Archive for the 'Private Investigator' Category

Page 2 of 18

Black Suits & Dark Glasses

I went to a meeting with a client to help solve a problem one of his customers was having. Sitting in the reception area, I witnessed a wondrous spectacle. In struts a guy in a black suit wearing dark glasses and earwig. He looks around ominously and then talks into his sleeve. Next, the great man enters surrounded by a phalanx of black suits, dark glasses, and earwigs. This is Canada. Private bodyguards don’t exist here. They are just for show-offs who like to look important or for those tricked into hiring some feckless cannon fodder.

It turned out that this was the guy with the problem. My client realised that he was ineptly handling the symptoms rather than treating the disease. He had received threats. He had suffered vandalism to his home and car. He couldn’t in any way identify his persecutor. However, he was a senior executive of a company in an industry that sometimes attracts threats and acts of violence.

When the great man was asked how he had received the threat, he said that he received it on his unlisted cell phone, so it must be a serious threat perpetrated by dangerous people. I Googled the cell phone number. Lo and behold, there it was in a Kijiji ad for some stuff he was selling. The picture of the stuff included the front of his house and enough of his car to identify its make, model, and colour.

His name appeared on the title for his house along with that of his wife. Searching his name in social media sites, I was able to identify his children and wife. I found that his son went to hockey practice at the arena where his car was vandalised.

In half an hour I learned where he lived, his cell phone number, identified his family, where his children went to school, and learned his son’s hockey schedule. More importantly, the social media content related to his family members also identified him. This led me to conclude that it was possible that he was not the target. Of course, the wife and kids didn’t have bodyguards.

Each of his bodyguards was questioned regarding their training and experience. It wasn’t surprising to me that they were repurposed security guards with no training. The agency providing the bodyguards did not conduct any investigation nor did the client’s employer.

Without any idea who in the family was being targeted, new security arrangements were made. The house and office got uniformed security guards. The client and his wife got reliable security drivers. We put in place new security arrangements for the children. All social media content was expunged. I ensured that the police and telephone company became involved.

Further investigation produced a list of suspects. The police tied one of these to the vandalism of the client’s car. Police interrogation led to a confession. The offender turned out to be the teenage daughter’s jilted suitor who was also a player on a rival hockey team.

Veracity of Online Images & Video

My mother advised me not to believe everything I read remains true today as it was 50 years ago. Today, this advice extends to online video and images.

Hoax imagery and video abounds online. A fake video of an eagle trying to fly off with an infant in a Montreal park is only one example. Students at the National Animation and Design Centre created this ‘Golden Eagle Snatches Kid’ video. Their skill was impressive. It took a frame-by-frame analysis to uncover the fake. Frames that lacked the eagle’s shadow revealed it to be a hoax.

Free editing software like VLC Media Player or Avidemux Video Editor can help split video into frames, but locating and investigating the person who posted the video proves more productive in most cases. The following is a short outline of how I approach this problem.

First, start listing the places you find the item and user names that posted it. Look for the first instance of the item by filtering by date. Try to find the first instance as this may be the original and the original poster of the item. Compare video thumbnails to find the earliest and largest as that may be the original. Search the thumbnails in Google Image Search, TinEye, and Bing. However, searching TinEye, et al, will require an image with high contrast and distinctive colour combinations.

Next, try to identify the person who first posted it. Sometimes, discovering the creator of the item is easy because it was posted on a Facebook page or on YouTube, but usually it was just duplicated there and originates elsewhere. Search all text associated with the item—tags, descriptions, user names. Use everything as search terms. Search all the user names to identify the people. Use sites to LinkedIn, Facebook, etc., to get a feel for the background of the people you may later contact.

Once you have found the likely source of the item, examine and question the source to establish his reliability. You need to engage this person to establish that he created the video or image and that it isn’t a hoax or an altered version of something he still possesses.

What was the Weather Like?

Wolfram Alpha is an interesting answer engine. It answers questions by computing the answer from curated, structured data, rather than providing a list of web pages that contain the search words like normal search engines.

Investigations often hinge on local conditions such as weather. When I need to estimate the weather conditions or compare someone’s description of the weather to actual conditions, I type in a search term like “what was the weather in toronto on july 1, 1967″. Sometimes, Wolfram Alpha has no data from which to formulate an answer such as happened with this search. If you substitute the years 1950 or 2000 you get answers, but not for 1967.

Of course I verify what I get from Wolfram Alpha through official sources.

How to be an Internet Eyewitness

Eyewitness testimony is the weakest evidence an investigator can collect. The vessel that contains this evidence is subject to illness, death, corruption, and a myriad of defects that compromise the evidence. Being a trained investigator does not make you immune to all these weaknesses.

How we access and share information and how we communicate has changed dramatically over the last 30 years. This evolving technology is changing how we conduct investigations. It is changing how we observe criminal activity. The number sources of evidence available in some investigations have become overwhelming.

The Investigator as an Internet Eyewitness

The key to believable evidence gathered from the Internet is that it is visual, understandable, and could be reproduced if someone else did it at the same time as when it was originally collected.

When I review an investigation, I apply these criteria to determine if it was done by an expert or a bodger.

Investigators are taking on the role of eyewitness by observing evidence that might not be visible to any other available investigator as it appears only momentarily in internet venues. To be a reliable eyewitness, the investigator needs to create a record of what he or she sees at any particular point in time. This must be done in the same manner as handwritten notes. However, these records must provide a visual representation of the evidence collected. With Investigative Internet Research, the computer’s camera and mic, along with software that records screen activity, become the investigator’s notebook.

Typically, screenshots combined with written eyewitness reports, are used to record what an investigator observes in social media and other internet sites. However, screenshots and written reports do not provide a full representation of the research process or the evidence uncovered.

Twenty pages of social media content along with text detailing each screenshot is time consuming to produce and mind-numbing for a Judge or jury to endure. The Judge and jury need an eyewitness to tell them what happened and to illustrate why they should believe this evidence.

As with any eyewitness testimony, two corroborating witnesses are much better than one. The second eyewitness improves the credibility of the evidence presented in the courtroom. The consistency of the eyewitness testimony needs to be established through documentation as would be done with traditional witness statements given at different times to police before trial.

Follow the Script

Wherever possible, rehearse the visual, logical, and reproducible nature of the witness testimony to produce a clean copy of the investigators’ witness testimony. Don’t be afraid to script the testimony. Don’t be afraid to admit scripting the recorded testimony. Explain, if asked, that the recorded collection process is just a representation of what you did without any irrelevant material or wasted time. Explain that the recorded collection process is what really happened as it happened.

Visual

The hallmark of a good report is that it looks organised and complete without being over crowded with text and other material. The recorded testimony of the investigators must also be organised and complete without any extraneous content. Sometimes, accomplishing this requires scripting and rehearsal.

The investigator’s recorded process of collection must present the page as he saw it and the viewer must see and hear the investigator as he goes through the collection process. Just because you did this before and scripted the presentation of your collection process does not make the recorded content any less valid.

Understandable

Above all else, be logical. The collection process must proceed in a straight line from a clearly explained starting point to the next logical point. Continue in like fashion until you reach a logical conclusion.

Explain the logic and connections in the accompanying report. Your report will probably need elements from PowerPoint, screen shots, images, graphs, etc. to accomplish this. Use visual aids to make connections and illustrate logic!

Explain how you got there. Explain what you saw. Explain the importance of what you found. Explain material that meets the elements of the offence or supports the continuation of the offence in some way.

Reproducible

The viewer must see and hear the second investigator doing the same thing as the first investigator. The viewer must see the second investigator collect the same material as the first one. Doing this will require some scripting and rehearsal.

Raw Evidence

Some situations happen too fast to allow scripting and rehearsal. In that case, you will have to use the raw recording of the IIR that captured the evidence. Even if you are creating a scripted and rhearsed presentation of the collected evidence, you should have a recording of the original IIR collection effort.

New Bing Image Search

Images that appear on a web site offer many insights into the people who created the site. They tell you if they have the money to buy copyrighted content, or that they took the time to create their own imagery to get across their message. The imagery may also tell you that they don’t respect copyright law. The use of the same image on several sites may indicate a relationship between the sites that use the image.

Bing now offers an image search facility that allows you to paste the specific image URL into the search box at Bing.com/images.  If you have a picture that you want to match, then you may upload it directly to Bing.com/Images and Bing will search for matches. To match an image, submit a URL, or upload an image, just click on image match.

When you come across an image on a site you find in the Bing Web results, go to Bing Image search and clear the search box. That will make the Image Match link appear next to the search box. When using this, the best approach is to have Bing Web open in one tab and Bing Images in another. As you click on Web results, they will open in a new tab between Bing Web and Bing Images. To isolate the images you wish to search, in Firefox, right click the image and click on view image. This will take you to the image itself and its unique URL. This makes it easier for Bing to isolate the image it is trying to match.

Eye Witnesses & Bears

I have never liked dealing with witnesses. They are fickle things that frustrate and annoy me. They change their stories or offer-up bizarre versions of events. Eye witnesses are the bane of any experienced investigator. A news item and my own failure to observe accurately this morning illustrate the dangers of relying on the eye witness.

The first item is comical the second not nearly so. Early this morning a taxi driver discharged his passenger and then got stuck in the snow. He called police saying he couldn’t get out of his car because there was a bear circling his car.

The bear turned out to be Bear, a Newfoundland dog.

The second example is something much more personal. I have been fighting a cold that migrated to my lungs. During an online interview I began to feel very disoriented and lightheaded. I had to stop the interview but I had no idea what was happening to me.

In a past life I was both a diver and a pilot. I was trained to recognise hypoxia and I had experienced it firsthand during operations. On a quiet morning, during an online interview, I was wholly unable to make out what was happening to me.

So many things can effect what an eye witness reports. The cab driver was a city guy with no experience with dogs or bears. He couldn’t distinguish between a bear and Bear the Newfoundland dog. I wasn’t in a high performance aircraft or underwater with a dodgy re-breather. My environment and mindset this morning made it impossible for me to realize that I was suffering from hypoxia brought on by a lung infection.

Witness testimony may be critical to most investigations, but please give me physical evidence that can be sent to a lab for analysis or documents that can be read, examined, and filed away until trial.

FinSpy & Browser Hygiene

Recently, I had run-in with the FinSpy trojan, or some variation of it. FinSpy is a component of the surveillance product FinFisher, a commercial trojan made and sold by Gamma International, a UK company. This thing was sold to some very nasty state actors, but now it’s in the wild. It allows the operator of the trojan to have complete access to the computer. Its design  makes it very difficult for the target or his anti-virus software to recognise its presence. It even permits the villain to activate the computer’s webcam and microphone to see and hear what is happening near the computer. Everything collected by the trojan goes to a command and control server located somewhere on the Internet.

This insidious thing tried to masquerade as Firefox. I think it was part of an image I examined for Exif data. It tried to ‘update” Firefox. The funny thing was that I wasn’t using Firefox, but a browser based on it. I was conducting the research within a Windows virtual machine hosted on a Linux distribution; therefore, it was unable to cause any damage.

What surprised me was that the subjects had seeded the site with information that would interest me to get FinSpy onto my PC. They created the site to gather intelligence on anyone who might investigate them. They are not state actors, just a bunch of criminals.

Chrome is Listening

So you want to use Chrome as your browser. Are you aware that it has recently been reported that a Chrome Bug Allows Sites to Listen to Your Private Conversations?

The best way to avoid this threat is as follows:

  • Go to chrome://settings/content
  • Scroll down to Media
  • Select “Do not allow any sites to access my camera and microphone.

This will disable Google’s Conversational Search, etc. but security will be increased.

I never liked the way Chrome ‘phoned home’ to Google with user tracking, bug tracking etc. I have also found extensions that had malware-filled updates. However, it is faster than Firefox, which over the course of a research project may save hours of extra time. I resisted using Chrome due to security & privacy issues.

I now use is Comodo Dragon, which is based on the open-source Chrome browser, however, it is more private and secure if used properly. I disable the camera & mic as SOP, so I haven’t investigated how Dragon responds to this exploit. The setting change that I outlined was in reference to the actual Chrome browser and this particular exploit, there may be more that I don’t know about.

I am very careful about exposing myself to the internet. My outward-facing computers don’t have cameras or mics to entirely circumvent malicious software like this and the likes of Finspy.

Fortress Firefox II

The browser is the most used outward facing software you will use. It interacts with suspect web sites and other internet sites. Firefox is still my first choice for security and plug-ins, even though Chrome offers a speed advantage that adds-up over the course of many hours of research, while this little problem makes me avoid MS Internet Explorer: Microsoft warns of critical IE9, IE10 zero-day-Just visit the wrong web site and get remote-code execution.

No matter which browser you use, it will require proper configuration. No browser blocks JavaScript and all third-party cookies by default. These are my first security concerns.

In Firefox, go to Tools>Add-ons>Plugins and set the Java Script and Toolkit to Ask to Activate. I also set all the other plugins to Ask to Activate as well. This prevents a plugin from activating at the wrong time and thereby sending out data to the site that caused it to activate. A malicious site may activate a plugin to have it to transmit data that can be used to thwart your investigation.

Third party cookies compile a long-term record of your browsing history. This is dangerous as it can reveal what you are investigating. In Options>Privacy>History select Never for third party cookies. In my sandbox, I have several versions of the browser with different settings. For example, I prefer to never accept cookies of any kind, but some sites need them to function so I have a version with normal cookies enabled.

Exif Viewers

In a past article, I explained Exchangeable Image File or Exif data and pointed you to www.regex.info, an easy to use exif viewer with a geo-locator. The regex.info Exif viewer allows you to enter the image URL or to upload an image for analysis. It doesn’t require JavaScript and it doesn’t have any widgets.

Another easy to use online exif viewer may be found at www.fotoforensics.com, but you must enable JavaScript to use it. You can use the URL of the picture instead of uploading the image.

The online exif viewer at www.gbimg.org has a lot of widgets on it.

My last discovery was the Exif site at http://www.findpicturelocation.com. Just upload the picture and it will show the location where it was taken. It only works with .jpg or .tif files. You must upload the image to the site, so who knows where it might end-up. This uses the Google API for the mapping. Not all pictures have the GPS coordinates in them.

Trolling RSS Feeds

RSS (Rich Site Summary) is a format for delivering regularly changing web content. Many news-related sites, blogs and other online publishers syndicate their content as an RSS Feed to whoever wants it.

I have written quite a lot about RSS in the past. The following are my choices for both installation on a PC and for a web-based reader.

RSSOwl

RSSOwl is cross-platform as it’s Java-based. It handles RSS, Atom and RDF in terms of feed formats. You must have Java installed, no matter where you run it. It cooperates with Firefox to add feeds to RSSOwl from the browser. Just go to the feed and copy the URL then go to RSSOwl and click on add feed and it knows where to find the feed. You can also drag and drop Feeds from Firefox into RSSOwl. RSS Owl has an embedded web browser, so you don’t have to open up a separate browser window to view links or to view the full version of feed items that are shortened. You do have to set this up under “Browser” in the Preferences menu option. Choose to Default to the Embedded Browser. To get the RSSOwl embedded browser to work properly with OneNote so that it includes the URL in pasted items, you must enable Java Script. I do not recommend doing this except on an isolated machine otherwise, malicious Java Script code could cause serious problems.

RssBandit

When I need to collect video and podcasts from RSS feeds, I turn to RssBandit. The embedded browser is MS Internet Explorer, therefore, it includes the pertinent URL when you copy to OneNote as the embedded browser is the same.

This is my favorite RSS reader overall, though, I have experienced occasional problems with exporting feeds for another implementation of the reader. This problem seems to stem from differences in the underlying OS on the importing computer. It can be an irritation when starting a project with tight deadlines.

RSSOwl has an edge for a group of researching working in a collaborative environment as it is easier to set-up and distribute to the group.

Web-based RSS Reader

The two most popular seem to be Feedly and Inoreader readers that offers similar features and options.

Inoreader offers secure HTTPS access and over 40 different customization options. If I must use a web-based reader this is the one.

I refuse to use Feedly because extensions like NoScript, Adblock, HTTPS Everywhere, etc. prevent the site from loading. I never use sites infested with stuff that my normal suite of extensions prevents from loading. You only have to encounter one ad with malicious code to cost you many hours of work to purge the problem code from your machine.

Sly Pols & Crats

There is nothing slipperier than a politician or bureaucrat trying to avoid accountability while extolling how transparent and open they are. These craven creatures turn our access to information laws into the proverbial greased pig. Continue reading ‘Sly Pols & Crats’

Taking Bitcoins to the Laundry

Bitcoins have interested me of late as I am writing my next book which is about issues of security, privacy, and anonymity while doing investigative internet research. Continue reading ‘Taking Bitcoins to the Laundry’

Bluetooth & Surveillance

I previously wrote about Bluetooth and Surveillance Detection and how Bluetooth could be used to determine if you were being followed.

Prior to a recent surveillance assignment, I scanned for nearby devices and was able to identify each of the other investigators’ mobile phones. This was not a good start. I required all the team members to demonstrate that they had shut off both Bluetooth and WiFi or at least set the Bluetooth signal to be hidden except to authorized devices and shut-off the WiFi.

Google Free Wednesday — Yahoo! Alerts

The apparent demise of Google Alerts forced me to turn to Talkwalker and Mention for alerts. However, Yahoo! Alerts offer some utility for keeping up with the world. In the past Yahoo! Alerts was only good for news. It now extends into the full web as catalogued by the Bing database. If you don’t already know it, Microsoft swallowed Yahoo! search whole in 2009. Perhaps we should call it Microhoo.

You need a Yahoo! account for Yahoo! Alerts. The results cannot be pushed to an RSS feed, they only arrive via email, Yahoo Messenger, or mobile device, depending on what you have set-up in your Yahoo! account. Not all alerts allow for delivery using all three of the above delivery options.

To create an alert, select Y! Search from the drop-down list on the right side of the opening page or select Y!Search from the list on the initial screen. Next sign-in to your Yahoo! account. In the Search keyword field add the search terms as you would in the normal Yahoo! search box. In the next drop-down list select what you want searched, I normally select Web or News. Finally select the frequency of the search. The search preview will only show anything added to the database in the last 24 hours.