In this episode of The Pivot podcast, we welcome Henri Beek!
Henri Beek has more than 13 years of professional experience working in the Open Source Intelligence (OSINT) space. Within his career, he has used OSINT for different types of investigations, ranging from fraud and employment screening to family protection, red teaming, and cyber threat intelligence. Henri currently works at DataExpert, where he provides OSINT training and consultancy to law enforcement and related agencies throughout Europe.
In this episode, we peek into OSINT investigations from back in 2008, when it was still called “Desk Research” and conducted with plenty of paperwork. Henri also expands on the topic by bringing up the access problems, such as the takedown of Facebook Graph. He also points out that investigators should be more mindful of the information they are sharing online and be keen on examining the source and reliability of the contents.
The Pivot: Your New OSINT and Infosec Podcast
Brought to you by Maltego, The Pivot is your OSINT and infosec podcast that dives deep into topics pivoting from information security to the criminal underground. Through The Pivot episodes, we aim to share insightful information for beginners and seasoned investigators alike, shedding light on all things OSINT and infosec from an insider’s perspective.
Each episode features one or two of Maltego’s Subject Matter Experts as the host and an external expert, researcher, or industry leader invited to share their projects, stories, experiences, and advice.
Where to Listen to The Pivot?
The Pivot podcast is available on Spotify, Apple Podcast, Google Podcast, and the Maltego YouTube channel. Each episode is 45 to 60 minutes long and is released on the 15th of every month. Stay tuned with us for more updates!
What really got you into OSINT?
Henri: I was into gaming a lot back in the days when Battlefield 2, World of Minecraft, and things of that sort came out. You needed some more information on maps for Battlefield 2, for example, what the nice points to be a sniper were or what the good guides on Dungeons and rating in World of Minecraft were.
These things brought me to look for stuff on the internet, and I got the hang of searching for information. After that, I diverted my attention to social media platforms, and then that was picked up by a private investigation firm here in the Netherlands. That’s how I rolled from a hobby into the business doing OSINT stuff.
Where did you start doing OSINT work? Was it just browser-based, or were you using any applications at that time?
Henri: It was still called Desk Research when I first started in 2008 at a private investigation firm. To them, Desk Research was looking into the Chamber of Commerce, lens register files, and a bit of search engine work. They weren’t really interested in the whole social media and source code in the beginning. Here in the Netherlands, we had a lot of social media platforms like Superdudes and Hives (now closed). When I got there, it was really missing pivot points in which you could still conduct investigations.
One of the first things I did when starting in that job was to expand the sources and methods to get more information out of the sources. One of the walls [in my office] was covered with bookcases with phone books and zip code books. I was in the room where the printers were, which felt like a wrong room to be in. However, they were like: “No, this is your workspace. Here is your seat and your computer, and go ahead.” I was like, “Yeah, but why all the phone books in paper?” I mean, it was 2008. We were past the starting point of the internet. Why all these books? What they told me was, “Well, it’s nice we have the internet. Sometimes, phone records are taken off the white pages or the yellow pages online, and then we still have those paperback phone guides which we can use to search for a phone number of the person we’re interested in or maybe a neighbor.”
That really got me thinking that OSINT was more than that. We nowadays look at only the internet in the World Wide Web, but it’s also still about TV broadcasts, radio broadcasts, and podcasts, for example. There’s much more to it than just the internet.
What are the usual tools you rely on during investigations?
Henri: Maltego, of course, and I’m not saying that because this is the Maltego podcast. I’ve really been a Maltego user for a very long time in my career, even back in the days when it wasn’t that good yet. For websites, I use host.io, Censys, Shodan, and some commonly used search engines. As for commercial tools or software, I tend to stay away from them a bit, same with extensions.
I try to teach my students more about extensions. You need to know who it’s from and understand third-party risk. With every extension you install in your browser, you’re exposing your searches and making yourself stand out from the basic users.
With all the accounts I have, it’s not feasible to remember all the alias passwords. Therefore, the password manager is the extension I use the most now, along with the user agent switcher and maybe an instant data scraper.
What do we do now when something’s behind Cloudflare?
Henri: There are some points you can look at with Cloudflare. For instance, what I usually try to do is look at other domains owning or sharing the same name as the domain I’m looking into and see if some of the information is still out there.
Or use tools like Whoxy.com, one of the whois tools giving you some free whois history information. Sometimes people don’t use Cloudflare at the beginning. However, they start using it a couple of months later when they register the domain. You have the option to see who was the register before Cloudflare stepped into the whois records, and that gives you a slight advantage.
The other way is looking into the source codes, that is, the analytics codes. If it’s shared across websites, you can use it, and it also applies to certificates shared by websites. People tend to be lazy and use the same stuff everywhere, and I’m no exception.
Was there a hallmark investigation that made you think that was something we are doing now? How did that happen?
Henri: It was during my time in fraud investigations, which really highlighted the technical part of OSINT for me. There was this person with his one-man construction company offering renovations to cottages, and he messed up a project due to the use of the wrong materials, which resulted in damage that was worth thousands of euros. Consequently, the client wanted to sue him, but he was like, “I’m a one-man company. Business has been bad lately, so I have no money. You can sue me. It’s just nothing here.” We had some intel that he was actually working for a very large construction company which, of course, had a deep pocket and could afford the damage. Nonetheless, the Chamber of Commerce turned up nothing.
He had a website consisting of an HTML page with scrolling text and an awful blue background with yellow font on it. All of a sudden, I had an idea to look in the DNS records. In the DNS records, a mail server was mentioned that if I emailed this guy, it would not go to his Outlook or Gmail, instead, it would go to mail.large.company.com. I thought to myself, “If I send my email, I do not send it to a random mailbox, I will always send it to an email that I have control over.”
That was the smoking gun and the evidence we needed to prove that there was a link between the large company and his company. He had a mailbox on the mail server of that larger company. People often talk about social media and stuff like Telegram, still, there’s a lot of information in DNS records and other things that’s open for you to find. The DNS record is a nice point in this investigation, and because of that, every time I conduct a company investigation, I always look into the DNS records and see what’s there.
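The DNS pivot Henri describes (an MX record pointing at another organisation's mail server) is also something a company can audit on its own zone. The script below is an added example, not code from the podcast or from Maltego: it takes a constructed set of DNS records for a hypothetical domain and reports which external registrable domains the MX, CNAME and SPF records reference.

```python
"""Report which external organisations a domain's DNS records point at.

Added example with constructed records only (no live DNS lookups); the
domain names below are hypothetical placeholders.
"""
from __future__ import annotations

from collections import defaultdict

# Constructed sample zone data: (owner, record type, value).
SAMPLE_RECORDS = [
    ("renovations.example", "A", "203.0.113.10"),
    ("renovations.example", "MX", "10 mail.large-company.example"),
    ("www.renovations.example", "CNAME", "sites.hosting-provider.example"),
    ("renovations.example", "TXT", "v=spf1 include:_spf.large-company.example -all"),
]

# SPF mechanisms whose argument names a host or domain.
_SPF_HOST_MECHANISMS = ("include:", "a:", "mx:")


def registrable_domain(host: str) -> str:
    """Naive registrable domain: last two labels (no public-suffix list)."""
    labels = host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def extract_targets(rtype: str, value: str) -> list[str]:
    """Pull the host names a record delegates to, if any."""
    if rtype == "MX":
        return [value.split()[-1]]          # drop the preference, keep the host
    if rtype in ("CNAME", "NS"):
        return [value]
    if rtype == "TXT" and value.startswith("v=spf1"):
        return [tok.split(":", 1)[1] for tok in value.split()
                if tok.startswith(_SPF_HOST_MECHANISMS)]
    return []


def external_affiliations(domain: str, records) -> dict[str, list[str]]:
    """Map each external registrable domain to the record types naming it."""
    own = registrable_domain(domain)
    found: dict[str, set[str]] = defaultdict(set)
    for owner, rtype, value in records:
        if registrable_domain(owner) != own:
            continue                        # ignore records for other zones
        for target in extract_targets(rtype, value):
            ext = registrable_domain(target)
            if ext != own:
                found[ext].add(rtype)
    return {k: sorted(v) for k, v in sorted(found.items())}


if __name__ == "__main__":
    for ext, types in external_affiliations("renovations.example", SAMPLE_RECORDS).items():
        print(f"{ext}: referenced by {', '.join(types)}")
```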
The book Red Teaming says that some people view red teaming as playing devil’s advocate. Is this the same with red exercises?
Henri: It’s basically the same as with OSINT. I think there’s still no clear definition of OSINT. If you ask someone from the US Defense Department, he or she will give you a different definition on OSINT than if I ask someone from the Dutch law enforcement, for example.
Red teaming is similar in that sense. It depends on your aim. The way we used it was to see if we, in the role of an adversary, could get into the network of a company and do all kinds of shenanigans to get the company’s data, exfiltrate data, or even combine them with a physical entry, dropping some rubber duckies or something like that. Also, we could examine if someone would put it in a computer and get access through the network in that way.
Technology changes fast nowadays, what’s your advice for people new to OSINT?
Henri: If you are new to OSINT, I think what’s really important is to pick a specialization. You can go into search engines and pulling operators, which is where everybody starts with the file types and the sites. If you wanted to commit to social media investigations, there are many platforms out there already, with more to come and go every week or month. That being said, if you want to stare into social media, you do not have time for geolocation or technical OSINT.
You can’t be a specialist in all of them, otherwise, you become a jack-of-all-trades. He’s a master of none. To be good in OSINT, pick a few things you are interested in, go for those specializations, and team up with other people that are good in different kinds of topics within OSINT.
OSINT is a team sport. The most fun investigations I’ve had are with colleagues and friends to capture the flags. When you do investigations with different kinds of people, you get different points of view and exchange knowledge. That’s the most exciting part for me.
How does one start off in one of the branches of OSINT investigations?
Henri: It starts with being curious. If you want to start in a branch of OSINT, you need to learn more about the branch. The only way to learn about the branch is reading, but also talking to people and going to events. You could start even a bit further down the road, like attending an IT conference or an IT security conference. If you talk about cyber threat intelligence, see what companies are out there in the industry, what kind of stuff they do, and what they find interesting, then go from there.
Nevertheless, what I see in a lot of young people or students now is, “Yeah, we’ll just read it on Twitter.” or “Yeah, we’ll just send an email instead of approaching people, picking up the phone, interviewing people and getting out there.” Getting to know each other, helping each other out, and learning by doing, I think are the better ways to reach out to people and get more people into OSINT.
There’s More! Listen to Our Full Interview with Henri!
If you have found those interview snippets interesting, don’t miss out on the complete version!
Listen to our full interview with Henri to learn more about:
- Henri’s collaboration with our previous guest Micah Hoffman on Google Analytics
- Why Henri thinks certain techniques should only be known to law enforcement to avoid any misuse
- How Henri’s curiosity led him into programming and building his first HTML website
And much more!
Check out Henri’s work on Twitter!