Summary

Overview

This course session provides a comprehensive, hands-on introduction to Open Source Intelligence (OSINT) techniques, focusing on web archiving, password management, file transfer and encryption, automated reconnaissance tools, and geolocation of IP addresses. The trainer demonstrates practical workflows using browser extensions, command-line scripts, and specialized tools to collect, preserve, and analyze digital evidence. Emphasis is placed on real-world application, tool reliability, and ethical considerations, with repeated exercises to reinforce learning. The session concludes with foundational knowledge on public vs. private IP addresses and their use in geolocation.

Topic (Timeline)

1. Web Cloning and Archiving with HTTrack and Archive.org [00:00:03 - 00:09:39]

The session begins with a live demonstration of website cloning using HTTrack, where participants clone sites (YouTube, 1TV) to create local offline copies. The trainer explains the purpose: preserving web content as evidence in case it is deleted. Errors during cloning (e.g., “error de volcado”) are addressed by retrying over HTTP. The focus then shifts to Archive.org’s Wayback Machine, showing how to search for historical snapshots of a website (1OTB) dating back to 2003. Participants observe how the site’s appearance changed over time (2003, 2011, 2018), including redirects and content evolution. Advantages of Archive.org include cross-device accessibility and legal admissibility in some jurisdictions; the key disadvantage is that saved snapshots are publicly visible.

2. Browser Extensions for Web Capture and Privacy [00:09:39 - 00:17:00]

The trainer demonstrates the “Save Page Now” feature of the Archive.org browser extension to capture and submit live pages to the Wayback Machine without visiting Archive.org directly. A parallel exercise shows how to search archived URLs via the extension’s “Search URL” function, retrieving historical versions of YouTube from 2005. The session then covers screenshot tools: capturing full pages, visible areas, or selected regions using browser extensions. Participants download high-definition screenshots of YouTube and 1TV as evidence, noting that these tools outperform native OS screenshot utilities. The trainer invites participants to replicate the process, confirming understanding and addressing minor technical issues.

3. Browser Privacy and Data Removal [00:17:00 - 00:18:46]

A browser extension with a red icon is introduced, offering tools to manage privacy settings, view RAM usage, and clear browsing data. The trainer demonstrates a one-click removal of browsing history, cookies, and cache, emphasizing its utility in OSINT work to avoid leaving digital footprints. A participant asks about OS compatibility, and the trainer clarifies that these tools are browser-based (compatible with Chrome, Firefox, Brave) and function identically across Windows, Linux, and macOS.

4. Password Management with KeePass [00:18:46 - 00:29:56]

The trainer introduces KeePass as a portable, cross-platform password manager. Participants create an encrypted database on the desktop, set a password (with strength feedback), and add entries for services (e.g., YouTube) including username, password, URL, and optional notes. The trainer warns against weak passwords and recommends storing recovery codes securely. A live demo shows opening the database, copying credentials, and logging into a real service (Shodan) using stored data. The trainer contrasts KeePass with Google Authenticator, noting the latter’s mobile sync advantage but recommending KeePass for local, offline use in training environments.

5. File Transfer and Encryption with Cryptomator and WinRAR [00:29:56 - 00:44:48]

The trainer demonstrates file encryption using Cryptomator, creating a secure vault on the desktop with a password. A file is added to the vault, and the process of unlocking and viewing it is shown. Due to technical issues, the exercise is paused. The session then shifts to file transfer services: Gufile, File.io, FileBin.net, tmpfiles.org, SendExploit.in, and uFile.io, highlighting their anonymity, auto-deletion, and manual deletion features. The trainer shows uploading a screenshot to uFile.io and sharing the link. WinRAR is introduced as a reliable method to compress and password-protect files before upload, ensuring only recipients with the password can access content.

6. Secure Text and Link Sharing with Private.bin [00:44:48 - 00:48:04]

The trainer demonstrates Private.bin, a service for sharing text or links that self-destruct after one view or after a set time. A link to a uFile.io file is pasted into Private.bin, configured to auto-delete after reading, and shared via chat. The trainer explains this as a secure method to transfer sensitive investigation data: 1) one-time access link, 2) auto-deleting file service, 3) password-protected archive. Participants are assigned a practical exercise: compress a screenshot, upload to a file service, and share the link via Private.bin with a peer.

7. OSINT Frameworks, Repositories, and Tool Ecosystems [00:48:04 - 01:12:23]

The trainer reviews curated OSINT frameworks and repositories: OSINT Framework, IntelTechniques, OSINT Techniques, Manuelbot59.com, and Ciberpatrulla.com. Each is evaluated for regional relevance (e.g., Manuelbot59 for Latin America, Ciberpatrulla for Spain/Europe). The trainer emphasizes that many tools become obsolete due to API changes (e.g., Twitter, Facebook) and recommends only verified, tested tools. GitHub repositories (e.g., OSINT Framework) and curated collections (podcasts, YouTube channels) are presented as resources for staying current. The trainer stresses that tool reliability depends on continuous community updates and personal testing.

8. Automated OSINT Scripts: Mr. Holmes, Social Analyzer, PhoneInfoGa [01:12:23 - 01:52:55]

The trainer demonstrates three command-line OSINT scripts installed on the virtual machine. First, Mr. Holmes: participants run it via CMD to perform passive reconnaissance on an IP address (47.119.158.127), retrieving geolocation (China, Guangdong), ISP (Alibaba), and performing a traceroute and Google dork search. Results are saved in a text report. Second, Social Analyzer: participants use Python to search for the username “Luisito Comunica,” outputting metadata in JSON format. The output is formatted via a JSON viewer, revealing social media profiles across platforms (Chess.com, Bandcamp, AudioJungle). The trainer warns about encountering adult or illegal content. Third, PhoneInfoGa: participants query a Mexican phone number (+52 55 2685 4444) via PowerShell, retrieving carrier info and Google dork results. The trainer explains why phone numbers are searched in multiple formats (e.g., with/without country code, grouped digits) to maximize search coverage.
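The multi-format search idea described above can be made systematic. The following is an added example, not code from the session or from PhoneInfoGa: it generates the written forms of one number (with and without country code, in different digit groupings) and joins them into a single quoted OR query. The sample number is a constructed placeholder, and the function names and the two grouping patterns are assumptions.

```python
import re

def group(digits, sizes, sep=" "):
    """Split a digit string into blocks of the given sizes, joined by sep."""
    if sum(sizes) != len(digits):
        raise ValueError("group sizes do not cover the number")
    blocks, pos = [], 0
    for size in sizes:
        blocks.append(digits[pos:pos + size])
        pos += size
    return sep.join(blocks)

def phone_variants(number, country_code, groupings):
    """Return the distinct written forms of one number, in a stable order."""
    digits = re.sub(r"\D", "", number)      # drop +, spaces, dashes, parentheses
    if not digits.startswith(country_code):
        raise ValueError("number must include the country code")
    national = digits[len(country_code):]
    forms = [f"+{country_code}{national}", f"{country_code}{national}", national]
    for sizes in groupings:
        for sep in (" ", "-"):
            local = group(national, sizes, sep)
            forms += [f"+{country_code}{sep}{local}", local]
    return list(dict.fromkeys(forms))       # de-duplicate, keep order

def as_query(forms):
    """Quote each form for exact matching and join the forms with OR."""
    return " OR ".join(f'"{form}"' for form in forms)

# Constructed placeholder number and assumed grouping patterns.
SAMPLE_NUMBER = "+52 55 0000 1234"
MX_GROUPINGS = ((2, 4, 4), (3, 3, 4))

if __name__ == "__main__":
    for form in phone_variants(SAMPLE_NUMBER, "52", MX_GROUPINGS):
        print(form)
```

Running the same generator over a number you own shows which written forms of it are already indexed publicly.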

9. Public vs. Private IP Addresses and Geolocation [01:52:55 - 02:12:04]

The trainer explains the difference between public IP (assigned by ISP, visible on the internet) and private IP (used internally within a home/office network). Participants are instructed to check their public IP on a website (e.g., “what is my IP”) from their personal device, not the VM. Results show ISP (e.g., Telmex) and country (Mexico). The trainer contrasts this with the VM’s U.S.-based IP. Participants then use two geolocation tools (TraceMyIP, IPLogger) to input their public IP and view approximate location on Google Maps via latitude/longitude. The trainer emphasizes that geolocation is approximate (5–10 km error) and useful for narrowing investigation scope, not pinpointing exact addresses. The session ends with a break announcement, concluding the morning’s content.
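Before an address is sent to a geolocation service, it is worth checking that it is a public address at all, since private and other non-routable ranges have no location to look up. The following is an added example, not code from the session: it classifies addresses with Python's standard `ipaddress` module and keeps only those that can be geolocated. The sample addresses are constructed, and the category labels are assumptions.

```python
import ipaddress

# Ranges used inside home/office networks: RFC 1918 (IPv4) and fc00::/7 (IPv6).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]
# RFC 6598 shared space used by ISPs for carrier-grade NAT.
CGNAT = ipaddress.ip_network("100.64.0.0/10")

def _within(ip, net):
    return ip.version == net.version and ip in net

def classify(addr):
    """Label one address string; malformed input is reported, not raised."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return "invalid"
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_multicast:
        return "multicast"
    if any(_within(ip, net) for net in PRIVATE_NETS):
        return "private"
    if _within(ip, CGNAT):
        return "carrier-grade NAT"
    # Anything else that is not globally routable (documentation ranges,
    # future-use space, and so on) is grouped under one label.
    return "public" if ip.is_global else "reserved"

def geolocatable(addrs):
    """Keep only addresses for which an IP geolocation lookup is meaningful."""
    return [a for a in addrs if classify(a) == "public"]

# Constructed sample input, e.g. addresses pulled from a log or an email header.
SAMPLE = ["192.168.1.10", "172.31.255.254", "172.32.0.1", "100.64.12.9",
          "8.8.8.8", "203.0.113.7", "fe80::1", "not-an-ip"]

if __name__ == "__main__":
    for a in SAMPLE:
        print(f"{a:18} {classify(a)}")
```

The `172.31.255.254` and `172.32.0.1` pair shows where the private `172.16.0.0/12` block ends, and the `100.64.0.0/10` case is an address that looks public but sits behind an ISP's NAT.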

Appendix

Key Principles

  • Evidence Preservation: Use HTTrack and Archive.org to create offline and public backups of web content before it is altered or deleted.
  • Digital Footprint Management: Regularly clear browser data and use private browsing to avoid leaving traces during investigations.
  • Credential Security: Never store passwords in plaintext; use encrypted password managers like KeePass for local use, or Google Authenticator for cross-device sync.
  • Secure Sharing: Combine password-protected archives (WinRAR), auto-deleting file services (uFile.io, File.io), and one-time link services (Private.bin) to protect sensitive data.
  • Tool Reliability: Prioritize tools with proven, current functionality; many OSINT tools become obsolete due to platform API changes (e.g., Twitter, Facebook).
  • Search Precision: Use multiple query formats (e.g., phone number groupings, IP variations) to maximize search results across platforms.

Tools Used

  • Web Archiving: HTTrack, Archive.org (Wayback Machine)
  • Browser Extensions: Archive.org “Save Page Now,” screenshot tools (full page, area capture)
  • Privacy: Browser data cleaner extension
  • Password Management: KeePass, Google Authenticator
  • File Transfer: Gufile, File.io, FileBin.net, tmpfiles.org, SendExploit.in, uFile.io
  • File Encryption: Cryptomator, WinRAR
  • Secure Text Sharing: Private.bin
  • Automated Recon: Mr. Holmes (IP lookup), Social Analyzer (username search), PhoneInfoGa (phone lookup)
  • Geolocation: TraceMyIP, IPLogger, Google Maps (via lat/long)
  • OSINT Frameworks: OSINT Framework, IntelTechniques, Manuelbot59.com, Ciberpatrulla.com, GitHub OSINT repos

Common Pitfalls

  • Using weak passwords in KeePass databases.
  • Assuming geolocation from IP is exact (it has 5–10 km error).
  • Trusting outdated tools from OSINT frameworks without verifying current functionality.
  • Sharing sensitive data via unencrypted or non-expiring links.
  • Not testing multiple search formats for phone numbers or usernames.
  • Using the VM for public IP checks (it masks the user’s real location).

Practice Suggestions

  • Replicate the HTTrack and Archive.org exercises on 3 different websites.
  • Create a KeePass database with 5 real service entries (e.g., email, social media).
  • Compress a file with WinRAR, upload to uFile.io, and share via Private.bin with a peer.
  • Use Mr. Holmes to investigate 2 public IP addresses from different countries.
  • Search your own username on Social Analyzer and review all results critically.
  • Use PhoneInfoGa to look up 3 different phone number formats (with/without +52, grouped digits).
  • Visit Manuelbot59.com and Ciberpatrulla.com weekly to track new tool updates.