Favicons on websites are graphic elements that show up in the form of a small icon – be it in a browser tab panel next to the website’s name, or in bookmarked links to websites.
You can also see favicons in Google search results if you wrap a website’s name in quotation marks, as in the search results below:
Links to favicons on specific target websites can be located by viewing the webpage’s source code. To do so, right-click the page, choose View page source, open the browser’s find-in-page function (typically Ctrl + F) and search for one or more of the following values:
- file extension – for example .jpg, .png, .gif, .ico – traditionally, the dominant favicon file format has been .ico (“icon file”) and it still is frequently encountered, but you also have the commonly recognised image file extensions. The drawback of this approach to source code searching is that in a graphically rich website it will return multiple images that were embedded in it – not just the favicon.
- sizes= – searching for this value will allow you to return image files with a defined pixel size – favicons typically have specific sizes, for obvious reasons of fitting into browser tabs and bookmarks. Traditional favicon size is 16×16 pixels, but baseline sizes of 32×32 and 64×64 pixels are also relatively common nowadays. Larger favicon sizes usually cater to mobile devices, smart TVs, etc.
- rel="icon" – this attribute value marks the image used as a favicon. Often this might be the quickest and the most convenient search value to go for.
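The same source-code search can be scripted. The following is an added example, not code from the original post: it collects every `<link>` element whose rel value names an icon, reads its sizes, resolves the href against the page URL and marks icons served from a different host than the page. The function names, the sample page and the example.com / example.net hosts are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page and URL (not taken from a real site).
SAMPLE_URL = "https://www.example.com/login/index.html"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/style.css">
<link rel="shortcut icon" href="/static/favicon.ico" sizes="16x16 32x32">
<link rel='apple-touch-icon' sizes='180x180' href='https://cdn.example.net/touch.png'>
</head><body><img src="/banner.png"></body></html>"""

def parse_sizes(value):
    """Turn a sizes value such as '16x16 32x32' into [(16, 16), (32, 32)]."""
    pairs = (token.partition("x") for token in value.lower().split())
    return [(int(w), int(h)) for w, _, h in pairs if w.isdecimal() and h.isdecimal()]

class FaviconLinkParser(HTMLParser):
    """Collects <link> elements whose rel value names an icon."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.icons = page_url, []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        # rel is a space-separated token list ("icon", "shortcut icon",
        # "apple-touch-icon"); accept any token that ends in "icon".
        rel = a.get("rel", "").lower().split()
        if tag != "link" or not a.get("href") or not any(t.endswith("icon") for t in rel):
            return
        url = urljoin(self.page_url, a["href"])
        self.icons.append({
            "rel": " ".join(rel),
            "url": url,
            "sizes": parse_sizes(a.get("sizes", "")),
            # True when the icon is served from a different host than the page.
            "external": urlparse(url).hostname != urlparse(self.page_url).hostname,
        })

def find_favicons(html, page_url):
    """Return every declared favicon, or the /favicon.ico default if none is declared."""
    parser = FaviconLinkParser(page_url)
    parser.feed(html)
    parser.close()
    if not parser.icons:
        # With no <link> icon, browsers request /favicon.ico from the site root.
        return [{"rel": "(default)", "url": urljoin(page_url, "/favicon.ico"),
                 "sizes": [], "external": False}]
    return parser.icons

if __name__ == "__main__":
    for icon in find_favicons(SAMPLE_HTML, SAMPLE_URL):
        print(icon)
```

Unlike a plain search for file extensions, this skips the stylesheet and the embedded banner image and returns only the icon declarations.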
FAVICON TYPES & SIZES
- Regular desktop browser favicon – 16×16
- Taskbar shortcut icon – 32×32
- Desktop shortcut icon – 96×96
- Google TV – 96×96
- iPhones – 120×120; 180×180
- iPads – 152×152; 167×167
- Chrome web store icon – 128×128
- Android Chrome icon – 196×196
Favicons have several use cases, unrelated to our use case of website OSINT.
The most common of those include:
- Optimised browser tab navigation
- Better user experience in browser and on the web
- Increased search engine optimization score (SEO) for a website
- Brand recognition & reputation building
- Browser activity tracking – see this Vice article and a blog post by Bruce Schneier.
As I previously mentioned in a blog post on investigating phishing campaigns from several years ago: in the case of fraudulent websites, a favicon is often copied or directly linked from the original page that is being impersonated, in order to bolster the impression of legitimacy.
The most obvious aim of favicon research in this case is to identify rogue websites that impersonate legitimate entities. Sadly, some of the tools used in the last example no longer work – so here’s a ne