view comments and topics removed automatically by a moderating bot, or manually by the user or a moderator of the subreddit. Although it does go down from time to time, I have successfully used it to find identifiable information on targets who made posts and then removed them later on while trying to hide their identity or after trying to improve their OPSEC.
Looking at the above post, I can see that there were at least two posts in this thread that had been removed. I opened up the Removeddit version of the Reddit thread by using a bookmarklet to automatically replace “reddit” with “removeddit” in my url bar. Doing so allowed me to see most of the removed comments below.
Although these posts do not assist in further identifying the user(s), they do offer a great example of the different types of responses you can get using Removeddit. Sometimes the user deletes their post quickly after they made it, in this case it will not be captured in time. The different colors indicate whether the posts were removed from a mod or via the user. Another thing to note is that the username may not be visible on the original Reddit thread, but oftentimes remains on the Removeddit version.
If set, a user’s flair will appear to the right of their username on their posts and topics. Flair can provide additional information on a Reddit user, such as location or affiliation, and may exist as text or as a small emoji. A user’s flair differs depending on how it is set up within each subreddit they post within, with some not having any flair(s) set at all. Be sure to look through all of a user’s posts and topics to get an idea of the different types of flairs they use across different subreddits.
The examples above include a text flair and a text and emoji combination flair. The first flair denotes the user’s location as Denmark and in-game team affiliation and level as Valor and level 40 respectively. The second example could suggest that the user is originally from Greenland and yet may currently reside in Denmark.
Now that we have the full size photo we can more easily read the signature of what we can assume is the artist in the lower-right side of the image. Just like with any photos you run across, you will want to run a reverse image search and inspect the highest resolution of the banner as possible to gather any additional information. It is worth noting that Google reverse image searches are quite apt at detecting images that were edited so long as enough of the original photo is still intact. As an example, running a reverse image search on the banner above brought back a modified version of the same photo which was being used by the target’s Facebook page and the website dedicated to the comic.
Profile: Display Name
Reddit users may choose to add an additional display name to their profile. Although users may not change their Reddit name, they can change their display name multiple times should they wish to. This name will appear on the user’s profile between their avatar and their username. This will otherwise be blank by default. Be sure to capture any changes in a target’s display name as they may offer additional clues, such as their name or additional usernames to search.
In the above example, we see two different iterations of the user’s display name, both of which include the name Jim. This might be an indication of the user’s actual first name.
A Reddit user’s profile may also contain a small section of text that the user adds for their About section. The About section will appear o na user’s profile between their name(s) and their karma and cake day information. This section is blank by default, however it can often provide a good bit of information on the subject, especially if they are the type to openly share information or are trying to get their name or brand seen by more people. That being said, be mindful of any attempts of a user using this section to mislead or profile false information.
Our above example shows that the account is owned by the artist of the comic strip which shares the same name as the Reddit user. In this example the user also provided their name as well as their location.
Think of Karma as (kinda) intangible internet points. When a user posts a topic or comment other users can upvote or downvote their submission, which in turn affects their overall karma amount displayed on their profile. Some users take great lengths to get their karma counts as high as possible, and some subreddits may be difficult to post in with negative karma as a way of weeding out spam and troll accounts.
In the example above, there is an older account which has negative karma. Despite being older, there are no recent posts by it, and all of its comments appear to be from around the time the account was created. Based on this, it would be safe to say that it was a troll account at the time it was active, which can be further confirmed based on the user’s brief post history.
Profile: Cake Day
A Reddit user’s “Cake Day”, the day in which they created their Reddit account, will display on the right side of their user profile. It can help assist in determining the age of the account and can be used in conjunction with a user’s overall Karma count (discussed in more detail below) to determine if an account is a troll or shitposter (low karma, recent Cake Day) rather than a regular user. On their Cake Day anniversary, the user will have a slice of cake to the right of their username on their topics and comments.
In the example above we can see that our user had a cake day during the time of me writing this portion of the article. We are able to see that the account is one year old, and has a good bit of Karma, suggesting that it is a legitimate user and likely not a troll account.
Profile: Trophy Case
Reddit user’s can also accumulate trophies, which will be displayed on the user profile’s Trophy case. These trophies can be obtained from a number of different things, such as contributions to the site or submitting popular content. In an investigation, trophies that I tend to be most interested in are those related to the account age and the verified email. You can also find a list of all current Reddit trophies here.
Our above example has a few trophies which help us determine that the account is legitimate and likely not a troll or throwaway account. For one, the account has the trophy which is given to Reddit accounts that have been around for eight years. Second, the user has paid money to Reddit in order to obtain a premium account. Finally, the user has a verified email attached to the account. It is worth noting here that at the time of this article being written an email account was still not required to make a Reddit account.
Profile: Connected Account(s)
If enabled, connected accounts will appear on the right hand side of a user’s profile. Connected accounts are other social media accounts that are tied to the Reddit account via the owner of both accounts. This will show you additional accounts that the Reddit user has on another platform. This makes finding additional accounts to exploit far easier than having to search for them. At this time I have only seen this for Twitter accounts.
Above we see a Twitter account that was connected by the Reddit user. It is worth noting that the Twitter and Reddit accounts did not use the same username, which may have hindered us finding the Twitter account had the user not directly connected it. It also provides us with an additional username to search for on other social media platforms.
Profile: Moderators of these Communities
Users that moderate one or more subreddits will have them listed on their profile. These forums are likely those which the user either created themselves or has invested a lot of time and energy into in order to be appointed a moderator by someone else. This list is great for getting a pattern of life and determining some of the interests of your target as the subreddits they moderate are likely to be on subjects more personal and close to them. In the above example, we can quickly determine our target’s interests and political leanings based on the communities he moderates alone.
Profile: Public Custom Feeds
Public Custom Feeds are subreddits that a Reddit user chose to track and receive updates on. You may see the name of the feed created by the user on their Reddit Profile. Clicking on that name will open the feed page which will display the list of all subreddits within the feed on the top right side of the new page. In the above example the user has a feed titled “ar”, and upon opening the feed we can see that it includes many subreddits related to augmented reality. Public custom feeds offer the same type of insight as the Moderators of these Communities section of a user’s profile. These feeds may help you determine a users hobbies, cities, or other pattern of life information.
I hope that this guide shows you just how resourceful Reddit can be in an OSINT investigation. If you would like to take this a step further and start a Reddit-based investigation on your own I have created a graphical guide and a toolkit containing the same tools I use for my own Reddit-based investigations. You can download both of these from my Github repository here. Should you have any questions or problems with the tools, or would like some assistance on Reddit or another particular platform, please feel free to reach out to me on Twitter.