Updated: May 2
We have seen an explosion in growth and increasing interest in Mastodon – so, what is it and how do we investigate the platform? In this blog, we’ll focus on tools and techniques to investigate both the users and those who host Mastodon servers (also known as ‘Instances’).
What is Mastodon?
Mastodon is a social network, but there are some key points that make it different. For starters, it’s an open-source platform – unlike Twitter or Facebook. Mastodon is decentralized, meaning that there is no one server, company or person running it. Posts are limited to 500 characters and are displayed in chronological order (not based on an algorithm).
How does decentralisation work?
Anyone can create their own Mastodon server (called an Instance) and set their own rules. Those who join a particular instance must comply with the moderation policies and rules set by its owner and the community that runs it.
How do these Instances communicate with one another?
Users can also follow users on other instances – this is referred to as ‘Federation’. While each instance of Mastodon is privately operated, its users can still communicate with members of other servers, much like email (you can communicate with people using different email providers). Some instances are invitation-only, and communities that want to remain private can choose not to federate with other Instances.
As an example, go to https://fediverse.party/en/portal/servers/ to see the different types of themes applied to servers – each of these servers is geared towards something specific, but can still see posts from other servers.
What about attribution?
Operational security (OPSEC) encompasses the infrastructure, tools, and techniques you use to manage your online footprint or your "attribution". In an online context, this is largely referring to the ability of a third party to identify who you are, who you work for, and your intent and capability, among other things.
For Mastodon, there are a few things to keep in mind:
Data is not end-to-end encrypted (this includes direct messages), and the administrators of a server can see that content. This extends to subscriber information for your account – the email address you signed up with, any name or phone number you supplied, the IP addresses you connected from, and details about your browser and device.
Mastodon itself does not collect or monetise user data the way mainstream social media platforms do, but nothing stops an individual server administrator from collecting user data to sell or misuse.
The physical and cyber security of servers is likely to be weaker than that of commercial platforms.
As with any public-facing social platform, users who expose details of their lives online open themselves up to various risks.
Remember, anyone can set up a Mastodon instance. This means that it’s hard to know if a server owner is truly who they say they are.
What are the implications of using of this platform?
Mastodon is different, and these differences have implications:
Anti-abuse tools exist, but they don’t operate from a central authority, so there is no established set of rules across the entire Mastodon community. This is different from platforms such as Facebook.
The server administrator is responsible for setting and enforcing the rules on their instance, and those rules can vary. For example, a Mastodon community that promotes violent extremism, or a group of users associated with human exploitation, can establish their own rules and server standards, and this creates another online setting that can facilitate illegal activity.
Most mainstream social media platforms have established processes for responding to subpoenas and requests from law enforcement agencies. Whilst some of the more popular Mastodon instances will support law enforcement data requests, others will not.
Instances and users can obfuscate information about who they are, making investigations difficult.
To sign up, a user only needs to have an email address, and the ability to verify that email.
The sites https://joinmastodon.org/servers or https://instances.social provide various servers that you can join (you need to make an account with at least one server) – you can choose to join a generic or topic-specific server depending on your operational requirements and accessibility.
In most cases, you can follow any other person on the Mastodon network, regardless of which server their account is hosted on (unless that server has been made private). Within Mastodon, you can easily move your profile to a different server at any time without losing any followers, for example if you receive an invite to join another server of higher interest.
Searching for a User
Searching for a particular user generally requires a combination of third-party tools and native searching with an account, like most social media. To search natively within the platform, you will usually need both the username and the server (a Mastodon handle takes the form @username@server) to find a person of interest. Even if you don’t know the server, however, it is still worth attempting to locate the profile with just the username. Keep in mind that Mastodon servers return limited results by design and only allow limited filtered searching.
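Under the hood, a handle of the form @username@server is resolved with a WebFinger query (RFC 7033) to `https://<server>/.well-known/webfinger?resource=acct:username@server`, which every Mastodon instance answers publicly. The following Python is an added example, not code from the original post: it splits a handle, builds the query URL, and pulls the profile page and ActivityPub actor URL out of the response. The handle `alice@mastodon.example` and the JSON response are constructed samples in the shape Mastodon returns; the code does not go on the network.

```python
"""Resolve a Mastodon handle to its profile/actor URLs via WebFinger (added example)."""
import json
import re
from typing import Dict, List, Tuple
from urllib.parse import quote

# user@server, with or without the leading '@' that Mastodon displays
HANDLE_RE = re.compile(
    r"^@?(?P<user>[A-Za-z0-9_.-]+)@(?P<server>[A-Za-z0-9.-]+\.[A-Za-z]{2,})$"
)

# rel values Mastodon uses in its WebFinger links
PROFILE_REL = "http://webfinger.net/rel/profile-page"
ACTOR_REL = "self"
ACTOR_TYPE = "application/activity+json"


def parse_handle(handle: str) -> Tuple[str, str]:
    """Split '@alice@mastodon.example' into ('alice', 'mastodon.example')."""
    m = HANDLE_RE.match(handle.strip())
    if not m:
        raise ValueError(f"not a user@server handle: {handle!r}")
    return m.group("user"), m.group("server").lower()


def webfinger_url(handle: str) -> str:
    """Build the WebFinger query URL the investigator (or Mastodon itself) would fetch."""
    user, server = parse_handle(handle)
    resource = quote(f"acct:{user}@{server}", safe=":@")
    return f"https://{server}/.well-known/webfinger?resource={resource}"


def candidate_urls(username: str, servers: List[str]) -> List[str]:
    """If only a username is known (e.g. carried over from Twitter), produce one
    WebFinger URL per candidate server so each can be checked in turn."""
    return [webfinger_url(f"{username}@{s}") for s in servers]


def extract_links(webfinger_json: str) -> Dict[str, object]:
    """Pull the human profile page and the ActivityPub actor URL from a response."""
    doc = json.loads(webfinger_json)
    out: Dict[str, object] = {
        "subject": doc.get("subject"),
        "aliases": doc.get("aliases", []),
        "profile": None,
        "actor": None,
    }
    for link in doc.get("links", []):
        if link.get("rel") == PROFILE_REL:
            out["profile"] = link.get("href")
        elif link.get("rel") == ACTOR_REL and link.get("type") == ACTOR_TYPE:
            out["actor"] = link.get("href")
    return out


# Constructed sample response (same shape as a real Mastodon WebFinger reply).
SAMPLE_RESPONSE = json.dumps({
    "subject": "acct:alice@mastodon.example",
    "aliases": [
        "https://mastodon.example/@alice",
        "https://mastodon.example/users/alice",
    ],
    "links": [
        {"rel": PROFILE_REL, "type": "text/html",
         "href": "https://mastodon.example/@alice"},
        {"rel": ACTOR_REL, "type": ACTOR_TYPE,
         "href": "https://mastodon.example/users/alice"},
        {"rel": "http://ostatus.org/schema/1.0/subscribe",
         "template": "https://mastodon.example/authorize_interaction?uri={uri}"},
    ],
})

if __name__ == "__main__":
    print(webfinger_url("@alice@mastodon.example"))
    for url in candidate_urls("alice", ["mastodon.example", "social.example"]):
        print("candidate:", url)
    print(extract_links(SAMPLE_RESPONSE))
```

The actor URL is the more stable pivot: it is what other servers store when they federate with the account, so it survives profile renames, and fetching it with `Accept: application/activity+json` returns the account's public ActivityPub document.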
Two third-party tools for keyword searches across different Mastodon instances are https://search.noc.social/ and https://fediverse.info/explore/people. It is important to note that these are not strictly username searches, but searches for keywords that appear in a person’s profile. These tools have significant limitations, one being the inability to search within posts (called Toots on Mastodon).
As reported by many sources, many people have moved to Mastodon from Twitter. Fortunately for the purpose of OSINT, many of them have kept the same username. To maintain persistent monitoring of persons or groups of interest, the following tools can be used to identify the Mastodon server a Twitter user has migrated to (they look for a Fediverse handle in the user’s Twitter profile fields) and therefore locate them on the new platform. Both require you to have a Twitter account, but are easy to use and can be found at https://fedifinder.glitch.me/# and https://debirdify.pruvisto.org/.
We have established that searching Mastodon can be quite difficult, at least in comparison to some other social networks. However, if a user seeks to promote their message or chooses to relate their activity to a location, event, thing, or person, they’ll likely use a hashtag. Again, we can search natively within the platform or by using https://mastovue.glitch.me. Use a well-connected instance and use the “federated” search option to broaden results.
Tracking hashtags can be helpful in monitoring events or conducting area assessments using "ground truths" from insights made accessible through Mastodon (and other social media). For this use-case, begin by conducting keyword investigations of an area (ideally using multiple keywords), and then aim to locate high-yield accounts worth monitoring. This should help you to better understand area atmospherics and establish social pattern-of-life for an area.
Searching Mastodon Servers: Macro
The site https://fediverse.observer/map is useful for community profiling and contains an online map showing Mastodon servers worldwide (based on server location). You can browse active Mastodon servers and collect information about each instance, especially those that have been created to serve a specific location, such as a city or country. The map can also be used to profile the number of servers per country or understand a server’s location when investigating.
The Fediverse statistics tool https://fediverse.observer/stats can enable assessments about the online environment and trends, such as the uptake of Mastodon or future changes. This is useful for understanding peaks and troughs in activity and interest in the platform over time, and understanding community reactions to major global events, or significant actions that greatly impact the online environment. Whilst the exactness of what is occurring may be difficult to define, the inferences will remain useful.
Observable HQ allows for interactive real time visualisation, which shows the number of new users and posts on Mastodon Instances in the last 6 hours, 24 hours, 72 hours or the last month.
Searching Mastodon Servers: Micro
As already mentioned, anyone can create their own Instance of Mastodon. On one hand, the community can create its own rules (which might be illegal in nature), but on the other hand, the server has its own domain, and this opens up significant opportunities for investigation.
We can use a variety of online tools to gain information about a server. In most cases, we simply need to copy and paste the server domain into each of these sites and record the relevant data points for our investigation. This might lead to investigational leads (external to OSINT) or pivot points that we can then search through other online sources.
Go to https://www.whoisxmlapi.com/ to find registrant information
Go to https://dnsdumpster.com/ to locate data about possible subdomains, server locations and other IP related information
Go to https://browserleaks.com/ip/ to find or help verify IP Information
Go to https://fediverse.observer/, a Mastodon specific tool, to discover some technical information about a server of interest
A note on IP addresses: An IP address is a unique identifier for a device connected to the internet (or a local network). Larger entities are likely to have dedicated servers – the IP is not shared with other domains. Smaller/hobby websites are likely to share an IP with other sites on the same server, and many instances sit behind a CDN or reverse proxy, in which case the address you see belongs to the proxy provider rather than the origin server. IPs may provide information about the location, connections, and history of a web presence – but there are limitations, such as data accuracy or the fact that unrelated websites may be hosted on a single server. As with all things OSINT, verifying your findings is very important!
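Beyond the domain-level tools above, a Mastodon server also describes itself over two public endpoints: `/.well-known/nodeinfo` (which points at a NodeInfo document giving the software, version, user counts and whether registrations are open) and `/api/v1/instance` (title, admin contact, registration policy, rules and federation stats). The following Python is an added example, not code from the original post: it derives the URLs to fetch for a server and summarises the three responses into the data points an investigator records. All three JSON documents below are constructed samples in the shape Mastodon returns, and `mastodon.example` is a placeholder; nothing here touches the network.

```python
"""Summarise a Mastodon server's public self-description (added example)."""
import json
from typing import Dict, List, Optional

NODEINFO_REL = "http://nodeinfo.diaspora.software/ns/schema/2.0"


def discovery_urls(server: str) -> List[str]:
    """Normalise 'https://Mastodon.Example/' to a bare host and list the two endpoints."""
    server = server.strip().lower().rstrip("/")
    for scheme in ("https://", "http://"):
        if server.startswith(scheme):
            server = server[len(scheme):]
    return [f"https://{server}/.well-known/nodeinfo",
            f"https://{server}/api/v1/instance"]


def nodeinfo_href(well_known_json: str) -> Optional[str]:
    """Pick the NodeInfo 2.0 link from /.well-known/nodeinfo (fall back to any link)."""
    links = json.loads(well_known_json).get("links", [])
    for link in links:
        if link.get("rel") == NODEINFO_REL:
            return link.get("href")
    return links[0].get("href") if links else None


def summarise_nodeinfo(nodeinfo_json: str) -> Dict[str, object]:
    d = json.loads(nodeinfo_json)
    software = d.get("software", {})
    usage = d.get("usage", {})
    users = usage.get("users", {})
    return {
        "software": software.get("name"),
        "version": software.get("version"),
        "open_registrations": bool(d.get("openRegistrations", False)),
        "users_total": users.get("total"),
        "users_active_month": users.get("activeMonth"),
        "local_posts": usage.get("localPosts"),
    }


def summarise_instance(instance_json: str) -> Dict[str, object]:
    d = json.loads(instance_json)
    contact = d.get("contact_account") or {}
    stats = d.get("stats") or {}
    return {
        "domain": d.get("uri"),
        "title": d.get("title"),
        "email": d.get("email"),
        "admin_handle": contact.get("acct"),
        "registrations_open": d.get("registrations"),
        "approval_required": d.get("approval_required"),
        "known_domains": stats.get("domain_count"),
        "rules": [r.get("text") for r in d.get("rules", [])],
    }


def profile_server(well_known_json: str, nodeinfo_json: str,
                   instance_json: str) -> Dict[str, object]:
    """Merge the three documents and add the checks an investigator would note."""
    profile: Dict[str, object] = {"nodeinfo_url": nodeinfo_href(well_known_json)}
    profile.update(summarise_nodeinfo(nodeinfo_json))
    profile.update(summarise_instance(instance_json))
    notes: List[str] = []
    if profile["registrations_open"] and not profile["approval_required"]:
        notes.append("registrations are open without approval: anyone with an "
                     "email address can create an account, so expect throwaways")
    if not profile["email"] and not profile["admin_handle"]:
        notes.append("no published admin contact: expect difficulty with data requests")
    if not profile["rules"]:
        notes.append("no server rules published")
    profile["notes"] = notes
    return profile


# Constructed samples in the shape the three endpoints return.
WELL_KNOWN_SAMPLE = json.dumps({"links": [
    {"rel": NODEINFO_REL, "href": "https://mastodon.example/nodeinfo/2.0"}]})
NODEINFO_SAMPLE = json.dumps({
    "version": "2.0",
    "software": {"name": "mastodon", "version": "4.1.2"},
    "protocols": ["activitypub"],
    "usage": {"users": {"total": 1834, "activeMonth": 412, "activeHalfyear": 903},
              "localPosts": 57210},
    "openRegistrations": True, "metadata": {}})
INSTANCE_SAMPLE = json.dumps({
    "uri": "mastodon.example", "title": "Example Mastodon",
    "email": "admin@mastodon.example", "version": "4.1.2",
    "registrations": True, "approval_required": False,
    "stats": {"user_count": 1834, "status_count": 57210, "domain_count": 9120},
    "contact_account": {"acct": "admin", "url": "https://mastodon.example/@admin"},
    "rules": [{"id": "1", "text": "No harassment"}]})

if __name__ == "__main__":
    print(discovery_urls("https://Mastodon.Example/"))
    print(json.dumps(profile_server(WELL_KNOWN_SAMPLE, NODEINFO_SAMPLE,
                                    INSTANCE_SAMPLE), indent=2))
```

The `version` string and `known_domains` count are worth recording on each visit: the first tells you how promptly the operator patches, and the second shows how widely the instance federates, which is what decides whether posts from elsewhere will even be visible when you search from it.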
Searching for specific Mastodon users generally requires a combination of third-party tools, and native searching with an account, much like other social media. But what sets Mastodon apart is the ability to obtain information about the particular server that hosts the information – this can be completed on both a macro and micro scale. As with all social media investigations, we seek to gather the relevant data points for our investigation. This might lead to investigational leads (external to OSINT) or pivot points we can search through other online sources.
Further reading on Mastodon: https://www.secjuice.com/mastodon-osint-a-comprehensive-introduction/
If you are interested in more detailed OSINT training, please look at our in-person training courses, or our online, self-paced options here. Alternatively, contact us on firstname.lastname@example.org to learn about our bespoke training offerings.