(Click here to watch and listen to the video version of this blog entry)
The ability to find localised information is extremely important when carrying out live investigations. Often in my workday as an OSINT analyst I am tasked with finding data on ongoing events to help gather more evidence about what happened. This could be a video of the aftermath of a terrorist attack showing an amount of victims that could, or not, be different than the official numbers given by the local government. Maybe photos taken in a way that enable us to quickly geolocate the incident. Or even perhaps evidence of how the local forces are attempting to censor the coverage of what happened by the press or nearby citizens.
All of the data I am tasked to find will come from social media and, although this really depends on the country, a lot of it will be coming from Twitter. Some other social media platforms such as Facebook or YouTube are great for “older” data but for quick, live event ones, Twitter is definitely at the top of my list.
Previously I have explained how to find geotagged videos on YouTube using an online free tool. In this blog entry I will be focusing on a different (also free!) OSINT tool for when we need to find content that is being posted in real time regarding ongoing and unfolding events.
In order to regularly find geotagged data on Twitter I use a great OSINT tool developed by Louis Tomos Evans entitled BirdHunt which allows me to select any area on the world map to find tweets posted within a certain radius (plus other options).
It is very easy to use and it already contains a tutorial within the website but I’ll still go through all the steps of what I usually do.
Although most of the time I use it to find crucial pieces of evidence regarding possible human rights violations, I also use it for another, probably less thought of, task which I will cover later on in this article.
BirdHunt as a tool to find evidence
Most of my searches for work are of unfortunate circumstances, usually around possible human rights violations. I wanted to spare you a bit and instead chose something nicer for this tutorial on how to find data on Twitter around specific events and locations.
At the time of writing is May 2, 2022, the end of the holy month of Ramadan in many countries. On this day, Eid is celebrated by many people around the world and, as any happy event, Twitter will be full of nice messages and photos that we will try to find.
I have decided to go with Saudi Arabia as my target location as I know that Eid started on Sunday, 1st of May, and the country will be celebrating Eid-ul-Fitr on the 2nd of May (today). Within Saudi Arabia I figured that the capital, Riyadh will be the most likely candidate to find some nice tweets as it has millions of inhabitants.
When you open BirdHunt you will be greeted by a world map. You can either zoom around until you find your target location or you simply use the search option if you have a searchable place in mind like a city such as Riyadh.
Once you’re happy with your selection and have clicked on the map (in case you were zooming around), you will need to “confirm location” as shown below.
Immediately after confirming the location a menu on the right will pop out and you will be able to select what search radius you want. For this task I have decided to go with the suggested 10km radius around our pin on the map.
Afterwards we could just go with this search as it is but let’s select “Show Advanced Options” as I want to tweak it a bit more.
On the advanced options area we can add a query by inputting keywords, search for media type, search for questions, and add a minimum of like and retweet count.
As I will be looking for photos of Eid celebrations, I will tweak my search accordingly. I’m hoping to find specifically images of food because they are always amazing, both in taste and in presentation!
So let’s quickly jump to our trusted old friend, Google Translate, and see how to write “Eid Mubarak” (“Blessed Feast”, the way to wish people a happy Eid) in Arabic, the official language of Saudi Arabia.
Once you’re done you can press the double rectangle (circled in red below) to copy the translation.
Now we go back to BirdHunt and input our keywords (“عيد مبارك”) into the “Add a search Query” section as shown below.
I have also selected the “Just Images and Video” option as I’m looking specifically for that. In general, unless I can read the language, I just stick to gathering photos and footage as anything else takes too long to translate and my focus is on gathering evidence anyway.
You have also the options to search for questions or add a minimum like and/or retweet count. I do not use this feature as usually what I’m looking for is raw material and therefore without any likes or retweets (yet). I would say this feature is probably be very useful to see what trends are emerging in certain areas and what people care about in specific locations. I can imagine it being great for journalists looking for local stories or even local campaigners trying to find out what the population is talking about. For this example let’s just skip these settings.
Lastly, there are two more options, the first to filter out tweet replies and the second to choose the language in which the tweets were submitted. For this task I selected to display all tweets and to give me the results in Arabic as it is the language I used for my keywords.
And that is it, time to click “Search for Tweets” and see what we can get. You don’t even need a twitter account for this as it will work just the same. BirdHunt will then input your search options into the search bar on twitter.
Mine contained the following:
“عيد مبارك geocode:24.633333,46.716667,10km filter:media lang:ar”.
First you see the keywords I was looking for (عيد مبارك ), then the coordinates of my pin on the worldmap (24.633333,46.716667), followed by the radius of search (10km), then filtering by media only, and lastly the language as Arabic (lang:ar).
And here’s a compilation of some of the results I got. Definitely plenty of mouth watering photos of food shared on Twitter by people wishing others an Eid Mubarak.
BirdHunt as a tool to improve your sock puppet account
This is one of those occasions in which I found a use for a tool that was not intended at first.
In the OSINT world you will need social media accounts in order to access data in certain platforms, this could be Facebook, Instagram, Telegram, etc. It is a very bad idea to use your real account for obvious reasons. Last thing you need is to click the like button on the post of someone you’re investigating and immediately flag yourself up to them.
A sock puppet account is a fabricated persona created in order to safely browse around without the risk of having the account connected to our real identity. I have so many of them that I keep a little notebook with all the info next to my workstation. Here’s a little preview of my sock puppet notebook below.
The problem with sock puppet accounts is that they usually have no friends, content or interactions with other users so they might be easy to spot (although people still won’t know who’s behind it).
Most of my sock puppet accounts are like that but sometimes I will need one to be a bit more active. This could be due to wanting to get information that is behind private groups or only available if you’re within the “friend bubble”. Take for example Facebook groups in which you have to be approved in order to view the content of a page. For those situations you need a convincing sock puppet and those take some work to make it realistic.
At this point I believe that in the near future I will need to gain access to certain groups on certain platforms (being deliberately vague here) to gain information that wouldn’t otherwise be easily available. I have been using BirdHunt to make my sock puppet sound more realistic. I will explain my quick and simple process below.
Let’s imagine I want to pretend to be Greek for whatever reason. I do not speak or read any Greek so in order to keep my account active and looking legitimate, I need to find a way to post content in Greek. I would not trust whatever Google translate gives me as, although a very good tool, sometimes you’ll get some weird translations that any native speaker can identify as being translated. So what do I do? I search for content that Greek native people have posted online, translate to confirm it is nothing too weird and then post it as my own. In a sea of content, it’s almost impossible to tell I just copy pasted a random thought on Twitter. Especially if the platform of my sock puppet account is not even Twitter.
Here’s how I do it. I select the most populated city in my target country so in this case I am going with Athens.
After confirming the location I picked the highest radius option of 25km. At this point I don’t really care about the location, I just want to target Greek speaking Twitter users.
On the advanced options I select to filter out tweet replies as they are usually conversations or discussions between people and I’m not looking for interactions. There’s also the option to select the specific language so I choose “Greek” to avoid any tourists or anyone else tweeting in a different language.
Now that it’s all done I can just click the “search for tweets” options and see what I can find.
An important note is that some languages are gendered. This means that there’s a difference in the sentence of a man or a woman. This is not the case in English but it’s certainly the case in my native language, Portuguese. As a general rule I try to pick users that match the gender of my sock puppet account to avoid any issues around gendered language. I also avoid tweet replies as they are usually directed at someone and I just want a one or two sentence content in the target language to keep my sock puppet account active and relevant. Something simple like “Happy New Year” or “Mondays are the worst!” are perfect. News or sports related content is also good if they are neutral and won’t get people all riled up because the last thing you need is someone trying to engage in a discussion with you in a language you simply don’t know.
So after a quick look around I found this tweet that is definitely the type of material I would use. It says “Οχι που δεν θα έτρωγα.” which, according to Google, translates to “Not that I would not eat.” accompanied by a decadent looking strawberry meringue cake. In this situation I would find another image of something equally delicious looking, add the sentence I just copied from the twitter user, and submit it as my own with some emoji next to it.
Doing this over the space of weeks and months will definitely make your account look more legitimate. This of course is not the only way to make your user look like a real person. You’ll also need to start adding other people and occasionally comment on stuff (emojis are great to avoid language and widely accepted as communication) but this is the strategy I use to find content in the native language of a geographical area using BirdHunt.
Overall BirdHunt is a great tool developed by Louis Tomos Evans, who also created HuntIntel.io, an intelligence gathering platform I had the pleasure of testing and providing feedback. I often use BirdHunt for the two tasks mentioned above. On one hand it’s great to see what’s happening in specific locations and gather data in the form of photos and videos from users sharing content during an unfolding event, and on the other hand is very useful to trick people into thinking you know the language by finding and copying content from native speakers into your sock puppet account.
I hope you find this tool as useful as I do and if you can think of any other ways of using it for OSINT purposes I’m all ears.
Thank you for reading!