We all have different learning styles. I'm one of those people who learns best by looking over someone's shoulder while they're doing the thing I want to learn. I don't need to be physically looking over their shoulder; a video or written walkthrough works just as well. This is largely how I learned OSINT, by reading and watching other people do it.
Over the years I've become more and more convinced that to be good at OSINT, you need a lot more that a reliance on tools. There is a seemingly infinite collection of OSINT tools on the web, and I have given up many attempts to collect and curate them (others have done a much better job, see footnotes below). Many tools work really well and might still be working in month or two when you need them again. On the other hand, with the endless updates to many of our favourite sources of information, especially social media sites, APIs get altered and the tools that rely on them start to to break. You can find a lot of dead links to once great OSINT tools, and that's no fault of the developer(s) that built them; it's simply that the internet is constantly changing.
So what does it actually take to become adept at OSINT? There are already some great articles on this, which I'll try to dig up and link to at some point, but in a very brief summary (that I'll no doubt add to along the way), here are a few skills a good OSINT researcher needs:
- ability to gather, organise, and connect various sources of information related to the task
- ability to think laterally (I'll talk elsewhere about why I think this is a skill, not a 'talent')
- ability to stay on task, and not be drawn down too many rabbit holes
- curiosity and patience; lots of both
The ability to stay on task is harder than you might think, and takes some practice. How many times have you had the experience of looking up something that should take you five minutes at most, then spent hours watching YouTube videos on completely unrelated subjects? It can't just be me, surely.
⸻
OSINT puzzles from Hotelrooms and other strange places
I learn so much OSINT from puzzles, and have enjoyed annual challenges by @Sector035, and the daily verification puzzles set by the Verification Quiz Bot on Twitter. A few weeks ago, I saw a tweet announcing another set of puzzles, from an OSINT trainer based in Poland, who goes by the The SEINT. Since the first image you see on the repo's README is a white rabbit, I could hardly fail to be drawn in...
⸻
WARNING - Spoilers Ahead!
This should probably go without saying as you're reading a walkthrough, but the rest of this article contains spoilers, as will further articles on this series of puzzles. If you'd rather have a crack at the puzzles yourself before reading this, you should check out the repo yourself.
⸻
STEP 0 - Getting to the start line
So what have we got, then?
Initially, we have a password-protected ZIP file (
rabbit.zip), which we're told contains an archive of puzzles. The Seint tells us that progression at every stage is by providing an MD5 hash. This is not unusual in OSINT puzzles: each stage of @Sector035's puzzles is completed by sending a correct hash to a specific email address. I like to use
CyberChef for hashing, as it includes lots of other useful conversion tools.
File Hygiene. Just be careful with ZIP files downloaded from the internet. Hopefully you don't need telling to virus check archives and their contents. (Not suggesting there's anything wrong with The Seint's files, but it's a good habit to get into.)
Our first clue, then is:
To start, just use the hash of the word "rabbit" (without quotes) to uncover the first level task.
And as you might guess, you're prompted for a password to extract the ZIP:
Putting our clue to good use, we create an MD5 hash on the word 'rabbit' and use that as a password, Success, we're in!
Note: Hashing is case sensitive; the hash of 'rabbit', 'Rabbit', and 'RABBIT' are all different.
⸻
STEP 1 - Photo geolocation and a walk in Google Maps
Unzipping Step 1 gives us five files, including a second ZIP (step2.zip). The remaining files include an image, and some text files:
- step1.jpg
- step1.text
- step1 - hint.txt
- step1 - hint 2.txt
Let's see if we can do without the hints... Here's the image:
And step1.txt reads:
---
The building in the attached picture is in the centre of an European country. Right next to it, a little to the east, there is a bus stop with five buses stopping there. But we will take a 10-minute walk. A couple of friends were supposed to meet in a café/restaurant which is approximately 10-minutes walk away from this bus stop. They were supposed to start walking in a direction set by the road on which the bus stop is and then they would finally find the café. Each of them found the place with the right name, but they didn’t meet. When you find out a reason for that, the name of the café is the answer.---
So now the OSINT begins!
The first step in identifying a building from a photo (unless you have local knowledge), is to use
reverse image search. There are lots of tools for achieving this, but rather than try each one individually, I prefer to use a 'meta' tool that submits an image to more than one search engine. Currently I am using the
Search by Image Chrome Extension by Armin Sebastian.
The consensus across the various search sites is that this is a photo of the Axel Towers in Copenhagen. So it's off to Google Maps to try and follow the rest of the instructions.
'Walking' east from Axel Towers on Vesterbrogade, we do indeed come to a bus stop, that looks like it might be served by five buses:
It is now suggested that two people found their way to a café about ten minutes walk away, but although they both arrived at a café 'with the right name' they did not meet. From my experience, Google Maps reckons most of us can walk a mile (1.5km) in 20 minutes, so 10 minutes walk in either direction could be around 800 metres. So I started looking in these areas (roughly):
So, here's where a bit of patience come in, but it soon pays off with the answer. After about two cups of (real) coffee while (virtually) looking for two cafés with the same name, we finally get our answer:
From @Sector035's quizzes, I've got into the habit of converting everything to lower case before hashing, and The Seint actually confirms he wants us to do this in one of his hints.
So now we have a working hash, and it's on to Step 2, to follow!
Thanks for reading.
J
⸻
Well Curated Lists of OSINT Tools
As I said earlier, keeping a listing of working OSINT tools is a time-consuming job, and you inevitably find dead links in many of them. However, there are a few that I always return to if I need a bit of inspiration, as they are put together by good OSINT researchers, and appear to be regularly curated (please let me know in the comments if you think I've missed any):
Extensive list, well grouped and presented.
The BBC Africa Eye /Forensics Dashboard.
Tailored more to journalists using OSINT to conduct investigative journalism, this is nevertheless a great selection of tools, and a good example of using
start.me to organise and present useful links.
Technisette.
Dutch OSINT pro; extensive collection of tools and other OSINT resources.
⸻