Building a Hells Angels Database with Hunchly

Today I will teach you about Hells Angels and Hunchly and how one of these two is useful when looking into the other.

In the past year, I have worked two cases in which I stumbled upon links to Hells Angels while investigating individuals. I was surprised how much information people affiliated with this group shared publically on Facebook and other social media sites. Whether they were just supporters or full members, it became quite clear that they did not care about data privacy. Most profiles had open friend lists, some of them displaying thousands of friends. Hells Angels affiliates are not hard to find. You will likely stumble across one of the following acronyms and/or terms on their profiles: AFFA (Angels forever, forever angels), HAMC (Hells Angels Motorcycle Club), Support 81 (8 = H, 1 = A), SYL81 (Support your local Hells Angels), Eightyone.

There are a couple more, but this article is not about the Hells Angels per se. Since these individuals have so much open information on Facebook, their profiles are the perfect playground to try out Michael Bazzel’s Facebook tool on IntelTechniques.

I had just finished working on the first case and subsequently erased all the data linked to that case, when a second case soon revealed links to Hells Angels as well. If only I had saved some data from my first case. I roughly knew where I could start off, but most of this knowledge came off the top of my head and was sketchy. Before I started the second investigation, I made sure I wouldn’t make the same mistake again and decided to use Hunchly to save my findings. That way, if a third case with the same links should ever occur, I will have a great starting point. For those of you who do not know, Hunchly is a web capture tool. It automatically collects and documents every web page you visit. The best part is that it indexes everything, so you can search within the data afterwards. Using this amazing tool allowed me to create a fully searchable Hells Angels database!

First off, I created a new casefile and then let Hunchly collect Facebook friends lists of people affiliated with my target or any Hells Angels in the area my target originated from. As some of the profiles had thousands of friends, I used a little Chrome extension (Simple Auto Scroll) to automatically scroll down friends lists, so they would be captured in whole. Whenever I looked at profiles and found information that could not be automatically indexed, I would take notes in Hunchly or tag (caption) pictures. I have learned that a lot of intelligence can be obtained by closely looking at pictures on social media. In the following example, one Hells Angels member had obscured the tags on his vest. Based on the information in his profile, it became clear that he must belong to the Aarhus chapter in Denmark. I tagged this picture, meaning it would pop up if I ever searched for “Aarhus” in Hunchly.

1

I ended up tagging all pictures that included chapter names, functions, nicknames or general indications on the location. If I am interested in finding the security chiefs and weapons masters, all I have to do now is search for “Sergeant at Arms” or known abbreviations. Looking for “arms” gives me several results in Hunchly.

2

The first two are displayed because I manually tagged these pictures and added a caption. The third result is from a webpage that Hunchly captured, in which the person actually listed “SGT At Arms” as his current occupation. Hunchly also allows you to refine searches. I can narrow these results down and, for example, only search for Sergeants at Arms in a specific chapter. Searching for “arms + sacramento” only reveals one result, which I had captioned with the information I saw in the picture. As you see, the picture is actually mirrored.

3

All collected data is saved offline. Should the online profile ever change, be locked down or deleted, I still have a version to work with. By using Hunchly and remembering to tag pictures with captions and also take notes on webpages, I have created a useful database on Hells Angels Facebook profiles. From here on, it is also always possible to go to the live versions of webpages, so any updates can also be captured within the same casefile.

If you are not using Hunchly yet, I suggest you have a look at it. The use case described above is just one of many. Furthermore, if you ever come across friendship requests from people named “AFFA” or “HAMC”, you might want to think twice before accepting them. Or else you might wind up in my Hells Angels database.

Matthias Wilson / 07.03.2019

Why Primary Sources Matter

Hurray! German company data is now available in OpenCorporates! Does this mean I don’t have to pay for the official company register access anymore?

This morning I confronted my boss Christian with a fact that I had found on the internet yesterday evening. Although he claimed to be the director of his company, I could not find him on OpenCorporates. For those of you who do not know what this platform does: OpenCorporates is the largest open database of companies and company data in the world. The site claims to have over 160 million companies indexed. As of yesterday, they added 5 million German companies to their database. Should I believe Christian or OpenCorporates in this matter?

When I conduct due diligence and background checks, OpenCorporates is among one of the first platforms I use. As good as it is, OpenCorporates is still a secondary source and when it comes to reliable and present-day information, I rather choose to trust primary sources.

Don’t get me wrong, secondary sources such as the aforementioned or compliance tools like LexisNexis are amazing and are really helpful to get an overview of what you are dealing with, but they all have little flaws. In some cases, the data is not as up-to-date as it should be, in other cases they are lacking essential information, such as the company shareholders. The worst-case scenario is when data is falsely aggregated during the import-process, linking the wrong entities to each other. Throughout my investigations, I have stumbled upon these issues more than once when using secondary sources.

Based on yesterday’s import of the German company data into OpenCorporates, I decided to check my own employer: Corporate Trust, Business Risk & Crisis Management GmbH. This is what OpenCorporates provided:

sources

There are some flaws in this dataset, because I am sure Christain would love to see his name in here as well. After all he founded the company and has been the director of Corporate Trust ever since. This is not just a problem within OpenCorporates, I have seen similar issues quite often in expensive commercial compliance databases as well. As you can see, the dataset is also missing information on the company’s shareholders. Even when this information is contained in compliance databases, it is sometimes outdated.

These are the reasons I always try to use primary sources, such as official government company registers, whenever possible. OpenCorporates is a great starting point to tell me where to look for more detailed information, especially since it offers the possibility to search for individuals (something that many government company registers lack), but the official company registers provides the real intelligence. This is where things can get challenging. Let us have a look at the company register in Germany, our Handelsregister. It requires a formal registration, which is only available in German. No credit card payments are possible, only direct debit. For many countries, this alone may prove to be an obstacle. On the bright side, once you have access to this database, you will gain access to the original company documents, including a list of shareholders for private limited companies.

In other countries, you can only gain access to the national company registers if you are a resident of that country and in most cases against payment. Unfortunately, nothing in life is free (except the amazing British Companies House). So when it comes to obtaining all relevant and up-to-date data, a bit more is required than just the access to (free) secondary sources.

Just to be sure about Christian, I checked our company in the official German company register. Turns out he is listed as director in the Handelsregister after all.

Matthias Wilson / 06.02.2019

How a Corporate Takeover Went into a Tailspin within Days

When companies change ownership, key employees often get busy looking for new jobs. Some also take intellectual property with them on the way out the door. Here is how a real-world case unfolded – and how investors can prevent such calamities from happening.

The moment the investment started sputtering and stalling was the day the head engineer quit his job. His resignation letter, hand-delivered to the CEO in the morning, hit the new private equity investors of the company like a bucket of ice water. They had only recently acquired the southern German plant manufacturer for a load of cash. The engineer, a key figure in the company, had assured the new owners just the day before, again, that he would stay on in the new era.

As the news of his sudden departure reached the asset managers, they instantly realized the momentousness of his decision. But before they could even discuss how to deal with the consequences, more resignations turned up within hours. Three senior sales people and service technicians quit by lunchtime, a serious upheaval in the midsized company. According to the grapevine emerging that day, they did not believe that their future was golden under the new ownership.

The acquisition had been rather expensive in the first place. It was after all a seller’s market in the German corporate world. Potential investors from all corners of the globe – Europe, the Middle East, China, the U.S. – were lining up around the block to buy up German “hidden gems”. Midsized, globally successful, family-owned businesses.

The backdrop to this phenomenon was fast-growing private wealth, which to this day has been giving private equity investments a massive shot in the arm. Whereas PE assets under management totaled approx. $ 30 billion worldwide in 1992, they had reached $ 4,000 billion (=4 trillion) by 2015, according to the private equity marketplace Palico based in Paris. By 2020, Palico predicts the PE market will have doubled to $ 8 trillion. But the demand for attractive investment opportunities already far exceeds the supply. And thus investors are jumping at the chance to snatch up, among other things, successful German engineering companies. They are seen as solid and reliable, like the plant builder in southern Germany.

iStock-1056730980.jpg

When the Music Stopped Playing

We were hired as investigators to look into the sudden personnel departures and found that the head engineer had started a new Ltd. company in a neighboring country not far from his previous job. The financier of the new venture was a local entrepreneur with deep pockets. Meanwhile, a first wave of customers began canceling their contracts with the plant manufacturer and signed up with the brand-new competition, who were offering competitive prices for their services.

We scrutinized the laptop computers left behind by the departing staff. A breadcrumb trail of bits and bytes showed that customer lists and tens of thousands of engineering documents had miraculously left the building in recent months. Most of them in the last two weeks before the resignation wave.

Also, part of a business plan was discovered, outlining the new Ltd.’s strategic direction. The document’s time stamps suggested that its creators had lied about their intentions for quite some time.

Armed with the assembled proof, the plant manufacturer filed a criminal complaint, a likely breach of competition law, with the local prosecutor’s office. The case is now a government investigation that will probably drag on for years, outcome unknown. It is unclear, too, whether the plant manufacturer’s business will continue to flourish as it did in the past forty years. All it took was a data breach and a few disgruntled key employees to turn a rock-solid investment into a liability within a few days.

Investors beware: prepare for such scenarios. Because cases like this happen every week.

Collect background information about key personnel before the takeover, so that there are no surprises. Look into the IT situation: how well protected are the company’s ‘crown jewels’? Are there any open barn doors that may be used to squirrel away intellectual property? And finally, talk to the key personnel early in the game and keep your promises to them. They will judge you by your actions, not your words.

Sebastian Okada / 28.01.2018

Vlog Post: Swipe right for OSINT

Tinder is not only great to meet other people, but also for OSINT. Finding matches can provide starting points for social engineering and further OSINT research.

You want to identify soldiers on a specific, isolated miltiary base? Or find employees of a large company for a social engineering approach? Or maybe just check if someone you know is using Tinder?

Try setting up a fake Tinder account and spoofing the GPS on your phone to the location you expect your target to be. Alternatively you can also use an Android emulator, such as Bluestacks, on your computer.

Matthias Wilson / 23.11.2018

It’s a Match! Combining Tools & Methods for Email Verification

Email permutators and the browser extension LinkedIn Sales Navigator have been on the market for quite a while. Both are among the basic tools of trade for marketing and sales. Combined, they make a powerful OSINT tool for email verification.

Let’s imagine the following white-collar crime scenario. We are investigating a fraud case and screen one of the suspects: Fritz Marchow. He has a LinkedIn profile but what we do not know is his email address.

Most people use rather unsophisticated email addresses based on a variation of variables such as firstname, lastname, middle and nickname or the respective initials and use a common email provider. Therefore, it is not rocket science to guess these combinations.

An email permutator will do most of the work and, hence, save us a lot of time. Our tool of choice is Email Permutator+, since it allows us to permutate addresses for three domains at the same time.permutator

We fill in the information we have: our suspect’s first- and lastname. We choose the domains manually. We start with gmail.com and yahoo.com and pick outlook.de as the third option, since our case is set in Germany. The tool permutates 102 email addresses, waiting to be copied to our clipboard.

permutator2

We have already installed the LinkedIn Sales Navigator for Gmail Lite browser extension from the chrome web store. Now all we have to do is open our Gmail account and paste the copied list in the ‘to’ field of an email that we are composing. While we hover over the addresses with the cursor, we see the details appear in the Sales Navigator sidebar on the right.

permutator3

It’s a match! Hovering over fritzmarchow@outlook.de the Sales Navigator shows the LinkedIn profile that belongs to this address. We now have our suspect’s confirmed email address. If there is no matching LinkedIn profile for one of the addresses we are hovering over, the Sales Navigator will show that.

On a side note: Hovering over any Gmail address will also reveal a corresponding Google account with first- and lastname and the profile picture or an initial in case no picture has been added. This is an easy method for verifying gmail addresses. Sometimes this also works for other email providers as well, such as Hotmail.

In our case, we have another match hovering over fritzmarchow@gmail.com. Recognizing the same profile picture he used for LinkedIn we now have a second email address that can be attributed to our suspect.

permutator4

Email permutation has its limitations. It can only use a number of preset variables. As with most OSINT tools: Combined with the LinkedIn Sales Navigator it will most likely not solve your case. However, it adds another puzzle piece. In the end, many of those make up an overall picture.

It is worth mentioning that this tool ONLY uses publicly available data and it cannot help finding the email address of people who want to keep it hidden.

Sebastian Schramm / 16.11.2018

Sieben Praxistipps für Jedermann

“Googeln können wir selbst!”. Diesen Satz hört man häufig, wenn man mit Kunden über OSINT-Recherchen spricht. Dass zu einer umfänglichen Recherche ein bisschen mehr als “googeln” gehört, wollen wir heute anhand einiger Beispiele aus dem Ermittleralltag darstellen.

  1. Pseudonyme in sozialen Netzwerken identifizieren

Immer mehr Personen nutzen in den sozialen Netzwerken Pseudonyme, so dass eine direkte Suche nach ihnen nicht möglich ist. Anstatt die Personen direkt zu identifizieren, hilft es häufig, die Zielperson indirekt über bekannte Familienangehörige oder Freunde zu recherchieren. Dazu versuche ich, eine befreundete Person mit offener Kontaktliste zu identifizieren, die ich dann nach der gesuchten Person durchsuche.

  1. Recherche in der Landessprache

Ermittler neigen dazu, nur in ihrer jeweiligen Muttersprache oder mit englischen Suchbegriffen zu recherchieren. Dies beschränkt das Suchergebnis erheblich. Wenn ich meine Recherche aber um Suchbegriffe in der jeweiligen Landessprache erweitere, kann ich meine Trefferanzahl um ein Vielfaches erhöhen. Sprachdefizite behebe ich mit diversen Übersetzungsprogrammen wie Google Translate und Co.

  1. Einsatz von OCR-Software

Häufig stoßen wir bei Recherchen auf Dokumente, die nicht durchsuchbar sind, weil sie beispielsweise eingescannt wurden. Insbesondere bei mehreren tausend Seiten kann dies sehr hinderlich sein. Dafür empfiehlt sich der Einsatz einer sogenannten OCR-Software (optical character recognition), die die Zeichen in dem Dokument erkennt und dieses in ein durchsuchbares Dokument umwandelt. Je besser die Qualität des Ausgangsdokumentes ist, desto besser ist auch das Ergebnis.

  1. E-Mail-Adressen über Passwortzurücksetzung bei sozialen Netzwerken recherchieren

Bei mehreren sozialen Netzwerken lassen sich über die Passwortzurücksetzungs-Funktion die E-Mail Adressen recherchieren, mit denen das jeweilige Profil angemeldet wurde. Dazu benötigt man lediglich den Benutzernamen. Teile der dann angezeigten E-Mail-Adresse werden zwar durch Sternchen weitgehend unkenntlich gemacht, dennoch lassen sich die E-Mail-Adressen meistens aus den erkennbaren Mustern rekonstruieren.

  1. Firmen-E-Mail-Adressen rekonstruieren

Fast jedes Unternehmen verfügt über eine Webseite mit entsprechender E-Mail-Systematik. Das am häufigsten genutzte Muster dürfte wohl vorname.nachname@domain.com sein. Bei Dienstleistern wie z.B. www.hunter.io lassen sich die Muster der E-Mail-Adressen zu den dazugehörigen Domains ganz einfach recherchieren. Kenne ich den Namen einer Person eines Unternehmens, sei es aus einem persönlichen Gespräch oder einer Recherche in sozialen Netzwerken, kann ich die E-Mail-Adresse nach der Firmensystematik mit hoher Trefferwahrscheinlichkeit rekonstruieren.

  1. WhatsApp Profilfoto

Im Rahmen von Recherchen stößt man häufig auf Nummern von Mobiltelefonen. Wenn man die Nummer in seinen Kontakten abspeichert, ist es ggf. möglich, bei WhatsApp das dazugehörige Profilfoto der Nummer zu sehen. Schon häufig konnten wir so weitere Erkenntnisse aus dem Foto ziehen.

  1. Geburtsdaten über Stayfriends recherchieren

Das Schulfreundenetzwerk www.stayfriends.de ist besonders in Deutschland bei den 30 –  60-jährigen populär. Wenn ein Profil zu einer Person vorhanden ist, ist es auch sehr wahrscheinlich, dass das Geburtsdatum hinterlegt wurde.

Ingmar Heinrich / 31.10.2018

The Sunny Side of Geolocation Verifications

The sun is a useful helper in investigations and geolocation verifications. Looking at shadows in pictures could reveal the moment of capture. This helps debunking false information.

Three weeks ago we showed you how to use EXIF data in pictures to receive indications on the location and precise moment of capture. Unfortunately, not all pictures contain EXIF data, or even worse: the EXIF data could be falsified. The shadow cast in pictures enables us to check if the sun position correlates with the exposure time contained in the pictures’ metadata.

Let us look at the following picture:

IMG_5542_2

I claim, that this picture was taken in front of my office on April 11, 2018 at 10:30am. True or false?

An evaluation of the EXIF data confirms that the coordinates and exposure time back my claim. The following screenshots depict the results of the fotoforensic check on fotoforensics.com. Try it yourself, the picture actually contains the EXIF data.

  1

2.png

Case closed, information verified? Not really, because I altered the EXIF data in the picture. While the coordinates were left unchanged, the exposure time was modified. To verify this, we’ll take a closer look at the picture and dissect it into it’s single pieces of information. Hereby, we will concentrate on the shadow cast by the tree on the left.

Bild1-eng.png

Next we will use the website suncalc.org to check the casted shadow. Suncalc uses Google Maps to diplay results and the existing satellite imagery on Google is good enough to pinpoint each tree. In the first step, tree 1 will be used as the reference point (red marking). It is important to know the precise location of your reference point, or else the final results may be distorted. Afterwards, we add the presumed exposure time. The result of this actually shows, that the cast shadow (black arrow) of tree 1 fell towards the west, and not towards tree 2 as shown in our picture.

Bild2-eng.png

EXIF data canbe manipuliated, however, no one can change the course of the sun. Without any doubt the exposure time in the picture’s metadata is wrong.  Now, let us cross check the actual exposure time. The picture was taken on April 25, 2018 at 02:58pm.

Bild3-eng.png

This method can be used in many different ways. Imagine someone stands trial and presents  a picture of himself containing EXIF data to prove that he or she was at a certain location at a certain time. Or it can be used to verify propaganda pictures and videos of ISIS in Syria, supposedly containing images of an attack the previous day.

Matthias Wilson / 02.10.2018