The Nexus Analyst: Understanding your Customer’s Requirements

Nexus is ‘an important connection between the parts of a system’, according to the dictionary. In an intelligence environment, OSINT has the same function. Another example of how OSINT can provide important leads for HUMINT and SIGINT in Afghanistan.

Open Source Intelligence (OSINT) is all about perseverance and following bread crumbs that lead to key findings. To be honest, you won’t always find the smoking gun and in some cases you might miss it. That’s one thing I have learned: No matter how hard you look, you are always likely to miss out on something. That is why the OSINT community on Twitter is so important. New tools and techniques are shared there and help broaden your own set of skills on a daily basis. Another important lesson, is to always have clearly defined objectives, the so-called Key Intelligence Questions (KIQ), when conducting OSINT research. What specifically is your intelligence customer asking for? This means you have to understand the ultimate goal and your customer’s mindset to a certain extent.

My concept called Interdisciplinary Intelligence Preparation of Operations (I2PO) relies on OSINT to support other intelligence collection types (ICT), such as Signals Intelligence (SIGINT) or Human Intelligence (HUMINT), and vice versa. Therefore, the OSINT analyst must understand the specific requirements for each ICT. If you deliver a phone number or email address to a HUMINTer, he might give you puzzled looks. Again, I would like to demonstrate my point with an OSINT case that might easily happen this way in military intelligence and intelligence services. In a previous blog post, we had HUMINT information as a starting point for OSINT. This time, we have a couple of Key Intelligence Questions.

Imagine we are forward deployed OSINT analysts in Afghanistan. We not only provide information on the general situation in our area of operations, but also support the adjacent HUMINT and SIGINT teams. Our HUMINTers want to know a little more about the family ties of their intelligence targets and the networks surrounding these people (KIQ 1). The SIGINTer just needs some selectors such as phone number and email addresses, which he could task in his SIGINT systems (KIQ 2). One of the intelligence targets happens to be Mohammad Atta Noor, a key power broker in Northern Afghanistan.

We start out with a simple Google search and we soon find an interesting site containing bios of Afghan VIPs: afghan.bios.info. The entry on Mohammad Atta Noor is quite detailed and also reveals the name of one his sons, Tariq Noor.

Next up we conduct a Google search on Tariq Noor in combination with the name of his father. This leads us to Tariq’s Twitter account, where he is pictured together with his father.

1.png

Twitter also suggests further accounts to follow, one of them being Khalid Noor. It turns out that this is another son of Mohammad Atta Noor.

2.png

So far, we have names and pictures of two sons. Knowing that Mohammad Atta Noor has even more children, we could continue our search and identify the other children, while trying to obtain pictures and more data on them. However, let us focus on Tariq and Khalid first. As their father is a successful businessman, it is likely that his sons have businesses of their own, or are maybe even connected to their father’s companies.

To check this, we again have a look at the Afghan company register (www.acbrip.gov.af). Since we cannot search for individuals here, we assume that Tariq and Khalid have companies named after themselves. This search within the Afghan company register produces good results. The first result when looking for Khalid Noor even gives us the phone number of Mohammad Atta Noor and a bit of his family history with the names of Mohammad Atta Noor’s father and grandfather.

3

Mohammad Atta Noor is the president of the Khalid Noor LTD and states his father’s name is Haji Noor Mohammad and his grandfather’s name is Mirza Mohammad Gul. In Arabic and Central Asian countries, this information is valuable when distinguishing same-named persons. A look into the shareholders of this company reveal not only that Khalid is a shareholder, but also mentions other business partners (and their family history, as well as phone numbers). All this information helps build a network chart including the relevant family ties. This is the information our HUMINT team was looking for (KIQ 1). Of course, the phone numbers answer the Key Intelligence Question our SIGINT Team had (KIQ 2). A query for Tariq Noor produces similar results, including phone numbers of Tariq and his business partners.

4

All in all, following OSINT bread crumbs led to amazing key findings. Now this information can be used for HUMINT operations, when trying to infiltrate the networks around Mohammad Atta Noor and, as mentioned, also to task SIGINT operations. A perfect example of I2PO!

In conclusion, this way to work makes me refer to an OSINT analyst within military and intelligence services as a ‘Nexus Analyst’, an analyst in between ICTs. Someone that knows what HUMINT or SIGINT really need to conduct their missions successfully and who takes this into account when browsing the web.

Matthias Wilson / 28.11.2018

Learning from Aircraft Spotters for Competitive Intelligence

Aircraft spotters use tracking sites to obtain information on flight paths, enabling them to take pictures of aircraft taking off or landing at airports. Did you know that these tracking sites and methods could also be useful when conducting OSINT investigations?

Today I would like show another aspect of OSINT when it comes to competitive intelligence (CI). Wikipedia defines CI as ‘the action of defining, gathering, analyzing, and distributing intelligence about products, customer, competitors’ in order to support decision making processes in companies. Depending on the actual case, we will do research in a variety of different sources, ranging from company databases, to credit rating services, and in some cases even deep-dive into social media. However, every once and while we might have to look into something more exotic.

The following case is completely fictional, but could easily take place as described.

German Special Forces are currently looking for a new light support helicopter. Two companies are in the race for this very lucrative contract: Airbus with its new H-145M design and a second company, which employs us to gather information on the Airbus product.

One of the key intelligence questions our customer wants us to answer is about the performance of the H-145M. We find out that Airbus conducts its testing at the airfield in Manching near Munich, Germany. Whenever aircraft fly through public airspace, they are required to switch on their ADS-B systems, which allows them to be tracked, avoiding collisions with other aircraft and thus ensuring flight safety. I would like to point out, that certain military or government flights are conducted without enabling ADS-B tracking. Another relevant point is that the tracking depends on a network of mostly private ADS-B receivers and is lacking full global coverage. However, Germany has a pretty decent coverage.

Using ADS-B tracking sites such as flightradar24.com, we can collect data on any relevant flights. As an alternative, we can also buy our own ADS-B tracker for as little as 20 euros and set it up in the vicinity of the airport. This information could prove valuable to our customer, when assessing the overall performance of the competitor’s product.

Today happens to be one of the test days and two helicopters take off from the airfield in Manching. These two are the pre-series H-145M models that we are looking for. For future reference, we can always identify them by their registration numbers.

1

Registration details a H-145M

The following picture shows the flight path during these tests. Looking at the flight path might give an indication on what exactly was tested.

2

We also obtain detailed information regarding the speed and altitude of these flights. This might lead to clues on the peak performance values.

3

Of course, our work does not end here. We continue to track every movement of the two identified helicopters. Future operations might even include getting high-resolution videos or photos of the helicopters and maybe even HUMINT to receive a couple more details.

This scenario unravels just one of the ways in which data from ADS-B tracking sites can be utilized. It can also be helpful when tracking specific flights or monitoring smaller airfields to find a specific plane. In the future I will provide another case in which the tracking of an airplane led to an important intelligence finding.

Until then, why you don’t you have a look at the traffic above yourself!

Matthias Wilson / 08.11.2018

Vlog Post: OSINT – A Starting Point for other Intelligence Gathering Disciplines

After playing around a bit with different video production platforms, I think we finally found something that suits our needs. In the future we will try to produce short and informative videos for the tl;dr fraction. Warning: These might contain humor and sarcasm!

This is a first try, feel free to comment and provide feedback.

Matthias Wilson / 25.10.2018

Covert Operations in a Digital World

Even spies leave behind a digital footprint. Through social media profiles and various leaks they can be identified and their clandestine activities exposed. In the digital age it takes more time and effort to conceal covert operations, requiring new approaches as early as during their recruiting.

Covert Ops in a Digital World2.jpg

The recent uncovering of Russian GRU agents accused with the attempt to poison former Russian spy Sergei Skripal, as well as the exposure of Saudi Arabian spies in the murder of Jamal Khashoggi clearly show the problems intelligence services are facing when conducting covert operations.

Investigate journalists, such as the Bellingcat team, were able to identify the suspected culprits, often using crowdsourcing to do so. These two examples have proven how effective and timely the wisdom of the crowd can be. Another reason for the great results achieved in these online investigations, is the fact that the contributors to each investigation were highly motivated: they did not make these findings because they had to; they wanted to unravel the mysteries surrounding aforementioned cases.

Both times, blatant mistakes made by the operatives left a paper trail to follow, ultimately leading to the identification of several members of Russian and Saudi intelligence services. Not accounting for the various slipups, the main problem is that all culprits do work for their nation’s government and/or intelligence services and this was too transparent. The GRU operatives had addresses registered to known GRU locations, one of the Saudi operatives is seen in pictures where he appears to belong to the close protection team accompanying Saudi crown prince Mohammad Bin Salman on travels. These are just two examples showing links between the individuals and their governments.

The question remains, how an intelligence service can conduct covert operations that actually remain covert. One of the most obvious solutions to counter this problem is minimizing an operatives’ digital presence. This can be achieved fairly easy. Covert operatives should stay away from social media and press coverage. However, an old IT-saying states: “There is no patch for human stupidity.” Due to this, there will always be a margin of error, undisciplined individuals making exactly the mistakes leading to their public exposure. Massive CCTV coverage is causing another problem. It is impossible to travel nowadays without being filmed or photographed. As soon as these pictures of individuals are published in news and on social media, crowdsourcing kicks in. Maybe this individual was seen entering  a government building, maybe a former government co-worker recognizes him. Although the former co-worker should probably keep this information to himself rather than risking legal consequences (many have signed some form of non-disclosure agreement), this does not stop it from happening. Again, human error stands in the way.  In conclusion, intelligence services should try to rule out human error as much as possible. Regular screenings on intelligence employees aimed at searching for compromising information online could help counter these exposure threats in a timely manner. Another approach would be to decrease the amount of people who actually know of the covert operative. One radical, yet most likely successful approach could be keeping covert operatives away from government entities.

Let me elaborate on this. As soon as an individual enlists within a government entity and becomes part of this system, bureaucracy takes its toll and the individual is listed in numerous databases for mainly administrative reasons, also increasing the number of people who know of his existence. Travel expenses, payment processes and even journeys to known government sites leave plenty of breadcrumbs to follow and to identify someone as a government employee. In many countries, once you are on the government’s payroll, it is highly unlikely you will ever leave the comfort of having this government job and the benefits that come with it.

What if a covert operative never actually worked for the government?

The scenario I am about to explain might sound like it is from a Hollywood movie script, but it might be the only feasible way to conduct future covert operations. It all starts with proper recruiting. Identifying suitable candidates will be challenging and I will not discuss what traits are essential to become a perfect spy. Although former military members might be the first choice, their military service might be what uncovers them in the future. Let us look at the following fictional career:

A young, fit 18-year-old named James appears at a police or military recruiting office and expresses interest in an intelligence, investigation and/or special forces career. He achieves outstanding results in the following assessment center. These results are noted by the intelligence service, upon which they approach the potential recruit. Of course, intensive screenings are conducted beforehand and at no point is he invited to official government sites. All contacts are conducted by a dedicated handler. The used modus operandi is basically the same one used when acquiring HUMINT sources.

James receives an offer to work for the intelligence service but not in the intelligence service. He receives a scholarship to study political science at a renowned university, earning a degree which will provide the basis for his future civilian career. The scholarship is payed for by a complex system of front companies, eventually ending in some sort of charity. During his studies, James uses the semester breaks or long weekends to train the many skills needed for his covert intelligence service job. Officially, he is on long backpack tours around the world or other types of vacations. This training method takes much longer and is conducted individually at inconspicuous sites. However, after 3-4 years of part-time training and smaller operations during his university sojourn, James should be able to conduct covert operations.

After his studies, James receives a job in a worldwide consulting company. Of course, some strings were pulled in the background to enable and promote his civilian career. From time to time, James has to oversee projects in other cities or countries. This is the cover needed to enable worldwide travel to conduct covert intelligence operations. These projects could actually originate from government entities and thus fit to the intelligence operation.

After a certain time as a covert operative, James is removed from the operational line of duty. The compensation for his intelligence work could then be a non-covert job within the intelligence service (or another related government entity) or a severance pay.

This description is very short and is lacking many of the challenging details. I would like to point out a couple of interesting aspects to why this concept might actually be worth the effort:

  • The recruit could be dismissed at any time during the training program without major consequences. Other than his handlers, he does not have deep insight into the intelligence service, its locations or operations.
  • Providing a college education and kickstarting a promising civilian career, as well as offering an interesting field of work in the intelligence sector should prove extremely motivational.
  • The civilian career, when guided by the intelligence service, would deliver the best cover story for operations.
  • Failed operations could be denied easier by government entities. In this case, a statement like the recent Saudi “rogue operative theory”would pass easier.

Even though the ratio of supporting intelligence personnel assigned exclusively to such an external covert operative is higher than compared to the amount of supporting staff for regular intelligence employees, the external covert operative in total has less exposure to intelligence personnel. Regarding training, financial and operational planning, everything could be kept in a smaller yet highly professional scale.

Who knows, maybe these techniques are already in use by some intelligence services worldwide. That is probably the reason we never hear about it. Maybe the person sitting next to you on the plane is not just the business traveler he pretends to be.

Matthias Wilson / 24.10.2018

Harvesting Intel on India’s Nuclear Command – When OSINT meets SIGINT

Using OSINT to enable SIGINT. Imagine you are a SIGINT analyst keeping track of India’s nuclear forces. Luckily, you have some OSINT skills, which enable you to find selectors related to the former commander-in-chief of these forces. This could be a door opener to the current leadership…

So far, I have written short posts on how OSINT can support military decision makers as well as being a vital part of HUMINT operations. The key statement is that each intelligence collection type (ICT) requires a certain amount of OSINT to successfully prepare and conduct operations. This is a concept I call ‘Interdisciplinary Intelligence Preparation of Operations’, in short: I2PO.

One of the most secretive ICTs is Signals Intelligence (SIGINT). In many cases SIGINT services or SIGINT branches within services are isolated from other ICTs, thus making a cooperation between them challenging. This is one reason why SIGINT should incorporate dedicated OSINT capabilities, especially when doing preparatory research on new target areas or specific target decks.  On the one hand, OSINT could provide general information on the telecommunications infrastructure of a target area and on the other hand, OSINT could actually provide valuable selectors to task.

There are many different ways on how to support SIGINT with OSINT using the vast variety of OSINT tools and skills. In the following example, I would like to point out how to acquire additional selectors for a certain target deck.

Let us assume we are SIGINT analysts working on the India target desk, specifically the desk tasked with conducting SIGINT against India’s nuclear forces. A country’s nuclear forces are among the most highly protected and secretive assets. Finding SIGINT leads and selectors to gather credible information is an almost impossible task in this context. I assume the direct communication of these forces is secure and hardened. As a result, collecting official military communications from their dedicated channels can be ruled out. What other chances do we have to gather intelligence on our target?

SIGINT, as all other ICTs, feeds off mistakes that our targets make. If people were OPSEC-aware, we would not find so much information on the internet, HUMINT sources would not be so talkative and eavesdropping in on communications would not reveal that much. With this in mind, let us find a hands-on, doable approach towards our target. Sometimes people use non-secure communications to transmit confidential information. Our targets might do the same. So our first step would be to identify targets and their non-official selectors, hoping these could be tasked and provide valuable intelligence.

Unfortunately, none of the current leadership of India’s nuclear forces, the Strategic Forces Command (SFC), is overt enough to provide us with additional non-official selectors. To start, we look at the former leadership, expecting that they might still be in contact with some of the current administration. Press reporting indicates that the previous commander in chief of the SFC, Lieutenant General Amit Sharma, handed over his command in July 2016. This is close enough for us to assume that General Sharma will still occasionally get in touch with his former comrades.

Next up is an extensive Google search on General Sharma. As a high-ranking former member of the military, he might have directorships or board memberships in civilian companies. In our case he does not, so searches in company databases remain negative.

One of my favorite Google dorks is ‘filetype’, specifically looking for PDFs or PPTs. PDFs and PPTs often contain a lot of information, which helps give an overview of the target and sometimes provides leads for further research.

india google results

This search results in several hits, mainly being studies and conferences in which General Sharma participated. However, the first hit is actually the gold nugget we have been looking for. In India, the Department of Public Enterprises hosts a database containing former CEOs, directors and government officials; including short résumés.

Let’s have a look a General Sharma’s résumé:

bio data

Now we have a private email address and a mobile phone number belonging to General Sharma. These two selectors are tasked and a metadata analysis is conducted on both. Maybe he is in contact with his old comrades in the Strategic Forces Command. This is the door opener we needed to successfully approach our goal. We can also look up the address, which seems to be his home address. Sometimes this will also lead to further selectors.

I also hope that General Sharma did not use Dropbox to save the nuclear launch codes. Haveibeenpwnd lists his email and password as one of those hacked in the Dropbox data leak mid-2012.

As this examples shows, it is essential for SIGINT analysts to include OSINT research into their daily workflow.

Disclaimer: Although the data shown is real, the complete scenario described here is fictional. I have no idea if this information is known or used by intelligence services, nor do I have any insight on the assumption that India’s Strategic Forces Command is an intelligence target.

Matthias Wilson / 08.10.2018

Asset Tracing using EXIF Data

Geolocation Verification was a topic in this blog last week. The previous post presented one method to geolocate a picture based on different reference points within the picture.

In some cases geolocating a picture is even easier, provided the picture contains georeferenced EXIF metadata. EXIF (Exchangeable Image File Format) is a standard ancillary tag used by digital cameras. Next to various camera settings, such as focal length and exposure time, EXIF metadata could include descriptions of the picture and be geotagged with GPS coordinates as well. Many smartphone users have the so-called ‘location services’ constantly switched on, thus resulting in their pictures being enriched with GPS coordinates.

The following example is based on a real investigation. The names and locations were altered to ensure the safety of the involved persons.

An asset tracing case has us looking for financial and property assets belonging to a German banker named Hans P. Extensive OSINT research on Hans P. remains unsuccessful.  The focus of this investigation will now be on family and friends of Hans P. We identified two of Hans’ children on Facebook. His eldest daughter, Anna H., recently married and had set a wedding webpage using the platform ZOLA. This website reveals that the wedding took place at a large unknown estate. The actual location of this estate was not easily given away on the website. The overall information, however, points towards the mediterranean region. On this site, Anna also thanks her father for financing this wedding and providing his estate for the celebration.

website5.png

Example of a ZOLA wedding site

This is an indication that Hans P. is in fact in possession of the aforementioned estate. The website also features many professional pictures, as well as the possibility for wedding guests to upload their own pictures. We look at each picture using a browser extension which shows if the picture contains EXIF data or not. Luckily, one of them does.

IMG_1242

Our next step is to extract the EXIF data using fotoforensics.com. The EXIF data extracted from the picture contains information on the type of phone used and also the exact GPS coordinates from which it was taken. This location is directly displayed on Google Maps.

fotoforensics

The estate  is located near the Italian city of Tuscania. After figuring out the specific street address, we check this in the local real estate and property register.

Bingo! The estate was purchased four years ago and currently belongs to Hans’ wife. Since Hans’ wife does not originate from a wealthy family, nor has she ever worked, we assume that this asset was in fact purchased with money provided by Hans P.

By the way: The wedding picture contains the EXIF data shown. Feel free to try this out yourself!

Matthias Wilson / 12.09.2018

Asset Tracing mittels EXIF Daten

Geolocation Verification war bereits letzte Woche Thema in diesem Blog. In dem vorangegangenen Post wurde gezeigt, wie der genaue Standort eines Bildes mittels verschiedener Bezugspunkte ermittelt werden kann.

In manchen Fällen kann der Standort eines Bildes aber noch einfacher ermittelt werden, vorausgesetzt das entsprechende Bild enthält die georeferenzierten EXIF-Daten. EXIF (Exchangeable Image File Format) ist ein Standardformat für das Abspeichern von Metadaten in digitalen Bildern. Neben Kameraeinstellungen (Brennweite, Belichtungszeit, etc.) können diese Metadaten Bildbeschreibungen und GPS-Koordinaten enthalten. Viele Nutzer von Smartphones haben die sogenannten Ortungsdienste bei Smartphones standardmäßig eingeschaltet und reichern somit geschossene Bilder mit GPS-Koordinaten an.

Das folgende Beispiel basiert auf einem tatsächlichen Ermittlungsfall. Zum Schutz der beteiligten Personen wurden jedoch Standort und Namen geändert.

Im Rahmen eines Asset Tracings müssen wir die Vermögenswerte des deutschen Bankers Hans P. ermitteln. Umfangreiche OSINT-Recherchen zu Hans P. bleiben ohne Erfolg, der Schwerpunkt der Ermittlungen wird nun auf nahe Angehörige verlagert. Mittels Facebook können zwei Kinder von Hans P. identifiziert werden. Die älteste Tochter Anna H. hat kürzlich geheiratet und hierzu sogar eine eigene Webseite auf der Plattform ZOLA eingerichtet. Auf dieser Webseite ist ersichtlich, dass die Hochzeit auf einem unbekannten Anwesen stattfand, dessen genauer Standort leider nicht angegeben ist. Die Bilder lassen jedoch auf den mediterranen Raum schließen. Anna H. bedankt sich zudem auf der Webseite dafür, dass Ihr Vater diese Hochzeit bezahlt hat und dass sie auf seinem Anwesen stattfinden konnte.

website5.png

Beispiel einer ZOLA Hochzeitswebseite

Hier haben wir also einen Hinweis darauf, dass dieses Anwesen im Besitz von Hans P. sein könnte. Auf der Webseite befinden sich weiterhin viele professionelle Bilder eines Fotografen und zudem ein Forum, in dem Hochzeitsgäste ebenfalls Bilder hochladen können. Wir nutzen ein Browser Plugin, welches anzeigt, ob die Bilder EXIF-Daten enthalten und werden zum Glück fündig.

IMG_1242

Als nächsten Schritt lassen wir dieses Bild mit der Webseite fotoforensics.com analysieren. Neben Informationen zum Handy, mit dem das Foto gemacht wurde, enthalten die EXIF-Daten genaue Koordinaten des Aufnahmeorts. Dieser Standort wird uns direkt in Google Maps angezeigt.

fotoforensics

Es handelt sich hierbei um ein Anwesen nahe der italienischen Stadt Tuscania. Über den ermittelten Straßennamen wird nun eine Abfrage im italienischen Grundbuch vorgenommen.

Ergebnis und Siegerehrung: Das Grundstück wurde vor vier Jahren erworben und ist auf die Ehefrau von Hans P. registriert. Da diese keiner wohlhabenden Familie entstammt und zudem keine Berufstätigkeit vorzuweisen hat, ist davon auszugehen, dass die Mittel zum Kauf der Immobilie von Hans P. stammen.

PS: Das Hochzeitsbild enthält tatsächlich EXIF-Daten. Viel Spaß beim Extrahieren und Analysieren!

Matthias Wilson / 12.09.2018

Strava als Ermittlungstool

Strava, ein Soziales Netzwerk zum Tracking sportlicher Aktivitäten mittels Wearables,  war in der Vergangenheit in Verruf geraten, weil aus seiner Globalen Heatmap anhand der aggregierten Aktivitäten der Nutzer unzählige militärische Basen, Patrouillenwege sowie geheime Einrichtungen diverser Nachrichtendienste abgelesen werden konnten. In die Heatmap hineingezoomt, gelangte man sogar zu den Profilen der einzelnen Sportler. OPSEC sieht anders aus.

Der Aufschrei war groß, etliche Militärs erwogen kurzerhand ein generelles Verbot der Fitness-Tracker. Strava reagierte umgehend, aktualisierte die Heatmap und verpflichtete sich, „die Privatsphäre unserer Sportler zu respektieren und eventuelle Bedenken bezüglich der Sensibilität einzelner Informationen zu adressieren“.

Doch auch nach der Aktualisierung der Heatmap, lassen sich aus den von Strava veröffentlichten Daten sensible Informationen gewinnen. Strava selbst weist auf seiner Webseite explizit darauf hin, dass trotz eingeschalteter Erweiterter Privatsphäre „Aktivitäten immer noch an öffentlichen Orten wie dem Flyby, Gruppenaktivitäten und in Segmenten sowie in öffentlichen Clubs und Herausforderungs-Bestenlisten sichtbar sind.“ Im Klartext heißt das, über die Segmentbestenlisten gelangt man zu den Namen und Profilen der einzelnen Sportler.

Wie lässt sich diese Erkenntnis nun für Ermittlungen verwenden?

Stellen wir uns folgendes Szenario vor: Am sogenannten Amphibientümpel im Forstenrieder Park südwestlich von München wird am 18.07.2017 eine unbekannte Männerleiche gefunden. Anhand der gefundenen Spuren lässt sich mit Sicherheit sagen, dass das Opfer am späteren Fundort getötet wurde. Durch die Obduktion kann der Tatzeitraum relativ genau eingegrenzt werden: am späten Nachmittag des 16.07.2017.

Der Forstenrieder Park ist bei Sportlern äußerst beliebt. Tagtäglich sind Dutzende Läufer, Wanderer und Radfahrer auf dem Waldweg, neben dem die Leiche gefunden wurde, unterwegs. Möglicherweise hat einer von ihnen am Tattag etwas Auffälliges beobachtet?

strava1

Die in OSINT geschulten Ermittler prüfen unter anderem auf Strava, ob der besagte Waldweg ein Lauf-Segment ist. Und tatsächlich wurden auf dem Segment am ermittelten Tattag zwei Bestleistungen erzielt. Über die Bestenliste gelangen die Ermittler zu den vollständigen Namen der Sportler und darüber zu den Nutzerprofilen inkl. Profilbildern.

strava2

Einer der beiden Sportler hat die Erweiterte Privatsphäre aktiviert, so dass man seine Aktivitäten auf seiner Profilseite nicht einsehen kann, wenn man ihm nicht folgt. Dazu müsste der Nutzer seine Erlaubnis geben.

Der andere Sportler dagegen hat alle Informationen öffentlich gemacht. Er nutzt Strava schließlich, um sich mit anderen Sportlern zu messen. Die Ermittler können sich durch seine Aktivitäten klicken und sehen, dass er den Lauf, bei dem er auf dem Segment die Bestzeit aufgestellt hat, um 16:59 Uhr startete. Er war zum vermuteten Tatzeitpunkt also ganz in der Nähe des Tatorts.

strava3

Dank der Klarnamen ist es den Ermittlern ein Leichtes, den Sportler ausfindig zu machen. Sie kontaktieren ihn umgehend und bitten ihn um Mithilfe bei der Aufklärung des Verbrechens. Der Läufer hatte von dem Fund der Leiche noch gar nichts mitbekommen. Aber er erinnert sich, dass ihm bei seinem Lauf etwas aufgefallen war: In unmittelbarer Nähe des Amphibientümpels, halb zwischen den Bäumen, hatte ein Kleintransporter eines örtlichen Handwerksbetriebs gestanden. Das war ihm zwar merkwürdig vorgekommen, er hatte der Beobachtung aber keine weitere Bedeutung beigemessen. Doch dieser Hinweis führte schlussendlich zur Ergreifung des Täters.

Die Quintessenz: OSINT sollte integraler Bestandteil aller Ermittlungen sein. Im vorliegenden Fall konnte durch OSINT-Methoden ein Zeuge ermittelt werden, der die entscheidenden Hinweise zur Aufklärung des Gewaltverbrechens lieferte. Dazu bedarf es aber versierter Ermittler…

Sebastian Schramm / 24.08.2018

Interdisciplinary Intelligence Preparation of Operations – (I2PO)

Whether you are

  • a HUMINT case officer in military intelligence,
  • a detective in the police force,
  • a SIGINT analyst in an intelligence service,
  • an investigator supporting or conducting due diligence businesses cases,
  • or a journalist researching for a new article,

you should have extensive knowledge of OSINT techniques.

Now why should these roles, especially the HUMINTer or SIGINTer, be proficient at OSINT? The following article will explain a concept of work that I call ‘Interdisciplinary Intelligence Preparation of Operations’, I2PO in short. The basic idea is that every element working within an intelligence cycle requires OSINT knowledge to either prepare, enable, conduct or support operations. In the future, I will also make a point on how this concept easily transfers to business cases, such as due diligence checks, and journalism as well.

First, let us define what OSINT actually is. Open Source Intelligence is acquiring information from generally  accessible sources. This includes data found on the internet as well as within traditional print media, TV- and radio broadcasts. I tend to use the term ‘generally accessible’ as opposed to ‘publicly available’ or ‘openly accessible’, as the data is accessible, however, sometimes in closed networks, behind paywalls or not traceable without extensive knowledge of OSINT. This, in my opinion, rules out the use of ‘publicly’ or ‘openly’, which implies that everyone could access the data easily.

Another important aspect is the term ‘intelligence’ within OSINT. Merely collecting data is not OSINT. Connecting the dots, looking for missing links, assessing the data and producing customer driven reporting is what makes intelligence out of it. This requires knowledge, experience and instinct; a combination which is very hard to replicate using fully automated OSINT tools. Thus, the most important element of OSINT is the analyst, no matter how many software-based tools and gadgets he or she uses.

Before considering how OSINT should be used in combination with other intelligence collection types (ICT), I want to point out some of the advantages when working with OSINT. OSINT data is usually available the moment you start working on a case and often published in near- or real-time, especially when following events on social media. Cases in which you work in a real-time environment, with changes occurring momentarily, bring us to the most important OSINT rule:

If you see it, save it!

You will never know if the data will still be there the next time you intend to look for it.

Depending on the case, you will also be dealing with mass data (or big data). This is where a certain degree of automation might be helpful, keeping in mind that the final assessment shouldn’t be performed solely by an AI. When speaking of quantity, you must consider the quality of the collected data as well. Especially in times like these, verifying information and filtering out disinformation is vital!

After years of work within government intelligence structures and working on business cases, I have therefore developed the concept of I2PO to define my work. This is also something I use as a theoretical basis in the OSINT and INTEL classes I teach. As mentioned before, the general idea is that many different jobs require OSINT skills in order to successfully achieve their goals. Therefore, I highly recommend an interdisciplinary approach. This means not only relying on one ICT, but also having an understanding on how OSINT can support HUMINT and SIGINT operations, police investigations and business cases and vice versa, just as well as OSINT provides information for decision makers as a standalone ICT.

In the following weeks, I will post examples of I2PO in different lines of work (e.g. SIGINT, HUMINT, police investigations, due diligence, journalism and more) to emphasize and further explain this concept.

To start out, I’ll describe I2PO when applied in a military intelligence environment supporting military operations.

I2PO to Support Military Operations

Military operations, such as the ongoing coalition missions in Afghanistan and Iraq, have heavily relied on intelligence collection through SIGINT and HUMINT in the past. These two ICTs demand a large amount of preparatory work and in times in which our adversaries are more cautious and OPSEC-aware, these two ICTs are hitting boundaries. HUMINT sources are having a harder time receiving information from core target networks and communications encryption is on the rise, creating new challenges for SIGINT. At the same time, the amount of information available through the extensive use of social media, even in the aforementioned crisis areas, is vastly growing on a daily basis. In Syria for example, information on troop movements or combat actions find its way across Twitter in near real-time.

In order for decision makers on the battlefield to react to situational changes in a timely manner, it is essential to have forward deployed intelligence elements able to conduct OSINT as it happens. In many cases, this work is done by special OSINT teams, many of them not even being in the actual combat zone. This will always lead to a time delay when disseminating information to the final intelligence customer and decision maker. As with tactical SIGINT or HUMINT, which are close to or in some cases organic to their intelligence customers, tactical OSINT is the answer. Sending a dedicated OSINT analyst forward to support operations is one solution. However, training existing intelligence personnel, enabling them to independently conduct OSINT on a case-by-case basis is another option. On these terms, the training would enable personnel to answer requests for information as they come in, rather than relaying these requests to another element, thus again resulting in a time delay.

This is what I understand as I2PO. Having an all-source analyst who is able to conduct OSINT research and to immediately verify the collected information when needed in time critical situations to support before, during and after military operations. In this example, two different skill sets (one being the all-source analytical expertise) being used in an interdisciplinary approach is the core factor of I2PO.

Matthias Wilson / 16.08.2018