A Free OSINT Lesson: Sometimes It's Easier Just to Make a Phone Call
Piiick uuppp the phoone....
When I was a kid in the early nineties, there was this commercial for an adults-only phone chat line. It became a bit of an earworm, and anyone over 35 reading this probably remembers it.
For a very young man who’d stay up far too late past his bedtime watching Mad TV at 11:00 PM, there was the significant allure of this advert to “piiiick up the phoooone.”
Now, this was the nineties. Little did I know that this advertisement, and yes, the subsequent call my cousin and I would make to this number one night in 1995, would have such a lasting impact on my life.
Now, in our defence, we were 10.
Yes, it cost 50 cents per minute (which seemed like a lot of money then).
Did it show up on my parent’s phone bill?
Yes.
Did I get in trouble?
Oh, fuck yes.
The one lesson I learned from this curious moment in my life was, sometimes, you just need to “piiiiiiick uuuuup the phoooooonnnne.”
A common task when you do what we do at Permanent Record Research is finding people. Now, this varies, and no two cases are alike. Sometimes, it’s because you’ve been able to deanonymize a threat actor or a CSAM peddler, and now a client wants to know who they are and where they live. Sometimes, you have a criminal case and need to locate a potential witness. Sometimes, you are helping with a manhunt. Sometimes, you have a wrongful conviction case, and there is a lead on another suspect, but they’ve vanished.
If you work in a job and OSINT somehow falls into your job description, finding people is a thang most of the time.
As you know, passive collection is a consistent process in investigations. You search the internet, archives, old newspapers, whatever, for information about your target. Social media, breach data, Google, Bing, Yandex… you know the drill. You start getting selectors and more selectors, and you run those down. You get the information you need. You hand it to your client. They are happy.
But sometimes, you bump into those tough cases.
A target that doesn’t seem to have much of an online presence. Perhaps you have some basic details, but they simply don’t use social media that much, so they don’t have boatloads of accounts all over the place. Maybe they read books or some shit for fun, I don’t know.
The point is that their place in the digital ether is very small. Moreover, they may live in countries where digital privacy, or privacy in general, is way more strict. In simple terms, they may be old school.
This means that you, as the investigator, need to be old school.
We had this one case where we were tasked to track down this guy who was a higher-up for a small tech firm. I need to be purposefully vague, but he allegedly embezzled a bunch of money and skipped town. The tech firm he worked for was now going after him in civil court, but there was a problem: they couldn’t find him.
The one social media account he did use was deactivated. His girlfriend’s social media accounts were also closed down. They moved out of their condo, though they still owned it, and just like that… they were gone.
A year went by, and still no luck. The tech firm couldn’t serve this guy, which slowed the justice machinery down a bit. They were out a few million dollars. It was a big deal.
PRR got involved, and we were asked to help locate this individual.
Now, we love our clients. And when we get a new client, in this case, a tech firm trying to save the world instead of fuck it up like asshole tech bros can sometimes do, well, we love them a little extra.
This was a cause to celebrate. So, I bought my usual three cases of Coke Zero, tossed it in the fridge, and got to work. A quick aside:
1) No. We are not sponsored by Coca-Cola. Though, if someone from Coke is reading this, and wishes to sponsor us, or hire us… “piiiiiick uuuuuuppp the phooooooonnnne!”
2) I got a new cup.
This majestic vessel can hold two physical cans of Coke Zero and probably the liquid of three.
I got it at a movie theatre when I bought the biggest size drink possible. And when it was handed to me, I held it up in glory like some ancient weapon from the gods to slay my enemies.
I began with my usual searches, got some selectors, and watched it start coming together. The inherent issue was that there was very little online information about the target. Yeah, the dude was a higher-up in a smaller, medium-sized tech firm (that’s a lot of size words, I know), but he had a very limited internet presence. It was a bit weird because this wasn’t his first kick at this can. He had done this type of embezzlement before.
Anyway, the hunt led me deeper into this guy’s limited online existence, and it would have been a real slog. We were getting to the point of “this is no longer surface shit…we need to go deeper.” Moreover, while he did reside in the United States off and on, he wasn’t American, and he was from a country where privacy laws are more strict and data can’t easily be scraped by various open-source tools.
Now, in my long line of research vectors (I do have physical cheat sheets posted on a bulletin board), keyword searches on various social media platforms falls around the middle. Now, often, I don’t always need to get that far down the list, as other open sources provide me with what I need fairly quickly. However, this guy wasn’t so active, so those immediate and fast sources became less useful.
The dude worked for, and allegedly scammed a tech firm, but he was old school or knew that limiting your online presence makes you tougher to track.
I began running all the various versions of his name that he went by. These weren’t alter egos or anything, but we all know that person who goes by “James” and “Jim” and “Jimmy” and “JJ.”
Annoying, right?
And my target was one of those guys with two first names… so doubly annoying.
With three Coke Zeroes now poured into my new OSINT goblet, I began to search inside social media platforms for his name(s).
Now, this dude was older, so automatically, I was thinking Facebook and Twitter (sorry, Elon, X is a dumb as-shit name, and I will forever be loyal to the old gods).
Then it happened, like Miss Cleo in some psychic trance, a hit came clear as day. There he was!
This was one of those lucky break situations. About three months prior to me sitting down with the Coke goblet, trying to track him down, the target attended a small local tech conference in Colorado.
Some random attendee snapped a selfie with his table mates and posted that he was at this conference with these cool guys, and in the post was my target's name. No account link. Just the name.
The selfie had four dudes in it, and one was 100% my target.
So I looked up this conference and began to sort out who would attend such an event. Mostly local Colorado-based tech companies. Smaller-ish in size. I went back to the rando's selfie. Who was my target sitting with? I looked into that guy, and it didn't take long. He was a CEO, so his face and name were all over the Colorado-tech-internet-world.
I went to this company's website and began combing through public staff lists, posts, and social media.
When I found their LinkedIn page, I began scrolling to see if there were any photos, and then I spotted one, but it was unclear. It was a social event they had hosted for some local entrepreneurs about a month ago. There was a dude in the shot that looked like my target, but he was half-turned around, talking to someone, so I couldn't be 100%. Moreover, from what I could gather from the post, even if it was him, perhaps he was attending the social event, and not actually working for this Colorado firm.
If my target were working there, he'd have an email address.
I quickly ran the company domain in Google and found that they structured their emails as first initial and last name (jdoe) @companyX.com.
I popped quickly into OSINT Industries (bless those guys), and ran his first initial and last name at companyX.com to see if it even registered.
Sure enough, there was a Microsoft Teams account registered to that email, and his full first and last name.
I found my guy…
Now… I wish it ended there.
There were no records of a recent home address; honestly, I didn’t know if he was even residing in Colorado. In his last position, where he allegedly embezzled a bunch of money, he was working remotely (from the condo he and his girlfriend vacated).
The client needed their legal team to serve him court papers for a civil suit. They wanted to know where he was, physically.
I paused to think.
I could pivot to my target’s girlfriend. Perhaps that would work? It would be like starting from scratch, but she may have left more fresh tracks. That would take a long time, though, and I didn’t want to add extra hours to this gig and cost my clients money. We like closing projects and having happy clients, not billing them more.
As I took a sip of my giant Coke chalice, I realized I could simply pick up the phone. I had enough information. I knew where he worked, I just didn’t know IF he was physically there.
I came up with a plan.
I knew my target attended that tech entrepreneur meet-up event about a month ago. He probably would have met many forgettable people (no offence, tech bros). I came up with a forgettable name, “Derek Thomas (two first names, am I right? Just the worst…).
I decided I should be the Chief Innovation Officer (whatever that means) at a brand-new start-up in Boulder. My target and I spoke briefly at the aforementioned event. I gave him my card, and he said that I should call him in a couple of weeks.
Things got busy, and I’ve finally got around to it.
I considered the options. I had to be cautious not to tip him off that something was fishy. Some people have this knack for sensing ill intent in the most innocent situations. I didn’t want to risk engaging him directly if I didn’t have to. An overzealous administrative assistant may have eagerly placed me on a direct line. Or, it was one of those weird New Age open office concepts where they yell out, “Hey! There’s a phone call for you!”
You just don’t know, and this may be the most important part of this free OSINT lesson, so fucking pay attention: Pause. Walk away.
I had my story as to why I was calling. I had enough to go on, but I didn’t want to be placed into that awkward moment where, all of a sudden, I’d have to come up with some excuse to hang up and give the target that single momentary, fleeting thought, “Oh shit… what if they found me.”
I paused. I got up. I walked away from my laptop and took 20 minutes to think. I remembered reading that this tech company was actually a subsidiary when I looked into the CEO sitting at the table with my target.
I returned to their website and found a basic organization chart. In the exact same building in Boulder, Company X (where my target worked) shared space with Company Y, which was another subsidiary of the parent firm. Moreover, based on surface information, the subsidiaries worked closely together. A quick Google search showed me they operated offices on separate floors.
Using an anonymous US-based burner phone number, I called Company Y.
A quick aside:
1) Getting a burner number is easy. There are apps, websites, convenience stores, eSims, etc. You can pay for them in every way possible from your personal credit card to cash to crypto to disposable VISA cards, etc. You don’t have to give your name or any personal information in some cases. You can figure this all out yourself. I’m not helping you.
2) You need to assess the threat here. If you are dealing with serious threat actors who would have the resources, the inclination, and the desire to find you, and you’ve never done this before, don’t.
One small mistake in a whole long line of things you have to do to secure yourself can fuck you over. Just don’t do it. Find another way.
Lastly, don’t break the law. You’d be surprised what a court order or a subpoena can turn up.
In this particular situation, this was very low risk and I was well within the laws of the land.
"Company Y."
"Hi there! Maybe you can help me. I've been trying to reach Company X, but their line keeps cutting me off. It makes some weird buzzing noise and then disconnects. It's very annoying. Anyway, I'm actually trying to reach someone there…" At this point, I told the nice admin assistant the name of my target. Let's just go with Jim. "…and the damn thing keeps disconnecting."
She now responds.
"Oh, that does sound annoying. Did you want me to try and transfer you?"
"You know, I'm not even sure I'm calling the right place now… I'm getting old…"
I let out a charming befuddled laugh, like if Hugh Grant was American… and worked in tech… and wore a puffy vest. I kept it light. She laughed. It was a good sign.
“I met Jim at the…” insert name of the entrepreneur event… “last month…”
Followed by some small talk about the event—she knew about it but didn't attend.
"You know," I interjected. "Jim told me to give him a call, but I couldn't get through. Does he happen to work with you folks at Company Y?"
"Oh no, he works upstairs. They are a separate company."
"Ah, I see. Is he up there right now?"
"I'm not sure. Did you want me to transfer you to their reception?"
"Sure. I mean… he does actually work in the office right? Actually working? Not like one of those remote guys I have to deal with who say they work?"
At this point, I let out a good laugh. I came off like an asshole.
*For what it's worth, I work remotely. It's the best.
She let out a bit of a laugh.
I don't know if it was real, or one of those fake 'I deal with frat tech bro assholes so often, I'm numb to the pain of this dick behaviour.'
Then came the information I needed.
"Oh no, he definitely works in the building. He's here for sure."
I let out a sort of chortle laugh? I don't know where it came from. All those years of dramatic productions in high school, I guess?
"That's good. I like him already. A Monday to Friday guy."
'A Monday to Friday guy?' The fuck does that even mean?!’
"Yep," she responded, sounding a bit bothered. "He's probably there. Can I transfer you now?"
"Oh, sure, thank you!"
There was a click and a moment of silence. I ended the call.
This was a simple solution. It’s not flashy or fancy. It’s old school. It doesn’t require the latest OSINT tools or Python coding. We had a lead, but it wasn’t solid. One option would be spending hours and hours trying to maybe shore it up, and another was just to pick up the phone and ask.
Yes, I got lucky that the companies worked closely together. If that hadn’t been the case, I would have probably called the office of Company X and run a similar play, taking on slightly more risk.
What made the difference, I think, was taking a beat to reconsider all the options. There was another path here that would reduce the risk and provide a possible positive outcome.
Perhaps this is a lesson that 10-year-old me should have considered before calling that adults-only hotline back in 1995. Perhaps if I just paused, took a breath, and thought, “Should I actually do this?”
I know my parents would have been way less pissed…
This is gold!