I have taken some time off lately, and utterly enjoyed it! But it was about time I did some writing again... No Week in #OSINT yet, but something else.

Because I wanted to share my thoughts on what I call "black box OSINT" tools 👇

https://sector035.nl/articles/blackbox-osint

With version 4.2.0 Mastodon added full text search. People asked for a better guide, so I am trying to create one. If I missed something or there is a mistake, please let me know in the comments. You can write a comment by replying to this post in the Fediverse, simply copy the URL, search for it in your Fediverse-client and reply to it.

Limitations of Mastodon search

Because the Fediverse is distributed, there is no way to search through all posts. You can only search through posts that are known to the instance that you are using. That are posts from accounts on the same instance, the posts reposted by accounts on your instance and posts from accounts that are followed by at least one account of your instance.

While there is the saying that elephants don’t forget anything, Mastodon software is intentionally forgetful. By default it forgets (removes from it’s database) posts from other servers that are older than 7 days. That means that you can probably only find posts from other instances from within the last 7 days. Correction: The Mastodon setting for removing posts from other instances is turned off by default. It depends on the setting of your instance how far back you can find posts from other instances.

Finally, you can find only posts that are public and from an account that set their posts to be searchable. The default of the default setting is set for posts to not be searchable. Admins can change the default for the default and users can override it either way.

Exception: You can always search through your own posts, posts that mention you and posts you faved.

Mastodon Search Operators

Post content
wordA wordB By default Mastodon will look for all words that you entered (separated by a space) in any order anywhere in the post.
“wordA wordB” With quotation marks, you will only get results that contain those words in that order without any words between them. They may be separated by multiple spaces, line breaks or even special characters.

User
from:username shows you posts from the user with the username username. For people from other instances, you have to use the full username. Eg: from:[email protected]
from:me yields posts from yourself.

Time
before:2024-04-25 shows posts that were before 25th of April 2024. Without posts posted on 2024-04-25.
after:2024-04-25 shows posts that were posted after 25th of April 2024. With posts posted on 2024-04-25.
during:2024-04-25 shows posts that were posted on 25th of April 2024. Short form for after:2024-04-25 before:2024-04-26

All three operators use your local timezone not UTC like it was on Twitter. I am not aware of an option to narrow search down to hours or minutes.

Language
language:en finds posts in English. language:de German posts. You can use all ISO-639-1 language codes and a few ISO-639-3 ones.

Type
is:reply to only get replies.
is:sensitive to only get posts with a content notice.

Features
has:media for posts with attached images or videos.
has:image for posts with attached images.
has:video for posts with attached videos.
has:link for posts with URLs.
has:poll for posts with polls.
has:embed for posts with embeds. Not previews, actual embeds like a video that you can watch without leaving your client.

Index
in:library Your own posts, posts that mention you and your favs.
in:public Public, searchable posts known to your server.
in:all Combines both options and is the default. You don’t need to use this explicitly.

Exclude
You can exclude a searchterm -wordA or any of the other operators -is:reply. There is + as well, but because the default behaviour is to combine the operators, you don’t need that.

Source: Testing and Mastodon source code.

Combining operators/filters

You can combine multiple operators to narrow down your results. Mastodon will only show posts that match all operators. I am not aware of an option to search for posts that match either one operator or another one.

Funfacts/quirks

is: and has: are treated the same way. As a result you can either search for has:image or is:image and get the same results. In the case of replies, this is misleading. has:reply does not find posts that have replies, but posts that are replies.

https://lucahammer.com/2024/04/25/mastodon-advanced-search-guide-and-operators

#Fediverse #Mastodon

Here's another short Monday update with some OSINT tips and news, thanks to:

@polianalytical @gralhix and the awesome GingerT/cqcore

https://sector035.nl/articles/2024-05