The OSINT Newsletter - Issue #90
Why OSINT Certifications Aren't Worth It and What to Do Instead
👋 Welcome to the 90th issue of The OSINT Newsletter. This issue contains OSINT news, community posts, tactics, techniques, and tools to help you become a better investigator. Here’s an overview of this issue:
Investigating GitHub profiles
You can change your Gmail address?
Nano Banana ruining the internet
Local AI inside of GitHub OSINT tools
Deobfuscating Telegram messages
Face recognition reverse image search
Over the past few weeks we have posted 6 CTF challenges as part of the OSINT Newsletter CTF. A new challenge is now live on the CTF website. You can sign up and compete now.
Here are the answers to those challenges:
Operation Jaguar
Challenge #1: The Jaguar Building - Google Lens on the building locates it as the Cartier shop in London.
Challenge #2: The Mystery Car - Reg plate obtainable from user submitted 360 view footage from Google Maps.
Challenge #3: Vehicle Attribution - Information available from the UK’s MOT website.
Challenge #4: Looking Back - Vehicle damage history (partially) available from MOT website.
Operation X
Challenge #1: Twitter Account Geolocation - Using the CLI tool to export the data, 60% of the recent RT’s come from Europe or European counties.
Operation History
Challenge #1: Past is Prologue - Using wayback machine we can find the earliest recorded snapshot of the osintpodcast.com. Then, using developer tools to view the source code of the page we can see multiple mentions of “assets.buzzsprout.com” and other code snippets mentioning the Buzzsprout service.
🪃 If you missed the last newsletter, here’s a link to catch up.
⚡ Investigating X Account Locations at Scale
🎙️ If you prefer to listen, here’s a link to the podcast instead.
Let’s get started. ⬇️
OSINT News
📰 GitHub Commit History is Misleading
This is not OSINT-related per se; however, if you discover a GitHub profile during your investigation that seems to be dormant (the commit history is completely gray), you might be making a mistake. Before closing your tab, make sure to look at all of the commit history and other activity first.
Turns out, contributions to branches other than main don't show up in the contribution graph (until you merge). Good to know for anyone else wondering why their activity isn't reflected accurately! 🎩 H/T: Emrah Nazif
📰 You may soon be able to change your Gmail address
Soon, Gmail users might be able to change their email address. This is pretty significant considering that, similar to usernames, the uniqueness of an email address as a personal identifier might be weakened, specifically with Gmail.
A Google support page in Hindi says the feature is "gradually rolling out to all users."🎩 H/T: Will Shanklin
📰 Nano Banana Pro vs AI Detection; Who’s the human here?
In September, I wrote a post about testing AI detection against existing models. Google’s Nano Banana was released in August and it’s becoming a big problem. Jonathan tests out the new model against existing detection models I didn’t cover in my previous issue.
🎩 H/T: Jonathan Hatzbani
OSINT Tools
🔎 God’s Eye
AI is so accessible that it’s even making its way into free OSINT tools. God’s Eye is a subdomain enumerator (among other features) that uses a local AI (Ollama) to do analysis for vulnerabilities and produce reports.
Zero-cost local AI with Ollama for intelligent vulnerability analysis, CVE detection, and executive reports. 100% private.🎩 H/T: Vyntral
🔎 Telegram Spoiler Decoder
If you’re on a Mac, the Telegram can display text that looks like braille. It’s a unique way of obfuscating text; however, like other methods, you can still reveal the plaintext behind it.
Telegram client on MacOS sometimes displays text under spoiler as pseudo-braille characters. In such cases, if you share your screen or take a screenshot, the hidden text can be recovered!🎩 H/T: Soxoj
🔎 Surfface
Surfface is another reverse image search that uses face recognition to identify people. With Pimeyes and Facecheck.id going behind the paywall, investigators on a budget are always looking for new tools that don’t require a card on file (or a crypto transaction).
🗒️ You have to spoof your location to use the tool. I set my VPN to a Russian IP.
✅ That’s it for the free version of The OSINT Newsletter. Consider upgrading to a paid subscription to support this publication and independent research.
By upgrading to paid, you’ll get access to the following:
⚡ Why OSINT Certifications Aren’t Worth It and What to Do Instead
OSINT certifications are expensive and the training associated with them is often outdated. In this issue, I step through what I did to build my resume in OSINT. I don’t have any certifications.
👀 All paid posts in the archive. Go back and see what you’ve missed!
🚀 If you don’t have a paid subscription already, don’t worry there’s a 7-day free trial. If you like what you’re reading, upgrade your subscription. If you can’t, I totally understand. Be on the lookout for promotions throughout the year.
🚨 The OSINT Newsletter offers a free premium subscription to all members of law enforcement. To upgrade your subscription, please reach out to LEA@osint.news from your official law enforcement email address.
