Telerecon: The OSINT Framework for Deep Telegram Analysis
Telerecon is a comprehensive OSINT reconnaissance framework for researching, investigating, and scraping Telegram.
For example: Input a target username, and Telerecon efficiently crawls across multiple chats gathering profile metadata, account activity, user messages, extracting potential selectors, ideological indicators, identifying named entities, constructing a network map of possible associates, and a EXIF metadata geo-map, amongst various other analytics.
Other features of Telerecon include scraping Telegram channels/groups, automated forward mapping for exploratory network analysis, and conducting a channel community census.
Installation
Download all files and save them to the directory of your choice.
(If you have git installed, this can easily be done by navigating to the desired directory, opening it in Terminal, and running the following command)
Navigate to the primary Telerecon directory and install the requirements.
pip install -r requirements.txt
Download and install spaCy NER language model (optional, but required for NER parsing feature)
python3 -m spacy download en_core_web_sm
Obtain your Telegram API details from my.telegram.org noting your API key, hash, and phone number (international format). It is recommended that you do this with a burner phone/sock puppet account.
In terminal, navigate to the installation directory (eg, Telerecon-main) and run setup.py
python3 setup.py
As prompted by the script, input your Telegram API key, hash, and phone number (these details will be saved locally).
Telegram may message you a verification code, to confirm setup. If so input the verification code.
If prompted to “Please enter your phone (or bot token):” then you may need to re-input your account phone number (international format). Telegram will then message you the code (in Telegram) to verify your login “Please enter the code you received:”. This may not occur until you first try to use the script functions for the first time.
Telerecon is now installed, run launcher.py to use.
Use
Run launcher.py
python3 launcher.py
Select an option from the menu
If overwhelmed, try using the sample targeting workflow provided later in the Readme.
Options
Get user information: Search a @username and return any public user information (username, first name, last name, phone number, UserID, Bio, Online status, profile picture).
Check user activity across a list of channels: Iterate through a txt/csv directory list of Telegram channels, looking for any messages by the target username. (Assumes directory list is in the primary Telerecon directory).
Collect user messages from a target channel: Collect and compile any messages from the target username in a target channel. Option to also download media (NOTE – media download slows collection).
Collect user messages from a list of target channels: iterate through a txt/csv directory list of Telegram channels, collecting and compiling any messages by the target username. Option to also download media (NOTE – media download slows collection). Assumes directory list is in the primary Telerecon directory.
Scrape all messages within a channel: Collect and compile messages in a target channel. Download full history, last 24 hours, or custom date range.
Scrape all t.me URLs from within a channel: parses a channel and extracts all t.me URLs mentioned within. This is designed to easily create a Telegram directory.
Scrape forwarding relationships into target channel: Scrape forwarding relationships into a target channel. Exporting a Gephi optimised adjacency list, and URL directory of the discovered channels.
Scrape forwarding relationships into a list of target channels: Iterate through a txt/csv directory list of Telegram channels, scraping forwarding relationships. Exporting a Gephi optimised adjacency list, and URL directory of the discovered channels. Afterwards can use terminal commands to merge outputs. (i.e. merge URLs lists = cat *.csv | sort | uniq > combined.csv)
Identify possible user associates via interaction network map: Assumes user messages have already been collected. Constructs a network visualisation showing replies/interactions with other users (useful for identifying possible associates).
10. Parse user messages to extract selectors/intel: Outputting a report containing any potential phone numbers, emails, or other selectors based on regex and key phrase targeting (the report includes citations for ease of verification). Key phrases are customizable by editing the script.
Extract GPS data from collected user media: Assumes user messages have already been collected. Creates a compiled spreadsheet of extracted EXIF metadata from all images, and a map visualization displaying any extracted GPS metadata.
Create visulisation report from collected user messages: Assumes user messages have already been collected. Creates a comprehensive analytics report showing user postage patterns over time (useful for pattern of life analysis etc).
Extract named entities from collected user messages: Assumes user messages have already been collected. Creates a report containing extracted Person, Organisation, Location, and date entities extracted by named entity recognition. While not perfect, this function can be useful in identifying key entities for further investigation within big datasets.
Conduct a subscriber census across a list of target channels: Iterate through a txt/csv directory list of Telegram channels, reporting the number of subscribers/members.
Parse user messages for ideological indicators: Assumes user messages have already been collected. Outputs a report containing keyphrases that could indicate ideology (the report includes citations for ease of verification). Key phrases are customizable by editing the script. Default function parses text to detect hate speech/racism, white-identity-motivated extremism, conspiratorial ideation, sovereign citizen, and incel terminology. Note: Context is key, mentioning a keyword does not make a user ideologically motivated. However, this function is still useful for rapidly assessing a target.
Example Targeting Workflow
Directory creation – Telerecon allows you to search across multiple channels and groups for a target user’s activity/posts. However, this requires the creation of a directory of target Telegram channels to search across (Ex. This may be all chats in a geographic area or a target ideological grouping.). If you know the URLs of specific channels, you can manually create your own directory by simply making a csv/txt file with the list of target Telegram URL’s on each line. Option ‘6’ can allow you to scrape URLs from pre-existing Telegram directories (i.e. nzdirectory) to quickly build a list. Option ‘7’ utilizes exploratory forward mapping to discover related channels/chat groups and produce a list. Option ‘8’ can be used for a more comprehensive list. This file must be placed in the primary Telerecon directory.
Targeting
Run launcher.py
Select ‘1’ and input a target username (i.e. @Johnsmith), return to the launcher
When asked whether you would like to scrape posts, select ‘y’. Alternatively, select ‘4’. Input target username (i.e. @Johnsmith) and channel list (i.e. targetchats.txt). Choose whether or not to include media (media will take significantly longer). After running, return to the launcher.
Select ‘9’, input target username (i.e. @Johnsmith). After running, return to the launcher.
Select ’10’, input target username (i.e. @Johnsmith). After running, to the launcher.
(Skip if you didn’t download media) Select ’11’, input target username (i.e. @Johnsmith). After running, to the launcher.
Select ’12’, input target username (i.e. @Johnsmith) and define a timezone. After running, return to the launcher.
Select ’13’, input target username (i.e. @Johnsmith). After running, return to the launcher.
The analysis will be output into the Collection folder.
Tamil S
Tamil has a great interest in the fields of Cyber Security, OSINT, and CTF projects. Currently, he is deeply involved in researching and publishing various security tools with Kali Linux Tutorials, which is quite fascinating.