Social Media & Threat Alerts

A Pew Research Poll indicates that college students are spending less time on Facebook and more on simplified instant messaging services like Snapchat, Instagram, WhatsApp and Yik-Yak. Campus safety officers haven’t caught up with this trend. They still check Facebook most consistently, followed by Twitter and Yik-Yak.

In my experience, very few organisations use social media threat-alert software or employ a social media monitoring company, and everything I have seen indicates that the organisations that do monitor social media for risk management usually monitor the wrong sites.

Turn Your PC into an iPhone

Some web sites cannot be viewed properly in Firefox: sometimes an old site requires MS Internet Explorer (IE), and sometimes the site was designed for mobile devices.

The User Agent Switcher extension adds a menu and a toolbar button that switch the browser’s user agent. It lets you choose from three versions of IE or an iPhone, and selecting the iPhone user agent often reveals functionality the desktop version hides. The extension is available for Firefox and runs on any platform the browser supports, including Windows, OS X and Linux. Note that the switch only changes what the server is told: a site that picks its layout with JavaScript from screen size or touch support will not change, and a site that compares the UA string against the browser’s real behaviour may notice the mismatch.
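The same trick from a script, as an added example (this is not code from the page or from the User Agent Switcher extension): the profile strings are constructed in the real format, and the detection regex stands in for the kind of check a site runs server-side to decide which variant to serve, so `classify()` shows why the iPhone string unlocks the mobile version while `fetch()` lets you pull a page under each profile and compare.

```python
"""Request a page under several User-Agent profiles and show what a
server-side "send the mobile version?" check makes of each.

Added example for this post; it is not code from the page or from the
User Agent Switcher extension.  The profile strings and the detection
regex are illustrative assumptions, not copied from any site.
"""
import re
import urllib.request

# User-Agent strings for the profiles the post describes (constructed but in
# the real format; servers key on product tokens such as "iPhone" or "Trident").
PROFILES = {
    "firefox_desktop": "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0",
    "iphone": ("Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X) AppleWebKit/605.1.15 "
               "(KHTML, like Gecko) Version/16.0 Mobile/15E148 Safari/604.1"),
    "ie8": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)",
    "ie11": "Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko",
}

# The sort of pattern a site uses to pick between its mobile, legacy and desktop variants.
_MOBILE = re.compile(r"iPhone|iPod|Android.*Mobile|Windows Phone|\bMobile\b", re.I)
_LEGACY_IE = re.compile(r"MSIE \d|Trident/\d")


def classify(user_agent):
    """Variant a typical server-side sniffer would serve for this User-Agent."""
    if _MOBILE.search(user_agent):
        return "mobile"
    if _LEGACY_IE.search(user_agent):
        return "legacy-ie"
    return "desktop"


def build_request(url, profile):
    """Request presenting the chosen profile.  Accept and Accept-Language are
    set too, since some sites vary content on those as well as on User-Agent;
    swapping only the UA string is not always enough."""
    headers = {
        "User-Agent": PROFILES[profile],
        "Accept": "text/html,application/xhtml+xml;q=0.9,*/*;q=0.8",
        "Accept-Language": "en-CA,en;q=0.8",
    }
    return urllib.request.Request(url, headers=headers)


def fetch(url, profile, timeout=15.0):
    """Fetch url as the given profile (needs network); returns (status, body)."""
    with urllib.request.urlopen(build_request(url, profile), timeout=timeout) as resp:
        return resp.status, resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "https://example.com/"
    for name, ua in PROFILES.items():
        status, body = fetch(target, name)
        # a body length that changes between profiles is the quick sign the site varies on UA
        print(f"{name:16} {status} {len(body):7d} bytes  sniffed-as={classify(ua)}")
```

Run it with a URL as the only argument; a body size that differs between the desktop and iPhone rows is the quick sign that the site serves a separate mobile variant worth looking at.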

Investigative Internet Research (IIR)

Sources & Methods

Clients do not pay you to find data. Clients pay you to tell them how the collected data helps or hinders their cause. How you report the nature of the sources used and the methods employed is critical.

Sources are the lifeblood of any investigator, but methods are what determine the success or failure of both the investigator and the investigation. In IIR, the identity of the source, its location, date, and breadth of content become critical to the investigation’s integrity. The investigator’s credibility depends on his explanation of his methods, which must include the search strategy, rights to access the material, and the path used to arrive at that source material.

The Internet Profile & Identity

In the industrialized countries, a person’s Internet profile is given far too much credence. If you become involved in Investigative Internet Research, then you must combine the Internet profile you develop with authoritative public records and content from a variety of database aggregators.

This matters because more than one person often uses the same screen name, and a screen name may be used maliciously. The more data you collect, the more likely it is that some of it will be attributed to the wrong person.

Mapping a person’s identity is nothing more than comparing what you already know about the subject with what you find in each source across a fixed set of identifiers: name, age, gender, race, employer, location, religion, friends, family, car, pictures and so on. Doing this consistently ensures that all the data relates to a single person, and it surfaces the inconsistencies in the collected data that you may choose to investigate.
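The comparison above, done mechanically across several sources, as an added example that is not code from the page: each record is one source’s view of the subject, the identifiers are the ones the post lists, and the output separates what the sources agree on from what conflicts and from what nobody supplied. The records are constructed sample data and the normalisation rules are simple assumptions that a real workflow would extend.

```python
"""Cross-source identity mapping: compare the identifiers listed above across
every record collected for a subject, and report which agree, which conflict,
and which sources lack them.

Added example for this post, not code from the page.  The records are
constructed sample data; the normalisation rules are simple assumptions.
"""
from collections import defaultdict

IDENTIFIERS = ("name", "age", "gender", "race", "employer", "location",
               "religion", "friends", "family", "car", "pictures")
SET_VALUED = {"friends", "family", "pictures"}


def _norm(field, value):
    """Normalise so spelling and spacing differences are not reported as conflicts."""
    if field in SET_VALUED:
        return frozenset(" ".join(str(v).lower().split()) for v in value)
    if field == "age":
        return int(value)
    return " ".join(str(value).lower().split())


def map_identity(records):
    """records: dicts with a 'source' key plus any subset of IDENTIFIERS.

    Returns (consistent, conflicts, gaps):
      consistent: field -> value every source that has the field agrees on
                  (set-valued fields: the union of what the sources list),
      conflicts:  field -> {source: value} where sources disagree; for
                  set-valued fields a source whose list shares nothing with
                  the others' is the signal that two people have been merged,
      gaps:       field -> [sources that did not supply it].
    """
    seen = defaultdict(dict)                      # field -> {source: value}
    sources = [r["source"] for r in records]
    for rec in records:
        for field in IDENTIFIERS:
            if rec.get(field) is not None:
                seen[field][rec["source"]] = _norm(field, rec[field])

    consistent, conflicts, gaps = {}, {}, {}
    for field in IDENTIFIERS:
        by_src = seen.get(field, {})
        missing = [s for s in sources if s not in by_src]
        if missing:
            gaps[field] = missing
        if not by_src:
            continue
        if field in SET_VALUED:
            disjoint = [s for s, v in by_src.items() if len(by_src) > 1 and
                        not v & frozenset().union(*(o for t, o in by_src.items() if t != s))]
            if disjoint:
                conflicts[field] = {s: sorted(v) for s, v in by_src.items()}
            else:
                consistent[field] = sorted(frozenset().union(*by_src.values()))
        elif len(set(by_src.values())) == 1:
            consistent[field] = next(iter(by_src.values()))
        else:
            conflicts[field] = dict(by_src)
    return consistent, conflicts, gaps


# Constructed sample: three sources found under the same screen name.
SAMPLE = [
    {"source": "twitter", "name": "John Doe", "location": "Toronto, ON",
     "employer": "Acme Logistics", "friends": ["amy_k", "rsingh"], "car": "Civic"},
    {"source": "facebook", "name": "john doe", "age": 34, "location": "Toronto, ON",
     "employer": "Acme Logistics", "family": ["Jane Doe"], "friends": ["rsingh"]},
    {"source": "forum", "name": "John Doe", "age": 27, "location": "Calgary, AB",
     "friends": ["gamer88"], "car": "F-150"},
]

if __name__ == "__main__":
    consistent, conflicts, gaps = map_identity(SAMPLE)
    print("consistent:", consistent)
    print("conflicts :", conflicts)   # age, location, car and friends all point at a second "John Doe"
    print("gaps      :", gaps)
```

In the sample the name matches everywhere, but age, location, car and a friends list that shares nobody with the other two sources all point at the forum account belonging to a different John Doe; that is the inconsistency you would investigate before attributing the forum posts to the subject.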

Canadian Criminal Court Documents

The following lists the court documents that you should order when reviewing an accused’s involvement in a criminal prosecution in Canada.

In Canada, the charges are contained in the ‘Information’. A person must swear under oath that the information about the crimes alleged is true. This document usually contains a list of appearances and a synopsis of the verdict. It also identifies the victim and any co-accused.

The Bail or Recognisance document explains the conditions of the accused’s pretrial release. It may identify the sureties, where the accused must live, and other conditions such as a prohibition on possessing weapons.

Search warrants are a treasure trove of useful information because the police must explain in detail why they need the warrant. Court staff often try to deny you access to these, but they are public record unless sealed by a court order.

Probation orders are like the Bail document in that they set out conditions, but they may also indicate where the subject lived. In some cases the probation order is transferred to another province; you then know that the subject was living in that province during his probation, and a search of that province’s criminal court records is indicated to see whether he abided by the conditions.

Exhibits are also a valuable source of information. Once a case is concluded you may view the exhibits. As with search warrants, court staff often try to deny access; persevere, demand access, and you will eventually get to view them.

Searching Periscope & Meerkat

Periscope, the free iPhone app from Twitter, is the clear winner against first-comer Meerkat. Periscope is mobile live streaming that lets the user share what is happening right now and relive it later thanks to the service’s saved-streams feature.

At the moment, from the investigator’s perspective, Periscope and Meerkat offer an opportunity to watch a lot of useless streaming video unless you know how to search effectively. Both are hard to search by keyword or topic; you usually have to search via people.

You can use Getxplore and link your Twitter account to it. This lets you see current Periscope and Meerkat streams and then enter search queries to find the types of streams you are looking for.

Another option is Twitter search, or a dashboard such as TweetDeck or Hootsuite that you set up to pull Periscope and Meerkat streams continuously. Add #Periscope OR #Meerkat as a search term and you will see every stream whose announcement tweet carries one of those hashtags.

You can refine the search by geography, as in #periscope OR #Meerkat near:"Toronto, Ontario" within:50mi. To narrow it further, add keywords (Twitter search treats adjacent terms as an implicit AND), for example (#periscope OR #Meerkat) (Jays OR Skydome).

Finding a Secure Workspace

Recently, when working at client sites, I have occasionally used Windows To Go, Microsoft’s little-used portable-workspace feature. It boots a complete Windows installation from a USB key, so you use none of the host’s operating system, applications or storage. I have even devised a way to run a Virtual Machine (VM) inside this workspace. Because nothing on the host’s disk is executed, malware in the host’s operating system cannot reach the workspace, and the VM in turn keeps the work isolated from the USB installation. Note the limit of that isolation: the workspace still runs on the host’s hardware and firmware, so a compromised BIOS/UEFI or a hardware keylogger is not defended against, and encrypting the USB key (BitLocker supports Windows To Go drives, with a password rather than the host’s TPM) is what protects the data if the key is lost. This saves me from constant use of my ‘Safe Mode on steroids’ or from reinstalling Windows from a drive image on a client’s machine. However, it is too slow and takes too much effort to maintain. A live Linux USB offers similar isolation with faster performance, and the VM is easier to maintain.

Defence Against the Dark Arts

I wander through the nether regions of the Internet and Dark Net looking for data to support my clients’ causes. This exposes me to severe risks from the nasty creativity of Beelzebub’s demonic gangsters and hackers.

It seems that a Windows system lasts only about half an hour before getting infected without some form of anti-virus (AV). I regularly boot a clean live Linux USB and then scan the Windows disk for viruses; this is like Safe Mode on steroids, since nothing on the suspect disk is running while it is scanned. In most instances I find something malicious that the typical AV programs missed. However, this is only a temporary measure.

I am migrating to Linux for Investigative Internet Research because very little Linux malware exists in the wild. I only need AV on the Linux file server (or on an email server, if I had one): an infected Windows computer may upload infected files, or a clean one may open infected files already on the Linux machine and go on to infect other Windows systems. AV on the file server isn’t protecting the Linux system; it is protecting the Windows computers from themselves. I recommend the paid version of ESET Antivirus and Security Software, as it doesn’t try to upsell you on other services.

The Old YouTube Scrape Trick

Don’t be fooled by the old YouTube scrape trick. A scrape is an old video downloaded from YouTube and then presented as a new, original eyewitness account of a different event.

Defeating The Old YouTube Scrape Trick

Amnesty International provides a handy tool called YouTube DataViewer (citizenevidence.amnestyusa.org). Enter the video’s URL and it extracts the clip’s exact upload time and all associated thumbnail images, data that YouTube itself does not readily expose. This two-pronged approach lets you identify the earliest upload, which is probably the original version, and a reverse image search on the thumbnails often uncovers web pages containing the original version of the video along with other uses of it. Bear in mind that the earliest YouTube upload can itself be a copy of footage first published elsewhere, which is exactly what the reverse search helps to catch.
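The same logic applied to a batch of candidate uploads, as an added example that is not code from the page or from Amnesty’s DataViewer: each thumbnail is hashed perceptually, uploads whose thumbnails match are grouped, and the earliest upload in each group is taken as the probable original. The 9x8 thumbnails, dates and video ids are constructed; with real data you would feed in the upload times and thumbnails DataViewer returns, resized to 9x8 greyscale.

```python
"""Spot a re-uploaded ("scraped") clip: hash each candidate's thumbnail
perceptually, group uploads whose thumbnails match, and take the earliest
upload in each group as the probable original.

Added example for this post; it is not code from the page or from Amnesty's
DataViewer.  The 9x8 thumbnails, dates and video ids below are constructed.
"""
from datetime import datetime


def dhash(pixels, width=9, height=8):
    """Difference hash of a height x width grid of greyscale values (real use:
    resize the thumbnail to 9x8 grey first).  Each bit records whether a pixel
    is brighter than its right-hand neighbour, so re-encoding, small brightness
    shifts and light cropping flip few bits while a different frame flips most."""
    bits = 0
    for y in range(height):
        for x in range(width - 1):
            bits = (bits << 1) | int(pixels[y][x] > pixels[y][x + 1])
    return bits                                   # 64-bit integer


def hamming(a, b):
    return bin(a ^ b).count("1")


def cluster_uploads(uploads, threshold=10):
    """uploads: dicts with 'id', 'uploaded' (ISO 8601) and 'thumb' (pixel grid).
    Returns clusters of uploads sharing a thumbnail, each sorted earliest-first."""
    clusters = []                                 # [{"hash": int, "members": [...]}]
    for u in uploads:
        h = dhash(u["thumb"])
        for c in clusters:
            if hamming(h, c["hash"]) <= threshold:
                c["members"].append(u)
                break
        else:
            clusters.append({"hash": h, "members": [u]})
    return [sorted(c["members"], key=lambda u: datetime.fromisoformat(u["uploaded"]))
            for c in clusters]


def probable_originals(uploads, threshold=10):
    """Map each upload id to the id of the earliest upload with a matching thumbnail."""
    return {m["id"]: members[0]["id"]
            for members in cluster_uploads(uploads, threshold) for m in members}


# --- constructed thumbnails ---------------------------------------------
def _frame(ascending=True):
    """9x8 grey gradient; ascending=False inverts it to stand in for a different frame."""
    return [[(x * 25 + y * 10) % 256 if ascending else 255 - (x * 25 + y * 10) % 256
             for x in range(9)] for y in range(8)]

ORIGINAL = _frame()
SCRAPE = [row[:] for row in ORIGINAL]
for _y in range(2):                               # a channel logo pasted over one corner,
    for _x in range(3):                           # as re-uploaders often do
        SCRAPE[_y][_x] = 255
UNRELATED = _frame(ascending=False)

SAMPLE_UPLOADS = [
    {"id": "vid-scrape",   "uploaded": "2015-09-02T10:30:00", "thumb": SCRAPE},
    {"id": "vid-original", "uploaded": "2013-04-11T08:05:00", "thumb": ORIGINAL},
    {"id": "vid-other",    "uploaded": "2015-09-01T22:00:00", "thumb": UNRELATED},
]

if __name__ == "__main__":
    for vid, origin in probable_originals(SAMPLE_UPLOADS).items():
        print(f"{vid:13} -> earliest matching upload: {origin}")
```

The pasted logo flips only two of the 64 hash bits, so the scrape still clusters with the 2013 original, while the unrelated frame is 64 bits away; the threshold of 10 is a working assumption that you tune against thumbnails you know to be the same or different.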

Search Engines are NOT Neutral

If you believe that the search results from any search engine, let alone Google, are neutral and do not reflect the interests and biases of the search engine’s owners, then you are very naive or entirely delusional. To prosper in the ‘information age’ one must be skeptical, open-minded, and use many search engines.

For example, Google monitors what we search for and decides which results best serve its own interests. In the USA, Google was the second-largest contributor to Obama, yet Google protests that it doesn’t manipulate search results in his, and the Democrats’, favour.

Some very enlightening information is now coming to light about how a small change to a search algorithm may dramatically change the outcome of an election. I strongly suggest that you read Big Data Meets Popular Vote in today’s National Post.

Disk Encryption

TrueCrypt, the ultimate encryption freeware, abruptly announced that the software is no longer secure, ending development after Microsoft ended support for Windows XP. It was the most popular application of its type and was widely used to encrypt sensitive files, folders and whole disks. Currently, the TrueCrypt home page advocates moving to Microsoft BitLocker.

Unfortunately, in the Windows 10 Home edition, full-disk BitLocker encryption (offered there as ‘device encryption’) requires a Microsoft account, and the recovery key needed to decrypt your drive is stored on Microsoft’s servers. Anyone who can obtain that key from Microsoft, lawfully or otherwise, and get hold of the drive can decrypt it. Windows 10 Pro doesn’t have this restriction: you can use BitLocker with a local account and keep your key out of the cloud.

Users who cannot avoid that key escrow should stay away from both TrueCrypt and BitLocker and shift to other free encryption software.

VeraCrypt entered the market within months of TrueCrypt’s demise and seems to be the best of the alternatives; it also mounts existing TrueCrypt volumes and can convert them to its own format. Other free TrueCrypt alternatives are AESCrypt (which encrypts individual files rather than volumes), FreeOTFE and DiskCryptor. Here are the download sites for the alternatives:

Finding Free, Forgotten, and Orphaned Sites

I often go looking for simple sites created by the subject of an investigation. These simple or forgotten sites often turn up at universities, at ISPs that offer free web space, and on free web-space servers.

For years Google Drive has offered to host basic web sites for free; that ends on August 31st, 2016. Google Sites will continue, but these sites cost a bit of money to operate.

Others offer a very similar service: GitHub hosts static sites through GitHub Pages, and Amazon’s S3 storage service serves static web pages at little or no cost. Occasionally I find sites that use Dropbox to host files used or accessed by a free web site, and sometimes a domain that simply forwards to files hosted on Dropbox. Dropbox isn’t the only service that can be used to offer a static web page.

To understand how this is done read How I moved my blog to Dropbox and How I moved my websites to Dropbox and GitHub.
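A check for the forwarding case described above, as an added example that is not code from the page or from the linked articles: follow a domain’s redirects hop by hop and match each hop against the hostnames GitHub Pages, S3, Dropbox and Google Drive hosting serve from, so a vanity domain that forwards to a Dropbox folder is identified as such. The hostname patterns are the public ones these services used when the post was written; the sample chain is constructed.

```python
"""Work out which free static host sits behind a site or a forwarding domain
by matching every hop of its redirect chain against the hostnames the
services in this post serve from.

Added example for this post, not code from the page or the linked articles.
The hostname patterns are the public ones these services used when the post
was written; the sample chain is constructed.
"""
import re
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

HOST_PATTERNS = [
    ("GitHub Pages",         re.compile(r"(^|\.)github\.io$")),
    ("Amazon S3 website",    re.compile(r"\.s3-website[.-][a-z0-9-]+\.amazonaws\.com$")),
    ("Amazon S3 bucket",     re.compile(r"(^|\.)s3([.-][a-z0-9-]+)?\.amazonaws\.com$")),
    ("Dropbox",              re.compile(r"^(dl|www)\.dropboxusercontent\.com$|^(www\.)?dropbox\.com$")),
    ("Google Drive hosting", re.compile(r"^(www\.)?googledrive\.com$")),
    ("Google Sites",         re.compile(r"^sites\.google\.com$")),
]


def classify_host(url_or_host):
    """Name the provider for a URL or bare hostname, or None if unrecognised."""
    host = urlsplit(url_or_host).hostname if "://" in url_or_host else url_or_host
    host = (host or "").lower().rstrip(".")
    for name, pattern in HOST_PATTERNS:
        if pattern.search(host):
            return name
    return None


def hosting_from_chain(chain):
    """First (provider, url) in a list of redirect hops that lands on a known host."""
    for hop in chain:
        provider = classify_host(hop)
        if provider:
            return provider, hop
    return None


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Returning None makes urllib raise the 3xx instead of following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def follow(url, max_hops=10, timeout=15.0):
    """Follow redirects hop by hop (needs network) and return the URLs visited,
    starting with url itself.  Forwarding domains usually show up as a 301/302
    to the provider's hostname; a CNAME-only setup will not, so check DNS as
    well when this returns a single hop."""
    opener = urllib.request.build_opener(_NoRedirect)
    chain = [url]
    for _ in range(max_hops):
        req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
        try:
            with opener.open(req, timeout=timeout):
                return chain
        except urllib.error.HTTPError as err:
            location = err.headers.get("Location")
            if err.code in (301, 302, 303, 307, 308) and location:
                url = urljoin(url, location)
                chain.append(url)
            else:
                return chain
    return chain


# Constructed chain: a vanity domain that forwards to a Dropbox Public folder.
SAMPLE_CHAIN = [
    "http://jdoe-research.example/",
    "https://dl.dropboxusercontent.com/u/12345678/site/index.html",
]

if __name__ == "__main__":
    import sys
    chain = follow(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_CHAIN
    print(" -> ".join(chain))
    print("hosted on:", hosting_from_chain(chain))
```

Run it with a URL to resolve a live chain, or without one to see the constructed Dropbox case. A hit tells you which provider’s account to look for (a GitHub user, an S3 bucket name, a Dropbox user id), which is usually the faster route to the rest of the subject’s material.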

Ashley Madison Hack

The Ashley Madison hack has a lot of people running around like headless chickens. The simple fact is that you cannot trust this data. Let me explain why it must be treated with extreme caution.

Registration was free, but you needed to buy credits to contact other members, and stolen credit card numbers appear in the data, so even a paid account does not prove who opened it. Nobody has verified the number of real and active accounts. The website allowed new accounts to be set up without confirming the email address, so anyone could open an account in someone else’s name and email address as a prank or out of malice, and of course the hackers could have added names to the list before publishing it. This type of malicious prank is truly vicious in the 79 countries where homosexuality is illegal. In Afghanistan, Iran, Mauritania, Nigeria, Qatar, Saudi Arabia and the United Arab Emirates, for example, the punishment for homosexuality is death.

Here are my favorite headless chicken searches: