Recently, when working at a client sites, I’ve taken to occasionally using Windows to Go. This is Microsoft’s little-used secure workspace feature for Windows. It allows you to boot into a secure workspace located entirely on a USB key. This enables you to use Windows without relying on the operating system, applications, or storage on the host device. It creates a secure workspace on any machine that can boot from a USB drive without trusting the host machine. I have even devised a way to use a Virtual Machine (VM) in this workspace. Because the workspace doesn’t rely on the host operating system, the workspace on the USB drive isn’t at risk of compromise from a host machine and the VM protects the USB workspace. This saves me from constant use of my ‘Safe Mode on steroids’ or reinstalling Windows from a drive image on a client’s machine. However, it is too slow and requires too much effort to maintain. A similar live Linux USB seems to offer faster performance and it is easier to maintain the VM.
I wander through the nether regions of the Internet and Dark Net looking for data to support my clients’ causes. This exposes me to severe risks from the nasty creativity of Beelzebub’s demonic gangsters and hackers.
It seems that a Windows system only lasts about 1/2 hour before getting infected without some form of anti-virus (AV). I regularly boot a clean live Linux USB, and then scan for viruses. This is like Safe Mode on steroids. In most instances, I find something malicious missed by the typical AV programs. However, this is only a temporary measure.
I am migrating to Linux for Investigative Internet Research because very little Linux malware exists in the wild. I only need AV on the Linux file server (or an email server if I had one). I do this because an infected Windows computer may upload infected files or an uninfected one might access infected files on the Linux machine, which then allows it to infect other Windows systems. AV on the file server isn’t protecting the Linux system–it’s protecting the Windows computers from themselves. I recommend the paid version of ESET Antivirus and Security Software as it doesn’t try to upsell you on other services.
The Ashley Madison hack has a lot of people running around like a bunch of headless chickens. The simple fact is, you cannot trust this data. Let me explain why this data must be treated with extreme caution.
Registration was free but you needed to buy credits to contact other members. Stolen credit card numbers appear in the data. Nobody has verified the number of real and active accounts. The website would allow new accounts to be set up without confirming the email, therefore, anyone could open an account using someone else’s name and email address as a prank or out of malice, and of course, the hackers could add names to the list before publishing it. This type of malicious prank is truly viscious in the 79 countries where homosexuality is illegal. For example, in Afghanistan, Iran, Mauritania, Nigeria, Qatar, Saudi Arabia and the United Arab Emirates, the punishment for homosexuality is death.
Here are my favorite headless chicken searches:
- Ashley Madison Email Search
- Ashley Madison Email Search
- Ashley Madison Name & Address Search
- Ashley Madison Phone Number Search
Disconnect Search is a specialized VPN that lets you search privately using Google, Bing, and Yahoo search engines. They say they don’t log searches, IP addresses, or any other personal info.
Using Disconnect search, your ISP shouldn’t see your search terms as they don’t have access to your searches. Normally, when you click a result link, the site you go to may see your search terms, but Disconnect should prevent this. Search engines save your searches, which can be connected to your real name or IP address. Disconnect should anonymize your searches.
The Great Google Escape
Google’s products are fast, intuitive and reliable–but they are not free. You pay Google with your identity, behaviour, habit, and preference information. Google then collates and analyses this data and sells it to advertisers and gives it to government and intelligence services. The longer Google does this, the more valuable the data becomes. This raises some very real privacy and security concerns for people who use Google.
There are solutions to this privacy and security issue. The first obvious solution is to avoid putting all your digital eggs in one basket. Use a different email and calendar provider. Use Firefox not Chrome as a browser. Use providers in Europe to take advantage of European Union privacy laws.
Sign in to your Google account and Use Google Takeout to export your data to a downloadable ZIP file from all the Google products. Getting out of Gmail is easy–getting out of Calendar and Contacts not so much. Google sets file standards for their calendar and address-book to make migration awkward. However, migrating to mailbox.org in Germany seems to go ahead without any real difficulty. It even allows you to encrypt your emails and other files before storing them on the server. Best of all they do not scan your data and try to monetize it. However, it costs €1 per month.
If you use the free Google Drive, consider using the Omnicloud from Germany’s Fraunhofer Institute, which allows you to encrypt all data locally before uploading it to the cloud.
Install a tracker blocker such as Ghostery and Self-Destructing Cookies (SDC) in Firefox to guard against browser cookies and use a search engine like Duck Duck Go which does not record your search history.
Are you uncomfortable with how much Google knows about you? Google makes a lot of money mining your search history. A Boston-based privacy company Abine has a solution to this problem.
The Blur Private Search service prevents Google from linking a search query to you. Search results appear normally, except your search, IP address, and the links that you click on can’t be identified or connected to you by the search engine. It is easy to set-up and use—you don’t have to sign-up using Gmail or other service. Create an account using a throw-away email address.
Nothing is perfect. Private Search only works with Firefox because Chrome tells Google about everything you do all by itself. It won’t protect you from other search engines like Bing or Yahoo.
In my last article on this topic, I asked the following questions:
- Should you include a warning about following links in your reports?
- Should you include a warning about visiting URLs in reports?
- Should you remove the links?
My answer is yes to all these questions. The content at the linked sites may not only change–it might plant malicious code on any computers used to visit it. This is more common than most private investigators recognise or admit. My research computers are almost immune to this but most other people do not go to the extremes that I do to avoid malicious code.
I do not like sending Word documents to clients. I much prefer sending PDF files. Unfortunately, much of my work is part of larger projects and the Word file allows a client to incorporate my work into other documents.
Sending Word documents has many risks but doing so is unavoidable in many cases. This leaves the investigator in a tight spot if he does not warn the recipient about the risks associated with visiting the links in the report. In addition to written warnings at the start of all reports, I now remove all links using Ctrl+Shift+F9. After being duly warned, to go to his doom, the reader must do more than just click a link.
I now include the following warning under the heading of Security Warning.
Warning about visiting reported links and URLs
All Universal Resource Locators (URL) or hyperlinks (links) cited in this report only report where we found data. We do not attest to the safety or security of any internet site or URL. Nor do we evaluate the security implications of visiting any URL.
Do not visit any cited URL or link without understanding the security risk of doing so. We only report the content associated with links, URLs, and Internet sites. You may compromise the security of your computer system and network by visiting URLs or links in this report.
If I recognise a site as an attack site or one that includes dubious code, I do report it, however, I have never had a request from a client that we evaluate the security risks of the sites from which I collect data. If I received such a request, I would turn away the job, as I do not have the expert staff to perform such complicated work.
Maintaining privacy during online research is as important as avoiding malicious code. Privacy begins with properly configuring the browser and installing the best oddons (for Firefox) such as HTTPS Everywhere and Self-Destructing Cookies (SDC).
This is a moderately complicated addon that requires the user to understand browser settings and how the browser handles cookies. Reading the addon documentation is required.
As I make my way through the infernal regions of the Internet, I have had to start using new tools. The most disconcerting form of torment has been the change to Linux to avoid malicious code. This has forced me to start using alternatives to Microsoft Office for some work.
There is nothing more disconcerting than changing word processing software. Nothing is in the right place and productivity decreases dramatically. I’m not sure which of the two flavours of the open source alternatives I like best–I lean towards LibreOffice at this point.
Some people who don’t really work for a living will say it’s stupid to try to attempt to use Microsoft Office on Linux, but they don’t have to quickly produce reports on a daily basis. I have tried running MS Office 2010 (32 bit) with some success using Wine. This makes report creation easier and faster. However, this isn’t as stable as using LibreOffice–but that’s perdition for you.
Do you want a search engine that does the following:
- doesn’t keep details on what you are searching for
- doesn’t store your IP address
- doesn’t track you
- doesn’t send your search term to the site you clicked on
- doesn’t store or share your search history
- doesn’t share your personal information
- doesn’t have servers in the U.S.A.
- doesn’t hide the search results amongst a deluge of ads
It gets its data from Yahoo!Bing. It offers the search operators “site:” and Boolean operators “AND” and “OR“. It also searches Twitter anonymously.
Guerrilla Mail is a temporary, disposable email service. It lets you to easily set-up random email addresses. If accessed through Tor, it ensures that no one can connect your IP address with a Guerrilla Mail address.
Encrypting messages for webmail is awkward. You must copy and paste messages into text windows and use PGP to scramble and unscramble them. To avoid this, you can use a privacy-focused email host like Riseup.net and Mozilla Thunderbird with the encryption plugin, Enigmail, along with another plugin called TorBirdy that routes email through Tor.
Google Drive and Dropbox don’t provide privacy. Onionshare is an open-source program that lets you send big files via Tor. When you use it to share a file, it creates a Tor Hidden Service, which is a temporary and anonymous website hosted on your computer. Give the recipient of the file the .onion address for that site, and they can securely and anonymously download it using their Tor Browser. The person who is receiving the file doesn’t need OnionShare. All they need is to open the URL you send them in Tor Browser to be able to download the file.
For now it only runs as a bare-bones command-line tool on the Tor-based operating system Tails, which can be launched on Windows or Mac machines.
If you’re trying to send a secret file then it’s important to send this URL secretly. I recommend you use Off-the-Record encrypted chat to send the URL. This provides an end-to-end encrypted conversation over services like Google Talk and Facebook chat that prevents Google or Facebook from having access to the contents of your conversation.
Since 2009 Microsoft’s Code of Conduct has been applied to more and more of their online services. Under this Code of Conduct, users are prohibited from using it in “any way that promotes or facilitates the sale of ammunition and firearms” (See bullet point #13). You have to trust that Microsoft’s definition of “promotes or facilitates the sale of ammunition and firearms” is the same as yours and that one of their robots doesn’t delete all your data. Not recognising this risk could mean the loss of all your investigation reports and data. A lot of my investigations have included large volumes of data on firearms and ammunition. Imagine the damage to your reputation, if at a crucial juncture in the investigation, some Microsoft employee or robot decides my data and reports are “promoting guns” and deletes everything.
Most of Microsoft’s online services are covered by their “Code of Conduct”. This includes Windows Live, Office 365, Microsoft Sharepoint, Bing.com, Outlook.com, Windows OneDrive, Exchange Online, MSN and more.
Searching for firearms and ammunition data on Bing may already produce censored results as a result of the Code of Conduct.
Only Skype, Microsoft Azure and XBox Live are now exempt. I expect Skype will be the next to come under the Code of Conduct.
Windows OneDrive, formally Microsoft SkyDrive, is part of Windows 7, Windows 8, Windows 8 for Phones and Windows 8 for Tablets. If you handle information about firearms you should avoid these products. You could find your account terminated and all your emails, contacts, calendar, and everything else deleted.
If you use Microsoft Office and the Office 365 service to share files about guns, then you will eventually find everything has gone down the memory hole.
Microsoft’s Code of Conduct can affect everything an investigator does. Searching, email, voice calls, storing data, and preparing reports are all potentially at risk if you use these services in relation to firearms and ammunition related topics. Now ask yourself how Microsoft knows the content of your data and think about the confidentiality and security of your data.
You must have a due diligence process in place before starting to even look for online and cloud services. You have to read and understand the implications of all the stuff hidden in the fine print.
I know you still want to use Google without giving away all your personal data. To accomplish this while using Firefox, use the Searchonymous extension. With this, you can stay signed into your Google account while searching and Google won’t know it’s you doing the search. It also gets rid of most of the annoying ads.
Recently, I had run-in with the FinSpy trojan, or some variation of it. FinSpy is a component of the surveillance product FinFisher, a commercial trojan made and sold by Gamma International, a UK company. This thing was sold to some very nasty state actors, but now it’s in the wild. It allows the operator of the trojan to have complete access to the computer. Its design makes it very difficult for the target or his anti-virus software to recognise its presence. It even permits the villain to activate the computer’s webcam and microphone to see and hear what is happening near the computer. Everything collected by the trojan goes to a command and control server located somewhere on the Internet.
This insidious thing tried to masquerade as Firefox. I think it was part of an image I examined for Exif data. It tried to ‘update” Firefox. The funny thing was that I wasn’t using Firefox, but a browser based on it. I was conducting the research within a Windows virtual machine hosted on a Linux distribution; therefore, it was unable to cause any damage.
What surprised me was that the subjects had seeded the site with information that would interest me to get FinSpy onto my PC. They created the site to gather intelligence on anyone who might investigate them. They are not state actors, just a bunch of criminals.