Skopenow Resource Center / Post

February 28, 2022

Instant Messaging App OSINT Investigations Tips & Techniques

Instant Messaging Apps are communication services used for online real-time communication. Instant Messaging Apps have all but replaced technological conversation mediums like SMS and MMS text messaging. With origins in AOL Instant Messenger, instant messaging is utilized throughout the world using platforms including WhatsApp, Facebook Messenger, iMessage, WeChat, Telegram, and Snapchat. Instant Messaging Apps enable users to instantly and freely share text, photos, GIFs, videos, emojis, and more, as long as the device is connected to the internet. 

This is an introduction to Instant Messaging App OSINT Investigations. To view the full webinar and handout, which includes advanced techniques and analysis, click here.

 

Techniques for Snapchat 

Snapchat is an American-owned multimedia instant messaging app and service owned by Snap Inc. A principal feature of Snapchat is that media exchanged between users is usually only available for a short time before it becomes inaccessible to their recipients.

Snapchat is designed to be a phone-based application and so opportunities for intelligence collection are slimmer than those available for many web-based platforms.

It is estimated that roughly 306 million daily users of Snapchat and that over 75% of the 13-34-year-olds in the US, UK, Australia, France, and the Netherlands use Snapchat.

Snapchat content can appear in several forms, which can be useful to an investigator when available.

 

Searching Snapchat by Location

If a user has device-level location services turned on and has opted into location services on 

Snapchat, Snap will collect location data at various points during the user’s use of Snapchat.

Users have some control over the retention and deletion of their location data in the app settings, meaning that location data is not always available. 

Snapmap is an official Snapchat Map, which enables the public to view publicly available geotagged snaps by their embedded location. Publicly available snaps are those where the user has location data turned on on their device and has opted into location services in the Snapchat app settings. Investigators can use Snapmap to conduct a map/location-led search of public Snapchat content.

Investigators can manually move to any location in the world and view public snaps posted from any location by clicking on the location on the map. The Snapmap is a heatmap, which shows areas of a high density of public snaps ranging by color, running from low, blue, through to high, red.

In addition to manually navigating to a location in Snapmap, investigators can also jump to a location using URL manipulation. In the following URL, https://map.snapchat.com/@40.711832,-74.011222,14z, “@40.711832,-74.011222” represents co-ordinates, whilst, “14z” represents distance. To manipulate the URL simply replace “@40.711832,-74.011222” with the coordinates of the desired location.

 

Viewing a Snapchat User’s Recent Public Snaps

Investigators can utilize a Snapchat web URL to identify if an account is associated with a username and view any recent public Snaps made by that account. To determine if a username is valid and a Snapchat account is associated with it, investigators can type the username into the Snapchat app search bar, found under the magnifying glass icon on the top-left corner of the app, or enter it into the following URL,  https://www.snapchat.com/add/username, replacing ‘username’ with the subject’s unique username.

 

Extracting Snapchat Content

Public Snaps, both those identified in Snapmap and Stories, can be manually downloaded within the browser.

To download a Snap from Snapmap, open up Developer Tools by clicking F12 or right-clicking on the page and selecting Inspect.

Within the Developer Tools menu, select the Network tab and then the Media subtab.

If the data section for Media is empty then you may need to refresh the page using the Refresh button or clicking ‘Ctrl’ + ‘R’.

Right-click on the snap link and click to open it in a new tab.

Similarly, the same process can also be used to download a video from a Snapchat user’s story. To download a Snap from Stories, open up Developer Tools by clicking F12 or right-clicking on the page and selecting Inspect.

Within the Developer Tools menu, select the Network tab and then the Media subtab.

If the data section for Media is empty then you may need to refresh the page using the Refresh button or clicking ‘Ctrl’ + ‘R’.

Right-click on the snap link and click to open it in a new tab. Alternatively, locate the video under the Headers, copying and pasting the URL into a new tab, or the Preview tab, right-clicking on the video and selecting to open it in a new tab.

Once a Snap has been opened in a new window, you will be able to play the Snap.

In the bottom-right corner of the video, there will be an Options button, which has 3 dots.

Clicking the Options button will open up a list of options. Click the ‘Download’ button to save the Snap to your device.

You might find that there is a blurry section on the screen, which is due to an overlay label that has been removed. By default, Snap removes the graphics overlay layer added by users from public stories. However, this overlay can be readded to the Snap and shown by manipulating the URL, enabling investigators to view the original video as it was uploaded.

In the following URL, https://s.sc-cdn.net/<string>/default/media.mp4, replace “media.mp4” with “embedded.mp4”

After changing the URL, the overlay will be visible on the video. 

 

Snapchat Index Websites

Limited investigative insights can also be gained from third-party index sites, including Snapdex and Ghostcodes. These index sites do not have access to Snap’s user database, so for a Snapchat user to appear on these sites, they must manually sign up. Therefore, it is extremely unlikely that you will find most subjects within the directories of these sites.WhatsApp is the largest social messaging app globally, with more than 2 billion phones spanning across 180 countries registered to the application. Whatsapp, therefore, holds information relating to over a quarter of the global population. As a messaging app rather than a social media platform, WhatsApp provides limited opportunities for information collection. There are some opportunities to gain insight into the subject of an investigation using the platform.

Techniques for WhatsApp

WhatsApp is the largest social messaging app globally, with more than 2 billion phones spanning across 180 countries registered to the application. Whatsapp, therefore, holds information relating to over a quarter of the global population. As a messaging app rather than a social media platform, WhatsApp provides limited opportunities for information collection. There are some opportunities to gain insight into the subject of an investigation using the platform.

 

Identifying registered phone numbers on WhatsApp

The most commonly known method of checking if a phone number has an associated WhatsApp account is to add it to the contacts app on your phone. WhatsApp identifies registered application users to other platform users through the WhatsApp contact list and the native contact app.

Adding a phone number to your contact list to check for a WhatsApp account is not a perfect solution without risk. Several mobile phone apps have previously collected and sold contact lists to data aggregators. Mobile phone lookup services like https://sync.me/ and OSINT services like PIPL have then attributed the name saved in contact lists to the phone number in their public records. Adding a contact to your phone may also inadvertently add them to a LinkedIn contact list.

Fortunately, you can check if a phone number has a registered WhatsApp account without adding it to your contacts using a URL to query the WhatsApp API. Using the below URL, replace ‘NUMBER’ with the phone number of the subject.

If you are conducting the process on a web browser, entering the phone number into the URL, https://api.whatsapp.com/send/?phone=NUMBER, or https://wa.me/NUMBER, will send you to the below page:

Clicking the ‘CONTINUE TO CHAT’ button will redirect you to a webpage where you can select a hyperlink to ‘use WhatsApp Web’.

If the phone number is registered to WhatsApp then a blank chat window will open. If the phone number is not registered, you will receive a message stating that “Phone number shared via URL is invalid”.

If you are conducting the check on a phone, then the process will be similar. Entering the phone number into the URL, https://api.whatsapp.com/send/?phone=NUMBER, or https://wa.me/NUMBER will direct you to a webpage with a button containing a link to open the WhatsApp app, labeled ‘CONTINUE TO CHAT’. If the phone number is linked to an account then a new chat window will open. If the number is not registered, a message will appear stating that “The phone number NUMBER isn’t on WhatsApp”.

 

Downloading a WhatsApp Profile Photo

When building a subject profile, you may want to capture a WhatsApp profile photo for inclusion in the document. Extracting profile photos is possible on a mobile device, however, the captured image then needs to be forwarded to the core operational device. To simplify this process, you can download a WhatsApp Users profile image using WhatsApp Web.

Once you have set up WhatsApp web for your device, you can find any previous chats within the left-hand menu. To locate a phone number you have added to your contact list, search for the associate name in the search bar. Images can be right-clicked on within the left-hand menu without the need to open a new chat window. Alternatively, you can follow the steps above to identify if a phone number is used on WhatsApp using the URL. If a phone number is registered to WhatsApp, a blank chat window will open, enabling you to extract their image.

Click on the profile photo within the Contact info section, which will open up the full-size version of the image.

Alternatively, right-click on the image within the contact list or within the Contact info section and select to open it in a new tab, which will also provide you with a URL for the image.

 

WhatsApp Search Operators

Advanced Search Operators on Search Engines enable investigators to search for WhatsApp content. Results are likely to be limited and reliant on chat links being posted on web pages.

chat.whatsapp.com “Topic”

Searching by WhatsApp chats and a topic, such as chat.whatsapp.com "cricket", enables investigators to search for any public group chats that might relate to the topic of their investigation.

site:http://instagram.com “http://chat.whatsapp.com” AND "Name"

Searching on Instagram, investigators can search for a subject’s or business’s name, such as site:http://instagram.com http://chat.whatsapp.com AND "Traders Club", to identify if there is a link to any WhatsApp chats.

site:http://4chan.org http://chat.whatsapp.com AND "Phrase"

Searching on 4Chan, investigators can search for a topic, such as site:http://4chan.org http://chat.whatsapp.com “Origami”, to identify if any public group chats have been shared that might relate to the topic of the investigation.

When a phone number is available, WhatsApp can provide several opportunities to facilitate information collection during an investigation. Phone numbers can also be reverse searched within the Skopenow platform, enabling investigators to aggregate and analyze intelligence from thousands of social media, open web, deep web, and dark web data sources.

Using a tool like Skopenow, you can automate the processes outlined in this guide to extract and analyze content from instant messaging apps. Skopenow instantly and anonymously locates and archives social media accounts and posts, plots location history, flags actionable behaviors, and reveals hidden connections between individuals. Skopenow’s automatic report builder will save you time organizing the analyzed intelligence into a court-ready report. Please reach out to sales@skopenow.com or visit www.skopenow.com/try to schedule a demo and activate a 7-day free trial for qualified businesses.

This is an introduction to Instant Messaging App OSINT Investigations. To view the full webinar and handout, which includes advanced techniques and analysis, click here.

Unlock the Power of Skopenow

See for yourself how Skopenow can modernize your investigations. To get started, request a demo and an expert will get in touch with you shortly.

Book a Demo