Updated: Dec 28, 2022
Welcome back, my aspiring OSINT investigators!
There is SO much information available to us on the Internet that sometimes it can be overwhelming in its scope. It is up to the professional OSINT investigator to find the key data source and extract the necessary information.
In some investigations, we may have information on the Wi-Fi AP that the suspect connected to through various sources including their registry entries. In other cases, we might suspect that the suspect has used their phone as an AP to tether to other devices. In either case, the location of the AP may provide us information as to the location or movements of the suspect.
Wigle (Wireless Geographic Logging Engine)
Wigle.net is a website that consolidates location and other data on wireless networks around the world. This data is collected by volunteers who download an app to their phones and the app logs all the AP's they encounter and their GPS coordinates. All this data is then fed into the Wigle database. This data is then presented to users in an easy-to-use website and app like below.
If you are not familiar with Wi-Fi terminology and technology, go to the Wi-Fi section of Linux Basics for Hackers or the "Wi-Fi Hacking" chapter of Getting Started Becoming a Master Hacker.
Just a few key terms that you need here.
AP - the Wi-Fi Access Point
SSID- the Server-Side Identifier. This is the name that identifies the AP
BSSID- this is the globally unique MAC address of the device
Step #1: Finding the Location of the Suspect's AP
In some investigations, we may know the name of the AP the suspect has connected to and need to obtain the location. This may come from the suspect's Windows registry or the mobile device. In either case, Wigle can be helpful in locating the AP the suspect was connected to and, thereby, gain the location of the suspect.
For instance, let's assume the suspect's registry contains the AP SSID "Big Black". Let's also assume, we need to determine where the suspect had traveled to, where they may be a suspect in a crime.
Open the Wigle website and click on View. A drop down menu will appear and click on Basic Search.
We need to now enter the term "Big Black" in the SSID section of the search parameters such as below.
This reveals tens of these AP's with that SSID in the Western US. When we click on the AP with the MAC address f9:AB:54:53:B8:FE, the map reveals that this "Big Black" AP is located in southern Montana.
We can double click on this AP and zoom to find that it just outside Bozeman, MT.
To get a better picture of the location, we can zoom in and switch to satellite view. This reveals that this AP was recorded near this ranch on S. 19th Ave, south of Bozeman. It is likely that the AP is transmitting from that ranch, but the other possibility is that it may have been recorded from a vehicle passing on that road.
To determine if that AP SSID belonged to a location and ranch, we can search by the globally-unique MAC address or BSSID. If this BSSID appears in other locations, it is likely that this AP is mobile and not static, making our search more difficult.
Let's enter the BSSID and search the entire US. If it is a mobile AP, it will likely appear in other locations. When we search by this BSSID, we can see that the only location recorded of that BSSID it at that ranch near Bozeman.
That's where our suspect is or was located in the recent past!
Step #2: Locating a Target by Their Tethered AP SSID
In many cases, people use their phone as a tethering AP. You probably have done it. You needed a Wi-Fi AP at a remote location or where the available Wi-Fi was very slow or expensive. If you did, Wigle probably recorded it!
Let's navigate to the Las Vegas, NV area in the US on Wigle. There we can click on the Search button.
Let's assume that we know the target is using an iPhone. We can search for all AP's with iPhone in their name by using the wildcard % (this represents zero or any number of characters before the term) and before the word "iPhone" such as;
This should capture all AP's with an SSID that ends in the term "iPhone".
This type of generic search reveals--as you would expect--a multitude of iPhones being used as AP's in the Las Vegas area.
To narrow our search, we can add the user's name with the generic iPhone suffix such as jens-iPhone.
As you can see above, this narrowed our search considerably, revealing fewer AP's that all include the AP SSID jens-iphone.
By clicking on any of the jens-iphone instances, we can identify the exact location of jens-iphone on the Wigle map.
This location appears to be right next to the Tuscany Suites and Casino.
We can zoom in and switch to satellite view to find the precise location of this iPhone. As you can see below, jens-iphone appears in several location near the employee entrance and loading dock of Tuscany Suites and Casino
There is a very strong possibility that "jen" is an employee at that hotel?
Maybe what happens in Vegas really does stay in Vegas?
Wigle is one more tool that an OSINT investigator can use to attempt to locate a target. Given the name (SSID) of the AP the target has connected to in the past, (possibly from their registry) or interpolating their phone tethering name, we may be able to precisely determine their location.