Searching for Usernames on the Net

In this article We tried to give our own interpretation of what OSInt is for US. NOW it's time to start get our hands dirty with one of the first operations performed in online research activities: the search for aliases and usernames used by the same user online.

 

Where to start

Case study: Ramingo

Let's start with this example: we were given a screenshot of a Telegram user (a random real one @trapper ?)

We can immediately make some considerations: without needing to install the Telegram client we can see the username @ramingo, also present in its vanity url (both circled in red). In this case the user has a rather unusual profile picture: a wolf in a suit and tie (circled in blue). The nickname used is “Mr. Wolf”, together with the organic “Come join the dark side…Sfina!” allows us to draw our first conclusions: we are most likely looking at the profile of an Italian user.

It's important to keep in mind, however, that these are all user-provided details and can change very frequently over time. Telegram does NOT currently offer the ability to view the unique numeric identifier that uniquely identifies users in the system. To obtain this data, you need to interact directly with the Telegram API or with specific Telegram clients, such as Telegram PLUS.

After this introduction, let's take a look at the tools at our disposal to carry out this type of research.

 

Search engines

As trivial as it may seem, the first sources from which we can obtain useful data or information are search engines, such as Google e DuckDuckGo. In fact, we often obtain surprising results since aliases are one of the most commonly included data in user descriptions in forums or instant messaging services. An advanced use of the dork It could provide very, very useful results.

Another use we can make of search engines is to search for profile images. Image searches are now a feature common to all search engines. It's worth noting that at the moment Yandex offers extremely interesting image/face recognition.

 

Web search services

The purpose of these web services is to indicate to the user on which sites/social networks it is possible to register a specific nickname.

For our purposes we will use this service by adopting a reverse logic than the one with which it was created: We will initially exclude sites and social networks where it is possible to register the username you enter and will focus on those sites where the username has already been registered.

 

Namevine.com

Instantusername.com

Among the many services dedicated to username searches, instantusername.com It stands out first of all for its GNU GPL v.3.0 license, it also searches over 100 social networking sites, including the very recent social network “Mastodon“.

Command line tools

As an alternative to the services previously illustrated, it is possible to rely on some tool from the command line freely available online or already included in some dedicated Linux distributions, such as Tsurugi Linux. Tsurugi Linux is a completely free open-source project to which we intend to dedicate several more articles.

After starting the distribution in mode live or virtual machine, I suggest you take advantage of the ’OSINT Profile Switcher“ through which you can display only the tools useful for activities related to OSInt, hiding (but still leaving available) those dedicated to Digital Forensics.

Among the various tools available, let's see together how to use a couple of very useful and effective ones.

 

UserRecon

userRecon it's a tool from the command line that you can start directly from the “Tsurugi – Osint” menu. Once started, a MATE terminal window will open where you can directly enter the username found on over 75 websites and social networks.

Once the search is complete, the results will be displayed on the screen, along with all the direct links, and automatically saved to a text file.

Update: The original link is no longer reachable and has been replaced with a working one.

 

Userrecon-py

userrecon-py allows you to expand the same search to almost 190 social network and websites by returning positive feedback on video.

In this case too, userrecon-py can be reached via a menu: a shell will open in which this command must be entered:

userrecon-py --target USERNAME

Once the search is complete, the successful results will be listed on the screen. To obtain a text file containing the successful results, we need to redirect the script output to a text file using this command:

userrecon-py --target wanderer >> userrecon-py.txt

Let's start analyzing the data

After collecting all this data, we need to correlate and analyze it to get the information we need.
The presence of many sites dedicated to the world of immediately catches the eye gamer. While many have not provided appreciable results, some are worth noting:

 

From the research carried out on the gaming platform “Steam“"We've noticed at least 21 profiles currently using the username Ramingo. Checking them individually is undoubtedly the best approach, but it takes much more time. In this case, a careful examination of the profile pictures could help us better focus our search on the most interesting user profile: the first uses the image of a wolf in a suit and tie.

Connecting to the user profile, we can observe the image better:

 

Here, too, we have a wolf in a suit and tie. We can assume with reasonable certainty that, given the combination of photo and username, the two accounts belong to the same person. Steam's functionality should not be overlooked.“This user also played as:” which could indicate other usernames used in the past by the user.

 

It should be noted that this type of service offers the possibility of purchasing games and hardware through electronic transactions. This means that through payment tools Judicial Police could be it is possible to obtain REAL user data such as name, surname, payment methods, etc.

Browsing through the results provided by the previous sites and tools, a Github profile, registered as a wanderer, also stands out:

 

Apparently it is not immediately correlated to the searched profile but the presence of the profile image linked to "“Battlefield 3” suggests that we pay some attention to it.

In fact, the track of the user/gamer provides further insights. Our research also returned a user profile wanderer 9GAG, which could prove interesting.

What other conclusions can we draw from the above images?

• Using a profile picture containing an animal humanized (wolf or cat performing a typical human activity), the numerous sections dedicated to games, the constant presence of posts referring to them (among which we once again find “Battlefield”) and the presence of numerous posts referring to Italy, provide sufficient elements to consider the profile worthy of further investigation.
• The presence of a possible more or less unconscious pattern adopted by the search target in choosing usernames or profile images.
• A general idea of the user's hobbies can help guide your search for other profiles.

Conclusions

In this article we have briefly looked at just two of the main methodologies for researching username, a preliminary and necessary activity to outline a user's digital identity as much as possible.

It must be taken into account, however, that methods such as those just illustrated will provide a large number of false positives, especially with username very common, which require the adoption of methodologies and tools to validate the results.

PS: If you have any suggestions or other articles on the same topic, please let us know in the comments!