In my previous article, I introduced the term Open Source Intelligence (OSINT) and talk about how it might be used to support intelligence needs. OSINT refers to all the information that is publicly available, many estimates show that 90 percent of useful information acquired by intelligence services comes from public sources (in other words, OSINT sources). OSINT sources are distinguished from other forms of intelligence because they must be legally accessible by the public without breaching any copyright, patents or privacy laws.

That’s why they are considered “publicly available.”

Social media sites open up numerous opportunities for online investigations because of the vast amount of useful information located in one place. For example, you can get a great deal of personal information about any person worldwide by just checking their Facebook page. Such information often includes the person of interest’s connections on Facebook, political views, religion, ethnicity, country of origin, personal images and videos, spouse name (or marital status), home and work addresses, frequently visited locations, social activities (e.g., Sports, theater, and restaurant visits), work history, education, important event dates (such as birth date, graduation date, relationship date, or the date when left/start a new job), and social interactions.

This can all be found in one Facebook profile.

Social media intelligence (SOCMINT) is a sub-branch of Open Source Intelligence (OSINT), it refers to the information collected from social media websites. The data available on social media sites can be either open to the public (e.g., Public posts on Facebook or LinkedIn) or private. Private information -such as contents shared with friends circle- cannot be accessed without proper permission form the creator.

Data available on social media sites can be classified into two categories:

1. The original content posted by the user – such as a Facebook text content or an uplaoded image/video.
2. The metadata associated with original content – multimedia files metadata, the date/time and geo-location info associated with the posted content.

In this article, I will introduce you to the SOCMINT term and demonstrate how we can use a plethora of tools, online services and techniques to gather intelligence from social media sites to support a variety of intelligence needs. However, before I begin, do you think collecting intelligence from social media platforms is considered legal?

There is a debate between privacy advocates and OSINT researchers about whether the information available on social media sites is OSINT. Although the majority of social media sites require their users to register before accessing site contents in full, many surveys show that social media users expect to have some form of privacy for their online activities (even when posting content with public access). However, OSINT experts generally consider information shared on social media sites as belonging to the OSINT domain because it is public information shared on public online platforms and thus it can be exploited for intelligence purposes.
Source: Hassan, Nihad. “Chapter 5.” Open Source Intelligence Methods and Tools: A Practical Guide to Online Intelligence.

Using the information gathered from social media sites in a legal case is generally allowed under these two conditions:

1. When acquiring permission from a court to gather information about a specific user, a court order is sent to the intended social media site to hand the information to authorities officially.
2. If the information is available publicly (e.g., public posts, images, or videos), then law enforcement can acquire it without a permit, which is the essence of the OSINT gathering concept.

Private OSINT gatherers should have a legal basis when collecting personal information about targets, data protection laws (especially the GDPR in Europe) impose restrictions on the way online investigators collect, process, and retain personal information of citizens. Discussing the legal issues surrounding OSINT is beyond the scope of this article, however, as a rule of thumb, make sure to have a legal intent when collecting personal information from public sources and make sure to destroy this information as soon as you finish your investigation without any delay.

Social Media Content Types

People interact with social media sites for different purposes. The following are the general interactions used across different social media sites:

1. Post/comment: People access social sites to post or write paragraphs of text that can be seen by other users. Such posts can also include user’s geographical info (In Facebook, they call this feature, a “Check in”).
2. Reply: This is a text message (can also be an image, video, or URL) that replies to another user’s post, update status, or comment.
3. Multimedia content (images and videos): Multimedia is popular; a user can upload a video or image as a part of their post. Many social platforms allow their users to upload multiple images/videos to form an album. Live streams also are available on many social platforms such as Facebook, Twitter and YouTube. This feature allows a user to broadcast live videos and display the recording on their profiles for later viewing.
4. Social interactions: This is the essence of social media sites, where people get connected online by sending/responding to other user’s request.
5. Metadata: The results from the sum of user interactions with the social platform. Examples include the date and time when a video/image was uploaded, the date and time when a friend request was accepted, geolocation data—if enabled—of the uploaded multimedia file or post, and the type of device used to upload the contents (mobile or a standard computer).

SOCMINT is interested in gathering all these content types, however the ability to do this depends on the privacy control level set by each user when publishing posts/updates online. For example, it is not possible to see other people’s updates on Facebook if they restrict a post’s visibility to some friend circles or set it to “Only me.”

Classifications of Social Media Platforms

Many people use the terms social media and social networking interchangeably to refer to Facebook, Twitter, LinkedIn, and related social platforms. This is not absolutely wrong, but it is not accurate because social media is the main umbrella that contains other categories like “social networking” that holds sites like Facebook.

The following are the main social media types classified according to function:

1. Social networking: This allows people to connect with other people and businesses (brands) online to share information and ideas. Example include Facebook and LinkedIn.
2. Photo sharing: Such websites are dedicated to sharing photos between users online. Example include: Instagram & Flicker.
3. Video sharing: Such websites are dedicated to sharing videos, including live video broadcasts. The most popular one is YouTube. Please note that Facebook and Twitter also offer live video broadcast service.
4. Blogs: This is a type of the informational website containing a set of posts—belonging to one topic or subject—organized in descending order according to the publish date. The most popular blogging platforms are WordPress and Blogger, which is powered by Google.
5. Microblog: This allows users to publish a short text paragraph (which can be associated with an image or video) or a link (URL) to be shared with other audience online. Twitter is the most popular example.
6. Forums (message board): This is one of the oldest types of social media. Users exchange ideas and discussions in a form of posted messages and replies. Reddit is an example.
7. Social gaming: This refers to playing games online with other players in different locations. It has gained more popularity recently. KAMAGAMES and zynga are examples of this type.
8. Social bookmarking: These websites offer a similar function to your web browser’s typical bookmark. However, they allow you to do this online and share your Internet bookmarks among your friends in addition to adding annotations and tags to your saved bookmarks. Example include: Atavi and Pinterest
9. Product/service review: These websites allow their users to review—give feedback—about any product or service they have used. Yelp and Angie’s List (www.angieslistbusinesscenter.com) are examples of this type.

Now we have a good understanding of the different types of social media sites, it’s time to begin talking about how to use different tools and techniques to acquire intelligence from these platforms, we will limit our discussion to the most two popular social media sites which are: Facebook and Twitter.

Facebook

Facebook is the most popular social media platform,it falls under the social networking type and has the largest users base on earth. Facebook was offering an advanced semantic search engine to search within its database by using natural English language phrases and keywords. This semantic search engine called Graph Search and was first introduced in early 2013; it allows Facebook users to type in their queries in the Facebook search box to return accurate results based on their questions/phrases or combined keywords. For example, you can type: Pages liked by ********* replacing the asterisks with the target’s Facebook username, to return a list of pages liked by the specified user.
In 2019, Facebook has removed the Graph search functionality, although, users are still able to utilize Graph search, however, they need to build their graph search queries manually.
After removing its direct support to Graph search, Facebook has improved its search functionitly makng it more accurate, it also adds many filters (see Figure 1) to refine your search as neccessary. Keep in mind you should login to your Facebook account first to use the search options.

Figure 1: Using Standard Facebook Keyword search, notice the number of filters to refine your returned results

There are several online services for searching Facebook without creating customized search queries, the following list the most popular one:

1. Facebook Graph Searcher from Intelligence X (https://intelx.io/tools?tab=facebook): You can search for posts from a specific date or month, post from a specific user posting about something, you can also search for posts posted by unknown users which is beneficial for online investigations (see Figure 2).

Figure 2: Searching Facebook using Intelligence X
2. Sowdust (https://sowdust.github.io/fb-search): This is another online tool to show how the current Facebook search function works, you can search for posts from a specific user/page, restrict to posts published in group or restricting it to specific location. You can filter by Start/End date and Keyword. Other search options include searching for photos, pages, places among others (see Figure 3).

Figure 3: Sowdust interface to search Facebook

3. SearchBook (https://github.com/sowdust/searchbook): This is a Firefox add-on (a version is also available for Chrome browser) for executing some Graph-like searches against Facebook. The Add-on functionality is based on the research article Facebook graph search workaround published by Social Links (https://mtg-bi.com/blog/tpost/aiaxk4xl4d-facebook-graph-search-workaround). I tested this extension under Firefox, however, it broke many times during usage.

Legal notice! Using customized code to manipulate Facebook search queries might be against Facebook Terms of Service and even against the law in many countries, so be careful with this regard.

Online Facebook Search Tools/Services

There are many online services that simplify the process of acquiring/analyzing information from Facebook accounts. The following are the most useful ones:

1. Lookup ID (https://lookup-id.com): This site helps you to find Facebook personal IDs. This ID is necessary when using any of the previous online services –mentioned previously- used to compliment Facebook standard keyword search.
2. Facebook Page Barometer (http://barometer.agorapulse.com): This site gives statistics and insight about specific Facebook profiles or pages.
3. Information for Law Enforcement Authorities (https://www.facebook.com/safety/groups/law/guidelines): Offers information and legal guidelines for law enforcement/authorities when seeking information from Facebook and Instagram.
4. A directory of free tools and online services for searching within Facebook can be found at: https://osint.link/osint-part2/#facebook

Twitter

Twitter has a built-incorner search functionality located in the upper-right side of the screen—when using the Twitter web interface—after logging into your Twitter account. A simple Twitter search allows you to perform a basic search within the Twitter database.

However, do not underestimate this little box, as you can add advanced search operators—similar to Google advanced search operators known as Google Dorks—to your search query to force it to dive deep and return accurate results, as you are going to see next.

To begin your search against Twitter database, it is advisable to go to the Twitter Advanced search at https://twitter.com/search-advanced , from this page, you can customize search filters to specific date ranges, people and more.

Twitter Advanced Search Operators

Similar to Google, Twitter allows you to use specialized operators to find related tweets more precisely. Twitter search operators are already available in the Twitter developer site, go to https://developer.twitter.com/en/docs/tweets/rules-and-filtering/overview/standard-operators to view them (see Figure 4).

Twitter search operators can be incorporated with other criteria to create more advanced search queries to find related tweets more precisely, the following are some advanced Twitter search query to start your search with.

1. The negation operator (-) is used to exclude specific keywords or phrases from search results. Example: virus –computer

2. To search for hashtags use the (#)operator followed by the search keyword. For example: #OSINT

3. To search for tweets sent up to a specific date, use the (until) operator. Here’s an example: OSINT until:2019-11-30(this will return all tweets containing OSINT and sent until date November 30, 2019).

4. To search for tweets sent since a specific date, use the (since) operator followed by the date. Here’s an example: OSINT since:2019-11-30 (this will return all tweets containing OSINT and sent since November 11, 2019).

5. Use the (images) keyword to return tweets that contain an image within it. Here’s an example: OSINT Filter:images(this will return all tweets that contain the keyword OSINT and have an image embedded within them).

6. To return tweets with video embedded with them, use the (videos) keyword (similar to the images filter). Here’s an example: OSINT Filter:videos

7. To search for video uploaded using the Twitter Periscope service, use the (Periscope) filter. Here’s an example: OSINT filter:periscope (this will search for all tweets containing the OSINT keyword with a Periscope video URL).

8. To return tweets with either image or video, use the (media) operator. Here’s an example: OSINT Filter:media

9. To return tweets that contain a link (URL) within them, use the (links) keyword. Here’s an example: OSINT Filter:links

10. To return tweets that contain a link (URL) and hold a specific word within that URL, use the URL keyword. Here is an example: OSINT url:amazon this will return all tweets that containing OSINT and a URL with the word “amazon” anywhere within it (see Figure 5).

11. To return tweets from verified users only (verified accounts have a blue check mark near their names) (see Figure 6), use the (Verified) operator. Here’s an example: OSINT Filter:verified

12. Use the (min_retweets) operator followed by a number. Here’s an example: OSINT min_retweets:50 (this will return all tweets containing the OSINT search keyword that have been retweeted at least 50 times)

13. Use (min_faves) followed by a number to return all tweets with NUMBER or more likes. Here’s an example: OSINT min_faves:11 (this will return all tweets that have at least 11 or more likes and that contain the OSINT search keyword)

14. To limit Twitter returned results to a specific language, use the (lang) operator. Here’s an example: OSINT lang:en (this will return all tweets containing OSINT in the English language only). To see a list of Twitter-supported language codes, go to https://developer.twitter.com/en/docs/twitter-for-websites/twitter-for-websites-supported-languages/overview.

15. To search for tweets with a negative attitude use the following symbol :( For example: OSINT :( will return all tweets containing the keyword OSINT written in a negative attitude.

We can combine more multiple Twitter search operator to perform a more precise search. For example, type “OSINT” from:darknessgate -Filter:replies lang:en to get only the tweets containing the exact phrase OSINT from the user darknessgate that are not replies to other users and in the English language only.

Online Twitter Analysis Services

The following are online services to help you find information on Twitter:

1. All My Tweets (https://www.allmytweets.net): View all public tweets posted by any Twitter account on one page.

2. Trendsmap (https://www.trendsmap.com): This shows you the most popular trends, hashtags, and keywords on Twitter from anywhere around the world.

3. First Tweet (http://ctrlq.org/first): Find the first tweet of any search keyword or link.

4. Social Bearing (https://socialbearing.com/search/followers): Analyze Twitter followers of any particular account (a maximum of 10,000 followers can be loaded).

5. Spoonbill (https://spoonbill.io): Monitor profile changes from the people you follow on Twitter (see Figure 7).

Track social media users across multiple platforms

Most internet users have more than one social media account, according to statista[1], average number of social media accounts per internet user was 8.5 in 2018.  This information is useful and should be present in our mind when searching social media sites, for instance, many people prefer to use the same username in multiple social media platforms. If we know the username of one social media account of the target, we can search to see where else this username is used on other social media platforms.

You can check specific usernames to see where they are being used (e.g., social media Sites) or to know whether a particular username really exists using any of the following free online services.

1. Check User Name (http://checkusernames.com): Check the use of a specific username on 160 social networks. This is useful to discover target social media accounts to see if they are using the same username on multiple platforms.

2. Namechk (https://namechk.com): Check to see whether a specified username is used for major domain names and social media sites (see Figure 8).

3. Namecheckr (https://www.namecheckr.com): Check a domain and social username availability across multiple networks.

4. User Search (https://www.usersearch.org): Scan 45 popular social media websites.

5. UserRecon (https://github.com/thelinuxchoice/userrecon): A Linux tool to find usernames across over 75 social networks.

6. Sherlock (https://sherlock-project.github.io): Sherlock Project, can be used to find usernames across many social networks. It requires Python 3.6 or higher and works on MacOS, Linux and Windows.

Social Media Psychological Analysis

The psychological status of the person posting the contents on their profile can also give important information, even more than the content itself (in some cases). For instance, the true identity of an anonymous Twitter account can be revealed by performing linguistic analysis of the target account.

In addition, people can be tracked online by examining the way they use language when they chat or when they broadcast their thoughts online (for example, the way a target uses capitalization, omits or includes words, and pronounces some words). The advances in artificial intelligence systems will make analyzing social media accounts more effective and will help examiners uncover the true identity of anonymous social media accounts.

This online service (https://tone-analyzer-demo.mybluemix.net) offers free linguistic analysis to detect human feelings found in text such as tweets, emails, and Facebook messages (see Figure 9).

Summary

In today’s digital age, it is rare to see an Internet user who does not have at least one account on one or more social media site. People use social media services to post all types of contents online such as photos, videos, text messages, and geolocation data. They also mention their education, employment history, and the addresses where they live. Personal information such as social connections, places visited, habits, likes and dislikes, family members, spouse, and more can all be found easily. Although social networking sites allow their users to tighten their privacy controls to prevent others from seeing posted content, few people care about such issues and post many of their activities—especially text posts and check-ins— in public status. This makes a large volume of accessible data about citizens’ lives readily available to different kinds of online investigations, and this is the essence of “social intelligence” (SOCINT).

Extended Reading:

1. Author dedicated website for free OSINT resources: www.OSINT.link

2. Author Book: Open Source Intelligence Methods and Tools: A Practical Guide to Online Intelligence, Publisher: Apress; 1 edition, ISBN 978-1-4842-3212-5 By Nihad A. Hassan

About The Author: Nihad A. Hassan (@DarknessGate) is an independent information security consultant, digital forensics and cybersecurity expert, online
blogger, and book author. He has been actively conducting research on different areas of information security for more than a decade. His current work focuses on cyber OSINT, digital forensics, antiforensics techniques and digital privacy. Nihad is the author of a number of books on digital forensics, open source intelligence, digital security, ransomware and cybersecurity.

[1]https://www.statista.com/statistics/788084/number-of-social-media-accounts