
Analyzing Telegram chats and channels.

Regular expressions in OSINT in practice

cyb_detective

Picture source: https://freesvg.org/img/logo-telegram.png

Reading other people’s conversations in public Telegram chats can sometimes be very boring and tedious.
And unfortunately, often it may not yield any results.

But sometimes people inadvertently leave various personal data in public groups that can greatly advance an
investigation: emails, links to their social networks and sites, real names and surnames, phone numbers, and
much more.

This article will show you how to analyze Telegram chats faster and easier.

How to know which group chats a person is communicating in

There are a lot of bots in Telegram that use the username to find out which groups a user has joined. Most of
them are paid, but as a test they offer the opportunity to make a couple of requests for free. For example:

There are quite a lot of such bots, and you can find them on your own in directories or with the help of Telegram
search engines.

The effectiveness of the bot depends on the number of indexed groups in its database. And different bots
produce different results (because they have different databases of indexed groups).

Therefore, it is better to check one user in several bots at once.


lyzem.com

You can also search by username in Telegram search engines like https://lyzem.com/, but this does not
always yield results (and it always shows only a small fraction of the chats in which the user
participates).

Therefore, it is worth trying different methods. It is also worthwhile to search for a user’s nickname in
Google, as well as other services for Telegram searches, which I will discuss in the next section.

How to find Telegram chats by keywords

Another way to find in which group chats a person communicates is to simply check each chat related to his
profession, hobby, location (public group of a neighborhood or an apartment complex), etc.

Teledago: https://cse.google.com/cse?&cx=006368593537057042503:efxu7xprihg#gsc.tab=0

You can do it with any Telegram search engine. You can find a list of them in my collection, but I prefer
Teledago to any other.

This service is based on Google Custom Search Engine technology. It searches through dozens of domains at
once, all of which index data from Telegram:

Tgstat;

Telegramindex;

Telegramdb;

Telemetr;

and more.

To search only for chats, add “inurl:chat” to the search query.

How to export Telegram chat history


This chat is just an example. I would not recommend communicating in such chats.

1. Open the Windows or macOS version of the Telegram client on your computer (the Linux version most likely
also has this function, but I haven’t checked).

2. Click on the three dots in the upper right corner of the screen.

3. Click “Export chat history”.


4. Be careful when configuring chat export settings. If the chat is large, don’t forget to increase the file size
limit to the maximum (assuming you have free space on your hard drive).

5. Click export and wait.

The export is completed.

6. When a message appears telling you that the export is complete, click “Show my data” to open the folder
with the resulting files.

Chat Export Files

7. That’s it! Now you can open files in a browser or text editor and analyze them.

Done! You can start analyzing!

Just in case, let me remind you that in Telegram, you can export the history not only of group chats, but also
of conversations between two people and posts of channels.

Some words about other messengers


Chrome Web Store

It’s worth clarifying that the methods described below (with minor syntax changes) are universal and can be
used to analyze not only Telegram chats, but also other popular messengers.

For example, WhatsApp has a “chat backup” function (More options > Settings > Chats > Chat backup)
and Viber has “email chat history”.

There are also various third-party applications for exporting chats, such as Signal Backup or Discordmate —
Discord Chat Exporter. On GitHub and the Chrome Web Store you can find similar solutions for a variety of
messaging and social networking applications.

What tools can be used to analyze chats

Picture source: https://github.com/dmuth/splunk-telegram/blob/main/img/pa-furry-stats.jpg

Below I’ll show you how to examine chats for important information using Sublime Text and Google
Sheets, but that doesn’t mean it’s the optimal solution.

You can also use any other text editor that supports regular expressions, various command line utilities and
Chrome extensions to search using regular expressions (like find+).

In addition, you may like specialized tools for analyzing Telegram chats:

Splunk Telegram (visualizes data)

Telegram Message Analyzer (probably a little out of date)

Biba and Boba (finding correlations between people)

And now a little practice

Search for all messages from a specific person in the export results files

macOS Finder

1. Select all the files, right-click and use the context menu to open them in Sublime Text.

If you are going to analyze several chats, then try to export each of them first, then collect all the files in
one folder and open messages from all chats to be analyzed at once. This will help save time.

2. Click Find -> Find in files, paste this regular expression into the text field and click Find:

<div class="from_name">\nMatthew(.|\n)*?<div class="body">


Remember to replace Matthew with any username you are interested in.

3. This will open a new file with lines containing URLs from all currently open files.

4. To quickly go to the file where the link you are interested in is mentioned — just click on the line
number on the left.

Find potentially interesting information in the user’s messages

1. Open “Find results file”.

2. Click Find -> Find…

3. Put this regular expression in the search field:

https?:\/\/(www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b([-a-zA-Z0-9()@:%_\+.~#?&//=]*)

4. Click Find all.

This will find all messages from a particular user that contain links to websites or accounts in Telegram.

Similarly, other potentially interesting data can be found:

Emails

[a-zA-Z0-9.!#$%&'+-/=?\^_`{|}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)+

Regex for finding emails

Phone numbers in different formats:

[\+]?[(]?[0-9]{3}[)]?[-\s\.]?[0-9]{3}[-\s\.]?[0-9]{4,6}

Regex for finding phone numbers

Any six-digit number

\d{6}

Regex for finding any six-digit number (if you replace the digit 6 with another digit, you can find a number
with any number of digits)

Bitcoin Wallet Address

(bc1|[13])[a-zA-HJ-NP-Z0-9]{25,39}

Ethereum wallet address

0x[a-fA-F0-9]{40}

Similarly, you can find the wallet addresses of any cryptocurrency, as well as strings corresponding to many
different patterns.
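
The two steps above (filter one sender's messages, then run the patterns over them) can be done in a single pass with a script. This is an added example, not code from the article: it uses the article's patterns typed with ASCII hyphens and quotes, and it assumes the HTML export layout in which follow-up messages marked `joined` carry no `from_name` block, so the sender is carried forward from the previous message. The sample export and the helper names are constructed for illustration.

```python
import re
from html import unescape

# The article's patterns, typed with ASCII hyphens/quotes; the email dot is escaped.
PATTERNS = {k: re.compile(v) for k, v in {
    "url": r"https?:\/\/(www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b([-a-zA-Z0-9()@:%_\+.~#?&//=]*)",
    "email": r"[a-zA-Z0-9.!#$%&'+-/=?\^_`{|}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)+",
    "phone": r"[\+]?[(]?[0-9]{3}[)]?[-\s\.]?[0-9]{3}[-\s\.]?[0-9]{4,6}",
    "btc": r"(bc1|[13])[a-zA-HJ-NP-Z0-9]{25,39}",
    "eth": r"0x[a-fA-F0-9]{40}",
}.items()}

def _msg(text, sender=None):
    """Build one constructed message block (assumed export layout)."""
    cls = "message default clearfix" + ("" if sender else " joined")
    name = f'<div class="from_name">\n{sender}\n</div>\n' if sender else ""
    return (f'<div class="{cls}" id="m">\n<div class="body">\n{name}'
            f'<div class="text">\n{text}\n</div>\n</div>\n</div>\n')

# Constructed sample data; none of these identifiers are real.
SAMPLE = (_msg("my site is https://example.org/about, mail matt@example.org", "Matthew")
          + _msg("or call (555) 010-4477, wallet 0x" + "ab" * 20)  # joined: no from_name
          + _msg("see https://example.com/other", "Alice"))

def messages(html):
    """Yield (sender, text); 'joined' blocks inherit the previous sender."""
    sender = None
    for block in re.split(r'(?=<div class="message )', html):
        joined = re.match(r'<div class="message [^"]*\bjoined\b', block)
        name = re.search(r'<div class="from_name">\s*(.*?)\s*</div>', block, re.S)
        if name and not joined:
            sender = unescape(name.group(1))
        text = re.search(r'<div class="text">\s*(.*?)\s*</div>', block, re.S)
        if text:  # strip inline tags, then decode HTML entities
            yield sender, unescape(re.sub(r"<[^>]+>", " ", text.group(1)))

def extract(html, who):
    """Collect every pattern hit from messages attributed to `who`."""
    hits = {kind: [] for kind in PATTERNS}
    for sender, text in messages(html):
        if sender == who:
            for kind, rx in PATTERNS.items():
                hits[kind] += [m.group(0) for m in rx.finditer(text)]
    return hits

if __name__ == "__main__":
    for kind, found in extract(SAMPLE, "Matthew").items():
        print(kind, found)
```

On the constructed sample, the phone number and wallet address sit in a `joined` message, which is why the sender has to be carried forward rather than matched only where `from_name` appears.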

Thank you so much for visiting my blog and reading the rest of this article!

More about how to compose regular expressions and use them for OSINT:

How regular expressions can be useful in OSINT. Theory and some practice using Google Sheets

More about how to use Sublime Text:

7 of my favourite simple Sublime Text features for finding and extracting text
