Murder starts with your Mouth

The excellent book The Dark Side Of Man reports that David Luckenbill studied all of the murderers in a California county over a 10-year period and asked them why they killed their victims. All the death row inmates interviewed listed one of only two reasons for killing:

  • 34% said they killed because the victim challenged the killer’s authority
  • 66% said they killed because the victim insulted them in some way

What matters is the criminal’s perception. If he perceives a challenge or an insult, he is more likely to kill you.

This information provides a basis for planning a strategy for dealing with criminal violence.

Understand that the criminal is not operating under the same moral imperatives as his victim. A large proportion of violent criminals are psychopaths without any empathy for their victims. Never think, “He won’t shoot me because I wouldn’t shoot him in the same situation.” You would be wrong and this will cost you your life.

False bravado will also get you killed. Criminals learn to quickly judge people and use that judgement to manipulate them. Your bluff will be transparent and you will experience a violent response to your challenge.

Never insult an attacker. There is a big difference between screaming “GET AWAY FROM ME!” and screaming “GET AWAY FROM ME YOU MOTHERFUCKER!” Insulting an armed criminal will not yield positive results.

Be especially cautious during the times when the criminal is under the most stress and choose your words carefully, especially at the early and end stages of the attack.

Develop a verbal response for the most likely scenarios you may face. Rather than thinking on the fly, just say exactly what you have practiced. Your script should avoid any challenging language or insults. Deliver your script in a calm monotone even if you are planning violent resistance. Surprise is a very potent weapon in your arsenal.

If you are in an environment that exposes you or your staff to the risk of criminal attack, then The Dark Side Of Man is a book you must read.

Know your enemy and plan to prevail.

Learning New Skills

All good investigators strive to learn new skills. Most skilled investigators are true readers. Some investigators are autodidacts.

To be an expert in your field, you should read one book about it every week. You heard me right, one book a week. But what happens when you are having difficulty getting through the book because you are encountering material that is over your head?

My solution to this is 3×5 index cards in two colours. I write down what is going well on one colour and what I am struggling with on another. Do this for small portions of the book at a time and use other resources to get a grasp of the problem area. Don’t move on until you overcome all the areas with which you struggle. If it is something you can practice hands-on in the real world, then do so. An example would be to actually use the software you are reading about and work through the aspect that presents some difficulty. As you overcome the things you struggled with, write them on the going well cards but note that they were originally difficult.

Workshops for the Investigator

Finding useful information is time-consuming. Properly evaluating information is time-consuming. Organising information for analysis is time-consuming. We teach techniques that focus and refine your search results. Then we teach you to evaluate the quality of what you find. Finally, we teach you the best practices to organise your data for reporting.

For the Investigator, these time-consuming tasks are money in the bank if he can do the job in an organised and efficient manner.  Get a jump on the learning curve from an expert who knows the challenges facing the Investigator.

We tailor workshops for Investigators of varying experience and information literacy.

Sample topics include:

Research Strategy: plan a research strategy, choose the appropriate tools, and use them to full capacity

Evaluation Matrix: the Internet is renowned for harbouring unreliable information, but we teach you how to evaluate the data you find for relevance and quality.

Google: learn the good and bad of Google and how to use its most powerful features

More than Google: learn the strengths and weaknesses of other search engines and how to benefit from them.

The Deep Web: learn about the resources hidden from search engines.

Social Networks: learn the rules regarding searching and using this data. Learn how to search this vast resource and how to analyse what you find.

MSOffice & OpenOffice: these are not typewriters! Learn how to use them as sophisticated information tools that save time and effort.

Information Management:  we show you the software tools and techniques that save your data and your time.

Secure Surfing: choosing the right browser and configuring it properly to leave the smallest footprint behind


Securing Firefox – Configuration Settings

This is about stopping the dreaded disease, Data Diarrhea. The websites you visit can leave behind a trail of data on your computer and in their server logs. All of this Data Diarrhea can identify the Investigator and this can complicate the problem he is trying to solve. Lax privacy & configuration settings may also leave the Investigator’s computer vulnerable to attack by hackers.

This article describes more advanced methods of customizing Mozilla applications, by editing the configuration files.

about:config entries

about:config is a feature of Mozilla applications which lists application settings (known as preferences) that are read from the profile files prefs.js and user.js, and from application defaults. Many of these preferences are not present in the Options or Preferences dialog. Using about:config is one of several methods of modifying preferences and adding other “hidden” ones.

Editing the user.js and prefs.js files is an alternative method of modifying preferences and is recommended for very advanced users only. Unless you need a prefs.js and/or user.js file modified for a specific purpose, you should use about:config instead.

This article refers to the Firefox V. 9 edition of the browser. These entries may have adverse effects on Thunderbird and Mozilla Suite/SeaMonkey and older versions of Firefox. These settings will affect all profiles of the browser.

In Firefox, type about:config in the Location Bar (address bar) and press Enter to display the list of preferences. You may get a warning page next; just click OK and move on.

about:config > browser.display.use_document_fonts > change value to 0

0: Never use document’s fonts
1: Allow documents to specify fonts to use
2: Always use document’s fonts (deprecated)

Don’t give the site access to the fonts on your computer. That grants too much access that can be abused.

about:config > browser.sessionhistory.max_entries > change value to 2

The maximum number of pages in the browser’s session history, i.e. the maximum number of URLs you can traverse purely through the Back/Forward buttons. Default value is 50. Set it to 2 so that the site you visit can’t see where you have been during your Investigative Internet Research (IIR) assignment.

about:config > > double click to false is a mechanism allowing web pages to store information with a web browser (similar to cookies) called “client-side session and persistent storage.” Although use of session storage is subject to a user’s cookie preferences, this preference allows it to be disabled entirely.

about:config > geo.enabled > double click to false

True means location-aware browsing is enabled. Default is true. You want to disable this. See for details of geolocation in Firefox.
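
As an added example (not part of the original article or of Firefox itself), this Node.js script checks the text of a profile's prefs.js and user.js against the three named about:config values above and prints the user.js lines still needed. The function names and the sample prefs.js content are constructed for illustration; it assumes user.js entries override prefs.js at startup.

```javascript
// Added example: the function names below are hypothetical.
const RECOMMENDED = {
  "browser.display.use_document_fonts": 0,
  "browser.sessionhistory.max_entries": 2,
  "geo.enabled": false,
};

// Parse `user_pref("name", value);` lines as found in prefs.js / user.js.
// Comment lines and anything else that is not a user_pref call are skipped.
function parsePrefs(text) {
  const prefs = new Map();
  const re = /^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$/;
  for (const line of text.split(/\r?\n/)) {
    const m = re.exec(line);
    if (!m) continue;
    try {
      prefs.set(m[1], JSON.parse(m[2])); // numbers, booleans or "strings"
    } catch { /* value is not a plain literal: skip the line */ }
  }
  return prefs;
}

// user.js is applied on top of prefs.js at startup, so its entries win.
// A preference missing from both files is at the application default.
function auditPrefs(prefsJs, userJs = "") {
  const effective = new Map([...parsePrefs(prefsJs), ...parsePrefs(userJs)]);
  const findings = [];
  for (const [name, want] of Object.entries(RECOMMENDED)) {
    if (!effective.has(name)) {
      findings.push({ name, status: "default", want });
    } else if (effective.get(name) !== want) {
      findings.push({ name, status: "differs", want, got: effective.get(name) });
    }
  }
  return findings;
}

// Render the outstanding findings as user.js lines that apply the fix.
function toUserJs(findings) {
  return findings.map((f) => `user_pref("${f.name}", ${JSON.stringify(f.want)});`).join("\n");
}

// Constructed sample prefs.js content (not taken from a real profile).
const SAMPLE_PREFS_JS = [
  "// Mozilla User Preferences",
  'user_pref("browser.sessionhistory.max_entries", 50);',
  'user_pref("geo.enabled", false);',
  'user_pref("browser.startup.homepage", "about:blank");',
].join("\n");

console.log(toUserJs(auditPrefs(SAMPLE_PREFS_JS)));
```

Close Firefox before adding the printed lines to user.js in the profile folder, since prefs.js is rewritten while the browser runs.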


Securing Firefox – General Privacy Settings

General Firefox Privacy Settings

The basic privacy settings in general settings are found in the options bar in Firefox 9.0 (Firefox > Options > Options) or, for iOS, Preferences.

  1. Content: Enable block popup windows and disable Javascript when it isn’t needed.
  2. Privacy: Enable the DNT (Do-Not-Track). For History, use custom settings. “Always use private browsing mode” should be enabled. “Remember my browsing history”, “Remember download history” and “Remember search and form history” should be turned off. “Accept cookies from sites”, but un-check “Accept third party cookies” as they aren’t needed often. Location bar: select “Suggest nothing”.
  3. Security: Enable “Warn me when sites try to install add-ons”, “Block reported attack sites” and “Block reported web forgeries”. Under Passwords, disable “Remember passwords for sites” and use a master password.
  4. Advanced – General – System Defaults: Disable “Submit crash reports and performance data”.
  5. Advanced – Network – Offline Storage: Check “Override automatic cache management and limit cache to 0MB space”. Further—you can un-check “Tell me when a website asks to store data for offline storage use”.
  6. Advanced – Encryption: Ensure both “Use SSL 3.0” and “Use TLS 1.0” are enabled. Then click validation > check “When an OCSP server connection fails, treat the certificate as invalid”.



The Cost of Investigative Internet Research

“Why does it cost so much just to look on the Internet?”

I get this question a lot, and too often from “professionals” who should know better. I will list a few of the reasons here.

To begin with, I never know how the research results will be used in the future. That means that the results must be properly documented so that they would be reproducible if someone else with similar skill did the searches at the same time as I did.

If at some future date what I find becomes important evidence, then how it was found, where it was found, when it was found, and what it actually looked like becomes very important. My report and the supporting material may be the only proof of the existence of the material being entered into evidence.

The computers must be free of malicious code (S. 31 Canada Evidence Act). We often set aside a computer for this purpose after doing some Spring-Cleaning.

The logic of the research process must be clear and easy to explain to anyone. This logic must be explained in the report. Search statements must be recorded. The project directory and file naming and structures must be logical and properly documented. The evidence must have a clear and documented chain of custody.

Providing this evidence requires skill, training, experience, software, computers, office space, support staff, and time. Finally, did you know it takes at least twice as long to do the report as it does to do the research?


The New Neighbourhood

In the past, most investigations included ‘neighbourhood inquiries’ where neighbours were questioned regarding the subject’s activities and lifestyle.

We still do neighbourhood inquiries, but over the last three decades this has produced less and less information of value, to the point that we now consider this an extraordinarily expensive investigative process.

Neighbours rarely share derogatory information or observations about the subject, and fewer still even know the subject, as most urban neighbourhoods are too transient and social contact is minimal.

Today’s neighbourhood isn’t tied to geography, but rather to Internet connectivity. The advent of virtual media has created virtual neighbourhoods that the Investigator must be adept at navigating and interrogating.

This new neighbourhood may reveal inappropriate pictures, drug and alcohol abuse, bad-mouthing of employers, co-workers, clients, and organisations. It may reveal poor communication skills and much worse – much of which is found exclusively online.

Unfortunately, inexpert interrogation and navigation of this neighbourhood has caused issues.

The ubiquity of Internet search engines and a lack of training and guidelines may put the Investigator in contravention of some laws if the resulting information creates a record of personally identifying information that is subsequently mishandled. Possession of Internet search results may impose either declared or implied responsibilities regarding the handling of the data in some jurisdictions.

A casual and undisciplined approach to Internet and social media searching raises questions regarding the competence, handling, fairness, storage, and analysis of the data. The role of the Investigator doing the searching should be clear from the outset. The sources and methods employed should also be clear throughout the search process and its reporting.

Virtual Identities

The subjects of an investigation do not line up to tell the Investigator all their screen names and related email addresses.

The Investigator must find the screen names and related email addresses from what he already knows at the beginning of the Investigation to build an online profile of the subject.

The Investigator must also recognise that screen names are often used by more than one person or a screen name may be used maliciously.

As the old New Yorker cartoon said, “On the Internet, nobody knows you are a dog”.

Navigation & Interrogation

The unstructured nature of data available on the Internet, and its density, creates problems for the searcher.

Google may say it found three million hits, but it will only show one thousand. The results will change depending on which version of Google is searched and whence it is searched.

When searching for information about a person or company, the Investigator shouldn’t get bogged down by search engine hits, but rather go straight to databases that have the right category of data for his purposes. This may mean searching sources not indexed by the search engines.

Google isn’t a substitute for knowledge and experience.

Je Suis un Flâneur

This falls in the category of:

What They Don’t Teach at Detective School.

Flâneur (feminine, “flâneuse”) translates literally as a loafer or a person who loiters, but the poet Charles Baudelaire defined it as a passionate observer.

“There is no English equivalent for the French word flâneur. Cassell’s dictionary defines flâneur as a stroller, saunterer, drifter but none of these terms seems quite accurate. There is no English equivalent for the term, just as there is no Anglo-Saxon counterpart of that essentially Gallic individual, the deliberately aimless pedestrian, unencumbered by any obligation or sense of urgency, who, being French and therefore frugal, wastes nothing, including his time which he spends with the leisurely discrimination of a gourmet, savoring the multiple flavors of his city.” (Cornelia Otis Skinner, Elegant Wits and Grand Horizontals, 1962, Houghton Mifflin, New York)

The essential elements of the flâneur are also the essential elements of being a good investigator, reporter, researcher, and any other job that requires a well-developed ability to observe and report.

The Autodidact Private Investigator

Autodidact (au·to·di·dact, -tō-ˈdī-ˌdakt, noun) is a person who has learned a subject without the benefit of a teacher or formal education; a self-taught person. A private investigator is a person who can be hired by individuals or groups to undertake investigations.

The economic downturn has left a lot of Private Investigators moaning about a lack of work. That’s an economic hardship, if you haven’t planned for it, but it is also an opportunity. Now is the time to learn some new skills. Here are two great blog articles on how to go about it:

The Cheapskate’s Guide to Educating Yourself

How to Set Up Your Personal University

Why Ethical Hacker Training Fails

An excellent CI related blog, Brand Killer Robots, offers this fun comparison of the black-hat hacker and the good guy training people to protect their assets.

Why have Ethical Hacker Training companies got it so wrong?

We ask, just who are the people that you are sending on Ethical hacker training courses and why are you sending them?

So let’s first look at the white hats.


Writing is Hard Work

Anybody who writes reports should have some books at hand to learn from, and for reference.

My first and best recommendation is William Zinsser’s On Writing Well. Then a serious study of The Modern Researcher by Jacques Barzun is a must. Barzun may not be pleasant reading, but he has guided untold graduate students successfully through the thesis-writing process. If you haven’t noticed, good investigation reporting has a lot in common with academic writing.

The Oxford English Dictionary, in some form, and Fowler’s Modern English Usage are absolutely necessary reference works. Fowler’s sorts out questions of usage. For example, when does one use licence instead of license (the first is a noun, while the second is a verb) or when to use iterate, reiterate, and reiterant.

Three more books make my list of required reading in this area:

  • The Craft of Research by Booth, et al.
  • A Manual for Writers of Research Papers, Theses, and Dissertations by Turabian, et al. (an easier read than Barzun)
  • How to Write a Lot by Paul J. Silvia. An excellent section on how to avoid pompous writing is worth the price of the book alone.

An article titled THE BOSS CAN’T WRITE by Philip Quinn, appearing in the Financial Post on Wednesday, November 14, 2007, illustrates the difficulties faced by employees and businesses due to poor literacy skills.

How to Become an Expert Investigator

The top performers are rarely more gifted than the also-rans, but they almost invariably outwork them. Scholars of elite performance speak of a 10-year rule: you have to put in a decade of focused work to master something and bring expert status within reach.

The expert Investigator develops two important cognitive skills. The first is the ability to group details and concepts into easily remembered patterns. Second, the expert also learns to quickly identify which bits of information in a changing situation to store in working memory so that he can use them later. This facilitates a continually updated mental model far more complex than that used by someone less practised, allowing him to see subtler dynamics and deeper relationships.

Finally, most experts have at least one crucial mentor.