Disinformation and propaganda has been one of the key features of the war between Russia and Ukraine. One of the many groups that have sprung up to push pro-Russian propaganda narratives is a small hacktivist organisation called Beregini. This article by Givi Gigitashvili provides a useful introductory insight into the methods of Beregini by analysing the content of some of their recent leaks. For this post I thought it would be interesting to see what insights might be gained from digging into the web infrastructure of the Beregini group website. It’ll also be a good opportunity to run throu ..read more

This week’s huge protests in Israel drew huge crowds to the streets – but how many people took part? Crowd sizes are often used as evidence to show how widely supported a particular cause is, so being able to determine how many people took part in a demonstration is an important skill for those working in verification. Fortunately counting crowds in public spaces has been made easier than ever before by the creators of MapChecking. It is powered by Google Maps and allows researchers to plot a geographic area and then calculate the number of people that could fit in that space. There are three ..read more

In last week’s Wednesday Quiz Tilman Wagner posted this photo and asked us several questions about it: 1) Who posted it and where? 2) What was the occasion? 3) Did Tilman participate, and if so, how? So where to start? We need to know the location before we can answer any of Tilman’s questions. There are a few clues in the image that might make a good starting point: the language on the screen is is in British English (organisation spelled with an ‘s’) and it suggests a networking event or meeting of some kind. There’s a WiFi sign but unfortunately the network name is too small to read, or e ..read more

Wondering how to start out in OSINT? In this video Micah Hoffman, Technisette and I joined David Bombal to discuss some basic OSINT techniques and share examples and stories of our OSINT experiences ..read more

Twitter would not be Twitter without a daily dose of QAnon drama. Recently there were claims that since Q-drop archive site qmap.pub now shares the same IP as 8Kun proved that 8Kun owner Jim Watkins is Q. I’m not sure that a reverse IP lookup by itself can really stretch that far, but it does raise some interesting questions. Firstly there’s a technical question – what is reverse DNS and why does it mean if two or more domains share the same IP? Secondly there’s a methodological question – what do you do with information that is ambiguous or unclear? 8Kun’s New IP Address After losing the pro ..read more

The term “OSINT” sometimes gets thrown around a little too loosely. The “open source” part of OSINT is straightfoward enough: there’s a world of information out there and with enough digging and practice you can find almost anything you could ever think of – but by itself this is not OSINT. The “intelligence” part of OSINT is often neglected, sometimes with quite serious consequences. Getting your hands on the data you want is usually easy enough, but this raw information has to be analysed and turned into a coherent narrative, a process that is often fraught with difficulty and uncertainty. A ..read more

This article was written jointly with Matthias Wilson (@MWOSINT). It is also published on his own site here. IP addresses feature prominently in digital investigations, but how useful are they for geolocation? The truth is that while IP addresses have many investigative uses, they can be quite unreliable as a precise geolocation method. The limitations of IP addresses as geolocation tools are grounded in the technology itself. The current IPv4 protocol allows for the existence of just under 4.3 billion separate IP addresses. This was not an issue when the technology was designed in the early 1 ..read more