Recently, when working at a client sites, I’ve taken to occasionally using Windows to Go. This is Microsoft’s little-used secure workspace feature for Windows. It allows you to boot into a secure workspace located entirely on a USB key. This enables you to use Windows without relying on the operating system, applications, or storage on the host device. It creates a secure workspace on any machine that can boot from a USB drive without trusting the host machine. I have even devised a way to use a Virtual Machine (VM) in this workspace. Because the workspace doesn’t rely on the host operating system, the workspace on the USB drive isn’t at risk of compromise from a host machine and the VM protects the USB workspace. This saves me from constant use of my ‘Safe Mode on steroids’ or reinstalling Windows from a drive image on a client’s machine. However, it is too slow and requires too much effort to maintain. A similar live Linux USB seems to offer faster performance and it is easier to maintain the VM.
Archive for the 'Private Investigator' Category
I wander through the nether regions of the Internet and Dark Net looking for data to support my clients’ causes. This exposes me to severe risks from the nasty creativity of Beelzebub’s demonic gangsters and hackers.
It seems that a Windows system only lasts about 1/2 hour before getting infected without some form of anti-virus (AV). I regularly boot a clean live Linux USB, and then scan for viruses. This is like Safe Mode on steroids. In most instances, I find something malicious missed by the typical AV programs. However, this is only a temporary measure.
I am migrating to Linux for Investigative Internet Research because very little Linux malware exists in the wild. I only need AV on the Linux file server (or an email server if I had one). I do this because an infected Windows computer may upload infected files or an uninfected one might access infected files on the Linux machine, which then allows it to infect other Windows systems. AV on the file server isn’t protecting the Linux system–it’s protecting the Windows computers from themselves. I recommend the paid version of ESET Antivirus and Security Software as it doesn’t try to upsell you on other services.
TrueCrypt, the ultimate encryption freeware, abruptly announced that the software is no longer secure after Microsoft ended support for Windows XP. It was the most popular application of its type and it was widely to communicate securely and encrypt sensitive files or folders. Currently, the TrueCrypt home page advocates moving to Microsoft BitLocker.
Unfortunately, in the Windows 10 Home edition, the full-disk BitLocker encryption must use a Microsoft account and the recovery key needed to decrypt your drive resides on Microsoft’s servers. With this arrangement, theoretically, a third party could decrypt your drives remotely. However, Windows 10 Pro doesn’t have this restriction: you can use BitLocker with a local account and keep your key out of the cloud.
Under such circumstances, users should stay away from both TrueCrypt and BitLocker and shift to some other free file encryption software.
Veracrypt entered market within months after Truecrypt died and seems to be the best of the alternatives. There are other free TrueCrypt alternatives like AESCrypt, FreeOTFE, and DiskCryptor. Here are the download sites for the alternatives:
I often go looking for simple sites created by the subject of an investigation. These simple or forgotten sites often appear at universities, at ISPs that offer free web space, and on free web space servers.
Did you know that Google Drive has always offered to host basic web sites for free. This will continue until August 31st, 2016. Google Sites will continue, but these sites cost a bit of money to operate.
Others, like GitHub, offer a very similar service. Amazon’s S3 cloud storage service offers static web pages for free. Occasionally, I find sites that use Dropbox to host files used or accessed by a free web site. Sometimes I find a domain that forwards to files hosted on Dropbox. Dropbox isn’t the only service that can be used to offer a static web page.
The Ashley Madison hack has a lot of people running around like a bunch of headless chickens. The simple fact is, you cannot trust this data. Let me explain why this data must be treated with extreme caution.
Registration was free but you needed to buy credits to contact other members. Stolen credit card numbers appear in the data. Nobody has verified the number of real and active accounts. The website would allow new accounts to be set up without confirming the email, therefore, anyone could open an account using someone else’s name and email address as a prank or out of malice, and of course, the hackers could add names to the list before publishing it. This type of malicious prank is truly viscious in the 79 countries where homosexuality is illegal. For example, in Afghanistan, Iran, Mauritania, Nigeria, Qatar, Saudi Arabia and the United Arab Emirates, the punishment for homosexuality is death.
Here are my favorite headless chicken searches:
- Ashley Madison Email Search
- Ashley Madison Email Search
- Ashley Madison Name & Address Search
- Ashley Madison Phone Number Search
In my last article on this topic, I asked the following questions:
- Should you include a warning about following links in your reports?
- Should you include a warning about visiting URLs in reports?
- Should you remove the links?
My answer is yes to all these questions. The content at the linked sites may not only change–it might plant malicious code on any computers used to visit it. This is more common than most private investigators recognise or admit. My research computers are almost immune to this but most other people do not go to the extremes that I do to avoid malicious code.
I do not like sending Word documents to clients. I much prefer sending PDF files. Unfortunately, much of my work is part of larger projects and the Word file allows a client to incorporate my work into other documents.
Sending Word documents has many risks but doing so is unavoidable in many cases. This leaves the investigator in a tight spot if he does not warn the recipient about the risks associated with visiting the links in the report. In addition to written warnings at the start of all reports, I now remove all links using Ctrl+Shift+F9. After being duly warned, to go to his doom, the reader must do more than just click a link.
I now include the following warning under the heading of Security Warning.
Warning about visiting reported links and URLs
All Universal Resource Locators (URL) or hyperlinks (links) cited in this report only report where we found data. We do not attest to the safety or security of any internet site or URL. Nor do we evaluate the security implications of visiting any URL.
Do not visit any cited URL or link without understanding the security risk of doing so. We only report the content associated with links, URLs, and Internet sites. You may compromise the security of your computer system and network by visiting URLs or links in this report.
If I recognise a site as an attack site or one that includes dubious code, I do report it, however, I have never had a request from a client that we evaluate the security risks of the sites from which I collect data. If I received such a request, I would turn away the job, as I do not have the expert staff to perform such complicated work.
Maintaining privacy during online research is as important as avoiding malicious code. Privacy begins with properly configuring the browser and installing the best oddons (for Firefox) such as HTTPS Everywhere and Self-Destructing Cookies (SDC).
This is a moderately complicated addon that requires the user to understand browser settings and how the browser handles cookies. Reading the addon documentation is required.
Normally, I don’t use different browser profiles because I might confuse profiles and make a mistake. ProfileSwitcher might change that.
This extension makes it easier to use different profiles in Firefox and Thunderbird. I have installed it successfully in Firefox and Comodo IceDragon, which is based on Firefox.
It adds two items to the File menu to start another profile or the profile manager. From the extension’s preferences, you can choose what to do when you launch another profile. It allows you to choose to close the profile in use or not and if you choose to run the profile manager in safe-mode, the current profile will be always closed. In the options, I set it to display the current profile in the status bar. This allows easier control over the profiles than using the clumsy process offered in Firefox.
On my dedicated research computers, this seems to work quite well. It works in a Virtual Machine (VM) and closing the profile running Hola seems to stop Hola in its tracks.
Many websites confine access permission to specific countries. If you live outside the US, you may get this a lot.
Hola is the easiest method. It comes in the form of a very intrusive browser extension that is free and easily installed. It is available for Chrome and Firefox. Just click the Hola icon in your browser’s toolbar and select a country. It will route your browsing activity through IP addresses in that country.
Remember, I said this thing was intrusive. If you are a professional investigator, you must always keep the rules of evidence (S. 30 & S. 31) in mind. Your computers must be free of malicious code or code that could change the content of the collected evidence. I always run Hola on a clean machine that is separate from other evidence collection. If you use Hola to collect evidence, then you will have to be a very good Internet Eyewitness.
My first objection to Hola for investigators is that it is only available for Windows, Mac OS X, and as an app for Android devices. It is easier and quicker to create a clean machine with Linux.
Secondly, Hola sends your web browsing through other servers. More importantly, it uses your computer’s idle bandwidth for other users. Sharing bandwidth with other users exposes your machine to outside threats other than the websites you visit. I have seen DNS Spoofing when using Hola that does not happen when using other methods. Unfortunately, you have to prepare for this if you want to route your browsing activity through other locations and not pay anything.
Third, you must disable Hola when not using it. Install it in a separate browser. For example, if you use Firefox for most things, then install Hola in Chrome to access geo-blocked content. When you are finished using Hola, close the browser.
Finally, you must really spend some time rehearsing the visual, logical, and reproducible nature of your testimony. If you do not, then you will not be able to reproduce the process of collecting the evidence in court. Explaining how Hola works is not something I want to do in court if the other side is sharp and scrappy.
Even with all my reservations, I still use Hola, particularly for reconnaissance prior to using other collection methods.
You might think the headline was written tongue-in-cheek. You might be right, but you lack relevant data upon which to draw that conclusion.
Nobody pays an investigator to collect data. You earn the big paycheck for interpreting and analysing data.
You must quickly collect data from a variety of sources knowing their content, date-range, and how this data relates to the matter at hand. Next, you must summarise what you find. Then, you must interpret how this data might add to the progress of your investigation. Finally, you must analyse the new data in view of how it either supports or refutes your mandate, objectives, or hypothesis.
If you start with a logical mandate, objective, or hypothesis, and collect relevant data upon which you apply a reasoned analytical process, then, based upon available data, you will never be wrong either.
If you are doing a background investigation, then the subject’s employment history is important data. Here are a few sites where a subject may post a resume.
Of course, the first stop is LinkedIn to start getting a handle on the subject’s employment history. Next, go to indeed.com for the US and ca.indeed.com for Canadians. Use the advanced search and enter the subject’s name in the phrase search. Then do the same for all of the words of his name.
Odesk.com is for hiring freelance professionals. Use the search box with ‘freelancers’ selected and search the subject’s name.
Resumebucket.com is an interesting site. I often get better results using the Google site: command and the person’s name than using the site’s search facility.
Beyond.com requires an account to search or you may use the Google site: command with the subject’s name.
You can also search the relevant local craigslist site and use the search facility to search the subjec’t name in quotations. Sometimes you will find brief resumes for people seeking work.
The monster.com job sites have a lot of resumes but you have to pay to search them. If you do enough searching then this is worth the cost.
When collecting data for a report, I come across data in a multitude of markup formats. A markup language is a format for annotating a document in a way that is distinguishable from the text. Each markup language has its own syntax. The differing syntax between languages creates a problem when I need to extract quotations, create citations, and create appendices. What I need is a program that can understand and convert document text annotated with different markup languages. It must handle footnotes, tables, definition lists, superscript and subscript, strikeout, enhanced ordered lists, and the render the text into a form usable by MS Word. It must also translate math equations into something useful.
If you have been struggling with this too, try a programme called panddoc. This programme will take a while to learn, but once you have experimented a little, you will learn how to solve most of your markup-to-report conversion problems.
Wearable cameras have some utility for the investigator. Here are three that are at the leading edge of this trend.
This has been around for about one year and it is about the size of an iPod shuffle. the newest version has an eight megapixel sensor and a wider angle lens with Wi-Fi and Bluetooth that allows using your mobile phone as a remote to control or you can transfer photos over Wi-Fi. The camera battery lasts for 30 hours and when you charge the battery with your computer you also offload the photos.
It doesn’t take video, just still images, but you can expect that to come in the future.
Logitech is better known for its keyboards, mice, and webcams. The Bemo is between wearable cameras and larger devices such as the HTC Re. It includes a clip, but its video must be activated by holding down the button. Part of this may be due to the product’s relatively slow Bluetooth connection back to the phone, a design that yields better battery life. The Bemo captures 8 megapixel photos and high-definition video.
This company is best known for smartphones. The Re is larger than the Bemo and lacks an integrated clip, but HTC has some accessories that allow it to be worn. In addition to video, also captures the highest-resolution photos at 16 megapixels and it has a wide-angle lens. The Re is always on and ready to capture as soon it’s picked up. It has a time-lapse mode to create a video made up of a day’s worth of stills without one having to be there.
None of these devices have a screen or flash and video shot in low-light may be blurry or grainy. They all connect to a smartphone which makes it easy to handle the captured images and video.