Archive for the 'Private Investigator' Category


Eye Witnesses & Bears

I have never liked dealing with witnesses. They are fickle things that frustrate and annoy me. They change their stories or offer-up bizarre versions of events. Eye witnesses are the bane of any experienced investigator. A news item and my own failure to observe accurately this morning illustrate the dangers of relying on the eye witness.

The first item is comical, the second not nearly so. Early this morning a taxi driver discharged his passenger and then got stuck in the snow. He called police saying he couldn’t get out of his car because there was a bear circling his car.

The bear turned out to be Bear, a Newfoundland dog.

The second example is something much more personal. I have been fighting a cold that migrated to my lungs. During an online interview I began to feel very disoriented and lightheaded. I had to stop the interview but I had no idea what was happening to me.

In a past life I was both a diver and a pilot. I was trained to recognise hypoxia and I had experienced it firsthand during operations. On a quiet morning, during an online interview, I was wholly unable to make out what was happening to me.

So many things can affect what an eye witness reports. The cab driver was a city guy with no experience with dogs or bears. He couldn’t distinguish between a bear and Bear the Newfoundland dog. I wasn’t in a high-performance aircraft or underwater with a dodgy re-breather. My environment and mindset this morning made it impossible for me to realize that I was suffering from hypoxia brought on by a lung infection.

Witness testimony may be critical to most investigations, but please give me physical evidence that can be sent to a lab for analysis or documents that can be read, examined, and filed away until trial.

FinSpy & Browser Hygiene

Recently, I had a run-in with the FinSpy trojan, or some variation of it. FinSpy is a component of the surveillance product FinFisher, a commercial trojan made and sold by Gamma International, a UK company. This thing was sold to some very nasty state actors, but now it’s in the wild. It allows the operator of the trojan to have complete access to the computer. Its design makes it very difficult for the target or his anti-virus software to recognise its presence. It even permits the villain to activate the computer’s webcam and microphone to see and hear what is happening near the computer. Everything collected by the trojan goes to a command and control server located somewhere on the Internet.

This insidious thing tried to masquerade as Firefox. I think it was part of an image I examined for Exif data. It tried to ‘update’ Firefox. The funny thing was that I wasn’t using Firefox, but a browser based on it. I was conducting the research within a Windows virtual machine hosted on a Linux distribution; therefore, it was unable to cause any damage.

What surprised me was that the subjects had seeded the site with information that would interest me to get FinSpy onto my PC. They created the site to gather intelligence on anyone who might investigate them. They are not state actors, just a bunch of criminals.

Chrome is Listening

So you want to use Chrome as your browser. Are you aware that it has recently been reported that a Chrome Bug Allows Sites to Listen to Your Private Conversations?

The best way to avoid this threat is as follows:

  • Go to chrome://settings/content
  • Scroll down to Media
  • Select “Do not allow any sites to access my camera and microphone.”

This will disable Google’s Conversational Search, etc. but security will be increased.

I never liked the way Chrome ‘phoned home’ to Google with user tracking, bug tracking etc. I have also found extensions that had malware-filled updates. However, it is faster than Firefox, which over the course of a research project may save hours of extra time. I resisted using Chrome due to security & privacy issues.

I now use Comodo Dragon, which is based on the open-source Chrome browser; however, it is more private and secure if used properly. I disable the camera & mic as SOP, so I haven’t investigated how Dragon responds to this exploit. The setting change that I outlined was in reference to the actual Chrome browser and this particular exploit; there may be more that I don’t know about.

I am very careful about exposing myself to the internet. My outward-facing computers don’t have cameras or mics, to entirely circumvent malicious software like this and the likes of FinSpy.

Fortress Firefox II

The browser is the most used outward-facing software you will use. It interacts with suspect web sites and other internet sites. Firefox is still my first choice for security and plug-ins, even though Chrome offers a speed advantage that adds up over the course of many hours of research, while this little problem makes me avoid MS Internet Explorer: Microsoft warns of critical IE9, IE10 zero-day: just visit the wrong web site and get remote-code execution.

No matter which browser you use, it will require proper configuration. No browser blocks JavaScript and all third-party cookies by default. These are my first security concerns.

In Firefox, go to Tools>Add-ons>Plugins and set the Java Script and Toolkit to Ask to Activate. I also set all the other plugins to Ask to Activate as well. This prevents a plugin from activating at the wrong time and thereby sending out data to the site that caused it to activate. A malicious site may activate a plugin to have it transmit data that can be used to thwart your investigation.

Third-party cookies compile a long-term record of your browsing history. This is dangerous as it can reveal what you are investigating. In Options>Privacy>History select Never for third-party cookies. In my sandbox, I have several versions of the browser with different settings. For example, I prefer to never accept cookies of any kind, but some sites need them to function, so I have a version with normal cookies enabled.

Exif Viewers

In a past article, I explained Exchangeable Image File or Exif data and pointed you to www.regex.info, an easy-to-use Exif viewer with a geo-locator. The regex.info Exif viewer allows you to enter the image URL or to upload an image for analysis. It doesn’t require JavaScript and it doesn’t have any widgets.

Another easy-to-use online Exif viewer may be found at www.fotoforensics.com, but you must enable JavaScript to use it. You can use the URL of the picture instead of uploading the image.

The online Exif viewer at www.gbimg.org has a lot of widgets on it.

My last discovery was the Exif site at http://www.findpicturelocation.com. Just upload the picture and it will show the location where it was taken. It only works with .jpg or .tif files. You must upload the image to the site, so who knows where it might end up. This uses the Google API for the mapping. Not all pictures have the GPS coordinates in them.
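Since uploading a photo to one of these sites means losing control of it, the GPS tags can also be read offline. The following is an added example, not code from the original post or from any of the viewers named above: it builds a constructed bare JPEG carrying only an Exif GPS IFD, then walks the JPEG markers and the TIFF/IFD structure to turn the degrees-minutes-seconds rationals into decimal degrees (all function names and the sample coordinates are the example's own assumptions; the bytes of a real .jpg can be passed to exif_block() the same way).

```python
import struct

# Constructed sample (not a real photo): a bare JPEG holding only an Exif APP1
# segment whose IFD0 points at a GPS IFD. Offsets are relative to the TIFF header.
def build_jpeg_with_gps(lat_dms, lat_ref, lon_dms, lon_ref):
    rat = lambda dms: b"".join(struct.pack("<II", n, d) for n, d in dms)
    gps_off, data_off = 26, 80          # after header+IFD0 (18 bytes) / after GPS IFD (54 bytes)
    tiff = b"II" + struct.pack("<HI", 42, 8)
    ifd0 = struct.pack("<HHHII", 1, 0x8825, 4, 1, gps_off) + b"\0" * 4
    gps = struct.pack("<H", 4)
    gps += struct.pack("<HHI4s", 1, 2, 2, lat_ref.encode() + b"\0\0\0")  # GPSLatitudeRef
    gps += struct.pack("<HHII", 2, 5, 3, data_off)                        # GPSLatitude
    gps += struct.pack("<HHI4s", 3, 2, 2, lon_ref.encode() + b"\0\0\0")  # GPSLongitudeRef
    gps += struct.pack("<HHII", 4, 5, 3, data_off + 24)                   # GPSLongitude
    seg = b"Exif\0\0" + tiff + ifd0 + gps + b"\0" * 4 + rat(lat_dms) + rat(lon_dms)
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(seg) + 2) + seg + b"\xff\xd9"

def exif_block(jpeg):      # walk JPEG marker segments; return the Exif APP1's TIFF block
    pos = 2 if jpeg[:2] == b"\xff\xd8" else len(jpeg)
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        length, = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        payload = jpeg[pos + 4:pos + 2 + length]
        if jpeg[pos + 1] == 0xE1 and payload[:6] == b"Exif\0\0":
            return payload[6:]
        pos += 2 + length
    return None

def gps_to_decimal(tiff):  # (lat, lon) in decimal degrees, or None when absent or unusable
    bo = {b"II": "<", b"MM": ">"}[tiff[:2]]
    unpack = lambda fmt, off: struct.unpack(bo + fmt, tiff[off:off + struct.calcsize(bo + fmt)])
    def ifd(off):          # tag -> (type, count, raw 4-byte value/offset field)
        n, = unpack("H", off)
        return {unpack("H", e)[0]: unpack("HI", e + 2) + (tiff[e + 8:e + 12],)
                for e in range(off + 2, off + 2 + 12 * n, 12)}
    ptr = ifd(unpack("I", 4)[0]).get(0x8825)   # GPS IFD pointer tag in IFD0
    if ptr is None:
        return None
    gps = ifd(struct.unpack(bo + "I", ptr[2])[0])
    if not {1, 2, 3, 4} <= gps.keys():         # LatRef, Lat, LonRef, Lon all required
        return None
    def dms(tag):                              # three RATIONALs: degrees, minutes, seconds
        typ, cnt, val = gps[tag]
        r = unpack("6I", struct.unpack(bo + "I", val)[0]) if (typ, cnt) == (5, 3) else (0,) * 6
        if 0 in r[1::2]:                       # wrong type or zero denominator: unusable
            return None
        return r[0] / r[1] + r[2] / r[3] / 60 + r[4] / r[5] / 3600
    lat, lon = dms(2), dms(4)
    if lat is None or lon is None:
        return None
    sign = lambda tag, neg: -1 if gps[tag][2][:1] == neg else 1
    return sign(1, b"S") * lat, sign(3, b"W") * lon

# Constructed coordinates: 51 deg 30' 26.46" N, 0 deg 7' 39.12" W
SAMPLE = build_jpeg_with_gps([(51, 1), (30, 1), (2646, 100)], "N", [(0, 1), (7, 1), (3912, 100)], "W")
```

`gps_to_decimal(exif_block(SAMPLE))` yields roughly (51.50735, -0.127533); a photo whose camera wrote a zero denominator, or one with no GPS IFD at all, yields None rather than a bogus location.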

Trolling RSS Feeds

RSS (Rich Site Summary) is a format for delivering regularly changing web content. Many news-related sites, blogs and other online publishers syndicate their content as an RSS Feed to whoever wants it.

I have written quite a lot about RSS in the past. The following are my choices for both installation on a PC and for a web-based reader.

RSSOwl

RSSOwl is cross-platform as it’s Java-based. It handles RSS, Atom and RDF in terms of feed formats. You must have Java installed, no matter where you run it. It cooperates with Firefox to add feeds to RSSOwl from the browser. Just go to the feed and copy the URL, then go to RSSOwl and click on add feed and it knows where to find the feed. You can also drag and drop feeds from Firefox into RSSOwl. RSSOwl has an embedded web browser, so you don’t have to open up a separate browser window to view links or to view the full version of feed items that are shortened. You do have to set this up under “Browser” in the Preferences menu option. Choose to Default to the Embedded Browser. To get the RSSOwl embedded browser to work properly with OneNote so that it includes the URL in pasted items, you must enable JavaScript. I do not recommend doing this except on an isolated machine; otherwise, malicious JavaScript code could cause serious problems.

RssBandit

When I need to collect video and podcasts from RSS feeds, I turn to RssBandit. The embedded browser is MS Internet Explorer, therefore, it includes the pertinent URL when you copy to OneNote as the embedded browser is the same.

This is my favorite RSS reader overall, though, I have experienced occasional problems with exporting feeds for another implementation of the reader. This problem seems to stem from differences in the underlying OS on the importing computer. It can be an irritation when starting a project with tight deadlines.

RSSOwl has an edge for a group of researchers working in a collaborative environment as it is easier to set up and distribute to the group.

Web-based RSS Reader

The two most popular seem to be Feedly and Inoreader, which offer similar features and options.

Inoreader offers secure HTTPS access and over 40 different customization options. If I must use a web-based reader this is the one.

I refuse to use Feedly because extensions like NoScript, Adblock, HTTPS Everywhere, etc. prevent the site from loading. I never use sites infested with stuff that my normal suite of extensions prevents from loading. You only have to encounter one ad with malicious code to cost you many hours of work to purge the problem code from your machine.

Sly Pols & Crats

There is nothing slipperier than a politician or bureaucrat trying to avoid accountability while extolling how transparent and open they are. These craven creatures turn our access to information laws into the proverbial greased pig.

Taking Bitcoins to the Laundry

Bitcoins have interested me of late as I am writing my next book, which is about issues of security, privacy, and anonymity while doing investigative internet research.

Bluetooth & Surveillance

I previously wrote about Bluetooth and Surveillance Detection and how Bluetooth could be used to determine if you were being followed.

Prior to a recent surveillance assignment, I scanned for nearby devices and was able to identify each of the other investigators’ mobile phones. This was not a good start. I required all the team members to demonstrate that they had shut off both Bluetooth and WiFi, or at least set the Bluetooth signal to be hidden except to authorized devices and shut off the WiFi.

Google Free Wednesday — Yahoo! Alerts

The apparent demise of Google Alerts forced me to turn to Talkwalker and Mention for alerts. However, Yahoo! Alerts offer some utility for keeping up with the world. In the past Yahoo! Alerts was only good for news. It now extends into the full web as catalogued by the Bing database. If you don’t already know it, Microsoft swallowed Yahoo! search whole in 2009. Perhaps we should call it Microhoo.

You need a Yahoo! account for Yahoo! Alerts. The results cannot be pushed to an RSS feed; they only arrive via email, Yahoo Messenger, or mobile device, depending on what you have set up in your Yahoo! account. Not all alerts allow for delivery using all three of the above delivery options.

To create an alert, select Y! Search from the drop-down list on the right side of the opening page or select Y!Search from the list on the initial screen. Next, sign in to your Yahoo! account. In the Search keyword field add the search terms as you would in the normal Yahoo! search box. In the next drop-down list select what you want searched; I normally select Web or News. Finally, select the frequency of the search. The search preview will only show anything added to the database in the last 24 hours.

What You See Matters

I don’t like doing surveillance work. It’s hectic and often unproductive, but somebody has to do it.

I have always preferred using a real camera whenever possible — the real SLR type with a long lens. Knowing this, a colleague asked me to help out as the second man.

This white-collar type went from one office complex to another and coffee shop to coffee shop all morning. He met people and I got good pictures of the people he met. He went for lunch in a shopping mall food court. This was rather strange as he was wearing a $2000 suit. From the mezzanine I watched. He opened his briefcase and I took pictures of its contents.

The briefcase contained three interesting items, all of them books. The titles were:

  • How To Survive Prison For The First Time Inmate: Take a look at a dangerous society within our society
  • Prison Guide: Prison Survival Secrets Revealed
  • The Suburban Inmate: A Man’s Guide To Surviving Prison

Now this shone an entirely different light upon what we were doing. You guessed it, he was settling his affairs before the sentencing.

Connect the Dots and the Dox

You don’t need to hack into a computer to learn about someone. Today, most people that I investigate leave a revealing online profile — I just have to connect the dots or the publicly available dox (documents).

Online malefactors try to do their misdeeds anonymously through an alias. They tend to reuse their aliases, so it only takes one obscure use connected to the miscreant’s real name. Now I have the real name to run through the usual searches, which will reveal other aliases, Facebook pages, and Twitter accounts, all of which yield titbits of useful information.

Business Interrupted

Managers sometimes tie themselves into knots worrying about the risk or threat rather than analysing the impact of interrupted business processes. My advice is to stop fretting about the cause and concentrate on alleviating the impact of the interrupted business processes.

To do this, defeat the problem in detail as follows:

  • Decide which processes are critical and which are not.
  • Determine how long any particular process can be interrupted before its loss becomes detrimental to operations, profitability, and customer satisfaction.
  • Design a plan of action to determine if the disruption will continue beyond the tolerable time limit.
  • Have a plan to replace each missing process.
  • Plan for the concurrent loss of several critical processes.

The key to a successful business continuity plan is concentrating on the critical day-to-day operations.

How does this relate to investigation and research? The answer is quite simple:

  • Have you ever done a security survey?
  • Have you ever done a competitor SWOT analysis?
  • Have you ever done due diligence on a critical supplier?

Libelous Questions

I recently conducted a series of interviews that were quite sensitive in nature. This used to be a common occurrence for me. Today, it is less so. The prevalence of small electronic recording devices has curtailed my willingness to conduct such interviews. My concern is that you never know where the recording will go, nor do you know how it will be used or edited. You have no knowledge of the motives, ethics, or interests of the people who may at some point possess the recording.

Libel happens when you publish or make public a statement that is untrue about someone. Any investigator may inquire about things that prove to be untrue during an interview. Ask yourself what might happen if a snippet of the interview is published and it contains questions about something that was later proven untrue. The concept of the libelous question is well established in law. Investigators may have a certain privilege to ask questions, but this won’t stop someone from suing you. The public disclosure of private facts that might be part of an interview also causes concern. What if the interview reveals information that is not of public concern, and the release of which would offend someone? Unlike libel, truth is not a defense for what may be seen as an invasion of privacy.

You can never be certain that a recording device is not present. As a private investigator, I cannot search people and confiscate their electronic devices. Private investigators do not have any control over the people they interview, nor do they usually have control over the physical surroundings in which the interview occurs. This alters the nature of the questions asked and how they are put to the interview subject.

An extreme example from the U.S.A. is one where a defense lawyer sat down with a prospective client in San Juan, Puerto Rico and asked about the GPS bracelet required as a condition of bail. The prospective client told the lawyer that, “They speak to me through that thing”. He filed a motion at the Puerto Rico State Superior Court to have the device removed before he interviewed the prospective client. During that motion, he learned that it could be used to eavesdrop on their conversation without the lawyer or prospective client knowing. (http://www.thecrimereport.org/news/inside-criminal-justice/2013-10-caution-your-gps-ankle-bracelet-is-listening) A recording knowingly made by the interview subject is not the only thing investigators need to consider.

This does not mean that every question will result in a libel action or that every room is bugged. It does mean that being dragged into an expensive libel action or media circus is something to consider before you start asking questions – especially ones that are sensitive.

ICANN Wants to Close Whois

A working group for Internet regulators at ICANN wants to close all Whois databases. They want to force anybody needing this data to grovel before them before granting access. They are trying to centralize global control over a key component of the Internet. WHOIS allows you to find out who owns a domain name. Without this data, fraud and other crimes will become easier to commit and harder to solve.