Center of Excellence Column: Unlocking GitHub for OSINT

This week in the Social Links Center of Excellence Column, we’re looking at using GitHub as a source for OSINT. Investigating suspects involves plenty of creative problem-solving, as an ongoing case usually requires more than simply checking the most popular online platforms. To expand your toolbox, we’re sharing our insights to show you a non-obvious source of information for investigators.

Let’s jump in!

What is GitHub?

First things first, many people’s impression of GitHub is that it’s “just a website for developers” or “a platform for source code hosting.” While these points are correct, it’s not the full story. GitHub is actually a social media platform. Here are the core elements of the website:

• Profiles. Accounts have profile pictures, bios, links to other social media pages, organizations, and personal details.
• Collaboration. The platform enables discussions, project forking (copying the code for personal development), and pull requests (suggesting changes to the code).
• Networking. Users can subscribe to other profiles and repositories (source code) and track the activities of codebases.

So, going onto the GitHub Homepage, a logged-in user will see a news feed, updates from people they follow, and subscriptions. Additionally, notifications about the latest activities in the repositories, pull requests, and even project suggestions would be visible. Looks very much like a social media platform, right?

GitHub as an OSINT Source

Since the website is so similar to social platforms, SOCMINT (Social Media Intelligence) techniques can provide plenty of insight for experts. An investigator can simply understand a developer’s social network, which organizations they work in, special interests, and skills by studying the user’s profile. However, this is not all that hides under the Git mechanism.

On the platform, developers sign every code change (called a “commit” on the platform) with their name and email. However, it’s pretty common for developers to use different emails and aliases for commits due to misconfigurations. 

So, let’s say we have an anonymous GitHub account as our target. We can study their projects to find the different usernames and email addresses that the person uses. Moreover, given that the platform launched in 2008 and the current user base is around 100M, it’s possible to collect a person’s entire career history easily.

Using GitHub for OSINT Investigations

Let’s look at a practical example to better illustrate the potential of GitHub as a source of information. Imagine we are dealing with a hacker who’s causing problems with malware. We only have a link to the target’s GitHub repository. First, we have tools that can greatly help our investigation—octosuite, GitFive, and Gitcolombo.

Let’s imagine a scenario where we’re looking for the suspect’s personal email, social media accounts, and real name. With the help of GitFive, we put in the repository of the target, and the tool identifies other mail addresses belonging to the suspect. Additionally, the software also provides the usernames tied to the address.

After we have the different email addresses, we look at the suspect’s aliases. One handy feature of GitFive is that the tool can search for name variations to see if there are any matches. So, in a few clicks, we get the possible aliases of the target in addition to their real name. Using this information, we can continue our investigation on other social media platforms to see if any handles match existing accounts.

And that’s the end of our piece about GitHub as an OSINT source. Investigators must consider all possible avenues during a case. Experts can stay one step ahead of malicious actors by using all the resources at their disposal.