March 19, 2020
TikTok Investigations and OSINT Tips
Jake Creps
TikTok is the fastest growing social media platform on the internet. Quickly approaching 1 billion active users, TikTok is becoming the social media platform of choice in the 15-35 age demographic. From an open source intelligence (OSINT) perspective, TikTok is a treasure trove of valuable data, including photos, videos, audio, social networks, and more. This guide will explain how to discover profiles on TikTok, extract content from profiles, apply analysis to the information found, and expand an investigation from TikTok and beyond, all within the constraints of a web browser. No mobile phones or emulators are required.
This is an introduction to TikTok for OSINT investigations. To view the full guide, which includes advanced techniques and analysis, click here.
Investigative Limitations of TikTok on the Web
Similar to Snapchat, TikTok is a mobile-first app; however, unlike Snapchat, it does have a desktop version. For the sake of this guide, we’ll cover using the desktop version to discover and extract content. It is possible to use a mobile device or emulator, and for certain data points, it is necessary. Still, it’s much easier to extract content at scale using tools available on a desktop. We’ll explain how to do this later in this guide. The TikTok website for desktop has many limitations. This means various tools and techniques will be needed to get the information for an investigation.
Profile Discovery
TikTok’s homepage doesn’t have a search engine. When visiting the home page, all that is visible is the top-grossing accounts and topics and a prompt to download the mobile app. For most investigative purposes, this isn’t helpful. Fortunately, Google indexes pages on TikTok, and using a Google Search (or any other search engine) to look for specific information on TikTok is relatively easy. Let’s take a look at a few methods for profile discovery.
site:tiktok.com “{first + last name}” OR “{username}”
With Google Search, the site: operator filters the results so that only pages from the specified website are shown. In the example above, using site:tiktok.com will only show results from TikTok. By replacing {first + last name} with the subject in your investigation, Google will search the entirety of TikTok for only that person. If it’s a more common name, like John Smith, additional identifiers are needed; however, if it’s a unique name like Jake Creps, there will be far fewer results, which makes them easier to verify. By adding the OR operator, Google will know to search for two things at once without requiring both of them to be present on the page. Entering site:tiktok.com “John Smith” OR “soccerfan247” will cause Google to search for mentions of John Smith OR soccerfan247 on TikTok. Searching this way allows the usage of as many first and last names or usernames as needed. Make sure to add the OR operator between each identifier; otherwise, the results will get narrower instead of broader. Here’s an example.
-site:tiktok.com “{first + last name}” OR “{username}” “tiktok.com”
Let’s say that trying the first method came up with no results. That’s typical, and more than likely, nothing is wrong with the query. People often use different display names and usernames for different platforms. Creativity is required in these situations to find who or what we’re searching for. Using the -site: operator, Google knows to check everywhere else except for the website mentioned. We’re going to use the same name and username inputs but add “tiktok.com” at the end of the query. This looks for all other websites where that name or username can be found and that also mention tiktok.com. This will find users mentioning their TikTok profile on Instagram, Twitter, YouTube, or other platforms. Notice that there isn’t an OR operator in between “{username}” and “tiktok.com.” This is intentional. Doing this allows Google to search any combination of name OR username, but the results must include tiktok.com. We don’t have to specify the AND operator because it’s the default operator on Google. Here’s an example.
tiktok.com/@{username}
The last method for profile discovery is the most basic. TikTok uses the same URL structure for every profile page. If a list of usernames or emails is available, checking if that username has a TikTok profile is as easy as adding the username after tiktok.com/@ and cross-referencing the profile with already known information about the subject. Don’t forget to add the @ in the URL. Without it, a 404 page will appear. Here’s a correct example.
Content Extraction
Once a profile that matches the subject in the investigation is found, it’s time to start extracting as much data from that profile as possible. Here is where using the desktop version of TikTok limits the amount of information that is accessible. However, it’s a great place to start an investigation. If the investigation allows and warrants it, it is possible to expand to the mobile version of the same TikTok profile using a mobile device or emulator. This guide will cover that in future chapters. First, let’s discover what can be extracted from the desktop version.
Profile Picture
Unlike Facebook, TikTok only allows users to post one profile picture. Unfortunately, this means if the user changes their profile picture, it’s effectively lost. If an internet archive of the page doesn’t exist, there’s no other way to recover that image. For this reason, it’s essential to download that image and archive it for evidence collection purposes and to establish a timeline throughout the investigation in the event the picture changes. Previously, downloading profile pictures on TikTok was more difficult. Now it can be done by simply right-clicking the image, opening it in a new tab, and downloading it in its full resolution.
Biographical Information
Now that we’ve downloaded the profile photo, the next step is to copy the username, display name, following count, follower count, like count, profile description, and social media links. Unfortunately, the following, follower, and like lists are unavailable on desktop. If those lists are essential for the investigation, using a mobile device or emulator will be necessary. When setting up a profile, TikTok allows users to link their Instagram or YouTube to their TikTok profile page. This is a great pivot point and a verifiable way to link two accounts together. It’s important to know that not all users link their profiles, so just because one isn’t listed doesn’t mean it doesn’t exist. This process shouldn’t take more than a few seconds. It is easiest to either copy and paste the text, take a screenshot, or both.
Videos
Videos are the bread and butter of TikTok. Unlike other platforms, almost all of the content on TikTok is user generated. Because of this, the subject of the investigation is very likely to be in these videos. Finding connections, behaviors, and locations and establishing a timeline can be done by analyzing the videos found on TikTok. It is important to download them off of TikTok to archive them in the event the user takes them offline. Unlike profile pictures, videos cannot be downloaded by right-clicking on them. The video first has to be isolated on a separate page so that the source video can be downloaded. Here’s how to do it.
Start by clicking on the required video. Doing so will open a pop up showing that video, the video description, sound file, and engagement summary.
Right-click on the video and choose “Inspect.” For this guide, Google Chrome was used, but this will work on any browser. Next, a panel that has a list of links will show up on the page. Find the one that includes “v-16-web.tiktok.com” in it. It should be directly above the highlighted elements on the page. Right-click on that link and open it in a new tab.
This new page will allow the video to be downloaded directly to your local storage. TikTok has made a variety of changes to their desktop version this year. If an error occurs while trying to access a video, try again later or try a different browser.
Repeat this process for every video on the profile of interest until all videos have been downloaded.
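Archived profile pictures and videos are only useful as evidence if their integrity and capture time can be shown later. The following is an added example, not part of the original guide: it records a SHA-256 hash, size, source URL, and UTC capture time for each downloaded file in a manifest and reports when a new capture of the same source differs from the previous one. The manifest layout, file names, and the placeholder account URL are assumptions.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large videos need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def record_capture(manifest_path, file_path, source_url, kind):
    """Append one capture to a JSON-lines manifest; return (entry, changed).

    changed is True when the latest earlier capture of the same source_url
    has a different hash, e.g. the subject replaced the profile picture.
    """
    manifest_path, file_path = Path(manifest_path), Path(file_path)
    previous = None
    if manifest_path.exists():
        for line in manifest_path.read_text(encoding="utf-8").splitlines():
            item = json.loads(line)
            if item["source_url"] == source_url:
                previous = item
    entry = {
        "kind": kind,
        "source_url": source_url,
        "file": file_path.name,
        "size_bytes": file_path.stat().st_size,
        "sha256": sha256_file(file_path),
        "captured_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }
    changed = previous is not None and previous["sha256"] != entry["sha256"]
    with open(manifest_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry, changed


if __name__ == "__main__":
    work = Path(tempfile.mkdtemp())
    picture = work / "profile_picture.jpg"
    picture.write_bytes(b"constructed sample bytes, not a real image")
    url = "https://www.tiktok.com/@example_user"  # placeholder account
    print(record_capture(work / "manifest.jsonl", picture, url, "profile_picture"))
```

Running `record_capture` on the profile picture at each visit gives a dated record of when the image changed.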
Video Descriptions
Each video posted on TikTok has a description. Within that description, users often post hashtags and other accounts mentioned; however, there is also a link to the sound used in that video. These are all data points that will be valuable for the investigation. Let’s start with mentions.
TikTok doesn’t hyperlink mentions on the desktop version. It is required to copy usernames in the description and paste them into the TikTok URL structure mentioned before to pull up the new profile. Once completed, the same content extraction process can be used on the new profile as was done on the first.
The next step is to find hashtags. Hashtags are hyperlinked on TikTok for desktop. Once clicked, they’ll open a new page showing all content that used that same hashtag. Effectively, this is the unofficial hashtag search engine of TikTok. When looking at the URL of the page after clicking on a hashtag link, it will look like tiktok.com/tag/sanfrancisco. Searching for any hashtag just requires replacing everything after tag/, in this case, “sanfrancisco,” with any other topic of choice. Using trending hashtags on other social media profiles can be useful to find relevant content on TikTok. Location names are often searchable hashtags because many TikTok users will tag the city they live in to get more visibility. Here’s an example.
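The mention and hashtag pivots described above can be pulled out of a copied video description in one pass. This is an added example, not code from the original guide: it extracts mentions and hashtags, ignores e-mail addresses, removes duplicates, and builds the profile and tag URLs in the structure the guide describes. The character sets accepted for usernames and hashtags and the sample description are assumptions.

```python
import re
from urllib.parse import quote

# Assumed character sets for illustration: letters, digits, underscore and
# period in usernames; word characters in hashtags.
# The lookbehind keeps "me@example.com" from being read as a mention.
MENTION_RE = re.compile(r"(?<![\w.])@([A-Za-z0-9_.]+)")
HASHTAG_RE = re.compile(r"(?<!\w)#(\w+)")


def pivots_from_description(description):
    """Return profile and hashtag URLs found in one video description."""
    mentions, hashtags = [], []
    for name in MENTION_RE.findall(description):
        name = name.rstrip(".")  # drop a sentence-ending period
        if name and name.lower() not in (m.lower() for m in mentions):
            mentions.append(name)
    for tag in HASHTAG_RE.findall(description):
        tag = tag.lower()  # treat #SanFrancisco and #sanfrancisco as one tag
        if tag not in hashtags:
            hashtags.append(tag)
    return {
        "profiles": [f"https://www.tiktok.com/@{quote(m)}" for m in mentions],
        "tags": [f"https://www.tiktok.com/tag/{quote(t)}" for t in hashtags],
    }


if __name__ == "__main__":
    # Constructed sample description, not taken from a real video.
    sample = ("Day at the pier with @soccerfan247 and @Jane.Doe. "
              "#SanFrancisco #fyp #sanfrancisco contact: me@example.com")
    for kind, urls in pivots_from_description(sample).items():
        print(kind, urls)
```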
It is important to access and understand the date stamp of the video in question. TikTok previously allowed users to see the exact date and time a TikTok video was uploaded. That information is no longer available in the source code. Now, only the month and date that a video was posted are available. That information is located directly to the right of the display name, above the video description.
Lastly, there’s the video’s audio. This feature is unique to TikTok. They encourage users to take audio from someone else’s video to use for their own video. This was originally intended for songs; however, it’s used for all types of audio from speeches to impersonations to music and everything in between. By clicking on the audio link in the image, a list of all users that have used the same audio in their video is available. For popular songs or celebrities, this list could be hundreds of other videos. With smaller accounts or regular users, this might only be a few videos. Here’s an example.
Through this, it is easy to start creating and analyzing social networks or reverse-engineering viral content.