Exposing a Pretender using SocMed OSINT

Alexis Lingad
Aug 17, 2022

SocMed = Social Media
OSINT = Open Source Intelligence

So you’re an investigator, and you’ve been given the task of proving that a person named Thomas Straussman is a cheater who only pretends to be in love with his fiancée, Francesca. One piece of information you were given is his username, “tstraussman”.

Username Investigation
In this portion, we will check whether the username exists on different online platforms. Doing this manually takes a lot of time and effort. Fortunately, we have “Sherlock”, which automates the check.

Sherlock used to identify the online accounts with tstraussman username

As you can see, there’s a Reddit account in the results, which will be the focus of this writeup:
https://www.reddit.com/user/tstraussman

Social Media Investigation

First, let us view posts, comments and other information on the target’s Reddit for us to come up with a specific strategy.

The one and only post of Thomas Straussman on his Reddit

So there’s only one post, which some would consider a bad thing since there is less information to collect, but not for us. Do you remember the saying that when you put something on the Internet, it is there forever? Well, it is somewhat true in this case. What we will do is investigate the past versions of the comments section to see whether someone commented on this post and then deleted the comment, since that person might lead us to something about the target, especially if they are close.

We will be using the Wayback Machine (wayback.archive.org) to check for the past versions of this post. However, before doing that, instead of just reddit.com, we will use the old version of Reddit, which is old.reddit.com. So the final URL that we need to enter in the Wayback Machine to check the past versions of the comment section is: https://old.reddit.com/user/Tstraussman/comments/kh1pzg/big_thank_you/

If you click on the oldest version, you will see one comment from someone who seems to know our target personally. Note that this comment was deleted, since we cannot see it in the latest version.

The only comment on the oldest version of Thomas’ Reddit post, which was later deleted.
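The snapshot lookup described above can also be scripted. This is an added example, not part of the original writeup: it builds a query for the Wayback Machine's CDX API and picks the oldest and latest captures out of a response. The sample response and its timestamps are constructed for illustration.

```python
import json
import urllib.parse
import urllib.request

CDX_ENDPOINT = "https://web.archive.org/cdx/search/cdx"
# URL taken from the writeup above
POST_URL = "https://old.reddit.com/user/Tstraussman/comments/kh1pzg/big_thank_you/"

def cdx_query_url(page_url):
    """Build a CDX query that lists the successful captures of page_url."""
    params = {"url": page_url, "output": "json",
              "fl": "timestamp,original,statuscode",
              "filter": "statuscode:200"}
    return CDX_ENDPOINT + "?" + urllib.parse.urlencode(params)

def parse_captures(cdx_json):
    """CDX JSON is a header row plus data rows; return dicts, oldest first."""
    rows = json.loads(cdx_json) if cdx_json.strip() else []
    if len(rows) < 2:          # empty body, [] or header only: no captures
        return []
    header, data = rows[0], rows[1:]
    return sorted((dict(zip(header, r)) for r in data),
                  key=lambda c: c["timestamp"])

def replay_url(capture):
    """Address at which the Wayback Machine serves this capture."""
    return f"https://web.archive.org/web/{capture['timestamp']}/{capture['original']}"

def oldest_and_latest(cdx_json):
    """Return (oldest, latest) replay URLs, or None if nothing was archived."""
    caps = parse_captures(cdx_json)
    return (replay_url(caps[0]), replay_url(caps[-1])) if caps else None

def fetch_cdx(page_url, timeout=30):
    """Live lookup (needs network); not called by the demo below."""
    with urllib.request.urlopen(cdx_query_url(page_url), timeout=timeout) as r:
        return r.read().decode("utf-8")

# Constructed sample response: timestamps are made up, rows deliberately unsorted.
SAMPLE_CDX = json.dumps([
    ["timestamp", "original", "statuscode"],
    ["20210305101500", POST_URL, "200"],
    ["20201221083015", POST_URL, "200"],
    ["20210110190742", POST_URL, "200"],
])

if __name__ == "__main__":
    oldest, latest = oldest_and_latest(SAMPLE_CDX)
    print("oldest:", oldest)
    print("latest:", latest)
```

Opening the oldest and latest replay URLs side by side is the same comparison the writeup does by hand in the Wayback Machine calendar view.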

If we view the profile of minikhans, he has some posts and comments, along with the real name Hans Minik. However, there is no content related to our target. What we can do is repeat on Hans’ profile what we did on Thomas’ profile. So let us enter Hans’ profile into the Wayback Machine. After checking the oldest version, you can see an entry that we didn’t see in the latest version.

The new entry that we got from the oldest version of Hans’ Reddit profile

This post has a blackmail letter from Hans to Thomas. It seems that Hans knew what Thomas did (cheating) and is using it to get money.

Post of Hans with a title of “disappointed”

Then let us open the link and use the text below it as the password.

Email of Thomas to Emilia Moller

So, as you’ve read in Thomas’ email to Emilia, we now have evidence that he really is cheating and just pretending to be in love with his fiancée, Francesca.

P.S. Thomas is just a fictional character.
