29.05.2020

Maltego Part 7:

On a black-black night, on a dire DARK NET, one shady account ...
Dark Net. Oh, how much there is to say. Pathos, horror, and misunderstanding all at once, especially from the media and others who are not very familiar with it. In fact, the Dark Net is the same Internet, but it exists in its original, pristine state, with no corporate or government regulation.
And today we'll talk about how to perform OSINT data search using this very part of the World Wide Web.
Disclaimer

For the correct demonstration of the methods, I will use working examples already known to me for finding information. They are not fully real, but still extremely representative. All information given in this article is for information purposes only.
Well, let's be honest: OSINT on the Dark Net forums is not the same as searching for your former classmates on VK, and it is not something you will do in standard OSINT cases anyway.

In this article, I will try to describe methods from my personal experience where I turned to the Dark Net to do my search.
Employee Reliability Check
Sometimes an employer, especially a large one, has reasonable questions: «Do my employees trade insider information?» or «Is our new candidate for the position of X entirely in the clear?» This is where a check of both the employee's biography and their behavior in social networks comes in. But sometimes, to answer the questions above, you need to dig even deeper. And here Maltego can come to our aid.
We will check a certain individual Tina Thomson (Tina Tomson) from Berlin for illegal dealings. First, we take the known information about the employee and fill it into the form. We know the location (Berlin), Name and Surname (Tina Thomson) and her e-mail address (tin.ka0186@gmail.com).
Using 'Entity: Search Person', we launch 'Transform: [Facebook] Search Users' and get Tina's Facebook account.
For 'Entity: Email Address', we'll run 'Transform: [Facebook] Lookup By Email'. Maltego faithfully finds the same account, which confirms that this is the right person.
We move on and query all the data from her Facebook page into one graph by running 'Transform: [Facebook] Get User Details'. We get additional information about her place of work, study, or residence (if this information is given on the Facebook profile). The bonus is her Instagram account.
Now I am going to show you a trick that I have already demonstrated in article #3 about Facebook. We will need to process both accounts by running 'Transform: [Convert] To Entities From Profile' and get the assumed Aliases of a person (or, in simple terms, assumed nicknames).
Now we have the first 2 starting points with which we can search in forums on the Dark Net – these are users with the nickname tina.tomson.927 and tinka87.
Run 'Transform: [Darknet] Search User' for both Aliases and see the result.
Here's the user. On a certain Skynet Forum there is a user with the nickname tinkati87 at the following address: 5jloxxxxxxwk3.onion (changed, because it is a bad idea to throw around links to the Dark Net forums). This is already suspicious!
Let's check what this user is writing. To do this, run 'Transform: [Darknet] User Posts'.
Here's the proof. A user under the nickname tinkati87 on the Skynet Forum sells answers to exam tests at the University of Berlin. And as we have already established earlier, this is where she works. And she is registered on Instagram under the same nickname.
Also, if necessary, we can download the forum topic to the graph and retrieve the accounts of those other users who participate in the discussion, so that in the future we can try to identify students who may have bought the answers to the test from her.
Another interesting feature is the ability to download the entire forum web page directly from Maltego.
And please note, we were able to do the entire investigation without visiting this forum or *.onion sites even once.
PGP key that worked
There is one common practice on the Dark Net, which is to use PGP keys to encrypt emails. However, these keys can play a dirty trick on the owner if they fall into the wrong hands.
You ask how? Very simple! The PGP key often contains information about the email address that it is attributed to. Can you see where I am leading you in relation to the Dark Net?
For this case in particular, I generated such a key. Upload it to 'Entity: PGP Open Key' and do the magic with 'Transform: [Convert] PGP To Email'.
Voila! We have an email address.
What should we do next? Let's look for the same account on Facebook.
Run 'Transform: [Facebook] Lookup By Email'.
And, as a result, we get a Facebook account.
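The email address comes out of the key because an OpenPGP public key carries its User ID as a plain-text packet (tag 13). The sketch below is an added example, not Maltego's or Social Links' transform code: it lists the identities an armored public key discloses, so a key can be audited before it is published. The function names and the sample key are constructed for illustration, and the armor checksum is not verified.

```python
import base64
import re

def dearmor(armored: str) -> bytes:
    """Strip ASCII armor and return the raw OpenPGP packet bytes."""
    lines = [ln.strip() for ln in armored.strip().splitlines()]
    body = lines[lines.index("") + 1:-1]   # after the blank header line, before END
    return base64.b64decode("".join(ln for ln in body if not ln.startswith("=")))

def packets(data: bytes):
    """Yield (tag, body) per packet, handling old- and new-format headers."""
    i = 0
    while i < len(data):
        hdr = data[i]; i += 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                      # new format: tag in the low 6 bits
            tag, first = hdr & 0x3F, data[i]; i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192; i += 1
            elif first == 255:
                length = int.from_bytes(data[i:i + 4], "big"); i += 4
            else:
                raise ValueError("partial body lengths are not handled here")
        else:                               # old format: tag in bits 5-2
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length is not handled here")
            length = int.from_bytes(data[i:i + (1 << ltype)], "big"); i += 1 << ltype
        yield tag, data[i:i + length]
        i += length

def exposed_identities(armored: str):
    """Yield (user_id, email or None) for every User ID packet (tag 13)."""
    for tag, body in packets(dearmor(armored)):
        if tag == 13:
            uid = body.decode("utf-8", "replace")
            m = re.search(r"<([^<>\s]+@[^<>\s]+)>", uid)
            yield uid, (m.group(1) if m else None)

# Constructed sample, not a usable key: dummy 4-byte tag-6 body plus one User ID packet.
_UID = b"Constructed User <user@example.com>"
_RAW = b"\x99\x00\x04\x04\x00\x00\x00" + bytes([0xCD, len(_UID)]) + _UID
SAMPLE_KEY = ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n" + base64.b64encode(_RAW).decode()
              + "\n=AAAA\n-----END PGP PUBLIC KEY BLOCK-----\n")  # "=AAAA": placeholder checksum
print(list(exposed_identities(SAMPLE_KEY)))
```

A key generated with a User ID that has no real mailbox in it returns `None` for the email, which is the outcome to aim for when the key must not link back to a personal account.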
Searching for information on the Dark Net forums by keywords and phrases
Now let's get down to something more interesting – searching for information by given keywords. It's like Google. Take 'Entity: Phrase' and set the required word/sentence there. Apply 'Transform: [Darknet] Search Posts' and get a variety of posts on various forums that contain this phrase.
In addition to forum searches, you can also do product search on relevant sites.
The same Entity will help us here, but now we will run 'Transform: [Darknet] Search Products'. In the search results, we will get links to the "items".
You can also search for products using 'Entity: Location'. Here we can use Transforms to search for delivery to the location or from it: '[Darknet] Search Products (shipping from)' and '[Darknet] Search Products (shipping to)'.
As always with the Dark Net – there are goods for all tastes. From firearms to cash.
That's all for today. Don't forget – the Dark Net can be a great source of information, as much as Google in fact. The main thing is to know how to do the search.
Don't miss the following articles! If you have questions, do not hesitate to ask in comments to the articles. I'll try to answer and help.