Hunting YouTube Content

A successful hunt for data includes dragging your prey home and preparing it for consumption. If you have a hungry client to feed, then you will have to chop up your prey into digestible chunks, cook it properly, and then serve it up all pretty-like on a fancy platter, because clients are picky eaters.

Here is what you need to make a delightful repast of what you find on YouTube.

After the disappearance of Google Reader, Feedly became the new standard in RSS readers. However, Feedly is much more than an RSS reader. It allows you to collect and categorize YouTube accounts.

For example, you can monitor the YouTube accounts of politicians, activists, or anybody else who posts a lot of YouTube videos. You get the latest uploads to their YouTube accounts almost instantly. This continuous stream of updated content can be viewed and played in Feedly and does away with individual manual searches of known YouTube accounts.

Of course, Feedly has other uses, but the YouTube use is the greatest time saver. The time saved can be applied to summarizing the video content and analyzing it in terms of how it relates to your client’s objectives.

Inoreader is another feed reader that can organise YouTube account feeds into folders along with a limited number of feeds from Twitter, Facebook, Google+ and VKontakte. It also allows the user to gather bundles of subscriptions into one RSS feed and export them to another platform to go along with the YouTube content.

Just paste the URL of a YouTube video into Amnesty International’s YouTube Dataviewer to extract metadata from the videos. The tool reveals the exact upload time of a video and provides a thumbnail on which you can do a reverse image search. It also shows any other copies of the video on YouTube. Use this to track down the original video and the first instance of the video on YouTube.

A lot of fake videos appear on YouTube. Anything worth reporting needs to be examined to see if it is a possible fake. The Chrome browser extension Frame by Frame lets you change the playback speed or manually play through the frames. This is the first step in uncovering a fake, and it is also an easy way to extract images from the video for inclusion in a report.

Of course, you will use the Download Helper browser extension, which is available for both Firefox and Chrome, to help download the videos. Just remember to set the maximum number of ‘concurrent downloads’ and ‘maximum variants’ to 20 and check ‘ignore protected variants’ to speed the process.

To make a long list of videos to download, you can use the browser extension Copy All Links, or Link Klipper or Copy Links in Chrome, to make a list of the links to every video you find. In addition to using this list in your report, you can turn it into an HTML page and then let Download Helper work away on it for hours, downloading all the videos for you.

Collecting all this video is the easy part. Sitting through all of it to extract useful data and then analysing it to see how it helps or hinders your client’s interests is the painful and expensive part, but it is the only way to cook up what the client wants to eat.

Forcing Firefox to Open Links in a New Tab

During a training class I watched everybody trudge around looking for lost search results. They tried reloading results pages, only to get distorted results. They kept losing the search engine results page and were getting lost in a sea of tabs. They wanted to know how to get “google search results” to open in a new tab.

Here is my solution for getting tabs to open where I want them to. In Firefox, go to ‘about:config’ in the address bar. In the config window search for these settings and change them as follows:

  • browser.search.openintab – if true, will open a search from the searchbar in a new tab if you use the return key to trigger the search
  • browser.tabs.loadBookmarksInBackground – if true, bookmarks that open in a new tab will not steal focus
  • browser.tabs.loadDivertedInBackground – Load the new tab in the background, leaving focus on the current tab if true
  • browser.tabs.loadInBackground – Do not focus new tabs opened from links (load in background) if true
  • browser.tabs.opentabfor.middleclick – if true, links can be forced to open a new tab if middle-clicked.

This is the type of ‘boring stuff’ that you must master if you want to do Investigative Internet Research and make any money at it. Clients won’t pay for wasted time. You may know where to hunt for data, but you need to also know how to get it into the larder before it goes bad.

The PI & OSINT

Finding and verifying social media content is becoming a greater concern for private investigators (PIs) and their clients. Unfortunately, most PIs do not possess the skills and resources to do this beyond the most rudimentary level.

Some investigation companies will try to build an in-house operation. They will buy technology, or spend money on subscriptions to tools that claim to do the work with a click of a button. This usually proves to be a costly expedition into the unknown that ends in failure. The purchased tools do not live up to their claims or clients usually want something the purchased tools and subscriptions don’t deliver.

Some investigation companies will send staff to courses to learn about sources. These are billed as Open Source Intelligence (OSINT) courses. Unfortunately, the OSINT concept usually misses the “intelligence” part, and it is more about gathering raw information than producing usable investigative reporting.

The ‘intelligence’ part is the expensive part. It involves time to conduct the analysis and many hours of learning to present the analysis along with the sources and methods reporting.

Producing a report that goes beyond the OSINT concept is not a secretarial task. Once you go beyond the popular OSINT concept, you start doing Investigative Internet Research (IIR).

Why You Can’t Dictate an IIR Report

Proper IIR reporting does not rely on haphazard Internet searches and does not dump a disorganised load of raw data from the Internet into a client’s inbox. Reports summarize then analyse the collected data and then explain the sources and methods used to collect data.

The researcher must understand how to use Word and other software because he cannot dictate IIR reports. A dicta-typist cannot produce an IIR report for the following four reasons:

  1. The person transcribing the dictation will not place images, graphs, and video clips properly, yet a picture, screenshot or video is worth a thousand words.
  2. There is no efficiency at all in dictating a URL and plenty of mistakes would result.
  3. Some Web site names are hard to pronounce and would lead to misspelling (although you might spell them out, there is still a risk).
  4. Whoever writes the report must have all the collected material at hand in order to create footnotes and appendices.

Now you know why the person doing the IIR must also prepare the report.

In the next few articles I will describe the tools and techniques that actually work, but there is no magic button that does the analysis for you.

News–A Better Form of Gossip

Things like Reddit can add to the chaos and anxiety surrounding a fast-moving event. For example, the subreddit on the Boston bombing just added to the chaos.

Reddit is a major media property where others, who should know better, quote the observations of Reddit editors. However, it is really a platform like Twitter. It only does corrections AFTER something is published. This can and does wreck lives especially when the traditional media piles on to amplify the effect. 

Both Buzzfeed and Reddit falsely named a missing student as a Boston bomber, when in fact, he committed suicide before the bombing.

To many, Twitter looks up-to-date as erroneous data is retweeted repeatedly. A Tweet from the hacker collective Anonymous to its hundreds of thousands of followers illustrates this effect: it identified the deceased student and stated that Reddit had discovered his identity. The denizens of heavily trafficked corners of the Internet quickly accepted that the deceased student was one of the people responsible, and that Reddit was the first to uncover this.

Journalists fed the rumor mill and jumped to conclusions in their reporting. This only fed the frenzy. Eventually, authorities found the body of the missing student and proved that he committed suicide before the bombing.

The Mac & Malware

Like many Mac users, I’m not too concerned about malware. Traditionally, the vast majority of these were directed at Microsoft OS platforms. But recent headlines prompted me to consider two pieces of Mac software: Avast Mac Security and Malwarebytes for Mac.

Malwarebytes seems particularly useful if you download software from questionable sources. I’m still not certain AV software is really needed.

Self-defence in Jail

In July 2016, Ontario Superior Court Judge Edward Morgan wrote an astounding judgement in favour of self-defence in R. vs. Michael Short.

Short shivved an assailant in a provincial jail. While Short is a violent gang member, the Judge understood that he had the right to defend himself with a weapon, even in a jail. This Judge understood that the poorly managed jails offered no protection to inmates facing unprovoked attacks.

Let’s hope more judges exhibit this level of understanding when faced with prosecutions of ordinary citizens who are forced to defend themselves.

Apple or Bust

My Linux experience seems to match that of Darryl Daugherty (@DarrylDaugherty) who is an IT start-up survivor turned commercial investigator and OSINT operator in Bangkok, Thailand. Like Darryl, with Linux, I spent too much time configuring and patching while never knowing what will break. The Apple is easier to live with–set it up once, harden it, and get to work.

I have been learning how to use the Apple computers for IIR. Thanks to many friends like Darryl who have used them for years, I feel like I am in good hands.

To avoid expensive errors while learning, I’m starting with a refurbished Mini made after 2010. These older models will upgrade to current versions of OS X (El Capitan) and they continue to enjoy Apple Software Updates.

You may ask, why a refurbished machine? The answer is simple: if I buy from Apple, then I get a full warranty on the machine. If I make a horrendous mistake in some security settings and modifications and permanently lock myself out of the machine (like not having the recovery key in FileVault2), then it won’t cost so much to start over.

Escaping Windows–Mac OS X

As you can see, I no longer trust MS Windows to keep my data private.

One alternative is OS X, which is a series of Unix-based graphical interface operating systems (OS) developed by Apple Inc. It is designed to run on Macintosh computers. It has been pre-installed on all Macs since 2002. This is a proven and reliable performer. Unfortunately, the switch to Apple can be expensive as it really does require Apple hardware for optimum performance.

The advantage of OS X is that it runs MS Office and that keeps the natives calm, even if they have to hunt and peck through the GUI to find things. The open source LibreOffice and Open Office are different enough from Word (and Excel) to drive the writers in your organisation, me included, absolutely mad. There really is a steep learning curve for a new word processor and spreadsheet software. Keeping MS Office also allows you to keep your templates intact. However, even on OS X, MS Office creates its own threat surface.

If you must harden MS Office by eliminating all macros, portable templates, and most of its network and workgroup features, then that is the point where LibreOffice or Open Office becomes a better option.

There is little risk of a serious malware infection of OS X itself, especially if you use Little Snitch. OS X is easier to configure for online security as most of the work has been done for you. This isn’t the case with most versions of Linux.

Hunchly & Casefile

As I move away from Windows due to privacy and security issues, I have been looking for new software for Investigative Internet Research (IIR). Taking Casefile from one OS to another has not created any problems.

I have been watching the development of Hunchly and have tried it on Windows, Mac, and the recent Linux release with success, and it works well with Casefile. The browser-based tool Hunchly creates local copies of every page visited during a session, and organises them into a searchable database for future reference. Hunchly is a Google Chrome extension. I have some privacy and security concerns about using Chrome, but the IIR world isn’t a perfect place.

Hunchly permits the use of “selectors,” such as a name or phone number, that save you from manually searching each page for the terms. In my opinion, this feature alone is worth the purchase price. The other useful features include:

  • being able to add notes to what you find
  • you can download notes as a Word document
  • all collected data is stored, tracked and accessed on your local machine–no security or privacy concerns about cloud use
  • you can export Hunchly data to a Casefile or Maltego graph.

Hunchly isn’t a replacement for Maltego, but it is a good tool for smaller IIR tasks that might later require the use of Maltego. The ability to export to Casefile or Maltego can help with further research and reporting the linkages within the collected data.

The Politics of Prohibition & the AR-15

All the unreasoned hoopla about the AR-15 brought on by the Orlando shooting is driven by treacherous pantywaists, commies, and crooks of all stripes. Their primary tool for gaining a prohibition of owning this rifle is the ignorance of urban voters. For the most part, these voters know nothing about existing gun laws, firearms, self-defence, hunting, or military service.

Partisan politics plays a large role in this. Gay and Muslim voters form a significant constituency for the left of centre political parties. This demands that these parties cannot acknowledge that religion or culture forms the foundation for many such atrocities. Therefore, the politicians cannot blame Muslim culture for creating this mass murderer. Certainly, they cannot blame the gay victims for not being manly enough to fight for their lives.

The Orlando shooter was a state licenced armed security guard and a poster child for gun control. He underwent two extensive background checks and a medical exam that determined that he had no condition that precluded performing armed duties. He was fingerprinted and all his identity papers were examined. He completed 60 hours of firearms training. He was required to renew his armed guard licence each year. The FBI investigated the shooter on two occasions and, it appears, actually removed him from the terror watch list. They cannot blame the FBI, Florida state bureaucrats, or the shooter’s employer, a government contractor, for lax or inept enforcement of laws or company policy.

Nor can politicians blame the police for not following the lessons learned from other mass shootings like the École Polytechnique shooting in Montreal. They can’t blame the tragically delayed and disorganised police response that caused more deaths. That only leaves one whipping boy, the AR-15—never mind that the Orlando shooter didn’t use an AR-15 but a Sig Sauer MCX.

What else could have been done–ban guns outright? When another terrorist attacks what then—ban homosexuality so the terrorists won’t hate us so much? The simple truth is, we can’t ban our way to safety; however, we can overreact and turn our society as dangerously totalitarian as anything ISIS can imagine.

Windows Telemetry

In August 2015, Microsoft delivered some ‘optional’ updates to Windows 7 and Windows 8 users (KB3075249, KB3080149 and KB3068708) that would provide the same telemetry data.

To disable this in Win 7 & 8, go to Start and type in services in the search box. Then click on Services. Go down the list in the left-hand pane and select Diagnostics Tracking Service and right click Properties. In Properties change Startup type to Disabled.
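The check described above, as an added PowerShell example that is not from the original post: it reports which of the three updates are installed and how the Diagnostics Tracking Service is configured, and disables the service only when run with the -Disable switch from an elevated prompt. The service short name DiagTrack and the -Disable switch are not on the page; DiagTrack is the name Windows uses internally for that service.

```powershell
# Added example: audit the Windows 7/8 telemetry updates and service.
# Read-only unless -Disable is passed. Written to work on PowerShell 2.0,
# which is what a stock Windows 7 machine has.
param([switch]$Disable)

# KB numbers exactly as listed in the text.
$telemetryKBs = 'KB3075249', 'KB3080149', 'KB3068708'

function Get-TelemetryUpdateStatus {
    param([string[]]$KBs)
    # Read the installed list once; Get-HotFix -Id raises an error for a
    # KB that is not installed, so compare against the full list instead.
    $installed = @(Get-HotFix | ForEach-Object { $_.HotFixID })
    foreach ($kb in $KBs) {
        New-Object PSObject -Property @{
            HotFixID  = $kb
            Installed = ($installed -contains $kb)
        }
    }
}

function Get-DiagTrackStatus {
    # WMI is used because Get-Service on PowerShell 2.0 does not expose
    # the startup type. Returns $null if the service does not exist.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='DiagTrack'"
    if (-not $svc) { return $null }
    New-Object PSObject -Property @{
        Name        = $svc.Name
        DisplayName = $svc.DisplayName
        State       = $svc.State      # Running / Stopped
        StartMode   = $svc.StartMode  # Auto / Manual / Disabled
    }
}

Get-TelemetryUpdateStatus -KBs $telemetryKBs |
    Format-Table HotFixID, Installed -AutoSize

$status = Get-DiagTrackStatus
if (-not $status) {
    Write-Output 'DiagTrack service is not present on this machine.'
} else {
    $status | Format-List Name, DisplayName, State, StartMode

    if ($Disable -and $status.StartMode -ne 'Disabled') {
        # Same effect as setting Startup type to Disabled in Services.
        Stop-Service -Name DiagTrack -Force
        Set-Service -Name DiagTrack -StartupType Disabled
        # Re-read so the report shows the state after the change.
        Get-DiagTrackStatus | Format-List Name, State, StartMode
    }
}
```

Re-running the script without -Disable after each round of Windows updates shows whether any of the three updates has returned or the service has been switched back on.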

Windows 10 comes with the telemetry feature enabled by default and this collects user activity and sends it to Microsoft. Once installed, it looks like there is no way to disable it completely using the Settings app for Home and Pro editions of Windows 10. Only Enterprise users can turn it off by editing the registry. The best practice is to install Win 10 using Microsoft’s Media Creation tool (see Windows 10 as Spyware) and then confirm that the telemetry is shut-off in the registry.

Due to complaints about Microsoft’s practices, the updates that scrape data from your computer now appear as telemetry updates or as security updates to IE. As more people object, expect these updates to appear in a different guise.

Disabling the WIN 10 Upgrade Nagging

In June 2016, this nagging became much more intrusive. MS began squatting on your machine with the Win 10 install files. They then began installing Win 10 without warning on unsuspecting users.

Given the privacy and security concerns with Win 10, you may not want to be nagged to update. Here’s how to stop the Windows 10 upgrade notifications and run Windows 7 or 8 forever.

There are a few methods which worked in the past but no longer stop the nagging and surreptitious install of Win 10. Never10 is the current tool that most easily disables the upgrade.

Windows 10 as Spyware

Current users of Windows 7 or 8 have been offered free upgrades to Windows 10. This would be tempting except for the liability that this may create. As we all know, there is no such thing as a free lunch.

Many experts deem lots of the new so-called features to be spyware. It is one thing to find an application misbehaving; it is entirely different to use an OS designed to allow Microsoft (MS) to monetize your data and squat on your computer hard drive. Built into the Windows 10 OS are spying and data-mining features that deliver data to MS which MS then uses to generate profits.

The long-winded Microsoft Services Agreement runs to 40,000 words of impenetrable legalese and you must agree to everything in it to get your new OS. Unfortunately, or is it predictably, the agreement appears to grant Microsoft the right to read, save, and share anything stored on or accessed using any computer running MS Windows as well as any computer using MS products or services. By default, all of this snooping is turned on and I have serious concerns that it may be impossible to entirely prevent this snooping.

Portions of Microsoft’s privacy policy, which is part of the services agreement, indicate that MS may use a keylogger to collect users’ data. This means, if you open a file and type, MS has access to what you type, and the file containing what you type. This may also apply to voice information from speech processing software. Of course, MS offers a way to shut-off all this logging, but you have to believe that it actually works and stays off.

If you are careful in planning your upgrade to Windows 10, and if you have the technical knowledge, then you can probably upgrade the OS while preserving your professional obligation to protect client confidentiality and privacy, at least initially.

To maintain privacy and confidentiality you should use Microsoft’s Media Creation tool. This gives you a copy of the OS installation files. You’ll need at least a 6 GB USB drive. You can use it on multiple PCs. During an upgrade, the installation will look to see if you already have a product key. To do a clean install you may need to have your Windows 7 or 8 product key. You should tape it on your PC. Keep the USB since there’s no other way to get back to Windows 10 if anything unexpected happens. Doing the installation otherwise may allow MS to scrape data from your computer.

By clicking on “Express Settings” during installation you give away your contacts, calendar details, text and touch input, location data, and a whole lot more. It is clear that MS wants to monetize the confidential information on your computer. This creates a serious liability for Canadian private investigators who maintain personal identifiers and other confidential information on Windows 10 machines. Under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), by accepting the terms of the Microsoft Services Agreement you have chosen to share this information and in most cases that may be illegal. Accepting this agreement may also put private investigators in contravention of their licencing statutes.

If you click on the small “Customise settings” button at installation, you must toggle many settings on two pages to ‘off’. Don’t forget to include Wi-Fi Sense. Using the Privacy App to turn-off the data stream to MS for those who have already installed the OS using “Express Settings” will be even more confusing to the average user. After doing all the above, Windows 10 continues to send confidential data to MS unless you dig into the registry and group policy editor. Stopping the snooping will disable many features like the digital assistant Cortana that MS is marketing as a reason to upgrade to Windows 10. However, what I am describing here only describes what we can see. Without conducting packet-level analysis, we don’t really know what data is being sent back to Microsoft, and by which service.

You will also need to go into Windows Firewall and turn-off the rules that allowed a whole slew of Microsoft applications to transmit information.

Windows 10 Home comes with full-disk BitLocker encryption. To enable it, you must use a Microsoft account and the recovery key needed to decrypt your drive resides on Microsoft’s servers. Doing this violates your professional obligations. However, Windows 10 Pro doesn’t have this restriction: you can use BitLocker with a local account and keep your key out of the cloud. Most investigators would use Windows 10 Home and theoretically, a third party could decrypt their drives remotely.

The data stream from your PC to MS is bad enough, but somebody will learn to intercept this data stream and this will leave you open to a targeted attack. If the hacker releases the stolen data and it is tracked back to you or your computer, then your career is likely over. You can expect some form of action under PIPEDA and/or prosecution under your licencing statute. This data breach will almost certainly result in a civil suit and adverse publicity. Who would hire a PI or researcher like that?

Another concern is how updates are delivered. Like Bittorrent, Win 10 updates will be distributed from other Win 10 PCs. This presents an extreme risk, as you don’t know where the update is really coming from. You have to know enough to choose how your updates are delivered.

Privacy & the PI

Let’s address this situation realistically from the perspective of the PI or researcher determined to use Windows 10.

Let’s assume that you are a trusting individual. You trust MS, government officials, litigants, lawyers, and everybody else to not understand or care that you accepted the Microsoft Services Agreement that grants MS access to all your confidential data and the right to save and share it. You must also trust that your own technical expertise is up to the task of properly installing Windows 10 to circumvent all the efforts of MS to access your data.

At the outset, you pay extra for the Pro version to set-up disk encryption with a local account because you are security conscious.

First, you try to install the OS without it being connected to the Internet to ensure it doesn’t scrape data from your PC. This doesn’t work, as it needs connectivity to complete the installation. You discover that you must use the clean install method (using Microsoft’s Media Creation tool) described above to isolate your PC from the Internet to ensure that MS doesn’t scrape data from your computer during the installation. There are reports of Win 10 install files being placed on your computer on Patch Tuesday to use your PC to further distribute the OS installation files. You must learn how to get your patches from only a trusted source and to prevent MS from using your PC to distribute the OS.

Second, upon ensuring that it will not scrape data from your PC during installation, you toggle two pages of settings to ‘off’ and lose many of the new features.

Third, you edit registry and group policies to staunch the continuing flow of data to MS. Doesn’t everybody know how to do this without damaging the usability of the OS?

Fourth, in Windows Firewall, you turn-off the rules that allow MS applications to transmit information to MS.

Fifth, you then choose how your updates are delivered to prevent updates from untrusted sites. You ensure that updates come from trusted computers in your own network.

Sixth, you conduct packet-level analysis and shut-off any service that continues to send data to MS. Doesn’t everybody know how to do this and have the time to do it?

Finally, with every update and patch, you do a packet-level analysis to make sure your privacy and security are intact.
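A way to check the third, fourth and fifth steps after installation and again after each update, as an added PowerShell example that is not from the original post. The registry policy paths and value names (AllowTelemetry, DODownloadMode) are not on the page; they are the standard Windows policy locations for the telemetry level and for update delivery, and the script only reads them.

```powershell
# Added example: read-only audit for a Windows 10 machine (PowerShell 5.1).
# Nothing here changes the system; it only reports what is configured.

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent, i.e. no policy is set.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Resolve-Setting {
    param($Value, [hashtable]$Meaning)
    if ($null -eq $Value) { return 'not configured (Windows default applies)' }
    $key = [int]$Value
    if ($Meaning.ContainsKey($key)) { "$key = $($Meaning[$key])" }
    else { "$key = unrecognised value" }
}

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows'

# Third step: telemetry level enforced through registry / group policy.
$telemetry = Get-PolicyValue "$policyRoot\DataCollection" 'AllowTelemetry'
$telemetryMeaning = @{
    0 = 'Security (honoured on Enterprise-class editions only)'
    1 = 'Basic'
    2 = 'Enhanced'
    3 = 'Full'
}

# Fifth step: where updates may be fetched from (Delivery Optimization).
$doMode = Get-PolicyValue "$policyRoot\DeliveryOptimization" 'DODownloadMode'
$doMeaning = @{
    0 = 'no peer-to-peer, Microsoft servers only'
    1 = 'peers on the local network only'
    2 = 'peers in the same domain or group'
    3 = 'peers on the local network and the Internet'
}

[pscustomobject]@{
    Telemetry            = Resolve-Setting $telemetry $telemetryMeaning
    DeliveryOptimization = Resolve-Setting $doMode $doMeaning
} | Format-List

# Fourth step: enabled outbound "allow" firewall rules, counted per rule
# group, so the groups that still permit traffic stand out for review.
Get-NetFirewallRule -Direction Outbound -Enabled True -Action Allow |
    Group-Object -Property DisplayGroup |
    Sort-Object -Property Count -Descending |
    Select-Object -Property Count, @{
        Name       = 'RuleGroup'
        Expression = { if ($_.Name) { $_.Name } else { '(ungrouped)' } }
    }
```

A value reported as not configured means no policy is set and the Windows default applies. The script shows what is configured, not what is actually sent, so it does not replace the packet-level analysis in the sixth step.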

Of course, sending all this private and confidential data to MS is not necessary to have a functioning OS and applications. It is only necessary for MS profits and probably some government snooping.

Next, how to stop the Win 10 install nagging.