How to Use the Buscador OSINT VM for Conducting Online Investigations

Sep 7, 2018 09:33 PM
Jun 22, 2019 12:09 AM

For anyone using open source information to conduct an investigation, a balance between powerful tools and privacy controls is a must. Buscador is a virtual machine packed full of useful OSINT tools and streamlined for online research. This image can easily be set up in VirtualBox, and once that's done, we'll walk you through some of the most useful tools included in it.

OSINT Investigations

When I showed employees at Uber research tools like TheHarvester and Maltego, the reaction ranged from wide-eyed amazement to suspicious questions about the legality of the programs being used. Most people have similar reactions to the amount and kind of information that can be pulled from open sources. OSINT research tools allow access to the incredible amount of data our society produces, often used as forensic clues to solve a crime or as a method of reconnaissance to allow a hacker to plan their attack.

With all the data available in the digital world, the problem for a researcher is rarely whether or not the information exists. The amount of data is overwhelming and difficult to sort through, but the right data is almost always there. Instead, finding the most efficient path to the right data is one of the core challenges an investigator will face, and that means using tools much more sophisticated than a Google search to hunt down clues relating to a target. There are a lot of great tools for this, but installing and configuring them all can be a pain.

After seeing glaring holes in the operational security of the way many police departments conduct OSINT research, experts Mike Bazzell and David Westcott set out to create a specialized VM specifically to bring together the most effective OSINT tools and customized scripts used by themselves and other investigators. Another focus of this VM was security, stealthiness, and the ability to easily save digital forensic evidence found during an investigation.

Editor's note: Mike Bazzell's Buscador OS, featured in this article, was temporarily taken down from his website due to increased DDoS-style attacks, but it's back up and running as normal. The OSINT Tools on his website, however, will not be returning because of DMCA notices and cease-and-desist letters from the makers of some of the tools.

A VM for Hackers, Researchers & Investigators

Hackers can think of the Buscador OSINT virtual machine as an OSINT-focused version of Kali Linux. Based on Ubuntu rather than Debian, Buscador does not include the formidable set of cyber weaponry that Kali boasts, instead hand-picking a collection of useful OSINT, privacy, and capture tools into one stealthy package. Because avoiding detection is a goal that both investigators and hackers share, Buscador comes with Tor preinstalled and boasts other helpful privacy tools.

Buscador VM is also capable of being booted from a USB thumb drive on any available computer, as well as being loaded onto the hard disk and booted directly. This allows the flexibility of using it anywhere you have access to a computer, regardless of whether or not you have your personal device with you. At 3.5 GB, the VM image is compact and easy to carry on a flash drive that's 8 GB or more.

Extensively documented in Mike Bazzell's book, "Open Source Intelligence Techniques," Buscador encourages good research habits and empowers researchers to find more clues in their investigations. Some familiar tools such as Maltego, Recon-ng, Creepy, Spiderfoot, TheHarvester, Sublist3r, and other tools we've covered on Null Byte are preinstalled.

What You'll Need

Trying out Buscador is easy. You'll need to download the most current version of Buscador from the IntelTechniques website. The most current VirtualBox version as of June 2019 is Buscador 2.0.

Next, you'll need to download VirtualBox, as well as the VirtualBox Extension Pack to run the virtual machine. Make sure to install both before continuing, as running Buscador without the extension pack can make using Buscador more annoying by requiring you to hit an escape sequence to release the mouse from the VM.

Once you've installed both VirtualBox and the VirtualBox Extension Pack, you can proceed to the first step of setting up Buscador. (Note: Buscador is also available for VMware.)

Step 1: Import & Configure the Virtual Appliance

First, we will need to import the appliance and adjust a few settings. Open VirtualBox, and in the drop-down menu, click on "File" and then "Import Appliance" to select the Buscador .OVA file you downloaded previously. Then, select "Continue."


Go ahead and click "Import" to load the virtual machine.


Next, click on "Settings," and in the "General" tab, rename the Buscador VM to something you will remember. Under "Advanced," change "Shared Clipboard" to "Bi-Directional" to allow copying and pasting between the guest and host system.

Click on the "System" tab, and under "Motherboard," add about half of the total system RAM to the virtual machine. Then, click the "Display" tab and then "Screen" to increase Video Memory to at least 128 MB, to allow for video and other digital evidence to be displayed properly.


When this is done, click on the "Storage" tab, then click on the plus-shaped icon in the lower-left corner, select "Add Optical Drive," and then select the "Leave Empty" option.

Finally, click on the "Shared Folders" tab, and select the plus-shaped icon on the right. Now, you can create or select which folder you want to use to save evidence from Buscador onto your computer. Once this is selected, make sure the folder is set to "Auto-mount."


With this complete, you're ready to run Buscador for the first time. Click "OK" to save the settings, and then select the Buscador VM from the list of VMs in VirtualBox, and click the green "Start" button.

Step 2: Run Buscador for the First Time

After Buscador boots, you should find yourself at a login menu with a spooky OSINT guy, possibly a self-portrait of Mike Bazzell, as the wallpaper. The default username is osint, and you can log in with the password osint.


Once you've logged in and the desktop has booted, click on the "Devices" tab at the top of the VirtualBox menu, and then select "Insert Guest Additions CD Image" to show the CD in Buscador. If it doesn't auto-run, select the CD on the desktop, then click "Run Software" to auto-run the Guest Additions installer. Once it's finished installing, restart the virtual machine.


After logging in again and loading the desktop, open a terminal window. We'll need to add the "osint" user to the "vboxsf" user group, and to do so, we'll type the following and press Return/Enter.

sudo adduser osint vboxsf

Supply the password (osint) and then reboot the VM again when the process is complete.


Now that these steps are complete, your Buscador is set up and ready to use!
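As an added example (not code from the article or from the Buscador project), the following POSIX shell script applies the same Step 1 settings through VBoxManage instead of clicking through the VirtualBox GUI, so the evidence folder, clipboard, RAM, video memory and empty optical drive are configured the same way every time. The VM name, OVA path, evidence folder and the "IDE" fallback controller name are assumptions supplied by the caller; the in-guest work from Step 2 (Guest Additions and the vboxsf group) still happens inside the VM.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes VBoxManage is on PATH
# and that the caller supplies the VM name, OVA path and host evidence folder.
# Set DRY_RUN=1 to print the VBoxManage commands instead of running them.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Half of the host's RAM in MB (the article's guideline); falls back to
# 2048 MB where /proc/meminfo does not exist (e.g. a macOS host).
half_host_ram_mb() {
    kb=$(awk '/^MemTotal:/ {print $2}' /proc/meminfo 2>/dev/null)
    if [ -n "$kb" ]; then
        echo $((kb / 1024 / 2))
    else
        echo 2048
    fi
}

# usage: configure_buscador_vm NAME OVA_PATH EVIDENCE_DIR [RAM_MB]
configure_buscador_vm() {
    name=$1; ova=$2; evidence=$3; ram=${4:-$(half_host_ram_mb)}
    # Guard against a typo that would starve the guest of memory.
    [ "$ram" -ge 1024 ] || { echo "refusing to assign under 1 GB of RAM" >&2; return 1; }
    # File > Import Appliance, with a name you will remember.
    run VBoxManage import "$ova" --vsys 0 --vmname "$name"
    # General > Advanced: bi-directional clipboard between guest and host.
    run VBoxManage modifyvm "$name" --clipboard bidirectional
    # System > Motherboard: RAM; Display > Screen: at least 128 MB of video memory.
    run VBoxManage modifyvm "$name" --memory "$ram" --vram 128
    # Storage: empty optical drive, later used for the Guest Additions CD image.
    # The controller name comes from the imported VM; "IDE" is an assumed fallback.
    ctl=$(VBoxManage showvminfo "$name" --machinereadable 2>/dev/null \
          | awk -F'"' '/^storagecontrollername0=/ {print $2}')
    run VBoxManage storageattach "$name" --storagectl "${ctl:-IDE}" --port 1 --device 0 \
        --type dvddrive --medium emptydrive
    # Shared Folders: the host evidence folder, auto-mounted in the guest.
    run VBoxManage sharedfolder add "$name" --name evidence \
        --hostpath "$evidence" --automount
}
```

Run it as `configure_buscador_vm Buscador ~/Downloads/Buscador.ova ~/evidence` after installing VirtualBox and the Extension Pack; the shared folder still needs the osint user in the vboxsf group inside the guest, exactly as in Step 2.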

Step 3: Take Advantage of Browser Extensions

Buscador offers a number of browsers preconfigured with the most useful add-ons and extensions for investigators. This curated list focuses on capturing clues you find for further review and analysis, and we'll jump into some of the most useful ones included for Firefox first.

Firefox Browser Add-Ons

Firefox is a fast and powerful browser that comes packed with eight browser add-ons installed in Buscador. You'll see the icons tucked into the top right of the browser. The first two, Nimbus Capture and FireShot, are for taking detailed screenshots of pages of interest, allowing you to archive them, make notes on them, or even make PDF copies of websites.


Next up are two browser extensions for collecting video and audio posted online. These allow you to save any video files either individually or in bulk using Video DownloadHelper and Bulk Media Downloader, respectively.

uBlock Origin should be a familiar sight to anyone who doesn't want to be tracked or see ads in their content, but the User-Agent Switcher might be an interesting new toy for many researchers. The User-Agent Switcher add-on changes the operating system and browser type that your browser reports in the User-Agent header each time it makes a request, allowing you to pretend to be any kind of device you want. This is useful for getting the mobile version of a webpage or doing something you can't do on a desktop device (like posting a photo to Instagram).

The last two add-ons for Firefox are Google Translate, to provide a quick translation of pages in other languages, and the super-helpful Resurrect Pages, which can find old versions of webpages that have been changed or taken down, allowing you to see what people try to hide.

Chrome Browser Extensions

Google Chrome, which opens by default in Incognito mode, is also included in Buscador. It boasts even more extensions than Firefox, including uBlock Origin, FireShot, and 15 other extensions.


The Lightshot screen capture extension replaces Nimbus in Chrome, with 360social and Prophet adding tools for searching social websites for more information about a person, like email addresses.

For analyzing websites, Chrome has a User-Agent Switcher and Wappalyzer, which will break down and tell you the underlying technology any website is built on.

Shodan as a browser extension is also extremely helpful, allowing discovery of information in Shodan about a particular website you're on. Privacy tools like HTTPS Everywhere and WebRTC Leak Prevent aim to keep the investigator insulated from malicious websites or possible detection.

These browser tools can be used together in clever ways to pull off attacks like tracking down a user's Tinder profile.

Step 4: Use the Helpful Included Tools

Aside from Maltego Community Edition, there are several tools that have been well-documented on Null Byte which are included in Buscador. You should check out these OSINT staples to get a feel for what Buscador has to offer.


For email scraping, Buscador comes with TheHarvester, which allows you to search for all email addresses on a domain you're interested in.

Spiderfoot, a powerful cross-platform OSINT tool, is also included. Spiderfoot autonomously gathers information about a target and transforms the results into an easy-to-understand report.

Modeled on Metasploit's module-based interface, Recon-ng is a complete Python reconnaissance framework developed by Tim Tomes which is popular with hackers and investigators.

While we haven't covered all the tools available in Buscador on Null Byte, there are many useful customized scripts for downloading videos and images from targeted social media accounts and other places people share information about themselves. These tools allow us to intake, process, and analyze impressively large amounts of data with only a few clicks.

We'll cover some of these tools in more detail in an upcoming tutorial, but if you'd like to learn more about Mike Bazzell's OSINT techniques, you can check out his book.

Buscador Can Help You Follow the Clues

After setting up Buscador, I recommend checking out one of Null Byte's guides on the included OSINT tools to get a head start on conducting your first investigation. It's important to practice using these tools to answer a question rather than fishing for information. Without doing so, you're likely to get lost in the sea of information OSINT tools can return. There is little value in all of this data if it cannot clearly answer a question which guides the investigator's understanding of the situation forward.

Because no investigation can succeed without answering well-posed questions, the goal of this specialized VM is to support a researcher by bringing together all the tools and data they need to decide which questions to ask. If you need a powerful and convenient system for conducting investigations beyond the scope of a Google search, Buscador will help you find the answers you're looking for.

I hope you enjoyed this guide to setting up the Buscador OSINT virtual machine! If you have any questions about this tutorial on Buscador or you have a comment, feel free to reach me on Twitter @KodyKinzie.

Cover photo and screenshots by Kody/Null Byte
