Buscador – A VM for Hackers, Researchers & Investigators
Buscador is a Linux Virtual Machine that is pre-configured for online investigators and doxers.
Hackers can think of the Buscador OSINT virtual machine as an OSINT-focused version of Kali Linux. Based on Ubuntu rather than Debian, Buscador does not include the formidable set of cyber weaponry that Kali boasts, instead hand-picking a collection of useful OSINT, privacy, and capture tools into one stealthy package. Because avoiding detection is a goal that both investigators and hackers share, Buscador comes with Tor preinstalled and boasts other helpful privacy tools.
Buscador VM is also capable of being booted from a USB thumb drive on any available computer, as well as being loaded onto the hard disk and booted directly. This allows the flexibility of using it anywhere you have access to a computer, regardless of whether or not you have your personal device with you. At 3.5 GB, the VM image is compact and easy to carry on a flash drive that’s 8 GB or more.
Extensively documented in Mike Bazzell’s book, “Open Source Intelligence Techniques,” Buscador encourages good research habits and empowers researchers to find more clues in their investigations. Some familiar tools such as Maltego, Recon-ng, Creepy, Spiderfoot, TheHarvester, Sublist3r, and other tools we’ve covered on Null Byte are preinstalled.
It was developed by David Westcott and Michael Bazzell, and distributions are maintained on this page. The current build is 5GB and includes the following resources:
Custom Firefox Browser & Add-Ons
Custom Chrome Browser & Extensions
Tor Browser
Custom Video Manipulation Utilities
Custom Video Download Utility
Amass
BleachBit
EmailHarvester
ExifTool
EyeWitness
Ghiro
GIMP
Google Earth Pro
HTTrack Cloner
InstaLooter
KeePassXC
Kleopatra
Knock Pages
LibreOffice
LinkedInt
Maltego
Metagoofil
MediaInfo
Metadata Anonymisation Toolkit
PhoneInfoga
Photon
ReconDog
Recon-NG
SkipTracer
SocialMapper
Spiderfoot
StegoSuite
SubBrute
Sublist3r
theHarvester
Tinfoleak
Twint
Twitter Exporter
VeraCrypt
VLC
Yubico Utilities
You will need a Virtual Machine application in order to use this system. VirtualBox is free and will suffice for most investigations. Some users prefer a more robust option with VMWare Workstation for Windows or VMWare Fusion for Mac. Any of these options will get you started.
VirtualBox Installation and Configuration:
* Make sure you have the latest version of VirtualBox and the VirtualBox Extension Pack installed
1) In the VirtualBox menu, click on File > Import Appliance
2) Navigate to the OVA file that was downloaded (Buscador)
3) Choose this file and select “Import”
4) Before starting the new machine, highlight it and choose “Settings”
5) Under General > Basic, rename this machine as desired (Buscador?)
6) Under General > Advanced, change Shared Clipboard to Bi-Directional
7) Under System > Motherboard, increase the RAM if you have ample resources (half of total system)
8) Under Display > Screen, increase the Video Memory to 128MB if available
9) Under Shared Folders, click the “plus” on the right, choose folder to store evidence, select “Auto-Mount”
10) Click “OK” twice, then launch the new machine (Double Click)
11) Upon boot, log into the user “osint” with the password of osint
12) In the VirtualBox Menu, select Devices > “Insert Guest Additions CD Image”
13) Click “Cancel” when the dialogue box pops up.
14) Open Terminal (Tilix)
15) In Terminal, create a directory on the Desktop titled vbox: mkdir ~/Desktop/vbox
16) Copy everything from the CD media on the Desktop to vbox folder (copy/paste)
17) In Terminal, input the following commands:
cd Desktop/vbox
chmod +x *.sh
./autorun.sh
(type password when prompted)
18) Allow the image to be installed, and reboot upon completion.
19) Start the Terminal in the new VM and type sudo adduser osint vboxsf
20) Provide the password as needed (osint)
21) Reboot
You should now have access to the shared directory in order to save data to the host operating system (evidence). It can be found in the File Manager (Home), on the left column, titled “sf_” followed by the name of the folder to which it is connected. This shared folder will also be on your desktop for easy access. You can make the machine full-screen, copy and paste text to and from the image, and you are ready to begin using the applications.
VMWare Installation and Configuration:
1) In the VMWare menu, select File > Import > Select OVA
2) Select the location where the VM will be imported. Click “OK”. Click “Retry” if the initial import fails
3) Power on the VM and log into the OS
4) Install VMware tools as appropriate for your version:
VMWare Fusion: In the menu, select Virtual Machine > Install VMware Tools
VMWare Workstation: In the menu, select VM > Install VMware Tools
VMWare Player: In the menu, select Player > Manage > Install VMware Tools. Note:
5) Open (Double Click) the VMware Tools CD mounted on the desktop
6) Right-click the file that is similar to VMware.xx.tar.gz and click Extract to, and select Desktop
7) Open Terminal (Select ‘No’ to avoid an update) and type cd Desktop/vmware-tools-distrib
8) Type sudo ./vmware-install.pl and enter password (OSINT).
9) Type Y when prompted about downloading from the Linux repository
10) Accept all default values by striking the enter/return key at every prompt.
11) Reboot the VM
12) Enable Shared Folders from the file menu: Settings > Options > Shared Folders (Always Enabled)
13) Add a Shared Folder by selecting the desired folder on the host OS
14) Create a shortcut to the shared folder on the desktop with the following command in the terminal:
ln -s /mnt/hgfs/foldername /home/osint/Desktop/Shared_Folder
A great feature of virtual machines is the use of Snapshots. These “frozen” moments in time allow you to revert to an original configuration or preserve an optimal setup. Most users install the virtual machine as detailed above, and then immediately create a snapshot of the unused environment. When your virtual machine eventually becomes contaminated with remnants of other investigations, or you accidentally remove or break a feature, you can simply revert to the previously created snapshot and eliminate the need to ever re-install.
VirtualBox use of Snapshots
1) Completely shut down the Virtual Machine
2) In the VirtualBox Menu, click on the Snapshots button in the upper right
3) Click on the blue camera icon to “take a snapshot”
4) Create a name and any notes to remind you of the state of the machine, such as “New Install”
5) Click OK
You can now use your virtual machine as normal. If you ever want to revert to the exact state of the machine that existed at the time of the snapshot, follow these instructions:
1) Completely shut down the Virtual Machine
2) In the VirtualBox Menu, click on the Snapshots button in the upper right
3) Select the desired snapshot to apply
4) Click on the blue camera icon with arrow to “restore snapshot”
5) Click Restore
Optionally, if you ever want to remove a snapshot, simply use the icon with a red X. This will remove data files to eliminate wasted space, but you cannot restore to that image once removed. It will not impact the current machine state. Many users remove old, redundant snapshots after creating newer clean machines.
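The VirtualBox import and configuration steps above, together with the initial "New Install" snapshot from the snapshot section, as a VBoxManage script. This is an added example, not code from the Buscador project; it checks the downloaded OVA against the MD5 listed in the download section before importing, and the VM name "Buscador", 4 GB of RAM and the ~/evidence folder are assumed values that can be overridden through environment variables.

```shell
#!/bin/sh
# Added example, not part of the Buscador project: the VirtualBox import/configuration
# steps and the "New Install" snapshot as a VBoxManage script, with the OVA checked
# against the MD5 from the download section before anything is imported.
# Usage: sh setup_buscador.sh Buscador.ova
# Assumed values: VM name "Buscador", 4 GB RAM, evidence folder ~/evidence (override via env).
set -eu

VBOX=${VBOX:-VBoxManage}                  # VBOX=echo prints the commands instead of running them
VM_NAME=${VM_NAME:-Buscador}
EVIDENCE_DIR=${EVIDENCE_DIR:-${HOME:-/tmp}/evidence}
RAM_MB=${RAM_MB:-4096}
# MD5 published on the download page for the VirtualBox 2.0 OVA (January 2019 release).
EXPECTED_MD5=${EXPECTED_MD5:-09dd771716502771af5f2bb86835e6c2}

# Returns 0 only if the file's MD5 equals the expected value. This catches a corrupt
# or truncated download; MD5 is not collision resistant, so it is not proof of origin.
verify_md5() {
    actual=$(md5sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# Steps 1-3: import the OVA under the chosen machine name.
import_ova() {
    "$VBOX" import "$1" --vsys 0 --vmname "$VM_NAME"
}

# Steps 5-9: bi-directional clipboard, RAM, 128 MB video memory, auto-mounted evidence folder.
# (--clipboard-mode is the 6.1+ spelling; older releases call the same option --clipboard.)
configure_vm() {
    "$VBOX" modifyvm "$VM_NAME" --clipboard-mode bidirectional --memory "$RAM_MB" --vram 128
    mkdir -p "$EVIDENCE_DIR"
    "$VBOX" sharedfolder add "$VM_NAME" --name evidence --hostpath "$EVIDENCE_DIR" --automount
}

# Snapshot of the untouched import, taken while the machine is still powered off.
snapshot_clean() {
    "$VBOX" snapshot "$VM_NAME" take "New Install" --description "clean import, before first boot"
}

main() {
    ova=$1
    if ! verify_md5 "$ova" "$EXPECTED_MD5"; then
        echo "MD5 mismatch for $ova: refusing to import" >&2
        return 1
    fi
    import_ova "$ova"
    configure_vm
    snapshot_clean
    echo "$VM_NAME imported; guest additions and 'sudo adduser osint vboxsf' still run inside the VM."
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Guest Additions (steps 12-21) still have to be installed from inside the running VM as described above; the script only prepares the machine and freezes its clean state.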
VMWare Use of Snapshots (VMWare Workstation or Fusion, NOT Player)
1) Completely shut down the Virtual Machine
2) In the VMWare Menu, click on the Snapshots button in the upper right
3) Click on the camera icon to “take” a snapshot
4) Create a name and any notes to remind you of the state of the machine, such as “New Install”
5) Click Take
You can now use your virtual machine as normal. If you ever want to revert to the exact state of the machine that existed at the time of the snapshot, follow these instructions:
1) Completely shut down the Virtual Machine
2) In the VMWare Menu, click on the Snapshots button in the upper right
3) Select the desired snapshot to apply
4) Click on the camera icon with arrow to “restore” a snapshot
5) Click Restore
Optionally, if you ever want to remove a snapshot, simply use the “delete” icon. This will remove data files to eliminate wasted space, but you cannot restore to that image once removed. It will not impact the current machine state. Many users remove old, redundant snapshots after creating newer clean machines.
It is suggested to enable VMware autoprotect snapshots, set to daily, and limit the snapshot count to 3. Autoprotect snapshots are an easy way to always have a snapshot to revert to. The following steps will enable this feature.
1) Select the virtual machine and select VM > Settings
2) On the Options tab, select AutoProtect and select Enable AutoProtect
3) Select the “Daily” interval between snapshots
4) Select the maximum number of AutoProtect snapshots to retain (Recommended “3”)
5) Select OK to save your changes
After the maximum number of AutoProtect snapshots is reached, Workstation deletes the oldest AutoProtect snapshot each time a new AutoProtect snapshot is taken. This setting does not affect the number of manual snapshots that you can take and keep.
You can use a Yubikey as a second factor for login from your Virtual Machine:
VirtualBox (Stable):
In the Buscador Terminal, copy/paste each line and click Enter:
wget "https://raw.githubusercontent.com/Yubico/yubikey-personalization/master/69-yubikey.rules" -O /tmp/69-yubikey.rules
wget "https://raw.githubusercontent.com/Yubico/yubikey-personalization/master/70-yubikey.rules" -O /tmp/70-yubikey.rules
sudo mv /tmp/69-yubikey.rules /etc/udev/rules.d/69-yubikey.rules
sudo mv /tmp/70-yubikey.rules /etc/udev/rules.d/70-yubikey.rules
Shut Buscador down completely
Insert Yubikey into computer
VirtualBox > Settings > Ports > USB > Click Icon with green “+”, select Yubikey, click OK
Remove Yubikey
Start Virtual Machine, boot completely into Buscador
Insert Yubikey
Attach the Yubikey in VirtualBox > Devices > USB > Yubikey
In the Terminal, type:
wget "https://raw.githubusercontent.com/beast-fighter/saves_the_day/master/activate_yubikey.sh"
chmod +x activate_yubikey.sh
./activate_yubikey.sh
When prompted, press Enter
When prompted to “Commit”, type y and hit Enter
Shut down Buscador completely
Remove Yubikey
Restart system, try to login with Yubikey (Fail)
Insert Yubikey, login (Success)
You may need to try the password twice
VMWare (Experimental):
In the Buscador Terminal, copy/paste each line and click Enter:
wget "https://raw.githubusercontent.com/Yubico/yubikey-personalization/master/69-yubikey.rules" -O /tmp/69-yubikey.rules
wget "https://raw.githubusercontent.com/Yubico/yubikey-personalization/master/70-yubikey.rules" -O /tmp/70-yubikey.rules
sudo mv /tmp/69-yubikey.rules /etc/udev/rules.d/69-yubikey.rules
sudo mv /tmp/70-yubikey.rules /etc/udev/rules.d/70-yubikey.rules
Shut Buscador down completely
Insert Yubikey into computer
Open the .vmx file of your VMware image in a text editor
Add the following at the end of the .vmx file: usb.generic.allowHID = "TRUE"
Save the .vmx file
Start Buscador
Go to USB devices in the VMWare Menu and click on the Yubico.com device.
In the Terminal, type:
wget "https://raw.githubusercontent.com/beast-fighter/saves_the_day/master/activate_yubikey.sh"
chmod +x activate_yubikey.sh
./activate_yubikey.sh
When prompted, press Enter
When prompted to “Commit”, type y and hit Enter
Shut down Buscador completely
Remove Yubikey
Restart system, try to login with Yubikey (Fail)
Insert Yubikey, login (Success)
You may need to try the password twice
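The udev rule download from both the VirtualBox and the VMware Yubikey sections, plus the .vmx edit from the VMware section, as an added example (not code from the Buscador project or from Yubico). Instead of moving the fetched files straight into /etc/udev/rules.d, each file is checked to contain only udev rule lines referring to the Yubico vendor id before it is installed; the rules directory, the vendor id 1050 and the --install flag are assumptions of this script.

```shell
#!/bin/sh
# Added example, not from the Buscador project or Yubico: the udev-rule steps of the
# VirtualBox and VMware Yubikey sections, with each downloaded rules file validated
# before it lands in /etc/udev/rules.d, and the .vmx edit done idempotently.
# Usage: sh yubikey_rules.sh --install      (assumed flag; functions only otherwise)
set -eu

RULES_BASE="https://raw.githubusercontent.com/Yubico/yubikey-personalization/master"
RULES_DIR=${RULES_DIR:-/etc/udev/rules.d}
VENDOR_ID="1050"   # USB vendor id of Yubico devices (assumed here); the rules must refer to it

# A rules file is accepted only if every non-comment line starts with a udev key and
# operator (ACTION!=, SUBSYSTEM==, ATTRS{idVendor}==, MODE=, TAG+=, GOTO= ...) and at
# least one rule matches the Yubico vendor id. Anything else is refused, not installed.
validate_rules() {
    f=$1
    [ -s "$f" ] || return 1
    if grep -Ev '^[[:space:]]*(#|$)' "$f" |
       grep -Evq '^[A-Z][A-Z_]*(\{[^}]*\})?[[:space:]]*(==|!=|\+=|:=|=)'; then
        return 1
    fi
    grep -q "idVendor}==\"$VENDOR_ID\"" "$f"
}

# Fetch one rules file to a temporary path, validate it, then install it root-owned, 0644.
install_rules() {
    name=$1
    tmp=$(mktemp)
    wget -q "$RULES_BASE/$name" -O "$tmp"
    if ! validate_rules "$tmp"; then
        rm -f "$tmp"
        echo "refusing to install $name: unexpected content" >&2
        return 1
    fi
    sudo install -m 0644 -o root -g root "$tmp" "$RULES_DIR/$name"
    rm -f "$tmp"
}

# VMware section: append usb.generic.allowHID = "TRUE" only if the .vmx lacks the key,
# so running the step twice does not leave duplicate entries.
enable_vmx_hid() {
    vmx=$1
    if grep -q '^usb\.generic\.allowHID' "$vmx"; then
        return 0
    fi
    printf 'usb.generic.allowHID = "TRUE"\n' >> "$vmx"
}

main() {
    for r in 69-yubikey.rules 70-yubikey.rules; do
        install_rules "$r"
    done
    sudo udevadm control --reload-rules      # apply without the full shutdown/reboot cycle
    sudo udevadm trigger --subsystem-match=usb
}

if [ "${1:-}" = "--install" ]; then
    main
fi
```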
Download Buscador
Buscador for VirtualBox:
Version: 2.0
Release: January 2019
GDrive Download (OVA file)
Checksum (MD5):
09dd771716502771af5f2bb86835e6c2
This is an OVA file that should work in any version of VirtualBox, including Windows, Mac, and Linux.
Buscador for VMWare:
Version: 2.0
Release: January 2019
GDrive Download (OVA file)
Checksum (MD5):
27f2d1ba37d1a15531ff34a050012ef4
This is an OVA file that should work in any version of VMWare, including Workstation, Fusion, and Player.
Main website – inteltechniques
FAQs
What is the password for Buscador OSINT?
Run Buscador for the First Time: after Buscador boots, you should find yourself at a login menu with a spooky OSINT guy, possibly a self-portrait of Mike Bazzell, as the wallpaper. The default username is osint, and you can log in with the password osint.
Buscador (noun): browser [noun] (computing) a computer program for searching, especially on a worldwide network; search engine [noun] (computing) a computer program that helps users to find information on the Internet; searcher [noun].
What is the best OSINT virtual machine?
- Tool #1: Trace Labs OSINT VM Version 2. Creator: Trace Labs (@TraceLabs)
- Tool #2: OSINT Framework. Creator: Justin Nordine (@jnordine)
- Tool #3: email2phonenumber. ...
- Tool #4: SpiderFoot. ...
- Tool #5: Phonebook.cz. ...
- Tool #6: sublist3r. ...
- Tool #7: theHarvester. ...
- Tool #8: GitGot.
Inspired by the infamous Buscador VM, the Trace Labs OSINT VM was built in a similar way, to give OSINT investigators participating in the Trace Labs Search Party CTFs a quick way to get started with access to the most popular OSINT tools and scripts, all neatly packaged under one roof.
How is OSINT used by hackers?
Hackers can use OSINT techniques to find vulnerabilities in an organization's web applications and infrastructure. This info could be used to exploit these weaknesses and gain access to sensitive data in their network. The accuracy of data found online can be unreliable.
How do I break into OSINT?
To begin, select a single piece of information such as your full name, email address or username/alias, then start Google dorking and searching social media sites. Google's multitude of search operators is one of your most powerful skills; use it to find as much initial information as possible.
Does the CIA use OSINT?
About the Job: As an Open Source Exploitation Officer (OSEO) for CIA, you will discover, collect, and assess foreign-based, publicly available information, also known as Open Source Intelligence (OSINT), in a dynamic, ever-expanding digital environment.
OSINT does not require its exponents to hack into systems or use private credentials to access data. Viewing someone's public profile on social media is OSINT; using their login details to unearth private information is not. In intelligence agency terms, OSINT is also information drawn from non-classified sources.
How long does it take to learn OSINT?
This program is completely online and self-study once the modules are released, and is delivered over a 6-week period. One module is released each week to study, learn, and test your competency. Every week students will participate in a number of hands-on labs using the methodologies taught during that week.
Is OSINT free to use?
Almost all of the tools that are linked to an OSINT Framework are free, while the few remaining ones might ask for a small subscription fee.
What is an example of OSINT?
Open source data is any information that is readily available to the public or can be made available by request. OSINT sources can include: newspaper and magazine articles, as well as media reports; academic papers and published research.
Do private investigators use OSINT?
OSINT is commonly used within a range of sectors, including the military, federal agencies, law enforcement, insurance, private investigations, the legal sector, and investigative journalism.
Is OSINT legal?
OSINT is completely legal because it only uses information that is available through “open sources”. This means that it doesn't include information that is kept within your organisation's database, but rather just information available from public sources.
What is Shodan search?
Shodan (Sentient Hyper-Optimised Data Access Network) is a search engine designed to map and gather information about internet-connected devices and systems. Shodan is sometimes referred to as a search engine for the internet of things (IoT).
How does the government use OSINT?
Government agencies use automated OSINT tools, alongside other cybersecurity tools, to detect and prevent cyberattacks. Analysts utilize these tools to monitor surface web and dark web paste sites, discussion forums, and digital marketplaces to uncover any discussion of breached data and planned cyberattacks.
What are the three types of OSINT?
Different Kinds Of OSINT Gathering: OSINT gathering is done by using one of three primary methods: passive, semi-passive, and active. Using one rather than another depends on the scenario and the kind of intelligence that you are interested in.
OSINT is primarily used in national security, law enforcement, and business intelligence functions and is of value to analysts who use non-sensitive intelligence in answering classified, unclassified, or proprietary intelligence requirements across the previous intelligence disciplines.
How much do OSINT analysts make?
How much does an OSINT Analyst make? As of Jan 9, 2023, the average annual pay for an OSINT Analyst in the United States is $85,570 a year. Just in case you need a simple salary calculator, that works out to be approximately $41.14 an hour. This is the equivalent of $1,645/week or $7,130/month.
Can you be a spy for the CIA?
The first place most people hoping to land a spy job usually look is the U.S. Central Intelligence Agency (CIA). Though the CIA never has and never will use the job title “Spy,” the agency does hire a few select people whose job is to gather military and political intelligence from around the world, in essence, spies.
What can you get from OSINT?
Conducting risk assessments: OSINT can gather information on an organization's operations, assets, and employees, allowing organizations to conduct thorough risk assessments and identify potential vulnerabilities or weaknesses in their networks.
Is doxxing OSINT?
Doxing is a form of Open Source Intelligence. The word originated from an abbreviation of the term “dropping documents.” Doxing is the dark side of OSINT. It is the act of compiling a dossier against the victim and publishing it online. Anyone can fall victim to doxing.
Why do we need OSINT?
OSINT tools support enterprise security teams in identifying and responding to these risks. Social media networks provide real-time updates from on-the-ground threats near executives and other physical assets like offices, employees, and corporate events.
Is OSINT a skill?
Open Source Intelligence (OSINT) skills are used for reconnaissance and data gathering using publicly available information (i.e., search engines, public repositories, social media, etc.) to gain in-depth knowledge on a topic or target.
What is OSINT CIA?
Open-Source Intelligence (OSINT) can be described as publicly available information appearing in print or electronic form including radio, television, newspapers, journals, the Internet, commercial databases, and videos, graphics, and drawings (from www.dni.gov).
What is passive OSINT?
Passive OSINT: collecting with a wide and invisible net. Information collected passively might include the headlining articles on a global online news source, or the popular posts of a public social media user. While in search of passive OSINT, users may also want to avoid drawing attention to their activities.
Law enforcement investigators can use geolocations to collect open source intelligence (OSINT), searching for clues on the whereabouts of potential suspects. This process of geographic research using publicly available information (PAI) is called Geolocation OSINT.
Can you make money from OSINT?
Open Source Intelligence (OSINT) companies can make money in a few ways. Most common is generating content and pulling in the associated advertising revenue. For example, Jane's Defence Weekly is a well-known OSINT publication. A large OSINT service, like Jane's, may also aggregate and sell collected data.
What are OSINT investigations?
Open-source intelligence (OSINT) enables investigators to use open-source software to gather and analyse data from open-data sources. Social media investigation is a branch of OSINT that entails gathering and analysing information from social media networking platforms, blogs, forums, photo/video sharing platforms, etc.
Can a private investigator track your IP address?
A private investigator has the proper system and computer forensics training to follow the digital footprints criminals leave, tracking down cell phone numbers, IP addresses, social media accounts, email addresses, and even the specific devices used to perpetrate these crimes.
What do private investigators use to search?
To achieve this goal, private investigators employ many different methods and techniques. These can include canvassing neighborhoods, talking with people who may have useful information, running background searches on the target individual, as well as using surveillance.
How do private investigators track people down?
A licensed private investigator runs legal searches of cell phone records through databases, networking, personal contacts, and even various surveillance techniques. A private investigator is trained to work within the law on how to investigate any outgoing or incoming call records to keep the investigation ethical.
What is an OSINT account?
Open-Source Intelligence (OSINT) Meaning: Open Source Intelligence (OSINT) is a method of gathering information from public or other open sources, which can be used by security experts, national intelligence agencies, or cybercriminals.
Maltego – an OSINT tool for gathering information and bringing it all together for graphical correlation analysis. Metasploit – a powerful penetration testing tool that can find network vulnerabilities and even be used to exploit them.
How much do OSINT investigators make?
On average, OSINT investigator jobs may earn you around $102,600 annually, or approximately $49.33 per hour.