March 03, 2023
Tools & Techniques for OSINT Investigations on Emerging Social Media Platforms
Steve Adams
Product Marketing Manager
When looking for a subject on social media, investigators typically start their search on the social media giants, Facebook, Twitter, and Instagram, then follow up with big mobile-based social platforms like Snapchat and TikTok.
However, as we covered with our webinars last year, such as when we covered Gab, Gettr, and Parler, there is an increasing opportunity to find relevant information on emerging sites.
In 2022, many social media users are starting to move away from the popular social media platforms they’ve used for years and many are starting to look at emerging platforms. Last year, Elon Musk paid $44 Billion to purchase Twitter and plenty of Twitter users fled the platform. Some users are fatigued, some are seeking decentralization or enhanced privacy, and others are seeking an environment that suits their politics.
Whatever the reason, it’s important that investigators keep up with them and ensure that they’re prepared to explore the new platforms for data relevant to their investigations. In a large proportion of cases, there may be nothing relevant on these sites, but there’s always a risk that if you don’t check them you may miss something that is investigation critical.
Mastodon is open-source software created by Eugen Rochko that enables individuals to build and self-host Mastodon instances/nodes, called servers, which interoperate to become a united decentralized social networking platform. Each server is run independently by a moderator and has its own code of conduct, terms of service, privacy policy, privacy options, and moderation policies. Having multiple servers enables users to select a node whose policies they prefer, however, users maintain access to the broad Mastodon social network and can interact with one another from different servers.
Cohost, meanwhile, is a browser-only social media platform built to function like a blogging website, first launched in 2020. Founded by Colin Bayer and Jae Kaplan, who both have professional backgrounds in software engineering and tech startups, Cohost doesn't leverage algorithms, ads, or sharing tending posts. Cohost posts, called coposts, appear in chronological order and have no maximum character limit.
This article will provide an introduction to some of the tools and techniques for OSINT investigations on Mastodon and Cohost. To view the full webinar click here or download the guide, which includes advanced techniques and analysis, click here.
Mastodon
Accessing Mastodon Content
Mastodon users can easily access content either through a web browser or a mobile app. Investigators should use a web browser to collect OSINT to enable optimal collection capabilities.
To view their first Mastodon content, investigators can head to a Mastodon server, such as https://mastodon.social/explore, which is a server operated by the Mastodon gGmbH non-profit. At this time, this mastodon server is closed to new account holders, so investigators will need to choose another server to see all of Mastodon’s user account data.
To locate a Mastodon server, users can go to https://joinmastodon.org/servers, which lists all known Mastodon servers. Some servers require users to apply for an account, whilst others permit any user to create an account.
Profile Discovery on Mastodon
Like Twitter, Mastodon users have an account page that captures their account details, posts, reshares, media, and likes.
Mastodon has inbuilt search functionality that offers the best results when searching for a profile on the platform. Investigators can search Mastodon for user profiles, posts, and hashtags. Unfortunately, Mastodon does not allow advanced search operators within its searches, such as ‘from:’, to help limit results.
To search within Mastodon, investigators can enter any search term into the search bar at the top left-hand corner of the page. Searching within one instance will search across all Mastodon servers.
The screenshot below shows a search for George at https://mastodon.social/explore.
When signed in, users can click on the ‘Load more” button to increase the number of results beyond 5. On the All tab, results will include a full list of results matching the search term, which includes profiles, posts, and hashtags.
Search results from users show which Mastodon server a user is a member of. In the image below George Takei is a member of the https://universeodon.com/explore server, while George Hahn is a member of the https://mastodon.online/explore server.
There are two ways to view a user’s account page. Firstly, click on the matching result to be redirected to their profile page within the Mastodon server you are using, which will have a URL such as https://glasgow.social/@georgetakei@universeodon.com or https://mastodon.social/@georgetakei@universeodon.com.
Alternatively, enter the user’s Mastodon instance followed “/@” and their username, i.e.
https://universeodon.com/@georgetakei.
From a Mastodon user’s profile, you can collect a range of useful information about a subject, including their Profile Picture, Cover Photo, Name, Username, Description, Verified Status, Website/ Social Media Platforms, Joined Date, Following, Followers, and Posts (Messages posted using the software were originally known as "toots", although they are now simply called "posts").
Cohost
Accessing Cohost Content
Cohost users can access content through a web browser. To view content and find user accounts, investigators should use a web browser and are required to create an account. Users are not given any indication of which accounts have looked at their accounts or posts, so investigators can use either a covert or overt account for OSINT purposes.
To access Cohost, investigators can head to https://cohost.org/, where they should hit the “sign up” button to create an account.
Profile Discovery on Cohost
On Cohost, users have an account page that captures their account details, posts, reshares, and replies. Cohost has inbuilt search functionality that enables investigators to search for a profile on the platform. Investigators can search Cohost for both user profiles and tags in posts.
To search for a user profile within Cohost, investigators should hit the “search” button in the left-hand menu or head to https://cohost.org/rc/search.
As investigators enter any search term results will instantly start to appear, without the need to hit enter. The search appears to be fuzzy, bringing back close matches as well as exact matches. In addition to heading to the search page, investigators can jump straight to results through URL manipulation, adding “?q=” with any search term to the search URL, such as https://cohost.org/rc/search?q=jenny. Spaces in the search term can be represented as either a + symbol or “%20”.
Once the results populate, investigators can click on a user's display name, username, or profile picture to be directed to their profile. When conducting OSINT investigations, ensure not to click the “follow” button, as the user can see who follows them and this constitutes direct interaction with the subject.
Locating Content on Cohost Profiles
Having discovered a subject’s Cohost profile, investigators may wish to dive deep into its contents to locate and extract relevant information of value. From a Cohost user profile page, investigators may find a Cover Photo, Profile Photo, Display Name (usually a first name), Username, Dek (Short description under username), Description (Long description above Follow button), URL Hyperlink, Posts, Replies Controls, Shares Controls, and Pinned Tags. Users do not need to input all of this information and some may only include a name and username, alongside the replies controls, shares controls, and pinned tags.
Automating OSINT Investigations
Following the above techniques, you now know how to manually discover profiles and posts within both the Mastodon and Cohost platforms during an OSINT investigation
Using a tool like Skopenow, you can automate OSINT investigations to collect data from emerging social media platforms like Mastodon and Cohost. Skopenow instantly and anonymously locates and archives web pages and social media activity, plots location history, flags actionable behaviors, and reveals hidden connections between individuals. Skopenow’s automatic report builder will save you time organizing the analyzed intelligence into a court-ready report. Please reach out to sales@skopenow.com or visit www.skopenow.com/demo to schedule a demo and activate a 7-day free trial for qualified businesses.
Remember, this article is only an introduction to some of the tools and techniques for OSINT investigations on Mastodon and Cohost. To view the full webinar click here or download the guide, which includes advanced techniques and analysis, click here.