Archive for the 'Search Strategies' Category

ProfileSwitcher

Normally, I don’t use different browser profiles because I might confuse profiles and make a mistake. ProfileSwitcher might change that.

This extension makes it easier to use different profiles in Firefox and Thunderbird. I have installed it successfully in Firefox and Comodo IceDragon, which is based on Firefox.

It adds two items to the File menu: one to start another profile and one to start the profile manager. From the extension’s preferences, you can choose what happens when you launch another profile. You can choose whether or not to close the profile in use; if you choose to run the profile manager in safe mode, the current profile will always be closed. In the options, I set it to display the current profile in the status bar. This allows easier control over the profiles than using the clumsy process offered in Firefox.

On my dedicated research computers, this seems to work quite well. It works in a Virtual Machine (VM) and closing the profile running Hola seems to stop Hola in its tracks.

Accessing Geo-blocked Content with Hola

Many websites restrict access to specific countries. If you live outside the US, you may run into this a lot.

There are three ways around this. The first is using a VPN. The second is using a third-party DNS server. The final method is Hola.

Hola is the easiest method. It comes in the form of a very intrusive browser extension that is free and easily installed. It is available for Chrome and Firefox. Just click the Hola icon in your browser’s toolbar and select a country. It will route your browsing activity through IP addresses in that country.

Remember, I said this thing was intrusive. If you are a professional investigator, you must always keep the rules of evidence (S. 30 & S. 31) in mind. Your computers must be free of malicious code or code that could change the content of the collected evidence. I always run Hola on a clean machine that is separate from other evidence collection. If you use Hola to collect evidence, then you will have to be a very good Internet Eyewitness.

My first objection to Hola for investigators is that it is only available for Windows, Mac OS X, and as an app for Android devices. It is easier and quicker to create a clean machine with Linux.

Secondly, Hola sends your web browsing through other servers. More importantly, it uses your computer’s idle bandwidth for other users. Sharing bandwidth with other users exposes your machine to outside threats other than the websites you visit. I have seen DNS spoofing when using Hola that does not happen when using other methods. Unfortunately, you have to prepare for this if you want to route your browsing activity through other locations and not pay anything.

Third, you must disable Hola when not using it. Install it in a separate browser. For example, if you use Firefox for most things, then install Hola in Chrome to access geo-blocked content. When you are finished using Hola, close the browser.

Finally, you must really spend some time rehearsing the visual, logical, and reproducible nature of your testimony. If you do not, then you will not be able to reproduce the process of collecting the evidence in court. Explaining how Hola works is not something I want to do in court if the other side is sharp and scrappy.

Even with all my reservations, I still use Hola, particularly for reconnaissance prior to using other collection methods.

Online Resume Searches

If you are doing a background investigation, then the subject’s employment history is important data. Here are a few sites where a subject may post a resume.

Of course, the first stop is LinkedIn to start getting a handle on the subject’s employment history. Next, go to indeed.com for the US and ca.indeed.com for Canadians. Use the advanced search and enter the subject’s name in the phrase search. Then do the same for all of the words of his name.

Odesk.com is for hiring freelance professionals. Use the search box with ‘freelancers’ selected and search the subject’s name.

Resumebucket.com is an interesting site. I often get better results using the Google site: command and the person’s name than using the site’s search facility.

Beyond.com requires an account to search or you may use the Google site: command with the subject’s name.

You can also go to the relevant local craigslist site and use its search facility to search the subject’s name in quotation marks. Sometimes you will find brief resumes for people seeking work.

The monster.com job sites have a lot of resumes but you have to pay to search them. If you do enough searching then this is worth the cost.

How to be a Facebook Spy

If you need access to someone’s Facebook profile this is how to accomplish that task.

Set up an appealing Facebook account, then request to be friends of some people friended by the subject. Wait until some of them accept your friend request. With mutual friends in hand, request to be the subject’s Facebook friend. The subject will see that you have mutual friends and he should accept you as a friend. Then you have access to his profile, photos, postings, and perhaps you may find what you need. However, there are a few legal issues to consider.

If you are an investigator, and your subject is represented, then asking permission to see his or her page is contact with a represented litigant. In Canada, if the opposing litigant is represented by counsel, then you may not contact him or her in person, by telephone, or electronically. In most cases you have to ask to be listed as a friend to view the subject’s Facebook page. Doing this will be considered improperly making contact with the litigant and whatever you find will be deemed inadmissible.

However, what you find in Google, other search engines, and unrelated Facebook pages may be used as the basis for a motion for the production of the subject’s entire Facebook page as happened in KOURTESIS V. JORIS (2007) O.J. No. 2677 (Sup. Ct.).

Survival in the Netherworld

Over the last couple of years we have seen a trend developing in the nether regions of the Internet that is changing how I conduct research. This netherworld is populated by malign crooks who create sites loaded with malicious code.

I now conduct a lot of research using fresh installs of Linux and the programmes that I need for each job. I conduct the research from behind my own anonymizing proxy and an assortment of VPNs. Browsers operate in a sandbox to prevent movement of malicious code from an attack site to other programmes on my machine.

This is a nasty environment. It takes time and experience to operate in this infernal region. In two years I have learned a lot, but most of all, I have learned how little I really know. The crooks are much further along the learning curve in this environment.

Finding Deleted Tweets

Paper.li is a web service that lets members create a daily newspaper of sorts containing their favorite material, which they then share with their followers. Here are some points that the investigator should note:

  • A lot of the content of these papers comes from Twitter.
  • These papers are archived.
  • Twitter users sometimes delete Tweets.
  • Tweets deleted on Twitter are not deleted on sites like Paper.li.

Paper.li is a content curation service. A Content Curator is someone who continually finds, groups, organizes and shares the best and most relevant content on a specific issue online. These sites are a good place to find content deleted from the originating social networking site.

If you go to Paper.li and use their search feature, you won’t find anything unless your search is for the title of a paper. Their search doesn’t look within individual articles.

To find mentions of content from Twitter, or any other content, use the site: operator. When using this search strategy, search by the Twitter account’s name and the user name (@username) along with any keywords that might apply to what you are looking for.

Operative Research

Operative research is the process of learning how things work in a particular area. As an investigator, I often have to learn how something works or the nature of the skills used in a certain area of human endeavour.

I sometimes start by interviewing people who are in the field, but more often, I do a literature search of the topic before conducting interviews. That leaves me with the task of locating relevant published material that will give me an overview of the topic and allow me to formulate a list of questions to ask during interviews.

The first task in this is to understand how the subject matter is indexed. That means understanding who might have a use for this material. For example, many military topics are also useful to engineers, construction companies, outdoorsmen, miners, sailors, and many more individuals and organisations. Another example would be the topic of physical security.

Once you know who might collect and catalog the subject material that interests you, learn what terms they might use to describe the material. Now add the words “library” and “subject guide” to your search. What you are looking for is a targeted collection of material. Once you find such a collection, search the site using the site: operator.

Using the above search strategy in a recent search for information on evacuation of urban areas, I found urbansruvivalsite.com and its library of ebooks. Searching for data on electrical wiring led me to the Pole Shift Survival Information site and its library of publications about wire, where I found tables of wire-gauge sizes. When trying to decipher old shorthand notes in a deceased lawyer’s file, I found a library of publications about shorthand.

The focus of each of these ‘library’ sites is far removed from my interests; however, the people who created these sites had their own use for the information and that made my job easier.

Site Investigation Tools

When you start to investigate a particular Internet site, I suggest you begin with these resources.

Domain Dossier: Investigate domains and IP addresses. Get registrant information, DNS records, and more, all in one report.

InterNIC: Public Information Regarding Internet Domain Name Registration Services

Network Solutions’ Whois

DomainSearch.com: Search multiple top level domains at once to see if the domain name is in use. I use it to find the domain name in other top level domains.

Convert Host/Domain Name to IP Address and vice versa: Find the IP of a host machine (convert host to IP) or domain name (convert domain name to IP address) or find the name of one of the hosts at an IP address (convert IP address).

Using Traceroute: Learn how to use and interpret traceroute results.

Additions thanks to Kirby:

hostcabi.net: Provides a lot of information, but most importantly, it identifies other users of the same Google Analytics account and all the sites using that account.

sitedossier.com: Sometimes shows older servers, which is useful when a website has upgraded to a cloud service or CloudFlare.

Motherpipe

Do you want a search engine that does the following:

  • doesn’t keep details on what you are searching for
  • doesn’t store your IP address
  • doesn’t use cookies
  • doesn’t track you
  • doesn’t send your search term to the site you clicked on
  • doesn’t store or share your search history
  • doesn’t share your personal information
  • doesn’t have servers in the U.S.A.
  • doesn’t hide the search results amongst a deluge of ads

Try Motherpipe. It operates privacy-oriented search engines at motherpipe.com, motherpipe.co.uk, motherpipe.de and motherpipe.se that don’t do things I don’t want done.

It gets its data from Yahoo!Bing. It offers the “site:” search operator and the Boolean operators “AND” and “OR”. It also searches Twitter anonymously.

Forgotten But Not Gone

The European Union “right to be forgotten” law that allows individuals to demand the removal of links from Google’s EU search sites is starting to come into play.

The EU “Right to be Forgotten” is clearly a form of censorship in the 28 member nations and 4 other European countries that encompass over 500 million people. Google has 90% of the search engine market there.

Demanding the removal of an indexed item only renews interest in the story. As the law only applies to Google and not the pages themselves or other search engines, traffic to the articles in question increases thanks to journalists calling attention to them once they receive notification that the article was removed from the EU sites. This is known as The Streisand Effect.

European Google search results for any name display the disclaimer that, “Some results may have been removed under data protection law in Europe,” even if nobody requested the removal of anything.

Of course, people will soon tire of writing about the removed articles and people will stop demanding the removal of indexed items.

Certainly, free speech enthusiasts will start to collate all the missing search results and make them available. This has already started with Hidden From Google. This site archives articles that Google must remove from European Union search results. I’m certain a Twitter account like @gdnvanished will also appear to provide similar content.

The easiest way to circumvent this censorship is to search using the Google.com site instead of the local EU search sites—or better yet, use other search engines like DuckDuckGo, Yandex, and blekko.

Saving Bozo Eruptions for Posterity

During research projects I sometimes come across astounding levels of stupidity posted for all to see. Sometimes this occurs in obscure corners of the interweb, sometimes it’s done on Twitter.

If I think an instance of stupidity might become important in the future, I manually archive the web page or Tweet by submitting it to the Wayback Machine using the Save Page Now option.

This doesn’t work with all sites, but when it works, the “Bozo Eruption” will be available on an authoritative site in the future. There won’t be any question that the eruption occurred if someone has second thoughts and removes it from the site.
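The following is an added example, not part of the original post, showing one way to record a Save Page Now capture in your notes and to handle the case where the site could not be archived. It uses the Wayback Machine's save and availability endpoints; the sample responses are constructed, and the record layout and the SHA-256 of your own saved copy are assumptions made for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone
from urllib.parse import quote, urlencode

SAVE_ENDPOINT = "https://web.archive.org/save/"
AVAILABILITY_ENDPOINT = "https://archive.org/wayback/available"

# Constructed sample responses in the availability API's JSON shape.
SAMPLE_ARCHIVED = json.dumps({
    "url": "https://example.com/post/123",
    "archived_snapshots": {"closest": {
        "status": "200", "available": True,
        "url": "http://web.archive.org/web/20140705120301/https://example.com/post/123",
        "timestamp": "20140705120301"}},
})
SAMPLE_MISSING = json.dumps({"url": "https://example.com/blocked", "archived_snapshots": {}})


def save_page_now_url(target):
    """URL that requests a capture of `target`, as the Save Page Now form does."""
    return SAVE_ENDPOINT + quote(target, safe=":/?&=%#")


def availability_query(target):
    """URL that asks whether the Wayback Machine holds a capture of `target`."""
    return AVAILABILITY_ENDPOINT + "?" + urlencode({"url": target})


def parse_availability(body):
    """Return (snapshot_url, capture_time_utc), or None when nothing was archived."""
    closest = json.loads(body).get("archived_snapshots", {}).get("closest")
    if not closest or not closest.get("available"):
        return None
    captured = datetime.strptime(closest["timestamp"], "%Y%m%d%H%M%S")
    return closest["url"], captured.replace(tzinfo=timezone.utc)


def evidence_record(target, availability_body, local_copy, collected_at=None):
    """Build a note-ready record tying your own copy to the public capture."""
    snapshot = parse_availability(availability_body)
    collected_at = collected_at or datetime.now(timezone.utc)
    return {
        "target": target,
        "collected_at_utc": collected_at.isoformat(),
        # Assumption: you also saved the page bytes yourself and hash them here.
        "local_sha256": hashlib.sha256(local_copy).hexdigest(),
        "archived": snapshot is not None,
        "wayback_url": snapshot[0] if snapshot else None,
        "wayback_captured_utc": snapshot[1].isoformat() if snapshot else None,
    }


if __name__ == "__main__":
    page = b"<html>constructed local copy</html>"
    for body in (SAMPLE_ARCHIVED, SAMPLE_MISSING):
        target = json.loads(body)["url"]
        print(save_page_now_url(target))
        print(json.dumps(evidence_record(target, body, page), indent=2))
```

When `archived` comes back false, the capture did not take and your own copy is the only record, so note that at the time of collection.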

How to Use Boolean to Improve Social Media Monitoring

Twitter and Boolean Searching

Twitter has a robust search facility that includes Boolean search operators. Twitter Support provides the following table of search operators.

Twitter defaults to the AND operator when you add search terms to the search statement. Don’t forget to use the minus sign (-) for NOT to eliminate search terms and OR to broaden the search. To get the results that you really want, you can filter the search results using the selections on the left side of the results page or you can start your search on the Advanced search page. Always search for variations of hashtags, spellings, and sentiment words in order to capture the largest number of tweets possible.

Unearthing a GeoSocial Footprint

I try to learn something every day. Today, I learned about GeoSocial Footprints. A geosocial footprint is the combined bits of location information that a user divulges through social media. Now I had to learn an easy way to unearth someone’s geosocial footprint.

First, I had to find an easy way to uncover which social media (SM) a person uses. To do that, I found an add-on for Firefox called Identify. This extension used to help you explore an individual’s web identity across SM sites. However, it is not compatible with V. 26 or later. It was also not compatible with Comodo IceDragon.

That left me with trying Hoverme. This is an add-on for Chrome that provides a SM profile when you mouse over a name on SM sites. You will supposedly be able to view the social web profile of the subject by mousing over the profile picture in Facebook, etc. It should provide links to the person’s profiles on sites such as Facebook, LinkedIn, Delicious, etc.

I tried installing it in Comodo Dragon, which is built on the open source Chrome browser and doesn’t phone home to Google like Chrome. Unfortunately, Hoverme needs the Kynetx browser extension that many apps require. It’s like Greasemonkey for Firefox, but to install this you need to set up an account or use Facebook or Google to sign in. This means I might be giving away too much information. This also means that to collect evidence safely, I will have to install it on a sandbox machine or in a VM and then do my main collection on another machine. I would do this because I don’t know what Kynetx might be doing to the machine that is collecting the evidence and I don’t know what information this might be giving away to unknown parties.

I guess it’s back to good old-fashioned Investigative Internet Research to uncover which SM sites someone uses. From there, I will have to figure out how to collect, collate, validate, and explain all this geosocial footprint stuff.

Veracity of Online Images & Video

My mother’s advice not to believe everything I read remains as true today as it was 50 years ago. Today, this advice extends to online video and images.

Hoax imagery and video abound online. A fake video of an eagle trying to fly off with an infant in a Montreal park is only one example. Students at the National Animation and Design Centre created this ‘Golden Eagle Snatches Kid’ video. Their skill was impressive. It took a frame-by-frame analysis to uncover the fake. Frames that lacked the eagle’s shadow revealed it to be a hoax.

Free editing software like VLC Media Player or Avidemux Video Editor can help split video into frames, but locating and investigating the person who posted the video proves more productive in most cases. The following is a short outline of how I approach this problem.

First, start listing the places you find the item and user names that posted it. Look for the first instance of the item by filtering by date. Try to find the first instance as this may be the original and the original poster of the item. Compare video thumbnails to find the earliest and largest as that may be the original. Search the thumbnails in Google Image Search, TinEye, and Bing. However, searching TinEye, et al, will require an image with high contrast and distinctive colour combinations.

Next, try to identify the person who first posted it. Sometimes, discovering the creator of the item is easy because it was posted on a Facebook page or on YouTube, but usually it was just duplicated there and originates elsewhere. Search all text associated with the item: tags, descriptions, user names. Use everything as search terms. Search all the user names to identify the people. Use sites like LinkedIn, Facebook, etc., to get a feel for the background of the people you may later contact.

Once you have found the likely source of the item, examine and question the source to establish his reliability. You need to engage this person to establish that he created the video or image and that it isn’t a hoax or an altered version of something he still possesses.

WebMii

I have written about pipl.com before and often find it useful when I am trying to track down people. Unfortunately, its usefulness is limited if the subject person lives outside the U.S.A.

When searching people outside the US, I turn to WebMii. This has data sets for specific countries which you can select or you can select all by selecting ‘International’ as the region.

You may also search by keywords to get a list of people associated with the keywords. However, this has never worked for anything I have searched. Searching by company or brand name often returns useful results, but selecting a region failed to change the results in any search that I have done.