OSINT & Zombie Journals—Part 2

The Nature of Sources

Primary & Secondary Sources

An archive is a primary source because its contents are documents usually authored by a person with direct knowledge of the topic; this includes public records completed by the subject.

A library is a secondary source because its documents are created from the primary sources, as are citations, abstracts, bibliographic databases, etc.

Authoritative Sources

Evaluating the quality of a source means asking questions like:

  • What is the reputation of the data, and the data-provider (including the publisher)?
  • Has this source of data been cited elsewhere?
  • What is the reliability of the source?
  • How can the source of the information be documented or qualified?
  • Is this a primary source or secondary source?
  • Is this a legally required or legally binding source?

Answers to the above questions should help you find the authoritative source. Zombies are never authoritative sources.

In the next article I will discuss evaluation methods, citations, and bibliographic databases.

Phone Numbers on the Web

The Phone Archive says it searches “USA based phone numbers usages and context snippets on webpages and documents found on the Web.” It is operated by the same people who run The Email Archive, which I found less than useful earlier this week. This site is much more useful.

While they advertise this as searching US based phone numbers, I found it useful for finding references to any phone number in the North American Numbering Plan (NANP). I found numbers in Canada, Panama, and Caribbean islands.

I haven’t compared results to the large search engines, but this is a useful resource.
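The same number is written many ways on web pages, and a phone-number search only finds the spellings you ask for. The following is an added example of my own (not code from The Phone Archive) that pulls NANP numbers out of text in their common spellings, rejects shapes the numbering plan does not allow, and builds an OR query of the variants for a general search engine. The sample text and the numbers in it are constructed for the example.

```python
import re

# Common ways a North American number appears on the Web: optional +1 / 1,
# then NXX-NXX-XXXX with parentheses, spaces, dots or dashes between groups.
# The numbering plan requires N (the first digit of area code and exchange) to be 2-9.
NANP_RE = re.compile(
    r"(?<!\d)(?:\+?1[\s.-]?)?\(?([2-9]\d{2})\)?[\s.-]?([2-9]\d{2})[\s.-]?(\d{4})(?!\d)"
)

def extract_nanp(text):
    """Return the NANP numbers found in text as canonical 10-digit strings, in order of first sight."""
    found = []
    for area, exchange, line in NANP_RE.findall(text):
        # N11 codes (411, 911, ...) are service codes, never a valid area code or exchange.
        if area[1:] == "11" or exchange[1:] == "11":
            continue
        digits = area + exchange + line
        if digits not in found:
            found.append(digits)
    return found

def search_variants(digits):
    """The spellings a web search should OR together for one 10-digit NANP number."""
    a, e, l = digits[:3], digits[3:6], digits[6:]
    return [
        f"({a}) {e}-{l}",
        f"{a}-{e}-{l}",
        f"{a}.{e}.{l}",
        f"{a} {e} {l}",
        f"+1{a}{e}{l}",
        f"1-{a}-{e}-{l}",
    ]

def search_query(digits):
    """Quoted, OR-joined query string for a general search engine."""
    return " OR ".join(f'"{v}"' for v in search_variants(digits))

# Constructed sample text; the numbers are fictitious 555 numbers.
SAMPLE_TEXT = (
    "Contact: (416) 555-0123 or 1-800-555-0199, fax +1 212.555.0147. "
    "Emergency 911 555 1234. Dup 416-555-0123."
)

if __name__ == "__main__":
    for number in extract_nanp(SAMPLE_TEXT):
        print(number, "->", search_query(number))
```

The 911 line in the sample shows why the N11 check matters: a naive 3-3-4 pattern would report it as an area code. Run the query the function builds in Google or another engine, and add `site:` to narrow it to one host.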

National Missing and Unidentified Persons System

If you are looking for someone in the USA and cannot find anything, you might want to look at NamUs.

According to the site, “the National Institute of Justice’s National Missing and Unidentified Persons System (NamUs) is a national centralized repository and resource center for missing persons and unidentified decedent records. NamUs is a free online system that can be searched by medical examiners, coroners, law enforcement officials and the general public from all over the country in hopes of resolving these cases.”

A reddit Barometer

Reddit is an entertainment, social networking, and news website where registered users submit content, such as text posts or direct links. This makes it a large online bulletin board.

Users vote submissions up or down to organize the posts and determine their position on the site’s pages. Content is organized by areas of interest called “subreddits”. The subreddit topics include news, gaming, movies, music, books, fitness, food, and photosharing, among many others.

For the investigator, reddit is a good barometer of a user’s interests, attitudes, and popularity. To see a user’s barometer, SnoopSnoo provides reddit user and subreddit analytics.

On SnoopSnoo, the user analytics are computed by analyzing submissions and comments activity. Analysis is limited to the 1,000 most recent comments and submissions due to reddit’s API restrictions. The subreddits are automatically assigned topics by an algorithm. Subreddits with fewer than 1,000 subscribers or created within the last 30 days may not have been processed.
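To show what such a barometer is built from, here is an added example of my own (not SnoopSnoo’s code) that takes a list of comment records in the shape returned by reddit’s user listing API, keeps only the newest 1,000 as the API does, and summarises where the account posts, how its karma is distributed, and at what hour of the day (UTC) it is most active. The comment records are constructed for the example.

```python
from collections import Counter
from datetime import datetime, timezone

API_LIMIT = 1000  # reddit's listing API returns at most about 1,000 of a user's newest items

def ts(year, month, day, hour):
    """UTC epoch seconds, the unit reddit uses for created_utc."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc).timestamp()

# Constructed sample in the shape of the children of /user/<name>/comments.json;
# subreddits, times and scores are invented for this example.
SAMPLE_COMMENTS = [
    {"subreddit": "netsec",  "created_utc": ts(2015, 5, 11, 22), "score": 12},
    {"subreddit": "netsec",  "created_utc": ts(2015, 5, 12, 22), "score": 5},
    {"subreddit": "netsec",  "created_utc": ts(2015, 5, 13, 13), "score": 3},
    {"subreddit": "toronto", "created_utc": ts(2015, 5, 13, 22), "score": 1},
    {"subreddit": "toronto", "created_utc": ts(2015, 5, 14, 23), "score": 2},
    {"subreddit": "cooking", "created_utc": ts(2015, 5, 14, 12), "score": 7},
]

def activity_profile(items, limit=API_LIMIT):
    """Summarise an account's activity from its newest `limit` items.

    Returns the subreddit breakdown (count and karma), the peak posting hour in UTC
    with its share of all items, and whether the API limit truncated the view.
    """
    newest = sorted(items, key=lambda i: i["created_utc"], reverse=True)[:limit]
    if not newest:
        return {"items": 0, "truncated": False}
    count = Counter(i["subreddit"] for i in newest)
    karma = Counter()
    hours = Counter()
    for i in newest:
        karma[i["subreddit"]] += i["score"]
        hours[datetime.fromtimestamp(i["created_utc"], tz=timezone.utc).hour] += 1
    peak_hour, peak_n = hours.most_common(1)[0]
    return {
        "items": len(newest),
        "truncated": len(newest) == limit,   # hit the limit: older history is invisible
        "top_subreddits": count.most_common(3),
        "karma_by_subreddit": dict(karma),
        "total_karma": sum(karma.values()),
        "peak_hour_utc": peak_hour,
        "peak_hour_share": round(peak_n / len(newest), 2),
    }

if __name__ == "__main__":
    print(activity_profile(SAMPLE_COMMENTS))
```

The peak hour is reported in UTC on purpose: a consistent evening peak in UTC is a clue to the poster’s time zone, and a local subreddit in the top three (toronto here) is another. Both are leads to be checked against other sources, not conclusions.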

Ashley Madison Hack

The Ashley Madison hack has a lot of people running around like a bunch of headless chickens. The simple fact is, you cannot trust this data. Let me explain why this data must be treated with extreme caution.

Registration was free, but you needed to buy credits to contact other members. Stolen credit card numbers appear in the data. Nobody has verified the number of real and active accounts. The website allowed new accounts to be set up without confirming the email address, so anyone could open an account using someone else’s name and email address as a prank or out of malice, and of course the hackers could have added names to the list before publishing it. This type of malicious prank is truly vicious in the 79 countries where homosexuality is illegal. For example, in Afghanistan, Iran, Mauritania, Nigeria, Qatar, Saudi Arabia and the United Arab Emirates, the punishment for homosexuality is death.

Here are my favorite headless chicken searches:

 

OPSEC & Social Network Sites

OPSEC

An investigator can use LinkedIn, Facebook, and other sites to build a profile of someone’s personal and work life, but like so many things in life, this cuts both ways. What might happen if it is done to your business’s employees? How might this hurt your company? Most businesses do not think about this, and those that do usually consider key executives to be most at risk. This is entirely wrong!

Operations security (OPSEC) is the lens through which to view this risk. View each employee in terms of what he knows and what he has access to. This will change your entire outlook.

The janitor has keys and is in the building alone. Security guards possess sensitive information. The secretary to the VP of Marketing knows when you will launch a new product. Are you starting to get the picture? This leaves the problem of how to analyse the content of sites like LinkedIn and Facebook.

Facebook

For example, Facebook identifies your friends and family, and where they live. It knows your likes and dislikes. It knows your travel destinations. It knows posting habits and posts to which you will respond. All of this creates an OPSEC nightmare.

The Wolfram Alpha Facebook Report lets you see what information Facebook knows about you and your friends. It yields easy-to-understand charts, tables, and graphs in a personalized report.

This requires the account holder to log into Facebook before it will run; however, that will not stop an industrial spy, foreign agent, gangster, or terrorist. In certain dark corners of the Internet, hacking a social media account costs about $350. Changing the privacy settings is a meagre deterrent. With the hacked account and the Wolfram Alpha Facebook Report, the crook or spy has everything he needs to plan the compromise of an employee.

LinkedIn & Spies

Using LinkedIn, researchers found the personal details of 27,000 intelligence officers who, the researchers say, are working on surveillance programs. They compiled the records into the ICWatch database, which is searchable by company, title, name, and location.

What might a skilled researcher find regarding your employees?

Solutions

The biggest part of dealing with this OPSEC risk is recognising that it exists. The rest of the solution involves a combination of strict social media policies, non-disclosure agreements, conditions of employment, and employment contracts coupled with employee indoctrination and training.

Finding Deleted Tweets

Paper.li is a web service that lets members create a daily newspaper of sorts containing their favorite material, which they then share with their followers. Here are some points that the investigator should note:

  • A lot of the content of these papers comes from Twitter.
  • These papers are archived.
  • Twitter users sometimes delete Tweets.
  • Tweets deleted on Twitter are not deleted from sites like Paper.li.

Paper.li is a content curation service. A Content Curator is someone who continually finds, groups, organizes and shares the best and most relevant content on a specific issue online. These sites are a good place to find content deleted from the originating social networking site.

If you go to Paper.li and use their search feature, you won’t find anything unless your search is for the title of a paper. Their search doesn’t look within individual articles.

To find mentions of content from Twitter, or any other content, use the site: operator in a general search engine, since Paper.li’s own search does not look inside articles. Search by the Twitter account’s display name and the user name (@username) along with any keywords that apply to what you are looking for, for example: site:paper.li “@username” keyword

Finding Bozo Eruptions on Twitter

On Tuesday, 18 Nov 2014, Twitter announced that it has finished indexing every public tweet ever made since the social networking service launched in 2006.

Fortunately for investigators, Twitter does not provide bulk deletion, so most people will not take the time to examine their Tweets for Bozo Eruptions. Batch deletions are, however, possible using third-party sites like Tweet Deleter, Tweet Eraser and TwitWipe. If someone deletes Tweets, Twitter admits that “Deleted tweets sometimes hang out in Twitter search, [but] they will clear with time.” So a deleted tweet eventually disappears from Twitter’s search results, from the timelines of accounts that follow the account, and from any retweets of it.

Fear not, intrepid investigator, for hope and a lot of searching might uncover someone who copied a deleted tweet into his own tweet; that copy will remain, as will any tweets quoted on other sites.

Operative Research

Operative research is the process of learning how things work in a particular area. As an investigator, I often have to learn how something works or the nature of the skills used in a certain area of human endeavour.

I sometimes start by interviewing people who are in the field, but more often, I do a literature search of the topic before conducting interviews. That leaves me with the task of locating relevant published material that will give me an overview of the topic and allow me to formulate a list of questions to ask during interviews.

The first task in this is to understand how the subject matter is indexed. That means understanding who might have a use for this material. For example, many military topics are also useful to engineers, construction companies, outdoorsmen, miners, sailors, and many more individuals and organisations. Another example would be the topic of physical security.

Once you know who might collect and catalogue the subject material that interests you, learn what terms they might use to describe it. Now add the words “library” and “subject guide” to your search. What you are looking for is a targeted collection of material. Once you find such a collection, search the site using the site: operator.

Using the above search strategy in a recent search for information on evacuation of urban areas, I found urbansruvivalsite.com and its library of ebooks. Searching for data on electrical wiring led me to the Pole Shift Survival Information site and its library of publications about wire, where I found tables of wire-gauge sizes. When trying to decipher old shorthand notes in a deceased lawyer’s file, I found a library of publications about shorthand.

The focus of each of these ‘library’ sites is far removed from my interests, however, the people who created these sites had their own use for the information and that made my job easier.

Site Investigation Tools

When you start to investigate a particular Internet site, I suggest you begin with these resources.

Domain Dossier Investigate domains and IP addresses. Get registrant information, DNS records, and more—all in one report.

InterNIC Public Information Regarding Internet Domain Name Registration Services

Network Solutions’ Whois

DomainSearch.com Search multiple top level domains at once to see if the domain name is in use. I use it to find the same domain name in other top level domains.

Convert Host/Domain Name to IP Address and vice versa Find the IP address of a host or domain name, or find the name of one of the hosts at an IP address (reverse lookup).

Using Traceroute Learn how to use and interpret traceroute results.

Additions thanks to Kirby:

hostcabi.net Provides a lot of information, but most importantly, it identifies other users of the same Google Analytics account and all the sites using that account.

sitedossier.com Sometimes shows older servers, which is useful when a website has moved to a cloud service or behind CloudFlare and its original hosting is no longer visible in DNS.
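The Google Analytics trick above works because the tracking snippet embeds the property ID in the page source, and every property in one account shares the account number (the middle part of UA-12345678-1). The following is an added example of my own (not hostcabi.net’s code) that extracts the IDs from page HTML and groups hostnames by account. The HTML fragments, hostnames and IDs are constructed for the example; fetching the pages is left to the reader.

```python
import re

# Property IDs as embedded by ga.js (_setAccount), analytics.js (ga('create', ...))
# and gtag.js (gtag('config', ...)). UA-<account>-<property>; G-<measurement id>.
GA_ID_RE = re.compile(r"\b(UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{6,12})\b")

def extract_ga_ids(html):
    """Return the unique Google Analytics IDs embedded in one page's HTML."""
    return sorted(set(GA_ID_RE.findall(html)))

def account_of(ga_id):
    """UA-12345678-1 and UA-12345678-2 are two properties of one account, 12345678.
    A G- measurement ID carries no visible account part, so it is its own key."""
    if ga_id.startswith("UA-"):
        return "-".join(ga_id.split("-")[:2])
    return ga_id

def cluster_by_account(pages):
    """pages: {hostname: html}. Returns {account: [hostnames]} for accounts seen on more than one host."""
    hosts_by_account = {}
    for host, html in pages.items():
        for ga_id in extract_ga_ids(html):
            hosts_by_account.setdefault(account_of(ga_id), set()).add(host)
    return {acct: sorted(hosts) for acct, hosts in hosts_by_account.items() if len(hosts) > 1}

# Constructed HTML fragments standing in for fetched pages (invented hostnames and IDs).
PAGES = {
    "example-shop.com": "<script>ga('create', 'UA-12345678-1', 'auto'); ga('send', 'pageview');</script>",
    "example-blog.net": "<script>var _gaq = _gaq || []; _gaq.push(['_setAccount', 'UA-12345678-2']);</script>",
    "unrelated.org": "<script>ga('create', 'UA-99999999-1', 'auto');</script>",
    "example-forum.com": "<script>gtag('config', 'G-ABC123DEF4'); gtag('config', 'UA-12345678-1');</script>",
}

if __name__ == "__main__":
    for account, hosts in cluster_by_account(PAGES).items():
        print(account, "->", ", ".join(hosts))
```

A shared account number shows that the same Google Analytics login receives both sites’ traffic. That usually means common ownership, but it can also mean a shared web agency or a copied template, so treat the link as a lead to confirm through registrant data, hosting history, and content, not as proof by itself.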

Forgotten But Not Gone

The European Union “right to be forgotten” law that allows individuals to demand the removal of links from Google’s EU search sites is starting to come into play.

The EU “Right to be Forgotten” is clearly a form of censorship in the 28 member nations and 4 other European countries, which together encompass over 500 million people. Google has about 90% of the search engine market there.

Demanding the removal of an indexed item only renews interest in the story. Because the removal applies only to the search results and not to the pages themselves, traffic to the articles in question increases as journalists call attention to them once they are notified that an article was removed from the EU search sites. This is known as the Streisand Effect.

European Google search results for any name display the disclaimer that, “Some results may have been removed under data protection law in Europe,” even if nobody requested the removal of anything.

Of course, people will soon tire of writing about the removed articles and people will stop demanding the removal of indexed items.

Certainly, free speech enthusiasts will start to collate all the missing search results and make them available. This has already started with Hidden From Google, a site that archives articles Google must remove from European Union search results. I’m certain a Twitter account like @gdnvanished will also appear to provide similar content.

The easiest way to circumvent this censorship is to search using the Google.com site instead of the local EU search sites—or better yet, use other search engines like DuckDuckGo, Yandex, and blekko.

Social Media Early Warning System

Today, social media (SM) reports emergencies, scandals, and controversial events before the traditional media do. The news media has become a second source that tries to improve the signal-to-noise ratio.

Using SM as an early warning system isn’t a new idea, but few organisations actually do it because they never get around to creating an organised process for this function.

How to Create a SM Early Warning System

I start the process by first identifying the subject matter that I need in my early warning system and what informational role it will play. This includes identifying who will receive its output and who must act upon its output.

Carefully plan how you will communicate with the rest of your organisation. This needs to include an emergency distribution list with alternative distribution methods if normal communication methods start to break down.

The people who must act upon your information must trust that you will give them timely and accurate information. They must also know what you won’t provide. Gaining this trust and understanding will take time and good old-fashioned salesmanship.

Next, I start identifying sources that provide reliable information that I then store, aggregate, and evaluate. As these sources become more trusted, I begin grouping them by topic, special knowledge, geography, and other factors. I then start asking them for more contacts that are equally reliable. To manage my contacts or sources, I build Twitter Lists, Facebook Interest Lists, Google Plus Circles, and use other similar list tools.

I contact my sources by email, Skype, and other means to build a relationship based upon trust and common interests. I note their strengths, weaknesses, skills, contacts, biases, and other relevant characteristics. It is important for me to treat all my contacts with respect and to view them as colleagues rather than people to order about. I also act as a source to all my contacts, as this isn’t a one-way street. I make it clear that I am looking for help rather than someone circulating rumors and misinformation. I do this by letting my contacts know what I do and do not know while steering clear of all inflammatory aspects of the topic, as SM tends to amplify these without adding factual data.

I have seen many attempts to use SM for this fail once the people involved realise that for this to work, it must be a collaborative effort. They don’t want to give as much as they receive, as that requires too much effort, trust, and organisation.

To organise a SM early warning system you need to start a decision tree that allows you to go through the research, evaluation, and verification process in a logical and orderly manner without missing any steps. Design the process to identify the original content source or creator, verify that it represents events truthfully, and that the context of the content is not intended to mislead the viewer.

Use your favourite flow-chart software to make a decision tree suitable for the type of content and SM that you typically handle. Keep it simple. Start with only yes/no decisions. Each person on the team should add to the decision tree for their tasks as they learn new sources and methods.

Divide the decision tree into three components. First, identify the original poster or creator of the content. Second, investigate the source or creator of the content to help determine his reliability, biases, and online history. Third, investigate the content itself for defects that indicate that it is a fake, an intentional hoax, or some form of propaganda.

Over time, the decision tree and its supporting documentation will make your team seem super-human in its ability to wade through large volumes of complex material to expose fakers and reveal the true story.