
      What is OSINT?

      news.movim.eu / Numerama · Sunday, 25 February - 16:25

    OSINT is a method born at the end of the Cold War, when the United States was asking itself what new form intelligence should take. In 2005, the CIA created a dedicated center for it. Since then, OSINT has spread widely through the military, the intelligence services, the justice system, large companies and journalism.


      How Seized Firesticks in a Plastic Bag Opened Up a Pirate Rabbit Hole

      news.movim.eu / TorrentFreak · Saturday, 6 January - 21:24 · 4 minutes

    Here at TF we track a lot of lawsuits, not to mention buy, research, and then ultimately report on them. While that can be a lot of work, in the United States detailed information is mostly easy to find.

    The same can’t always be said when piracy-related news is made available by various third-parties, often with a commercial interest in how information is presented. Through selective emphasis, useful information may not even be presented at all.

    As a result, indirect yet open sources of information are increasingly important, not necessarily to report directly in public, but to better understand the bigger picture. Sometimes the bigger picture starts with an actual picture.

    Zoom In. Now Enhance. Enhance Again

    We’ve all seen the memes and subsequent compilations of those memes, so finding yourself in a zooming and enhancing situation can be unintentionally comical, at least initially.

    Last year we reported on a series of raids in the UK against suspected IPTV resellers. With no services named and no clear idea who had been arrested, we reluctantly published the news as provided along with the officially-supplied images below.

    Images from the raids

    A few days later, after being alerted to a failing SSD, a swift check of the data revealed little worth saving; if the SSD died, it died. However, the drive contained a handful of images with one in particular standing out due to a larger-than-usual file size.

    After quickly opening the image in GIMP, the picture of the Firestick boxes in a bag appeared so, given its size, a quick zoom on the label seemed in order. Before the image finally ran out of resolution, it was possible to zoom and enhance nine times. The image below shows the detail at just six.

    Zoom Out. Zoom Out Again

    In itself, an image of Firestick boxes in an evidence bag is nothing unusual. The devices are cheap, functional, and as such are popular among those selling and buying pirate IPTV packages.

    Whether there were any physical devices in these particular boxes is unclear because, on closer inspection, it appears that some of the boxes had been previously opened. The evidence label also mentions ‘4x Fire TV Stick’ but for some reason, the word ‘boxes’ was written on another line.

    For those wondering why that might be important, it probably isn’t. The fact that GIMP indicated that the image had previously been rotated is very important, however.

    GIMP was able to determine that fact due to the image’s EXIF data, a collection of metadata tags embedded in a file that can show anything from shutter speed and exposure compensation, to whether a flash was used or not. All of this data should’ve been stripped before the images were published online.

    EXIF Data Jackpot

    EXIF data can be extracted with a number of tools but in this case, FOCA was to hand and it always does a great job. According to the data, the Firestick photo was taken on a Samsung S21 smartphone (SM-G998B) at 07:44 and 16 seconds on the day of the raid. The metadata also confirmed (orientation: Right side. top (Rotate 90 CW)) that the image had indeed been rotated.

    Image metadata, also not stripped before being made available to the public, included GPS coordinates. This information is usually accurate to about five meters and revealed where the photo was taken.

    The coordinates reveal that both photographs were taken at the same address in an area of London, not far from an area previously mentioned in connection with the case; although not exactly the same area according to a pair of helpful tools.

    Distort. Mirror. Blur. Rotate. Flip

    Thanks to Google Maps and Google Street View, addresses can be identified and cross-referenced with other public data sources referencing people and sometimes historical events. Building a bigger picture can be time-consuming. Frequently, however, it’s worth the effort.

    Don’t Take Data For Granted

    While the GPS coordinates in any image can be useful, they also have the potential to mislead or, in fringe cases, may have even been tampered with. Taking this case as an example, just because the photograph was taken inside a particular address, it doesn’t necessarily follow that the items were actually seized from inside that address.

    We’re unable to commit the resources to prove one way or the other, but these devices may have been retrieved from a vehicle, rather than bricks and mortar.

    While not necessarily used or useful in this case, other items in images like these can at times prove helpful. With carpet clearly visible, that has the potential to be matched to an address. Since knocking on the door and asking to look around might not be well received, the property may have been sold recently. If so, an estate agent has probably photographed the entire house and left the listing online.

    Finally, feel free to freak yourself out with GeoSpy AI, an online tool which tries to identify the location of photographs taken outside, even with metadata stripped. It can be hit-and-miss depending on image and location but when it gets it right, it does so with startling accuracy.

    TorrentFreak previously notified the source of both photographs that metadata hadn’t been stripped.

    From: TF, for the latest news on copyright battles, piracy and more.
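The Firestick article above notes that the EXIF data, including orientation and GPS coordinates, should have been stripped before the images were published. The following pre-publication check is an added example, not code from TorrentFreak or from any tool named in the article: it walks a JPEG's segments, reports whether an Exif block with a GPS pointer is present, and removes the Exif block. The function names and the sample bytes are constructed for illustration.

```python
import struct
EXIF_ID = b"Exif\x00\x00"
TAG_ORIENTATION, TAG_GPS_IFD = 0x0112, 0x8825  # standard Exif/TIFF tag numbers

def segments(jpeg):
    """Yield (marker, payload, raw) for each JPEG segment; scan data comes last."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("corrupt segment header at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker == 0xDA:  # start of scan: compressed pixels run to end of file
            break
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(jpeg):
            raise ValueError("bad segment length at offset %d" % pos)
        yield marker, jpeg[pos + 4:pos + 2 + length], jpeg[pos:pos + 2 + length]
        pos += 2 + length
    yield 0xDA, b"", jpeg[pos:]  # image data (or trailing bytes), copied verbatim

def ifd0_tags(tiff):
    """Parse IFD0 of the TIFF block in an Exif segment into {tag: value}."""
    order = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if order is None or len(tiff) < 8:
        return {}
    magic, ifd = struct.unpack(order + "HI", tiff[2:8])
    if magic != 42 or ifd + 2 > len(tiff):
        return {}
    (count,) = struct.unpack(order + "H", tiff[ifd:ifd + 2])
    tags = {}
    for i in range(count):
        entry = tiff[ifd + 2 + 12 * i:ifd + 14 + 12 * i]
        if len(entry) < 12:
            break  # truncated directory
        tag, typ = struct.unpack(order + "HH", entry[:4])
        # A SHORT (type 3) sits in the first 2 bytes of the value field;
        # for other types read all 4 (a LONG value or an offset).
        size = 2 if typ == 3 else 4
        tags[tag] = struct.unpack(order + "HI"[size == 4], entry[8:8 + size])[0]
    return tags

def audit(jpeg):
    """Report what metadata a JPEG would expose if published as-is."""
    report = {"exif": False, "gps": False, "orientation": None}
    for marker, payload, _ in segments(jpeg):
        if marker == 0xE1 and payload.startswith(EXIF_ID):
            tags = ifd0_tags(payload[len(EXIF_ID):])
            report["exif"] = True
            report["gps"] = report["gps"] or TAG_GPS_IFD in tags
            report["orientation"] = tags.get(TAG_ORIENTATION, report["orientation"])
    return report

def strip_exif(jpeg):
    """Return the JPEG with every Exif APP1 segment removed; pixels untouched."""
    keep = [raw for m, p, raw in segments(jpeg)
            if not (m == 0xE1 and p.startswith(EXIF_ID))]
    return b"\xff\xd8" + b"".join(keep)

def _seg(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

def build_sample():
    """Constructed input: valid JPEG framing around an Exif block, not a real photo."""
    ifd0 = struct.pack("<H", 2)
    ifd0 += struct.pack("<HHIHH", TAG_ORIENTATION, 3, 1, 6, 0)  # 6 = rotate 90 CW
    ifd0 += struct.pack("<HHIII", TAG_GPS_IFD, 4, 1, 38, 0)     # GPS IFD offset, no next IFD
    tiff = b"II" + struct.pack("<HI", 42, 8) + ifd0 + struct.pack("<HI", 0, 0)  # + empty GPS IFD
    jfif = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    scan = b"\xff\xda" + b"\x00" * 8 + b"\xff\xd9"              # fake scan data + EOI
    return b"\xff\xd8" + _seg(0xE0, jfif) + _seg(0xE1, EXIF_ID + tiff) + scan

if __name__ == "__main__":
    print(audit(build_sample()), audit(strip_exif(build_sample())))
```

Dropping the Orientation tag with the rest means the pixels may need rotating before publication. XMP and IPTC blocks can also carry location data and need the same treatment.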


      Prigozhin's final minutes reconstructed from social media

      news.movim.eu / Numerama · Friday, 25 August, 2023 - 09:28

    Yevgeny Prigozhin, head of the Wagner mercenaries and Russian warlord, died in a mysterious plane crash. Open-source data makes it possible to follow the final minutes of the flight.



      MetaOSINT – Discover more than 4,000 resources for your OSINT investigations

      news.movim.eu / Korben · Friday, 21 July, 2023 - 07:00 · 1 minute

    Recently, I came across MetaOSINT, a project created by a former OSINT analyst and investigator who had had enough of hunting for resources in a rather haphazard way. So he created a free and open aggregator that gathers the cream of the crop of OSINT tools and resources.

    MetaOSINT is like a Swiss Army knife for OSINT investigators. It lists and sorts thousands of tools from three different sources, each source having its own level of trust and potential bias. With more than 4,000 resources catalogued, you have access to a treasure trove of information and tools to help with your online investigations.

    Browsing MetaOSINT, I felt like a kid in a candy store. Each tool seemed more useful than the last. The world of OSINT can be quite vast and intimidating, especially for beginners, but MetaOSINT makes the task much more accessible. It is a bit like an experienced friend who takes you by the hand to show you the right tools and the right resources. Thanks to this site, you will be able to carry out more thorough investigations and find relevant information faster.

    And if the compilation of the best OSINT tools and resources is not enough for you, MetaOSINT also invites the community to contribute to the project. If you have a quality OSINT tool or website that is not yet listed, you can submit its details through a dedicated form. The collective knowledge of the OSINT community can certainly help bring new gems to light.

    Of course, with great power comes great responsibility. As Spider-Man's grandfather used to say: "With great power comes great responsibility, and since you are not President of the Republic, you will have to answer for it."

    So use these tools and resources responsibly. Be ethical in your research and do not misuse this information. Remember that the aim of an OSINT investigation is to stay within legal and ethical limits.

    Find it here: https://metaosint.github.io


      Major Labels Need an Anti-Piracy Sleuth to Probe Pirate Apps

      news.movim.eu / TorrentFreak · Tuesday, 27 June, 2023 - 20:16 · 4 minutes

    On the surface there’s a world of difference between the crisp-suited executives of international corporations and the internet-dwelling swashbucklers intent on reappropriating their copyrighted content as swiftly as possible.

    In reality, the closer one gets to the piracy front lines, the more difficult it is to tell the factions apart. They use similar tools and obfuscation techniques, need to innovate to stay ahead of the game, and even participate in the same discussions. Earlier this year a group of ‘pirates’ on Reddit obtained all kinds of information on at least a dozen pirate apps using ancient lost arts; opening accounts months earlier, pretending to be almost clueless, and then just blatantly asking.

    Totally unsurprisingly, there was zero shortage of helpful pirates willing to answer, but these kinds of efforts are only useful in limited circumstances and can only yield so much useful intelligence. Technical information needs to be obtained methodically before being meticulously documented, potentially for use in future legal action against pirates themselves or intermediaries – or both.

    IFPI – Content Protection & Enforcement

    Global recording industry trade group IFPI has a sophisticated anti-piracy team tasked with mitigating threats, gathering evidence for use in legal action, and staying on top of the latest piracy trends.

    In a job listing posted Monday, the group called out for a new technical investigator to join the team at IFPI’s impressive headquarters in London.

    “The ideal candidate will have well-rounded technical knowledge and be capable of analyzing and testing infringing services and producing written reports in a clear and concise manner. The candidate will work closely with the technical investigators and analysts within the team, developers, operational staff, and lawyers, as well as law enforcement professionals,” the listing reads.

    Responsibilities

    While prosecutions are still carried out in the UK, most music pirates have moved on from selling pirate CDs at the local market. The role at IFPI seems to be a thoroughly digital affair, with investigations focused on pirate apps, social media platforms, and online streaming services.

    The successful candidate will also have knowledge of ancillary technologies, including blockchain, decentralization, metaverse and gaming platforms, and of course, Artificial Intelligence. They will also have a blemish-free past, which IFPI will confirm via an enhanced background check. These checks go beyond convictions and include any information the police may have on record that’s considered in some way relevant.

    OSINT & Technical Investigations

    While techniques and tool availability have developed significantly in recent years, the basic questions requiring answers in any piracy investigation remain the same; how does the infringing service or platform deliver content to end users, where does that content come from, what type of infrastructure supports it, and who are the humans involved and what roles do they play.

    Investigations can be triggered when a new app appears online. Whether iOS or Android (mostly the latter), the process is the same; find out how the app functions, and then determine where the content comes from and how. The IFPI job listing gives little away on the specifics but does state that the successful candidate will have experience with three specific tools – Wireshark, Charles, Postman.

    In Your App, Sniffing Your Traffic

    There’s no doubt that Wireshark is the best-known tool of the three. Launched in the late 1990s and originally called Ethereal, Wireshark is the leading network protocol analyzer by far and is used by millions of people worldwide.

    Wireshark is also completely free of charge but for most novices, completely overwhelming too, at least in the beginning.

    For those who persevere, Wireshark offers a window into the hidden world of protocols, packets and networking, and is as proficient at monitoring the communications behavior of a regular browser accessing YouTube, as it is monitoring a mobile piracy app, or sniffing out unauthorized BitTorrent traffic on a network.

    Wireshark is an extremely powerful tool and as likely to appear in a pirate’s toolbox as it is an anti-pirate’s. In most aspects Wireshark is more powerful than Charles, or Charles Proxy as it’s often known, but sometimes a more focused piece of software is preferable to all-out overkill. Charles has some interesting tricks up its sleeve.

    Charles cited in a piracy investigation

    While Charles also monitors traffic, it’s a web-debugging tool rather than a packet analyzer. In a typical scenario where an investigator wants to know how a new Android music streaming app works, the smartphone running the app (or an emulator) can be made to connect to Charles before it goes about connecting to external sources to stream music or obtain covers etc.

    Meanwhile, Charles acts as a ‘man-in-the-middle’ silently listening and logging all activity, even when pirate app traffic is otherwise ‘protected’ by encryption. Charles can decrypt SSL/TLS connections, obtain cookies and grab passwords.

    It sounds like the kind of behavior pirates might enjoy but on the piracy war frontlines, the sides have more in common than either would like to admit.

    IFPI’s job listing can be found here



      MPA & ACE Need OSINT Investigators to Track Down IPTV Pirates

      news.movim.eu / TorrentFreak · Saturday, 28 January, 2023 - 15:29 · 3 minutes

    The MPA and strongly-affiliated Alliance for Creativity and Entertainment are the sworn enemies of illegal streaming sites, IPTV services, and torrent portals.

    Still, when everything boils down, the hunter and the hunted ultimately find themselves on the same digital battlefield, equipped with broadly similar tools, underpinned by mostly the same technical rules. Tradition seems to allow pirates to break and make up rules as they go along, while Hollywood is free to amend legislation to take up the slack.

    There’s no one-size-fits-all scenario in the piracy wars, but in general, pirates need their services to stay visible at all times while staying invisible themselves. The challenge for MPA/ACE investigators is almost exactly the opposite. Find a chink in the armor, obtain information, and then exploit every possible resource to remove anonymity.

    Victory in the endgame – rendering once-visible sites permanently invisible via a binding legal agreement – relies on meticulous evidence. The MPA wants to add two more people to its Global Content Protection team to help harvest that from the internet.

    Internet Investigator (OSINT)

    On a basic level, most internet users have dabbled in the world of Open Source Intelligence (OSINT). A Google search will return information retrieved from the open internet, but that’s just one tool out of the hundreds available to OSINT investigators, including those working in the anti-piracy niche.

    “The Internet Investigator (OSINT) is primarily responsible for conducting detailed investigations of key players and other global targets involved in copyright infringement, including the investigation of individuals and organizations,” the MPA’s job listing reads.

    The position demands someone with skills in OSINT and attribution methods. In a nutshell, this means leveraging openly available information to identify an individual and/or a group/organization and then being able to link those targets to illegal activity, direct or secondary infringement, for example.

    Social media research is unsurprisingly cited by the MPA as an area of interest. Many pirate service operators use platforms such as Facebook and Twitter to attract customers and service existing ones. On the plus side for investigators, the volume of data that can be extracted from these platforms and their users is extraordinary.

    Key Responsibilities

    Gathering information on pirate services and those who run them can be relatively easy, but that’s only part of the job. Any specific intelligence collected may also be utilized more broadly, requiring the candidate to produce “forensically sound and actionable investigative reports.”

    After obtaining intelligence on a target, a decision must be taken on how to proceed. Is civil action appropriate or is behavior more suited to a criminal investigation? The candidate will offer recommendations based on the intelligence at hand.

    As pirate services disappear or get taken down, new ones tend to appear. The successful candidate will be required to proactively hunt for potential future targets and analyze them, which sounds easy but almost certainly isn’t.

    The skill here is to identify a new site’s potential for growth, based on factors available today. An approach that treats all new entrants equally risks the misallocation of resources to dozens of low-key threats. That doesn’t mean MPA/ACE won’t happily take them down but priority targets are called that for a reason.

    Of course, hindsight is always 20/20 and some initially innocuous players will inevitably slip through the gaps. Datasets that indicate disproportionate interest on social media may help to reduce that – in tandem with dozens…and dozens of other sources.

    Investigations Manager

    A second managerial position will see the successful candidate “assist the Global Content Protection team in shaping, contributing to, and executing the team’s enforcement strategy.”

    Other responsibilities include the following:

    Supervise a team of investigators working on detailed investigations of key players and other global targets involved in copyright infringement, including the investigation of individuals, organizations, and technical infrastructures

    Assist in identifying cases suitable for escalated actions, civil and criminal

    Collaborate with MPA member studios, industry partners, law enforcement, vendors, attorneys, and various internal departments to work towards the resolution of cases

    Supervise the proactive identification of new potential targets. Monitor, analyze, and report on emerging trends and technologies in online piracy

    For anyone interested in OSINT and/or piracy, the above sounds like exciting work. Of course, the MPA will know everything about most potential candidates before they’re invited for an interview, largely thanks to the trails almost everyone leaves behind.

    Enjoy.

    The MPA job listings can be found here (1, 2)



      How to find out everything about a domain name? #OSINT

      news.movim.eu / Korben · Saturday, 10 December, 2022 - 08:00 · 1 minute

    How about doing a bit of OSINT today? That is, collecting as much information as possible about, for example, a domain name, in order to discover the IP of the server behind it along with its entire DNS configuration, who registered the domain name at different points in time and, above all, to list all of its subdomains?

    Obviously, to keep things gentle, all of this research has to be carried out passively. That is possible thanks to the WebOSINT script which, once set up on your machine, collects all of this information either directly or through certain third-party services.

    For everything to work properly with WebOSINT, you will therefore need to create accounts on various services in order to obtain API keys. The keys go in the config.json file.

    For the HackerTarget API, there is no obligation, since you can use the free tier limited to a few requests with the "-F" option. For the WhoisXML or WhoisFreaks API, however, you will need to create an account, but rest assured, it is free up to a certain limit. WhoisXML is limited to 500 free lookups and WhoisFreaks to 100 free lookups.

    Then, to install WebOSINT, open a terminal and enter the following commands:

    git clone https://github.com/C3n7ral051nt4g3ncy/webosint
    cd webosint
    pip3 install -r requirements.txt
    python3 webosint.py

    Remember to fill in the API keys in the config.json file.

    Once the tool is running, all you have to do is enter the domain name and let WebOSINT work its magic.

    Thanks to Deuza, distinguished Patreon supporter, for the find.


      How to analyze a GitHub profile? #osint

      news.movim.eu / Korben · Saturday, 3 December, 2022 - 08:00 · 1 minute

    If you do a bit of OSINT and are looking for a good tool to analyze GitHub accounts, look no further, you have just found it!

    This tool, written in Python, is called GitFive and it returns a lot of interesting information.

    • The history of the account's names and logins, along with their different variations
    • The email address of the GitHub account
    • The ability to find the GitHub accounts associated with a mailbox
    • Cloning and analysis of the targeted repositories
    • Discovery of local identities (bruno@my-computer.local)
    • Searching for secondary accounts
    • The ability to generate every possible combination of email addresses for searches
    • Transfer of public SSH keys
    • And export of all of this in JSON format

    Installing it could not be simpler. You will need pipx, which you install with the following commands:

    pip3 install pipx
    pipx ensurepath
    pipx install gitfive

    Then, to use gitfive, you first have to authenticate to GitHub. So enter the command:

    gitfive login

    The tool will then ask for your GitHub login and password plus an API key (classic token), which you can generate here, granting it the repo and delete_repo permissions.

    Then type this in your terminal if you want to retrieve the information from a username:

    gitfive user NOMUTILISATEUR

    You can of course use an email address (email xxx@xxx.com) or several (emails) if you wish.

    And you will get the best there is when it comes to data retrieval. It's superb!

    Well done to Mxrch for the work!


      How to extract information from Instagram accounts (emails, phone numbers, etc.)

      news.movim.eu / Korben · Wednesday, 30 November, 2022 - 08:00 · 1 minute

    If you are looking for a way to scrape profile information on Instagram, here is a Python script named Toutatis that you should like.

    Of course, it will not retrieve anything that is not "public", so it is not a hacking tool. But it still surfaces interesting information such as the UserID, the account type (business, verified, etc.), the number of followers / following, not to mention the number of posts / videos as well as the link to the profile picture.

    If the account's phone number and email are accessible in clear text, it returns them as well. If they are masked, you will only get the last digits / letters.

    Installing Toutatis is very simple. Open a terminal and enter the following commands:

    git clone https://github.com/megadose/toutatis.git
    cd toutatis/
    python3 setup.py install

    Then, to run an analysis, open Instagram while logged in, then open a photo belonging to the account you want to retrieve. Open your browser's developer tools and retrieve the SessionID value from the Instagram cookie.

    toutatis -u username -s instagramsessionid

    I was just thinking about these masked phone numbers. Some services give the last 2 or 3 digits, others just the beginning, and so on. I imagine that by knocking on the door of several of these services, it becomes possible to reconstruct a complete or nearly complete number. Same thing with the email address…

    In short, once again, be wary of the data you leave online.