CSI Linux SOCMINT Masterclass: Uncover Social Media Intelligence & Digital Identities with Puria Mehmandar – April 11th, 2026

Weekend SOCMINT Masterclass!

https://shop.csilinux.com/shop/instructor-led-training/

The CSI Linux Certified Social Media Intelligence Analyst (CSIL-CSMI) course and certification is designed to teach investigators how to collect, analyze, correlate, and report intelligence derived specifically from social media environments in a structured, lawful, and operationally sound manner. It covers the lifecycle of a SOCMINT investigation, from foundational concepts and investigative preparation through legal and ethical constraints, anonymity, persona development, identity tracing, media exploitation, platform-based investigations, niche communities, automation tools, and final reporting.

Its purpose is not to teach casual social media browsing. Its purpose is to teach how to extract, validate, and connect digital traces across platforms to produce actionable intelligence that supports real investigations and real decisions.

This course is useful because modern investigations increasingly unfold across social platforms, where identities, networks, and intent are exposed in fragmented and fast-moving ways. For law enforcement, intelligence personnel, private investigators, cybersecurity professionals, analysts, journalists, and researchers, the course provides a disciplined framework for identifying individuals, tracking behavior, preserving digital evidence, navigating platform restrictions, avoiding attribution mistakes, and converting findings into structured intelligence outputs. The certification is built around core domains such as investigative workflow, legal and ethical compliance, anonymity and OPSEC, persona operations, evidence collection and preservation, media analysis, platform exploitation, tool integration, and reporting.

Course Phases and Modules

Phase 1. Orientation, Scope, and Foundations of SOCMINT
• Introduction: Opens the course and frames the role of social media intelligence in modern investigations
• About the CSIL-CSMI: Defines certification scope, objectives, and expected outcomes
• Base Process of Investigations: Establishes structured investigative workflows aligned with ISO/NIST standards
• Examples of SOCMINT Investigations: Demonstrates real-world investigative cases and pattern-of-life analysis

Phase 2. Legal, Ethical, and Operational Preparation
• Laws, Ethics, and SOCMINT: Covers legal frameworks, cyber laws, and investigator conduct
• Terms of Service Challenges: Explains platform restrictions, compliance risks, and operational limitations
• Importance of Anonymity: Focuses on attack surface reduction, browser leaks, and investigator protection

Phase 3. Persona Development and Identity Operations
• Setting up an Online Persona (Sock Puppet): Teaches controlled identity creation and account management
• Using Your Persona to Investigate: Moves from creation to active deployment in investigations
• Username Search Techniques: Covers cross-platform identity tracing and correlation methods

Phase 4. Evidence Collection, Preservation, and Forensics
• Preserving Online Evidence: Covers defensible capture, authentication, and legal admissibility
• Investigation Frameworks and Evidence Handling: Applies models like IIF, ISO 27037, and NIST 800-86
• Email and Web Evidence Forensics: Introduces forensic techniques for online artifacts

Phase 5. Media Exploitation and Content Analysis
• Online Investigations with Images: Covers reverse image search and visual intelligence extraction
• Video Evidence Collection: Focuses on acquisition, preservation, and analytical use of video

Phase 6. Social Media Platforms and Digital Environments
• YouTube Investigations: Covers video sourcing, downloading, and metadata awareness
• TikTok Investigations: Focuses on influencer tracking, discovery, and rapid OSINT workflows
• Facebook Investigations: Covers account analysis, search techniques, and privacy considerations
• Telegram Investigations: Explores channel monitoring, groups, and encrypted ecosystems
• LinkedIn Investigations: Focuses on professional profiling and network intelligence
• X (Twitter) Investigations: Covers account authenticity, bot detection, and behavioral indicators
• Instagram and Cross-Platform Analysis: Expands into multi-platform identity tracking

Phase 7. Niche Platforms, Communities, and Threat Environments
• Dating Sites Investigations: Covers identity tracing in niche platforms and breach data usage
• Marketplace Scams: Focuses on fraud detection in online marketplaces
• 4Chan and Image Boards: Explores anonymous environments and high-noise intelligence spaces
• Reddit Investigations: Covers community-based intelligence gathering
• Other Social Media Sites: Includes GitHub, Mastodon, and fringe platforms

Phase 8. Tools, Automation, and Investigative Support Systems
• 3rd Party Commercial Apps: Covers tools like Maltego, Hunchly, and link analysis workflows
• Platform-Specific OSINT Tools: Introduces specialized tools for social media exploitation

Phase 9. Reporting, Case Integration, and Operational Output
• Writing the Report: Teaches structured reporting, case management, and intelligence presentation
• Case Studies: Applies full investigative workflows to realistic scenarios

Phase 10. Practice, Resources, and Continued Development
• Practicing OSINT and Resources: Reinforces skill-building, tool familiarity, and continuous learning
• Course Completion and Certification Path: Finalization, feedback, and certification readiness

Meet Your Instructor: Puria Mehmandar

Puria Mehmandar brings a structured, analytical, and operational mindset to the CSI Linux SOCMINT Masterclass: Social Media Intelligence & Digital Investigations. With a professional background rooted in project execution, procurement strategy, and risk analysis, he has developed a strong foundation in identifying patterns, validating sources, and assessing credibility within complex systems.

Alongside his operational career, Puria has actively specialized in open-source intelligence and digital investigation, with a particular focus on social media environments, identity tracing, and cross-platform analysis. His work emphasizes the disciplined collection and synthesis of open-source data, leveraging multilingual capabilities and cross-cultural awareness to interpret digital behavior across different regions and ecosystems.

He holds advanced academic training in Information Technology and History, allowing him to bridge technical analysis with contextual and behavioral understanding. This combination enables him to approach SOCMINT not just as data collection, but as a method of reconstructing human activity, intent, and networks through digital footprints.

In this masterclass, Puria teaches SOCMINT as a structured investigative discipline. His approach focuses on building reliable workflows, maintaining operational security, respecting legal boundaries, and transforming scattered social media data into clear, defensible, and actionable intelligence.

ITL Event: CSI Linux OSINT Masterclass: Uncover Hidden Intelligence & Digital Footprints with Erfan Tighzan April 4th 2026

Weekend OSINT Masterclass!

https://shop.csilinux.com/shop/instructor-led-training/master-osint-with-csi-linux-live-instructor-led-training-csil-coa-certification/

The CSI Linux Certified OSINT Analyst course and certification is designed to teach investigators how to collect, preserve, analyze, and report publicly available information in a way that is structured, lawful, and operationally sound. It covers the lifecycle of an online investigation, from foundational OSINT concepts and pre-investigation preparation through anonymity, persona development, online collection, domain and phone analysis, social media, image and video evidence, geolocation, tracking changes, misinformation, AI challenges, cryptocurrency, and final reporting. Its purpose is not to teach random internet searching. Its purpose is to teach how to turn open sources into actionable intelligence that can support real investigations and real decisions.

This course is useful because modern investigations increasingly begin online, long before traditional evidence is collected. For law enforcement, intelligence personnel, private investigators, cyber responders, DFIR analysts, journalists, HR professionals, recruiters, researchers, and related professionals, the course provides a disciplined framework for identifying online leads, preserving digital evidence, avoiding attribution mistakes, protecting operational security, and converting findings into clear reporting. The certification is built around core domains such as OPSEC, technology basics, laws and ethics, identification, collection and preservation, examination and analysis, and reporting.

Phase 1. Orientation, Scope, and Foundations of OSINT
• Module 1. Introduction: Opens the course and frames the role of OSINT in modern investigations.
• Module 2. About the CSIL COA: Defines the certification, course scope, and expectations.
• Module 3. Pre-Training: Prepares the investigator for how to approach the course and build readiness before deeper work begins.
• Module 4. What is OSINT?: Establishes the meaning, value, and limitations of open source intelligence.
• Module 5. Examples of Online Investigation: Shows how OSINT appears in real investigative contexts and why it matters operationally.

Phase 2. Legal, Ethical, and Operational Preparation
• Module 6. Laws, Ethics, and OSINT: Covers legal boundaries, ethical obligations, and disciplined investigative conduct.
• Module 7. Importance of Anonymity: Explains why investigator protection and source separation matter in online work.
• Module 8. IP Addresses, Proxies, and VPNs: Builds technical understanding of online infrastructure, attribution risk, and anonymity support.
• Module 9. Crafting Your Digital Disguise: The Art of Persona (Sock Puppet) Creation: Teaches how to create a believable investigative persona.
• Module 10. Using your persona to investigate: Moves from persona creation to lawful and disciplined operational use.

Phase 3. Collection, Preservation, and Online Source Handling
• Module 11. Preserving Online Evidence: Covers evidence preservation, documentation, and defensible capture of online material.
• Module 12. Website Collection: Focuses on collecting websites and related online artifacts in a structured manner.
• Module 13. DNS, Domains, and Subdomains: Teaches how domain infrastructure supports identification, correlation, and online attribution.
• Module 14. Translation options: Addresses language barriers and translation support during online investigations.
• Module 15. Phone Numbers and Info: Covers phone based OSINT and the investigative value of telecom related identifiers.
• Module 16. Public Records Searches: Trains investigators to incorporate public records into online intelligence work.

Phase 4. Online Platforms, Media, and Specialized Evidence Types
• Module 17. Social Media Sites: Covers social media as a major OSINT environment for identification, activity mapping, and evidence collection.
• Module 18. The Storytelling Power of Images: Teaches image based analysis, context extraction, and evidentiary interpretation.
• Module 19. Video Evidence Collection: Focuses on video acquisition, preservation, and analytical value.
• Module 20. Geolocation: Covers geolocation techniques and the interpretation of location based clues.
• Module 21. Tracking Transportation: Extends geolocation into transportation and movement analysis.
• Module 22. Tracking changes and getting alerts: Teaches investigators how to monitor changing online targets and preserve evolving evidence.

Phase 5. Tools, Frameworks, and Investigative Support Systems
• Module 23. 3rd Party Commercial Apps: Surveys commercial OSINT tools and how they fit into disciplined investigative workflows.
• Module 24. OSINT Frameworks (tools): Provides structured approaches to tool selection, workflow thinking, and investigative process support.

Phase 6. Analytical Risk, Emerging Challenges, and Specialized Topics
• Module 25. Misinformation, Disinformation, and Deception: Trains investigators to identify deception, manipulation, and false narratives in open sources.
• Module 26. AI Challenges: Covers the role of AI in OSINT, along with risks, distortion, and verification concerns.
• Module 27. Cryptocurrency: Introduces cryptocurrency as an OSINT and investigative topic with identification and attribution relevance.

Phase 7. Reporting, Case Integration, and Investigative Maturity
• Module 28. Reporting and Actionable Intelligence: Teaches how to turn collected information into structured findings and usable intelligence.
• Module 29. OSINT Case Studies: The True Crime Thrillers of Digital Investigations: Applies the course to realistic case based investigative scenarios.
• Module 30. Unraveling the Intricacies of Digital Forensics: Connects OSINT work to broader forensic and investigative practice.
• Module 31. Practicing OSINT and Resources: Reinforces continued practice, investigator growth, and ongoing resource development.

Meet Your Instructor: Erfan Tighzan

Erfan Tighzan brings a rare combination of lived operational awareness, technical depth, and intelligence-driven thinking to the CSI Linux OSINT Masterclass: Uncover Hidden Intelligence & Digital Footprints. With roots in aerospace engineering and a career path shaped by real-world upheaval, Erfan transitioned into intelligence analysis, cyber threat work, and penetration testing with a focus on the Middle East and the complex realities of modern conflict, security, and digital exposure. His work draws from OSINT, GEOINT, SIGINT, SOCINT, SDR analysis, ADS-B tracking, HFGCS monitoring, and operational security practices forged not as abstract theory, but as practical necessity. He is also a published author and co-author of The Grand Manifesto of OSINT, a CSI Linux-linked handbook dedicated to lawful, ethical, and disciplined intelligence practice.

In this masterclass, Erfan teaches OSINT the way it is meant to be practiced: not as casual internet searching, but as a disciplined craft of collecting, validating, preserving, and interpreting digital traces that others overlook. His instruction is shaped by a blend of technical skill, geopolitical understanding, and a relentless respect for OPSEC, deception awareness, and evidentiary discipline. That perspective aligns closely with the themes reflected in The Grand Manifesto of OSINT, which covers anonymity, preserving online evidence, domains, personas, imagery, transportation tracking, cryptocurrency, AI, deception, and case driven investigative thinking. For investigators, analysts, journalists, and security professionals, Erfan brings a teaching style grounded in reality, shaped by pressure, and focused on turning scattered online fragments into meaningful, actionable intelligence.


The CSI Linux Certified OSINT Analyst (CSIL-COA)

Course: CSI Linux Certified OSINT Analyst | CSI Linux Academy

Embark on a thrilling journey into the heart of digital sleuthing with the CSI Linux Certified-OSINT Analyst (CSIL-COA) program. In today’s world, where the internet is the grand tapestry of human knowledge and secrets, the ability to sift through this vast digital expanse is crucial for uncovering the truth. Whether it’s a faint digital whisper or a conspicuous online anomaly, every clue has a story to tell, often before traditional evidence comes to light. The CSIL-COA is your gateway to mastering the art and science of open-source intelligence, transforming scattered online breadcrumbs into a roadmap of actionable insights.

With the CSIL-COA certification, you’re not just learning to navigate the digital realm; you’re mastering it. This course is a deep dive into the core of online investigations, blending time-honored investigative techniques with the prowess of modern Open-Source Intelligence (OSINT) methodologies. From the initial steps of gathering information to the preservation of digital footprints and leveraging artificial intelligence to unravel complex data puzzles, this program covers it all. By the end of this transformative journey, you’ll emerge as a skilled digital detective, equipped with the knowledge and tools to lead your investigations with accuracy and innovation. Step into the role of an OSINT expert with us and expand your investigative landscape.

Here’s a glimpse of what awaits you in each segment of the OSINT certification and training material:

Who is the CSIL-COA For?
    • Law Enforcement
    • Intelligence Personnel
    • Private Investigators
    • Insurance Investigators
    • Cyber Incident Responders
    • Digital Forensics (DFIR) analysts
    • Penetration Testers
    • Social Engineers
    • Recruiters
    • Human Resources Personnel
    • Researchers
    • Investigative Journalists
CSIL-COA Course Outline
    • What is OSINT?
    • Unraveling the Intricacies of Digital Forensics
    • Preserving Online Evidence
    • Phone Numbers and Info
    • IP Addresses, Proxies, and VPNs
    • DNS, Domains, and Subdomains
    • Importance of Anonymity
    • Examples of Online Investigation
    • Misinformation, Disinformation, and Deception

    • Crafting Your Digital Disguise: The Art of Persona (Sock Puppet) Creation
    • Using your persona to investigate
    • Translation options
    • Website Collection
    • 3rd Party Commercial Apps
    • OSINT Frameworks (tools)
    • Tracking changes and getting alerts
    • Public Records Searches
    • Geolocation
    • Tracking Transportation

    • The Storytelling Power of Images
    • Social Media Sites
    • Video Evidence Collection
    • Cryptocurrency
    • AI Challenges
    • Reporting and Actionable Intelligence
    • OSINT Case Studies
    • Practicing OSINT and Resources
    • Course Completion
    • The CSIL-COA Exam
The CSIL-COA Exam details
Exam Format:
    • Online testing
    • 85 questions (Multiple Choice)
    • 2 hours
    • A minimum passing score of 85%
    • Cost: $385
Domain Weight
    • OPSEC (13%)
    • Technology and Online Basics (20%)
    • Laws, Ethics, and Investigations (9%)
    • Identification (16%)
    • Collection & Preservation (13%)
    • Examination & Analysis (13%)
    • Presentation & Reporting (14%)
Certification Validity and Retest
    • The certification is valid for three years. To receive a free retest voucher within this period, you must either:
        • Submit a paper related to the subject you were certified in, ensuring it aligns with the course material.
        • Provide a walkthrough on a tool not addressed in the original course that can be a valuable supplement to the content.
    • This fosters continuous learning, enriches the community and the field, and underscores your commitment to staying current in the industry. If you do not meet these requirements and fail to recertify within the three-year timeframe, your certification will expire.


Mastering Domain Reconnaissance / OSINT with Sublist3r

Engaging with Sublist3r: Mastering Domain Reconnaissance in OSINT

Imagine you’re a digital detective whose mission is to map the hidden parts of an organization’s online world. Sublist3r is a tool built for exactly that: a subdomain enumerator that aggregates results from search engines (Google, Bing, Yahoo, Baidu, Ask) and public sources such as Netcraft, DNSdumpster, VirusTotal, ThreatCrowd and certificate transparency logs (crt.sh) to reveal subdomains of a target domain. By default it is passive: it queries those third parties, not the target, so nothing touches the target’s infrastructure until you opt into brute forcing or port scanning.

Let’s take google.com as our target. Running python sublist3r.py -d google.com makes Sublist3r unveil a long list of subdomains. This is your first step in mapping Google’s digital footprint and its extensive reach across the internet. Treat the list as leads, not facts: it is assembled from third-party caches and certificate records, so it will contain stale names that no longer resolve and, occasionally, hosts that are not part of the target at all.

Advanced Reconnaissance Tactics

For a more tailored search, Sublist3r lets you choose your sources. Use python sublist3r.py -d google.com -e google,yahoo -t 10 -o domains.txt to restrict collection to Google and Yahoo and write the results to ‘domains.txt’. Note that -t sets the thread count for the brute-force stage, which only runs when you also pass -b; for passive collection it has no effect.

The OSINT Advantage

In the realm of OSINT, Sublist3r is like a master key. It opens doors to hidden corridors of an organization’s online presence. Discovering various subdomains of Google, for example, could reveal new services, potential vulnerabilities, or forgotten digital outposts.

Synergy with Other OSINT Tools

Sublist3r’s discoveries are not the end but the beginning. Resolve the names to find which are still live, then pair the live hosts with Nmap for a port scan or with a web application vulnerability scanner, turning data into actionable intelligence. Keep in mind that these follow-up steps send traffic to the target: the passive enumeration is OSINT, the scanning is not, and it needs authorization.

Navigating Ethical Boundaries

Remember, with great power comes great responsibility. While exploring the depths of google.com or any domain, it’s vital to respect privacy, adhere to legal boundaries, and avoid unauthorized probing.

Sublist3r Syntax Examples (confirm the options your installed version supports with python sublist3r.py -h)
  • Basic Domain Search: python sublist3r.py -d example.com
  • Specifying Search Engines: python sublist3r.py -d example.com -e google,bing
  • Setting Brute-Force Threads (only meaningful together with -b): python sublist3r.py -d example.com -b -t 10
  • Saving Output to File: python sublist3r.py -d example.com -o domains.txt
  • Using Brute Force (subbrute wordlist; this sends DNS queries for names under the target): python sublist3r.py -d example.com -b
  • Port-Scanning the Discovered Subdomains (active; -p scans the found hosts on the listed TCP ports): python sublist3r.py -d example.com -p 80,443
  • Excluding Subdomains: upstream sublist3r.py has no exclude option; filter unwanted hosts out of the output file afterward
  • Verbose Output: python sublist3r.py -d example.com -v
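A scope-filtering step to run on the output file before anything active touches the target, as an added example that is not part of the original post and not Sublist3r’s own code. The sample lines, the apex domain example.com and the exclusion list are constructed for the demo; the point it makes is that a substring test such as "example.com" in host would pull look-alike, out-of-scope hosts into your scan list, while a label-boundary check does not.

```python
# Added example (not part of the original post, not Sublist3r's own code):
# post-processing of an enumeration output file before anything active runs.
# The sample lines below are constructed to look like Sublist3r / crt.sh output;
# the apex domain and the exclude list are assumptions for the demo.
import re
from typing import Optional
from urllib.parse import urlsplit

# RFC 1123-style hostname: labels of [a-z0-9-], no leading/trailing hyphen.
# Underscore labels (_dmarc, _sip._tcp) are deliberately rejected: they are
# DNS records, not hosts you would scan.
HOST_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$"
)


def normalize(entry: str) -> Optional[str]:
    """Reduce one raw line to a bare lowercase hostname, or None if it isn't one."""
    s = entry.strip().lower()
    if "://" in s:                        # some sources return full URLs
        s = urlsplit(s).hostname or ""
    s = s.split(":")[0].rstrip(".")       # drop a port and a trailing root dot
    s = s.lstrip("*.")                    # wildcard names from certificate records
    return s if HOST_RE.match(s) else None


def in_scope(host: str, apex: str) -> bool:
    """Scope check on a label boundary. A substring test ('apex in host') would
    accept example.com.attacker.net and notexample.com; this does not."""
    apex = apex.lower().rstrip(".")
    return host == apex or host.endswith("." + apex)


def filter_results(lines, apex: str, exclude=()):
    """Normalize, scope-check, drop excluded hosts and everything under them,
    de-duplicate and sort. Rejects are returned with a reason so the decision
    to leave a host out of the scan list is auditable later."""
    excluded = [e.lower().rstrip(".") for e in exclude]
    kept, rejected = set(), []
    for raw in lines:
        host = normalize(raw)
        if host is None:
            rejected.append((raw, "not a hostname"))
        elif not in_scope(host, apex):
            rejected.append((raw, "out of scope"))
        elif any(in_scope(host, e) for e in excluded):
            rejected.append((raw, "excluded"))
        else:
            kept.add(host)
    return sorted(kept), rejected


# Constructed sample: the kinds of lines an aggregator hands back in practice.
SAMPLE_LINES = [
    "mail.example.com",
    "MAIL.example.com.",                   # same host, different spelling
    "https://dev.example.com:8443/login",  # a URL, not a hostname
    "*.staging.example.com",               # wildcard from a certificate
    "example.com.attacker.net",            # look-alike, out of scope
    "notexample.com",                      # shares a suffix, out of scope
    "legacy.example.com",                  # in scope but excluded by policy
    "old.legacy.example.com",              # under the excluded host
]


def demo():
    return filter_results(SAMPLE_LINES, "example.com", exclude=["legacy.example.com"])


if __name__ == "__main__":
    kept, rejected = demo()
    print("scan list:", kept)
    for raw, why in rejected:
        print(f"dropped {raw!r}: {why}")
```

To use it on a real run, replace SAMPLE_LINES with open("domains.txt").read().splitlines() and feed only the kept list to the resolver or scanner; keep the rejected list with the case notes, since "why was this host not scanned" is a question that comes up in review.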

Tor vs. Lokinet: A Comprehensive Comparison


In the field of privacy and anonymity, Tor and Lokinet are two well-known networking protocols. While both aim to provide users with secure and private internet access, their underlying architectures and working principles are quite different. This article sheds light on these two systems, emphasizing the differences in their design, functionality, and user experience.

Tor Network

Definition

The Tor (The Onion Router) network is a free and open-source system that enables anonymous communication across the internet. Its primary goal is to conceal users’ locations and usage from anyone conducting network surveillance.

Architecture and Operation
Tor and the Application Layer of the OSI Model

Tor operates at the Application Layer (Layer 7) of the OSI model, in the sense that it is a user-space program that applications hand their connections to, rather than a change to the host’s IP stack. This positioning is central to its design and functionality, and here’s why:

  • Encapsulation: The Tor client wraps each chunk of application data in successive layers of encryption, one per relay in the circuit, before anything leaves the host. This onion wrapping happens inside the Tor process, not in the operating system’s network layer.
  • Transport, not protocol translation: Tor carries TCP streams only. It accepts connections from applications through a local SOCKS proxy (port 9050 by default, 9150 for the Tor Browser bundle) and forwards the raw stream bytes through the circuit. It does not need to understand HTTP or any other application protocol, and it does not carry UDP or ICMP at all.
  • Interface with Applications: Because it presents a SOCKS interface, Tor integrates most cleanly with programs that can be pointed at a proxy, above all the Tor Browser. The flip side is that any application not configured for the proxy, or any DNS lookup done outside it, bypasses Tor entirely; such leaks are a classic way investigators get attributed.

It relies on a network of volunteer-run servers, known as nodes or relays. Your Tor client picks three of them to form a circuit, and the encrypted traffic passes through each in turn before reaching the destination.

  • Entry (Guard) Relay: Your connection starts here. It sees your real IP address but not where you are going.
  • Middle Relay: Acts as a bridge between the entry and exit relays. It sees neither your IP address nor the destination, only the relays on either side of it.
  • Exit Relay: Where your request enters the regular internet. It sees the destination, and the content of the stream unless the application encrypts it end to end (for example with TLS), but not your IP address.

The layered encryption ensures that no single relay knows both ends of the path, and that is what provides the anonymity.
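A toy onion router that makes the property just described testable, as an added example; it is not code from the article and not Tor’s protocol. The relay names, the three demo keys derived from fixed strings, and the HMAC-SHA256 counter keystream used as a stand-in for a real symmetric cipher are all assumptions for the demo (Tor negotiates per-hop keys with a handshake and uses AES). The simulation records what each relay can see and confirms that the middle relay learns neither the client nor the destination, and that a relay holding the wrong key cannot peel a layer.

```python
# Added example (not from the original article, not Tor's code): a toy onion
# router that makes the "no relay sees both ends" property testable offline.
# Assumptions, labelled as such: the relay names, the three demo keys, and the
# HMAC-SHA256 counter keystream standing in for a real symmetric cipher.
import hashlib
import hmac
import json
import os


def _xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with a keystream of HMAC-SHA256(key, nonce || counter) blocks.
    Toy stream cipher for illustration only; never use this for real traffic."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_layer(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)                      # fresh nonce per layer
    return nonce + _xor_keystream(key, nonce, plaintext)


def decrypt_layer(key: bytes, blob: bytes) -> bytes:
    return _xor_keystream(key, blob[:16], blob[16:])


def build_onion(circuit, destination: str, message: bytes) -> bytes:
    """circuit: [(relay_name, key_shared_with_that_relay), ...] entry -> exit.
    Wrap from the inside out: the exit's layer names the real destination,
    every outer layer names only the next relay."""
    layer = {"next": destination, "payload": message.hex()}
    onion = encrypt_layer(circuit[-1][1], json.dumps(layer).encode())
    for i in range(len(circuit) - 2, -1, -1):
        layer = {"next": circuit[i + 1][0], "payload": onion.hex()}
        onion = encrypt_layer(circuit[i][1], json.dumps(layer).encode())
    return onion


def relay_peel(key: bytes, onion: bytes):
    """What one relay does: strip exactly one layer. Returns (next_hop, inner).
    With the wrong key the layer decrypts to noise and parsing fails."""
    layer = json.loads(decrypt_layer(key, onion))
    return layer["next"], bytes.fromhex(layer["payload"])


def can_peel(key: bytes, onion: bytes) -> bool:
    """True if `key` strips the outer layer cleanly; a wrong key yields noise."""
    try:
        relay_peel(key, onion)
        return True
    except (ValueError, TypeError, KeyError):   # decode/JSON/shape failures
        return False


def simulate(circuit, client: str, destination: str, message: bytes):
    """Walk the onion hop by hop and record what each relay learns:
    only the hop it received the cell from and the hop it forwards to."""
    onion = build_onion(circuit, destination, message)
    views, previous = {}, client
    for name, key in circuit:
        next_hop, onion = relay_peel(key, onion)
        views[name] = {"from": previous, "to": next_hop}
        previous = name
    return views, onion             # after the exit peels, `onion` is the plaintext


# Demo keys derived from fixed strings (assumption; real keys come from the handshake).
CIRCUIT = [
    ("entry", hashlib.sha256(b"demo-entry-key").digest()),
    ("middle", hashlib.sha256(b"demo-middle-key").digest()),
    ("exit", hashlib.sha256(b"demo-exit-key").digest()),
]


def demo():
    return simulate(CIRCUIT, "client 203.0.113.7", "example.org:443", b"GET / HTTP/1.1")


if __name__ == "__main__":
    views, delivered = demo()
    for relay, seen in views.items():
        print(f"{relay:6s} sees from={seen['from']!r} to={seen['to']!r}")
    print("exit delivers:", delivered)
```

The thing to notice is the exit relay’s view: it holds the destination and the plaintext bytes. That is the point at which application-layer encryption (TLS) has to take over, because the onion layers end there.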

Strengths and Weaknesses
  • Strengths: Strong anonymity, widely used, community-supported.
  • Weaknesses: Potential performance issues, the possibility of malicious or compromised exit relays observing or tampering with traffic that is not encrypted end to end, and a TCP-only, application-layer focus (no UDP or ICMP).

Lokinet Protocol

Definition

Lokinet is a privacy-focused networking protocol developed by the Oxen project (formerly known as the Loki Project). Unlike Tor, Lokinet operates at Layer 3 (Network Layer) of the OSI model: it presents itself to the host as a virtual network interface rather than as a proxy.

Architecture and Operation

Lokinet combines onion routing with a blockchain-backed node registry to create a decentralized, anonymous networking protocol. Here’s how it differs from Tor:

  • Layer 3 Functionality: By operating at the Network Layer, Lokinet can encrypt and route not only web traffic but all types of IP traffic, including UDP and ICMP. It creates a private overlay network on top of the existing internet infrastructure, so applications need no proxy configuration to use it.
  • Decentralization: The list of service nodes lives on the Oxen blockchain rather than with a small set of directory authorities, so there is no central directory to block or compromise. Decentralization removes a single point of failure; it does not by itself make any individual node trustworthy.
  • Path Building: Lokinet builds multi-hop paths similar to Tor’s circuits, but rotates them more dynamically, which is intended to make traffic correlation harder.
  • Service Nodes: Lokinet routes traffic through service nodes that are incentivized with blockchain rewards. To participate, an operator must stake Oxen coins (OXEN, formerly LOKI), which raises the cost of flooding the network with malicious nodes.
Strengths and Weaknesses
  • Strengths: More versatile, able to handle various types of traffic, decentralized and incentivized nodes.
  • Weaknesses: Relatively new, lesser community support, potential complexity in setup and use.

Comparison

Here’s a tabular comparison summarizing the differences:

Aspect            | Tor                               | Lokinet
OSI Layer         | 7 (Application)                   | 3 (Network)
Traffic Type      | TCP streams (via SOCKS)           | All IP traffic (TCP, UDP, ICMP)
Decentralization  | Partial (directory authorities)   | Full (service-node list on the blockchain)
Node Incentive    | Volunteer                         | Incentivized (staked service nodes)
Community Support | Strong                            | Growing

Conclusion

While both Tor and Lokinet offer privacy and anonymity, their operational layers, architectures, and functionality differ substantially. Tor is a well-established system focusing on application-layer traffic, whereas Lokinet’s innovative approach at Layer 3 offers a broader range of encrypted communication.

Lokinet may offer a more versatile solution for various network applications, but it still has some way to go in terms of adoption and community support compared to Tor. The choice between these two depends largely on the specific requirements and preferences of the user or organization.


Using Sock Puppet Accounts for OSINT

‘A sock puppet or sockpuppet is an online identity used for purposes of deception. The term, a reference to the manipulation of a simple hand puppet made from a sock, originally referred to a false identity assumed by a member of an internet community who spoke to, or about, themselves while pretending to be another person.’ – Wikipedia

These fake social media accounts are used by both sides of the cyber game: hackers, scammers, bots, and other cyber criminals on the dark side, and journalists, penetration testers, and investigators on the other. Like any decent tool, it can be used for both good and evil. Why would YOU want to create an undercover account? When investigating, it is always a good idea to separate your real identity from the investigation from the very start. If you don’t, you increase the likelihood that the target will get suspicious. You also run the risk of being identified and doxed, harassed, and in the absolute worst-case scenario, targeted for lethal retaliation. Depending on who the suspect is, you always need to take the appropriate countermeasures to protect your organization/agency, yourself, and even your family. Another thing to take into consideration is that many social media sites have Terms of Service (TOS) that specifically prohibit fake or investigative accounts. Organizations like Facebook actively look for these types of accounts and ban them, even when they belong to law enforcement.

!!!DO NOT USE YOUR PERSONAL OR BUSINESS ACCOUNTS TO DO INVESTIGATIONS!!!

The Importance of Anonymity and Security

You should connect to a public WiFi access point and only use VPN or Tor as a last resort. The reasons are that VPNs and Tor are sometimes tracked, blocked, or marked as questionable by websites when creating an account. This means the likelihood you will be able to create the account without having a real phone number decreases drastically. Public WiFi tends to look a bit more “normal”.

More about Tor

I love Tor and always have. Tor is great at offering some of the best anonymity available, and the best part is that it’s free. The mechanics of onion routing are that you are essentially moving through several different proxy servers, and this minimizes trace evidence that can be used to tie the traffic back to its original source. You can easily set up a hidden service with a “.onion” address. This allows us to communicate securely with other investigators, informants, or even suspects. The downside of using Tor is that it is commonly used by criminals, and many of the websites we need to investigate may be blocking traffic from Tor or red-flagging it. So, even though it offers a lot of benefits, Tor is not always good for Surface Web investigations.

VPN Value?

There has been a ton of advertising for Virtual Private Network (VPN) services that claim they will protect your Internet traffic. This is only partly true and mostly false. A VPN is a point-to-point encrypted tunnel that allows one network to talk to another. Think of it this way: you are using a third-party VPN service, so your traffic is well protected between your system and the third-party network. The traffic then routes from that server out through their Internet connection. The other thousand people using the same service will also share that same gateway IP address. That sounds fine, right? Well, after your traffic leaves that service provider, it is back on the Internet for everyone else to see. This means it is naturally less anonymous than Tor. The providers may also be watching everything you do in the name of “Marketing”. Free VPNs and cheaper ones are the biggest risks. The services that claim they DO NOT STORE LOGS are also usually lying or not telling you the whole truth. Within networking, there will always be logs; they are required to troubleshoot when things fail. Logs will be there; it is just a matter of how long they are kept and how they are destroyed. Some websites are red-flagging the popular VPN services.

Creating a persona

Some people make these accounts from scratch. The more content and backstory you create in the beginning, the more direction you have to make the account look like a real person’s account. Use a password manager to keep track of everything you are creating for these accounts, including the user/pass info, and keep notes. KeePassXC is a great free, cross-platform solution that will allow you to share your password management database among multiple computers and different operating systems.

Character/Persona generators

Creating an account can take some time, effort, and creativity, and you may be short on any of those for whatever reason. Anyone who has played role-playing games like D&D, WARHAMMER, or other games where you need to generate a character to play has a step up because they have done this before. There are a few resources you can leverage to help speed up the process and spit out a “character” with a lot of random attributes and content. Below is a list of resources you can use when generating your Sock Puppet persona. Just remember that all information generated is fake. You can change the data to fit your narrative:

  • Fake Identity Generator (fakepersongenerator.com)
  • Random Name Generator (www.elfqrin.com/fakeid.php)
  • Random Character Generator (random-character.com)
  • Personality Generator (rangen.co.uk)
  • Trait Generator (rangen.co.uk)

Image generators

Generating images that have consistency to them can be a challenge. You want to create a realistic person with history and consistency. It is important to NEVER use pictures of friends or family. This can put the investigation at risk and possibly them at risk as well.

  • This Person Does Not Exist (thispersondoesnotexist.com) – GitHub project available
  • AI-Generated Faces (boredhumans.com)
  • Gallery of AI-Generated Faces (generated.photos)

Emails

Creating an email is the base for setting up your undercover investigation account. This will be used for setting up social media accounts and communications with suspects. Any email service will work. Here are a few:

  • GMX.com
  • Mail.com
  • Protonmail.com
  • Yandex.Mail

Burner Phones

A burner phone is extremely useful and may be required to create accounts on certain websites along with creating a history for the persona. The reason is the sites are trying to prevent fake accounts from being created and will send an SMS validation message to a phone. Bots rarely have their own phone numbers. In some countries, you do not need to tie your ID or Passport to buy a SIM card or burner phone. If you are in one of these countries, it is suggested to use cash only and let the phone sit for 2+ months before you activate it with a sock puppet email. Sometimes SIM cards can also be purchased on Amazon.com. Keep an eye out for deals and trial offers. Phone emulators can also work.

VoIP Phone

Generate a Voice over IP (VoIP) account with an online vendor. This will be useful to add another layer of separation. Many online services like Google Voice require you to have a real phone number to tie to your account. This makes your burner phone that much more important.

Pre-Paid Credit Cards and Gift Cards

In some cases, you may need to use a credit/debit card for purchases, account setups, and account verifications. If you are in a country or area that allows you to purchase these types of cards (VISA/Mastercard), use good OPSEC to minimize links back. You can also use a privacy.com masked credit card.

Cryptocurrencies

If your investigation requires cryptocurrencies for transactions, you can use prepaid cards on most of the crypto services. Exodus.com is a wallet that allows you to trade many different currencies and their Desktop software is cross-platform compatible. An example of needing cryptocurrencies during an investigation may include fraud cases on sites like Facebook Marketplace, Instagram’s Shop Now, Craigslist, etc. You may also find them useful when purchasing content and buying services.

Social Media Accounts

When creating a social media account, you want to look as ‘normal’ as possible on the website, because many of them are trying to stop people from creating fake accounts. Make sure you are not breaking the law or violating terms of service when doing this. Here are the things to look at when creating your OSINT undercover accounts:

  1. Use public Wi-Fi and do NOT use a VPN
  2. Pick a social media site to focus on
  3. Use your persona’s “real” phone number for verification
  4. Save the information in a password manager like KeePassXC
  5. Keep Operational Security (OPSEC) in mind:
    – Use a very strong password for the password manager access
    – Use a different password for each account
    – Never cross over accounts with your real-world or personal accounts
  6. Go into the settings of the account you just created and change the phone number to a VoIP number
  7. When you are done, log out of the account
  8. Log back in and start adding information to your account relevant to the profiles
  9. Go back to step 2 for the rest of the sites you want to try

Note: You may burn UC personas when creating accounts. Just be patient and persistent. This process takes time and effort.

Aging the Account

Like a fine wine or good whiskey, the account needs to be “aged”. This means creating content and history. This will minimize the likelihood of the account getting flagged as a fake by the service provider and deleted. Become the persona. Go to the same public WiFi you created the account with to log in and generate activity. Like posts, make comments, share things, and grow your connections. Log out when you are done. This is very important and ties into OPSEC. Not logging out can leak other networks and information out for Big Data if you are not careful. The goal is that you are training the site that you are a real person by doing real-person things. Try to add content and history following the personality of the fake character. This includes finding banners with image searches. Think of banners for your social media pages, memes, and pictures from the location your persona is from. Build your account pages how you believe your sock puppet would have. Add enough information to make it look real. Over time, keep logging into the account and add content to build history and the trustworthiness that the account is a “real” person.

Learn from your Investigations

‘Operations security (OPSEC) is a process that identifies critical information to determine if friendly actions can be observed by enemy intelligence, determines if information obtained by adversaries could be interpreted to be useful to them, and then executes selected measures that eliminate or reduce adversary exploitation of friendly critical information.’ – Wikipedia

Things always change, and you must keep improving to keep up. Make a habit of using good OPSEC. There is a saying among investigators: the suspect needs to be lucky every single time, but you only need to be lucky once. The other side can use the same Tactics, Techniques, and Procedures (TTPs) as you do, and that flips the table on you. Now, you need to be lucky every single time and they only need to be lucky once.

Resources

  • Creating Research Accounts for OSINT Investigations – We are OSINTCurio.us
  • Dark Side 116: Sock Puppets. What if I told you not all fake social media accounts are used maliciously?
  • DeBot: Twitter Bot Detection via Warped Correlation
  • How to Make Sock Puppet Accounts for OSINT in 2021 | Hacker Noon
  • The Art of The Sock (secjuice.com)
  • The Ultimate Sock Puppets Tutorial for OSINT Operators – Ehacking
  • Identifying Sock puppet Accounts on social media