April 05, 2021
OSINT for Gab and Dissenter Investigations
Jake Creps
Gab is a social media platform launched in 2016 commonly associated with a far-right user base. After the recent removal of Parler from the Apple App Store, Google Play Store, and Amazon Web Services, many free speech advocates are flocking to Gab instead of back to more mainstream platforms. In light of riots at the US Capitol on January 6, 2021, it’s essential to understand the importance of expanding an OSINT investigation to alternative social media platforms. This guide will cover how to discover users and groups on Gab, extract relevant content from pages of interest, and analyze the data collected. Additionally, it’ll cover Dissenter, a Brave-based custom browser created by Gab, and how it can be useful in an investigation.
Profile Discovery
When starting an investigation, typically, there is limited information available. This could include a name, username, email address, phone number, etc. We’ll use that available information to locate profiles and groups on Gab. Unlike platforms like TikTok, Gab has a search engine that can be used to locate details. However, we’ll start with results found in Google’s index, allowing the use of their advanced search capability.
Personal Profiles
Search Engines
site:gab.com intitle:"(@" -inurl:trends -inurl:help
Unlike Parler, Gab doesn’t have a specific designation for profile pages. Their URL structure is just gab.com/{username}, making it difficult to find results in a search index. Although, after analyzing a few Google search results, it is possible to specify profiles by adding a few filters to the Google query.
Entering site:gab.com instructs Google to only view results from gab.com. Adding intitle:”(@” tells Google to look for pages with that text in the title. In the case of Gab profiles, they always list the username next to the title’s name using this format.
Finally, to remove subdomains like trends.gab.com or help.gab.com, simply add the -inurl:trends and -inurl:help commands to remove those types of results from the search. What remains are only profile pages for individuals. At the time of this writing, there are about 44,700 results indexed.
site:gab.com intitle:"(@" -inurl:trends -inurl:help “{display name}” OR “{username}”
After removing potential false positives by excluding subdomains, it’s time to enter the information available in conjunction with the Google query we’ve already built. Using the above search structure, looking for a name or display name OR a username is easier.
Download our whitepaper on Gab to learn more about profile discovery.
Profile Picture
Similar to Parler, Gab allows users to upload a profile image. Unlike Facebook though, a user only gets one, and there isn’t a history of previous profile images. For this reason, it’s important to extract that profile image and archive it in the event it’s changed. Pulling the profile image is easy; however, it takes a small adjustment to get it right.
If you right-click and save the profile image, it saves in a .bin format. This is odd because the cover photo, which we’ll cover in a moment, is in a .png format. Depending on the operating system used, it might not be possible to view a .bin file without a special utility. Fortunately, simply renaming the file extension from .bin to .png will allow the file to be viewed normally. You can use this image to conduct reverse image searches on Google, Bing, Yandex, or other reverse image search tools to expand an investigation beyond Gab.
Display Name
At first glance, the display name doesn’t seem like a valuable data point. However, it’s important to note that not only can a user choose an alias there; instead, they can also change their display name at any moment. Archiving this information with a screen capture is important. Additionally, an MHTML download of this page will allow the reference page’s source code to be captured if the evidence collected is ever called into question.
Another thing to note is the blue checkmark next to the display name. Blue checks indicate a verified account. Like Parler, Gab requires users to upload a government-issued ID to prove verification. Gab states the information is ‘immediately deleted once verified’; although, ‘once verified’ could include a significant delay.
Username
If the profile in question was found via searching by username, this data point may not be of value; however, if an alternate username was discovered while searching by display name or any other identifier, this can be a very valuable data point. It’s important to note a few things here about usernames on Gab.
Usernames cannot be changed on Gab. Once registered, one’s username cannot be altered. Typically, many users will simply abandon accounts to create new ones under alternate usernames. Keep this in mind if abandoned accounts are discovered. The user may still be active but using a different username.
Unlike Parler, Gab doesn’t automatically generate a username based on an email address if available. During the signup process, Gab asks users to select their username before account creation and checks availability. This means that a username is not indicative of an email address; likewise, an email address isn’t indicative of a username. That said, make sure to conduct a reverse username search across multiple social media platforms to expand an investigation beyond Gab.
Biographical Information
In addition to a display name and username, Gab users can also add a biography listed in the “About” section of the page. Often, this is a section where the user describes who or what they are; they may also post URLs, email addresses, and phone numbers in some cases. In the case of Andrew Anglin, there are 4 URLs. The profile also tells us that Anglin’s profile was created in January of 2017.
Finding information such as an email address or phone number can be a significant lead for an investigation. Additionally, finding previously unknown domain names, as seen with Daily Stormer’s URL, can help find additional information doing a reverse WHOIS search or pivoting to that website for further information.
Header Photo
The header photo on Gab is similar to cover art on Twitter. This image can be easily downloaded by right-clicking on it and saving it to your local drive. Unlike the profile image, there is no need to convert from .bin to .png on this one. However, the same logic applies. At any given moment, the user can change their header photo, and if it hasn’t been archived, it could be lost forever. Like profile pictures, make sure to reverse image search any unique header photo to expand the investigation beyond Gab. If the profile has stock imagery or a common meme/photo, this reverse search will likely produce false positives.
Download our whitepaper to understand all of the content you can extract from Gab.
Dissenter
Early on in Gab’s history, the platform received a lot of criticism about hosting extreme content. Users of the platform could not interact in comment boxes and on mainstream sites using the same language without removal. In response to this, Gab created Dissenter.
Dissenter gives Gab users the ability to comment on and discuss any content on the web without regular viewers being able to view it. It started off as a browser extension that would generate a pop-up when users turn on the extension allowing them to see comments from other Gab users on the page. Shortly after, Dissenter was removed from web browsers. In response to this action, Gab created its own web browser for Dissenter based on an open source framework. Operating similar to the Brave web browser, Dissenter maintains the functionality of “invisible comments” with their browser extension enabled by default on the Dissenter browser. Let’s take a closer look.
At first glance, the browser looks very similar to the majority of mainstream browsers. The main difference is the default dissenter browser extension. We suggest going into the extension settings to make sure it’s enabled on all sites and shows when comments are visible on the page. When the Dissenter extension is clicked on, a pop-up that looks like this is shown.
Within this pop-up, all 1367 comments on the CNN homepage can be viewed. Within each comment, there is the functionality for conversation among Gab users.
Because Dissenter operates from its own domain, these profiles and their content aren't visible in Gab's search engine. To find content specific to Dissenter, you have to use dissenter.com and specify that domain in your Google search queries.
Conclusion
New social media platforms are coming out every year. With current events, platforms like Gab and Parler are no longer edge cases. Their success highlights the importance of being familiar with and regularly checking new sources. Skopenow helps by automating this process. Skopenow will take any information you have and automatically search across all social media platforms, open web data, court records, and documents.
This is only an introduction to how to use Gab for OSINT investigations. To register for our webinar, which includes advanced techniques and analysis, click here. Registrants also receive a white paper with the full guide to OSINT investigations as well as a free tool or expediting search.