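Watching How Trackers Think: A Basic Tutorial on Mining Twitter Intelligence (2)

  • As we stressed in Perfect Stealth: you need to understand the tracker's way of thinking as fully as possible, so that you can act first and mount the most effective defense.

Part one of this topic is here: "How to Mine Intelligence from Twitter (1): A Detailed Introduction to a Popular Tool".

Open-source intelligence researchers, social engineers, investigative journalists and hackers all like to run reconnaissance on social media, because social media intelligence can be extremely efficient.

Social media intelligence is entirely unavoidable. For that very reason, citizens should be encouraged to master the ability to mine information: to democratize it and apply it to just causes.

Sites like Twitter offer a huge searchable database that millions of users update in real time, a natural gold mine of intelligence; but sifting through it manually can be very time-consuming.

Fortunately, tools like Twint can crawl many years of historical Twitter data, and a single terminal command is enough to mine almost any information.

Although Twitter was long disparaged by the open-source intelligence community for being hard to search and parse, there are still many ways around the bottleneck of searching and making sense of large volumes of Twitter data.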

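Twitter as an open-source intelligence database

The key to making a good plan is a good researcher. If you cannot understand the situation, it is hard or even impossible to design a resource-efficient plan.

A good researcher can take a few basic steps to bring together the pieces needed to form a plan.

First, the researcher poses a question that data can answer or prove, and from that determines the best sources of information to search for the answer.

Next, the data is analyzed for hidden clues or patterns, and more data is brought in where necessary to get a full picture of the target.

Finally, with an understanding of the facts of the situation, the data can be turned into actionable intelligence that supports decisions and plans of action.

That is the pattern: the process of defining the question, making a collection plan, collecting data and analyzing the results, which is also a process of continually refining leads until they are easy to understand.

Twitter complements investigative work by providing a large amount of structured data to search, and that data can be sliced with incredible precision.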

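What kinds of data you will find on Twitter

For red teams that use open-source intelligence capabilities to decide on a plan of action, social media sites such as Twitter can provide information that is not available anywhere else.

You can expect to find the following kinds of information on Twitter (and of course not only on Twitter: every social media platform has large numbers of people who pay no attention to privacy and keep posting sensitive information):

  • Photos containing key information such as badges, electronic devices and access control systems;
  • Posted phone numbers and personal details;
  • Photos and videos of the interiors of office spaces and private homes;
  • Photos and videos from other people at the same event, with different viewpoints, connected through hashtags (helping you add observations from other angles);
  • Primary-source statements on any subject that may currently be under investigation;
  • Where the investigation target spends their leisure time (profiling);
  • Photos of a company or office that reveal the identities of other employees;
  • Records of travel and upcoming personal events;
  • ... and so on

Imagine being able to watch a video that shows you the inside of a building you cannot physically enter, the hardware configuration of a system you cannot touch, or personal interests usable for any potential social engineering purpose. What a generous gift that is.

By revealing the weak links within a security system, these details greatly change how a red team engagement unfolds.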

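Slicing data with Twint

Although the data contained in Twitter is valuable, finding and processing it is also time-consuming.

When a tweet was posted usually plays a crucial role in whether it is useful, as do its location, its subject and many other variables.

To help researchers quickly sort through these options, Twint comes with search filters that you can combine in useful ways to surface precise information.

Want to know every tweet a user has tagged near a target city since last year? Or perhaps all liked tweets that mention a particular subject? ... With the right combination of search flags, you can even search for information on everyone who interacts with a target account.

Although many search tools need to make requests through Twitter's API using your Twitter account, Twint does not. As a result you can get around the API's limits and, by querying through a proxy or in other anonymous ways, keep a safe distance between yourself and the target you are researching.

Twint can quickly generate text and CSV files to archive tweets of interest, which makes it a good Twitter tool for forensic or investigative work.

For advanced users, Twint is a Python library, so scripts can be written to perform more customized or complex operations.

The ability to write and extend Twitter search scripts with Twint makes it a simple yet powerful way to extract data from social media.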

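Step 1: Install Twint

To start using Twint, we will download the developer version.

I tried several different installation methods from the GitHub page, but found that only one worked on the Linux system I use. You will need the pip package manager, which should be installed along with Python3.

Open a terminal window and type the following to download and install the developer version.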

pip3 install --upgrade -e git+https://github.com/twintproject/twint.git@origin/master#egg=twint

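This installs everything you need. If you run into problems with the pip installation, you can also try using Git. To install with Git, open a terminal window and type the following commands.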

git clone https://github.com/twintproject/twint.git
cd twint
pip3 install -r requirements.txt

Step 2: View Twint's options

Once installation is complete, you can run twint -h in a terminal window to start Twint and view the list of available search filters.

sudo twint -h
usage: python3 twint [options]

TWINT - An Advanced Twitter Scraping Tool.

optional arguments:
  -h, --help            show this help message and exit
  -u USERNAME, --username USERNAME
                        User's Tweets you want to scrape.
  -s SEARCH, --search SEARCH
                        Search for Tweets containing this word or phrase.
  -g GEO, --geo GEO     Search for geocoded Tweets.
  --near NEAR           Near a specified city.
  --location            Show user's location (Experimental).
  -l LANG, --lang LANG  Search for Tweets in a specific language.
  -o OUTPUT, --output OUTPUT
                        Save output to a file.
  -es ELASTICSEARCH, --elasticsearch ELASTICSEARCH
                        Index to Elasticsearch.
  -t TIMEDELTA, --timedelta TIMEDELTA
                        Time interval for every request.
  --year YEAR           Filter Tweets before specified year.
  --since SINCE         Filter Tweets sent since date (Example: 2017-12-27).
  --until UNTIL         Filter Tweets sent until date (Example: 2017-12-27).
  --email               Filter Tweets that might have email addresses
  --phone               Filter Tweets that might have phone numbers
  --verified            Display Tweets only from verified users (Use with -s).
  --csv                 Write as .csv file.
  --json                Write as .json file
  --hashtags            Output hashtags in seperate column.
  --userid USERID       Twitter user id.
  --limit LIMIT         Number of Tweets to pull (Increments of 20).
  --count               Display number of Tweets scraped at the end of
                        session.
  --stats               Show number of replies, retweets, and likes.
  -db DATABASE, --database DATABASE
                        Store Tweets in a sqlite3 database.
  --to TO               Search Tweets to a user.
  --all ALL             Search all Tweets associated with a user.
  --followers           Scrape a person's followers.
  --following           Scrape a person's follows
  --favorites           Scrape Tweets a user has liked.
  --proxy-type PROXY_TYPE
                        Socks5, HTTP, etc.
  --proxy-host PROXY_HOST
                        Proxy hostname or IP.
  --proxy-port PROXY_PORT
                        The port of the proxy server.
  --essid [ESSID]       Elasticsearch Session ID, use this to differentiate
                        scraping sessions.
  --userlist USERLIST   Userlist from list or file.
  --retweets            Include user's Retweets (Warning: limited).
  --format FORMAT       Custom output format (See wiki for details).
  --user-full           Collect all user information (Use with followers or
                        following only).
  --profile-full        Slow, but effective method of collecting a user's
                        Tweets and RT.
  --store-pandas STORE_PANDAS
                        Save Tweets in a DataFrame (Pandas) file.
  --pandas-type [PANDAS_TYPE]
                        Specify HDF5 or Pickle (HDF5 as default)
  --search_name SEARCH_NAME
                        Name for identify the search like -3dprinter stuff-
                        only for mysql
  -it [INDEX_TWEETS], --index-tweets [INDEX_TWEETS]
                        Custom Elasticsearch Index name for Tweets.
  -if [INDEX_FOLLOW], --index-follow [INDEX_FOLLOW]
                        Custom Elasticsearch Index name for Follows.
  -iu [INDEX_USERS], --index-users [INDEX_USERS]
                        Custom Elasticsearch Index name for Users.
  --debug               Store information in debug logs
  --resume RESUME       Resume from Tweet ID.
  --videos              Display only Tweets with videos.
  --images              Display only Tweets with images.
  --media               Display Tweets with only images or videos.
  --replies             Display replies to a subject.
  -pc PANDAS_CLEAN, --pandas-clean PANDAS_CLEAN
                        Automatically clean Pandas dataframe at every scrape.
  --get-replies         All replies to the tweet.

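Step 3: Fetch the target user's latest tweets

Now that you have seen the ways the data can be sliced, the investigation can begin. Suppose we want to track a target or start investigating a Twitter user.

This guide plays the part of a newly hired Internal Revenue Service (IRS) agent in charge of a first audit. A file has come in on someone accused of tax evasion, and the task of this investigation is to work out how best to approach the target.

The name on the file for the first audit is John McAfee. A quick search shows that he is a Twitter user with the ID "officialmcafee".

First, use -u to point at the target username and --since with the current date to get information about the latest tweets.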

sudo twint -u officialmcafee --since 2019-2-17
1096956729768767488 2019-02-16 18:17:19 PST <officialmcafee> Oh yeah!!
1096947035360636928 2019-02-16 17:38:48 PST <officialmcafee> Yes. Every last one. Every last one.
1096946784113516544 2019-02-16 17:37:48 PST <officialmcafee> I was so stoned in that photo. I remember tweeting that out . Can't recall why.

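Step 4: Find historical evidence

John McAfee has said in tweets that he is fleeing the United States; this is recent news, and he fears the IRS plans to prosecute him. Earlier he also tweeted that he had not filed a tax return for a long time.

Use -s to look for evidence, finding all tweets about tax returns posted within this year.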

sudo twint -u officialmcafee -s "tax return" --since 2019-1-01
1080953136985133062 2019-01-03 14:24:45 PST <officialmcafee>
I have not filed a tax return for 8 years. Why? 1: taxation is illegal. 2: I paid tens of millions already and received Jack Shit in services. 3. I'm done making money. I live off of cash from McAfee Inc. My net income is negative. But i am a prime target for the IRS. Here I am.

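Good: our target admits to not filing tax returns for eight years. If you were investigating this case, you would need to collect some further evidence.

Has the target made other statements about tax evasion? Collect them in a text file for later review.

To do that, we will use -o to output to a text file and search more generally for tweets about "taxes".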

sudo twint -u officialmcafee -s "taxes" --since 2009-01-01 -o mcafeetax
1097243822143213568 2019-02-17 13:18:07 PST <officialmcafee> Yes. Income taxes are illegal.
1096836632672653312 2019-02-16 10:20:06 PST <officialmcafee> I had cataract surgery 6 months ago and bright light still hurts my eyes. I will not take them off for you my friend. And taxes are unconstitutional. I will not pay. Why the fuck do you? Where are your fucking balls?
1092592264164134913 2019-02-04 17:14:29 PST <officialmcafee> Good God woman!! We're running from the fucking tax man. Why don't we just rename our private sessions. I've always favored "Bring that God-like scepter here babe".
1091156545398804481 2019-01-31 18:09:27 PST <officialmcafee> It's all I could afford. The IRS taxed the remaining pixels.
1090719204687429634 2019-01-30 13:11:37 PST <officialmcafee> Lmfao  Deal.  But my $15 mil is locked up in a swiss account due to a Swiss tax assessment. If you give me the 2 mil to unlock it, I will send you the 15. Really. You can trust me.
1088992872890802178 2019-01-25 18:51:48 PST <officialmcafee> The IRS survived withoit income tax for over a hundred years. Furst showed up during the civil War
1088462380051369985 2019-01-24 07:43:48 PST <officialmcafee> tltorally wrong. . Get real. It isn't a crime not to file taxes.  Grand Juries aren't convened for failure to pay taxes. And if you believe taxes are good, you have purchased our government's propaganda. You are way worse off than me. We had no taxes before the Cuvil War.
1082710638365835264 2019-01-08 10:48:26 PST <officialmcafee> Good God!!!! Educate yourself! Thr U.S. had no income tax at all, with the exception of the Civil War, until 1913. We fucking did fine. This is what Im talking about. People are buying Government propaganda and eating it up. We font need income taxes.
1082709806031368192 2019-01-08 10:45:08 PST <officialmcafee> I have paid tens of millions in taxes in the past. Dont dare talk to me abour "orher tax payers".
1081582572461834240 2019-01-05 08:05:54 PST <officialmcafee> Income taxes are unconstitutional. That's my beef. You may not mind being controlled by a corrupt givernment but i do
1081309939841286144 2019-01-04 14:02:34 PST <officialmcafee> We declared our independence from Britain and fought a bloody war to escape burdensome taxes, yet here we are, less than 250 years later, being burdened by income taxes that are more crushing than anythung rhe British dreamed of.  Free yourselves people!   https://www.ccn.com/crypto-shill-john-mcafee-i-havent-filed-a-tax-return-in-8-years/ …
1081122728005066752 2019-01-04 01:38:39 PST <officialmcafee> Fox News reported that i don't pay taxes. The IRS is angry (and corrupt). They will strike using law, twisted by 'their' facts, as a club. My offense is small and won't do. inferences of conspiracy or foreign collusion, or something, will come. I promise.   https://www.foxnews.com/us/john-mcafee-trashes-irs-in-series-of-tweets …
1081019828658495488 2019-01-03 18:49:46 PST <officialmcafee> We had no income tax in the U.S. prior to the Civil War. There are uncountable alternativrs. Look it up and educate yourself.
1081017561695903744 2019-01-03 18:40:45 PST <officialmcafee> No sir. We had no income taxes prior to the Civil War and yet we were a world powet. There are thousands of ways to fund a givernment besides income taxes. Pay for service is one way: pay for road use by mileage, pay to access National parks, etc.,
1080988662077247488 2019-01-03 16:45:55 PST <officialmcafee> My Crypto goals drive the IRS mad. Privacy coins will obsolete income taxes. Can't tax money you cant see, and I promote this as a good thing. The SEC is legally failing in their power grab so It's up to the IRS now to silence me. I've called them out. They will come. You'll see.
1080953136985133062 2019-01-03 14:24:45 PST <officialmcafee> I have not filed a tax return for 8 years. Why? 1: taxation is illegal. 2: I paid tens of millions already and received Jack Shit in services. 3. I'm done making money. I live off of cash from McAfee Inc. My net income is negative. But i am a prime target for the IRS. Here I am.
1080854344331939840 2019-01-03 07:52:11 PST <officialmcafee> I'm done trashing the SEC. Let's move on  to the IRS - the agency that takes from you an average of three months of your labor each year. First - taxation is theft. It is unconstitutional. Prior to the civil war there was no income tax, yet we managed. Stay tuned for the truth.
1071899943680512001 2018-12-09 14:50:36 PST <officialmcafee> And that does'n happen to me constantly??? But ask-- who do the Feds work for? Me, as much as anybody since I've paid the Feds, through taxes, hundreds of millions of dollars for services I have never received. Every Fed burstung through the door will get a "Past Due" notice
1033463922735624193 2018-08-25 14:19:34 PST <officialmcafee> I have made enough in my lifetime to have paid over a quarter of a billion dollars in taxes. I do not have to account for my money anymore. Some of the dollars I spend, are from the millions I made in 1987, never mind the hundreds of millions over the subsequent 10 years.
997495042347622400 2018-05-18 08:12:05 PST <officialmcafee> The SEC created a fake ICO called the Howeycoin, where the "Buy" button takes you to a page which discourages the purchase of cryptocurrencies. This is where your tax dollars are going - into deception, subterfuge and a desperate attempt to save the SEC.   https://www.howeycoins.com/index.html#team 
951689398135001089 2018-01-11 21:36:48 PST <officialmcafee> Tax writeoffs.
947326031890911233 2017-12-30 20:38:21 PST <officialmcafee> When I follow someone, God gives them a new Bentley Azure. Tax free.
947325176701706241 2017-12-30 20:34:57 PST <officialmcafee> When I follow someone God himself comes down and gives them a Bentley Azure. Tax free. It used to be Ford Focus. Don't know why the upgrade.
947007111011151872 2017-12-29 23:31:04 PST <officialmcafee> As I said earlier ..... When I follow someone God himself comes down and gives them a new Bentley Azure  ..... Tax free.
947005611253919744 2017-12-29 23:25:06 PST <officialmcafee> I did. But I don't believe your name is Tom. You realize, of course, that when I follow people, God himself comes down and blesses them - giving each of them a Bentley Azure - tax free.
939924816664121345 2017-12-10 10:28:33 PST <officialmcafee> Good  God! Do I have to spell it out? Well ... No taxes, no regulatory problems, no traceable income, no tax accountant costs, etc,etc,etc
644436140183973888 2015-09-17 02:02:03 PST <officialmcafee> My policies now posted  https://mcafee16.com/issues/  #ForeignPolicy #drugs #immigrants #tax #educate #economy #cyber +more pic.twitter.com/ugCnhKEBsL

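Wow, it looks like he really hates taxes. There is now a file named "mcafeetax" that contains all the tax-related tweets just scraped.

A law enforcement agency might wonder whether it can go and talk to the target; what if the target is heavily armed? Perhaps Twitter can answer that question!

Step 5: Export evidence and metadata

Let's see whether any tweets about guns (being armed) from the past year can be found. In fact, trying to find images where the target mentions "gun" somewhere in the post works too.

To do this, add --media to indicate that you only want to see posts containing media such as photos or videos.

Next, save the evidence found to a CSV file named "mcafeeguns".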

sudo twint -u officialmcafee -s "gun" --since 2018-01-01 --media -o mcafeeguns --csv
1071009885645627392 2018-12-07 03:53:49 PST <officialmcafee> U jumped the gun when I divulged the Skycoin video that someone shot during the week of revelry at my place. Seems there is a remix now. Great improvements plus without the shot of Hayden with his dick hanging out.   (link:  https://youtu.be/R5q7_UWKcDg ) http://youtu.be/R5q7_UWKcDg 
1022223220861272067 2018-07-25 13:53:02 PST <officialmcafee> ANTI-GUN FOLK: READ NO FURTHER. Now -- guns don't kill people. Bullets kill people. And if you want to kill people with a handgun, no bullet beats the FN-57. High velocity, flat trajectory, tumbles on impact, making massive exit wounds. I urge all all if my security to use it.  pic.twitter.com/P5hu2Hfur6
1007413614205120512 2018-06-14 17:04:57 PST <officialmcafee> This look like a water gun?  pic.twitter.com/VKoh01GuCg
1000389938200895489 2018-05-26 07:55:22 PST <officialmcafee> About my guns  pic.twitter.com/MIwq5K6amN
999482149190492160 2018-05-23 19:48:08 PST <officialmcafee> Bull shit. When am I not holding guns or surrounded by guards  pic.twitter.com/fawZh7gBRv
999480884003786752 2018-05-23 19:43:06 PST <officialmcafee> When am I not in a photo with guns and guards?  pic.twitter.com/iNC343Yq5I
971322857363005440 2018-03-07 01:53:10 PST <officialmcafee> You ask -- Why do I have guns?  Dateline: Amy confesses to trying to kill me:  http://www.nbcnews.com/video/dateline/50515302 …  Newsweek: Wife confesses to cooperating with Cartel:  http://www.newsweek.com/topic/john-mcafee …  USA Today: War with Cartel:  https://www.google.com/amp/s/amp.usatoday.com/amp/21712017 …  Google: Tons of stories.  Any questions? pic.twitter.com/ODSm4wHz1K
965249086562734080 2018-02-18 07:38:10 PST <officialmcafee> People asked why I have guns in the corner of my previous post. Anyone want to explain why we have the right to bear arms in America?  pic.twitter.com/NtT2Fg9qnq

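In the generated CSV file you also have access to a lot of metadata about each post.

You can see that each image found has been extracted. Click one and you can see at once that yes, the target is indeed well equipped ...

There are many images of guns, but one of them may need particular attention during the investigation.

In another photo tagged "gun" posted within this year, the target has posed a 5.7×28mm round in front of an FN57 pistol.

This particular pistol is an unusual model with a very high velocity that can penetrate body armor.

Such guns are usually hard to find because their import is banned.

Look closely at the photo: the tip of that round is black, which indicates that it is armor-piercing.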

Image by officialmcafee/Twitter

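The SS190 round is armor-piercing, which means that any law enforcement officer trying to approach the target should not rely on soft body armor for safety.

With a single Twint search, not only was the suspect's armed status established, but also the special type of ammunition available to him.

Step 6: Collect real-time data

Twint's strength is extracting information. By combining geolocation and subject flags, you can specify that you only want to see posts about certain subjects in this area.

Suppose you hear about a police raid in the street and want more information. You can search posts tagged near Los Angeles, for example with keywords such as "arrested" or "LAPD", to locate images related to the event in progress.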

sudo twint --verified -s "arrested" --near 'Los Angeles' --since 2019-02-17 --images
1097368136293208064 2019-02-17 21:32:06 PST <KTLAMorningNews> Suspected DUI Driver Arrested in Deadly Hit-and-Run Crash in South-Central L.A. Caught on Video  http://bit.ly/2SJbRGO  pic.twitter.com/T2EYC0OtRB
1097353829375463425 2019-02-17 20:35:15 PST <KTLA> Yucaipa Father Arrested in Death of 6-Month-Old Baby Girl  http://bit.ly/2SF1Ydx  pic.twitter.com/O8Sd0k9wLt

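To search for video evidence, modify the command to search for video content. Here, searching for mentions of "LAPD" produces a video showing the end of a recent fatal police pursuit.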

sudo twint --verified -s "LAPD" --near 'Los Angeles' --since 2019-02-17 --videos
1097300577447378944 2019-02-17 17:03:39 PST <KevinTakumi> Fatal #crash #Chatsworth LAFD/LAPD on scene 2 car crash DeSoto/Plummer 2 transported to hospital 2 dead on scene, investigation ongoing long term @FOXLA pic.twitter.com/srlUTlgtdF
1097264275586871296 2019-02-17 14:39:24 PST <LAPDHQ> Our city might not be perfect, but it has life — it has culture. It’s our privilege to be able to serve and protect the City of Angels. pic.twitter.com/yqXWyIIq8w

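Now let's apply this ability to pull real-time data to our search. Who are the target's supporters?

Use --to to create a CSV file of everyone who tweeted at the account, so that you may find people able to offer help, or people who show interaction with the target by posting photos or greetings, and review them.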

sudo twint --to officialmcafee --since 2019-01-01 -s help -o mcafeecontacts --csv
1097503235684864000 2019-02-18 06:28:56 PST <FlyCryptoGuy> Which side defends the bees?  Bees die, man dies.  Why don't you support #Buzzcoin bro?  Help mankind.  Save the damn bees.  It's easy to throw insults, start throwing solutions.  Thank you sir.
1097356068164898816 2019-02-17 20:44:09 PST <SkepticalMinded> Well said, the labels that hold people  back as a true progressive society, are the same labels that help those same people feel belonged and validated.  So in other words fuck what people think and be yourself.
1097280716466020353 2019-02-17 15:44:43 PST <BitcoinGhost1> I'm in Germany, put me in mind and I'll be ready to help.

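Opening the CSV file shows that it is full of recent replies to the target, many of which offer support.

Good. So far the investigation shows that the target is a heavily armed, unrepentant tax evader with many supporters, which is "sufficient intelligence" for any law enforcement agency.

Step 7: Dig further with other searches

Suppose you now want to learn about any clues as to how the target hid his funds before announcing his tax evasion.

Because the target has already made many statements about taxes, the tracker can use --year to find statements made before then.

We are interested in the keywords "taxes" or "tax", so the following command can be used to build a Twint search for any posts about taxes published before 2018.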

sudo twint -u officialmcafee -s taxes --year 2018
947326031890911233 2017-12-30 20:38:21 PST <officialmcafee> When I follow someone, God gives them a new Bentley Azure. Tax free.
947325176701706241 2017-12-30 20:34:57 PST <officialmcafee> When I follow someone God himself comes down and gives them a Bentley Azure. Tax free. It used to be Ford Focus. Don't know why the upgrade.
947007111011151872 2017-12-29 23:31:04 PST <officialmcafee> As I said earlier ..... When I follow someone God himself comes down and gives them a new Bentley Azure  ..... Tax free.
947005611253919744 2017-12-29 23:25:06 PST <officialmcafee> I did. But I don't believe your name is Tom. You realize, of course, that when I follow people, God himself comes down and blesses them - giving each of them a Bentley Azure - tax free.
939924816664121345 2017-12-10 10:28:33 PST <officialmcafee> Good  God! Do I have to spell it out? Well ... No taxes, no regulatory problems, no traceable income, no tax accountant costs, etc,etc,etc
644436140183973888 2015-09-17 02:02:03 PST <officialmcafee> My policies now posted  https://mcafee16.com/issues/  #ForeignPolicy #drugs #immigrants #tax #educate #economy #cyber +more pic.twitter.com/ugCnhKEBsL

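The target appears to have made statements about hiding money in cryptocurrency.

Knowing that the suspect is on the run, the tracker can run a focused search on anyone who publicly tweets at the target and offers support.

To do this, use --to to search for any users interacting with the target, and --phone to search for any tweets that may contain contact information.

You can also try to find where he is by searching for photos or videos of their whereabouts posted in the last week (that is, recently).

Use --location to scrape only tweets with a location tag, from which any tweets containing media can be pulled; these may show you clues to the target's recent location.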

sudo twint -u officialmcafee --location --since 2019-2-10 --media
1096942869091356674 2019-02-16 17:22:14 PST <officialmcafee>  pic.twitter.com/vbtdCI6ULP | Location House McAfee
1096932395012554754 2019-02-16 16:40:37 PST <officialmcafee> Back at the third floor of the "compound". We are just mellowing out after a day of speeding between islands in my first test of our tender (Moored alongside) pic.twitter.com/sd0ix15MPB | Location House McAfee
1096929852056395776 2019-02-16 16:30:31 PST <officialmcafee> Here is the third floor of our "Compound" right now. The "dingy" is moored alongside. pic.twitter.com/UCnRn3AoJX | Location House McAfee
1096915137087320064 2019-02-16 15:32:03 PST <officialmcafee> A boring video. But Rick took it. He's proud of it. He asked me to tweet it. I just did. He is outside of social media however, so I can dis him in this (for him) alternate universe, while I truly love him in that universe which, for me at this moment time, is alternate. pic.twitter.com/yXPdGF3oW1 | Location House McAfee
1096635092393517056 2019-02-15 20:59:15 PST <officialmcafee> Rick caught me with my harmonica attempting to regain favor with IT guy. He was way out of my league. pic.twitter.com/5HZxPKwyf8 | Location House McAfee
1096614989857738752 2019-02-15 19:39:22 PST <officialmcafee> Holy FUCK!!! My Bahamian IT guy -- whom I judged to be the dweebyest person on earth -- shows up in the band I hired for Choppy's bar for the weekend. People -- never judge. The IT guy is the sax player. pic.twitter.com/e0KW6fWIbY | Location House McAfee

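The first result is a video showing the target piloting a boat past a series of islands.

In another tweet from the previous day, the target takes a selfie in a bar in George Town, a city in the Bahamas.

So, according to photos and videos posted on Twitter over the past few days, the target is on a boat near the coast of George Town in the Bahamas.

Twitter makes open-source intelligence tracking easier

In this case scenario, as a junior IRS agent, your first audit has found that the target is a heavily armed tax evader moving around near Caribbean islands. The extradition treaty between the Bahamas and the United States that entered into force on September 22, 1994 can then be used.

That is how cops think.

The point here is that, whatever the type of investigation, data from social media can enrich your understanding of events by providing a seemingly endless stream of information.

From studying interactions between users to finding alternative views of the same situation through series of content connected by hashtags, information shared on social media should be part of any open-source intelligence investigator's toolkit.

⚠️ To stress once more: if what you want is to avoid being tracked and avoid becoming a target of the cops, these demonstrations should let you observe how trackers generally think, so that you can defend effectively: what should not be said on Twitter, what kinds of personal relationships should not be shown on any public platform, and so on.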

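The above is meant for ordinary people, not John McAfee; in fact he is already quite clever, and what he posted publicly did not lead to his arrest. For example, he only began posting photos long after he had left a place; small tricks like these all work.

McAfee is used as an example only to demonstrate the basic process of tracking, and it does not represent any stance.

Finally, note: do you remember how McAfee was caught? Yes, he was betrayed by a foolish journalist; you can revisit it here: "Digital Footprints with Nowhere to Hide: Metadata, for Good and Ill (Part 1)".

So, ⚠️ you not only need a careful defense against social media intelligence, you also need to pay attention to everyone around you: they should all have the same high level of security awareness as you, otherwise any one of them could give you away.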
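A self-audit in the spirit of these warnings, as an added example that is not part of the original post or of the Twint project: it reads tweets in the text layout shown in the sessions above and flags the kinds of disclosure this tutorial shows being searched for (phone numbers, e-mail addresses, media, location tags, plus your own watchlist terms). The account `example_user`, the sample lines and the watchlist terms are constructed for illustration.

```python
import re

# Text layout seen in the sessions above:
#   <tweet id> <date> <time> <tz> <username> text [| Location <place>]
LINE_RE = re.compile(
    r"^(?P<id>\d{6,}) (?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<tz>\S+) <(?P<user>[^>]+)> ?(?P<text>.*)$"
)
LOCATION_RE = re.compile(r"\s\|\sLocation\s+(?P<place>.+)$")

# Heuristic patterns (assumptions of this example, tune them for your locale).
PATTERNS = {
    "phone": re.compile(
        r"(?<!\d)(?:\+?\d{1,3}[ .-]?)?(?:\(\d{3}\)|\d{3})[ .-]?\d{3}[ .-]?\d{4}(?!\d)"
    ),
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "media": re.compile(r"pic\.twitter\.com/\w+"),
}


def parse(lines):
    """Return one dict per tweet. A line that does not start a new record is
    treated as wrapped text belonging to the previous tweet."""
    tweets = []
    for raw in lines:
        line = raw.rstrip("\n")
        m = LINE_RE.match(line)
        if m:
            tweets.append(m.groupdict())
        elif tweets and line.strip():
            tweets[-1]["text"] = (tweets[-1]["text"] + " " + line.strip()).strip()
    return tweets


def audit(lines, watchlist=()):
    """Return the tweets that expose something, with the reasons for each."""
    findings = []
    for t in parse(lines):
        text, flags = t["text"], []
        loc = LOCATION_RE.search(text)
        if loc:  # a location tag is itself a disclosure
            flags.append("location:" + loc.group("place").strip())
            text = text[:loc.start()]
        flags += [name for name, rx in PATTERNS.items() if rx.search(text)]
        lowered = text.lower()
        flags += ["term:" + w for w in watchlist if w.lower() in lowered]
        if flags:
            findings.append({"id": t["id"], "date": t["date"], "flags": flags})
    return findings


# Constructed sample export (not real tweets).
SAMPLE = """\
1000000000000000001 2019-02-10 09:15:00 PST <example_user> Lost my phone, text me on +1 202-555-0142 instead
1000000000000000002 2019-02-11 18:40:12 PST <example_user> New desk setup at the office pic.twitter.com/AbCd123456 | Location Springfield
1000000000000000003 2019-02-12 07:02:33 PST <example_user>
Flying out on Friday, the house will be empty for two weeks
1000000000000000004 2019-02-13 12:00:00 PST <example_user> Lovely weather today
""".splitlines()

if __name__ == "__main__":
    for finding in audit(SAMPLE, watchlist=("flying out", "house")):
        print(finding["id"], finding["date"], ", ".join(finding["flags"]))
```

Run it over a text export of your own timeline to see which posts the filters shown in this tutorial would surface, then delete or rewrite them.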

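That's it. The goal of this article remains to demonstrate tracking techniques and provide a reference for civilian investigators. We hope it is useful to you. ⚪️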
