Be careful what you OSINT with

There are lots of neat OSINT platforms out there to make your life easier. But how many of you vet the software before using it? Not every platform should be entrusted with sensitive data as this case reveals.

1

In January 2019 I was tagged on Twitter, asking for my input on an OSINT platform named Lampyre. Before I use any type of software, I try to vet it as good as possible. This includes OSINT research on the company, asking tech-savy people I know for their opinion and ultimately reaching out to the company itself. No one had really heard of the software at that time, no one was using it, and I couldn’t really find much background information online. I ended up contacting Lampyre and asking them where they came from, what their background was and a couple of other questions. Unfortunately, they only sent evasive answers. They wouldn’t even tell me which country they were based in. I tried the software on one of my VMs and tested it with fake or non-relevant data. To be honest, I did like what I saw, but I decided not to use it operationally. As time passed, I noticed that many OSINTers started using the software and decided to have another look into the company and people behind it. It turns out, I was right not to use this platform. Lampyre isn’t who they claim they are. I teamed up with several helpful elves (to be honest, they did most of the work) and we found some pretty disturbing information.

Lampyre is apparently made by a company in Budapest (Hungary) called Data Tower. The company itself was registered in February 2019 and the CEO and sole shareholder is Laszlo Schmidt. The original address used to register the company leads to a law firm and the phone number that Data Tower provides belongs to another law firm in which Laszslo Schmidt is working as a lawyer. This information points to the fact that Data Tower is merely a shell company. So, how do you we get to the people behind Lampyre?

Looking into their online presence doesn’t lead to any notable individuals either. Some of the names used, such as John Galt, are most likely pseudonyms or fake accounts. Since searching for people didn’t provide any leads, we decided to look into the traffic that Lampyre sends to its back end in each query. The queries contain a brief description on what is requested and apparently the local language used by the developers is Russian, as each description is written not only in English but also in Russian.

2

Why should a company based in Hungary use Russian as their local language setting? Of course, the developers could be Russians working in Budapest, but again something just doesn’t seem right here: an organization that shows signs of being a shell company, the lack of transparency when directly confronted and now indications that point towards Russia. Decompiling the software showed further Russian language embedded in the code:

3

While this was being done, more OSINT research revealed a person named Andrey Skhomenko. This guy posted Python modules for Lampyre on Github and knew about the product in March 2018, way before it was released to public in October 2018. Andrey is based in Moscow and used to have a LinkedIn profile as well (which has been deleted in the meantime).

4

According to his LinkedIn, Andrey worked for the Russian Federal Security Service (also known as FSB) in the past and is now working for a company called Norsi-Trans. Norsi-Trans produces SIGINT and lawful interception equipment and software for the Russian government. It turns out that Norsi Trans also sells an OSINT platform called Vitok-ROI (or Vitok-OSINT).

5

The overall look of this platform reminded me of something I had seen before. Oh, that’s right! Both Lampyre and Vitok-OSINT have that Win95/Win98 appearance, not only in the network visualization, but also the software itself.

6

So far, this was just a gut feeling. Could anymore evidence be found that would link these two products and thus Norsi Trans and Data Tower? You bet? We pulled the certificates used by Lampyre and saw that they were registered in Russia and even more compelling: one of the certificates made a direct reference to Vitok.

7

This was the final nail in the coffin. Lampyre and Norsi Trans are in fact connected! While there is still plenty to be discovered, I think we have proof that Lampyre and Data Tower are not fully honest. And as everything you query in Lampyre is probably sent to Russian servers, I am happy I decided not to use this tool in my private and professional investigations. After all, Russia mandates decryption for domestic services.

Maybe Lampyre is Norsi Trans’ attempt to sell their software in the western world, maybe it is a rogue operation by a Norsi Trans employee (or a few). Although, I personally have doubts about that second theory. The software is quite powerful and receives regular updates. To create something like this, you’d surely need more than one person and having a rogue team within a company try to pull this off would surely not go unnoticed. What I find most interesting, is the fact that Andrey stated he had worked for the FSB. To put it in the words of one of my former colleagues: You don’t leave Russian intelligence services, you just change your cover and continue working for them.

Matthias Wilson / 23.03.2020

Using the Microsoft Video Indexer for OSINT

Working on a case in which you have to go through loads of videos? Wouldn’t it be awesome to just download the videos and have them automatically transcribed and indexed?

Imagine you are following a current event that is topic of multiple videos throughout the internet. In some cases, you might not have the time to watch each and every video yourself. Wouldn’t it be great to download all these videos into one database and have them indexed by spoken content, topics and even people that appear in the videos? And wouldn’t it be even better to be able to search for specific content in those indexed videos?

These features, and many more, are part of the tool-set that the Microsoft Video Indexer offers. Microsoft allows a trial account on this platform and it enables you to login with various different account types, among them also Gmail. Let me point out some aspects of this platform, that might be useful during OSINT investigations.

Let’s go back to August 2019. The G7 summit is taking place in France and we’re interested collecting information on this topic. This summit is all over social media and there is also quite some press reporting on it. We download videos from sources like Youtube. For this we can use Y2Mate. Either by copying the Youtube link to their website or by adding ‘pp’ to the original Youtube-URL as shown below. This will automatically redirect you to the site.

1

Remember, that we’re not just limited to Youtube videos. We can upload Youtube videos and any other video to the Video Indexer. It’s pretty self-explanatory, the only thing to be aware of is the video language. The default value is English. If working with videos in another language, I would advise manually adjusting the input language. I have come across issues when uploading longer videos. In case you come across problems here, trying splitting the videos.

2

Once the video is uploaded, it will be indexed by the platform and this is where the magic happens. Here are some of the features that are included in this process:

  • Facial recognition
  • Full transcript of the audio, including translations
  • Topic detection
  • Item/setting detection
  • Sentiment detection

Let’s have a look at one of the videos I uploaded:

3

The panel on the right has two tabs: insights and timeline. Under insights you will find an overview of individuals that were identified in the video and also recognized by the underlining facial recognition software. As you can see, a guy named Stefan de Vries was recognized and the bar below shows the sections in which he appears in the video (highlighted in black). It also links to Bing search results of this person. If a person is not recognized and indexed automatically, you can manually edit this.

4

Unknown #12 is in fact Angela Merkel. By clicking on the edit button on the top right, we can change the name. By giving the people the same name, they will be automatically merged. The following two insight categories index general topics discussed in the video and also label the scenes by what can be seen. Marking a topic or label will show the section in which this appears in the video. Clicking on that highlighted section will jump forward to that specific part in the video, which is always displayed on the left. Keep in mind, that these results are not always plausible. In my video, a scene showing Donald Trump starting to speak was labeled as toiletry (although some people consider him to be a douche).

5

Next up, named entities are extracted and the sentiment is evaluated. I assume the sentiment evaluation is based on the words used. Words such as good, great and awesome will likely lead to a positive sentiment rating. Remember that these words are not always used in the proper context by the speaker, so I usually ignore this feature.

6

Most of the data shown in the insight tab is based off the speaker transcription, which is displayed in the timeline tab. Although it works pretty well, you might need to manually edit some of the data. In this final sentence shown here, I manually edited something.: instead of “my Chrome”, the speaker said “Macron”.

7

Looking into a video in a foreign language? In this case you can use the translate function to make it (kind of) readable. Just click on the world icon and choose the output language and the complete text will be translated.

8

So, we’ve uploaded a few videos, manually edited a few things and now have a fully indexed database of videos to run queries on. Going back to the main page of your profile, you will be able to search for anything that has been indexed: text, keywords, people and labels.

9

Searching for “Trump” will display the search results and categorize them by result types, as they are listed above the search results. This is just an excerpt of all the results, but you can see that a person, spoken text, a named entity and even written text were found. Written text? That’s one point I almost forgot. The Video Indexer also OCRs written text in videos.

10

That was just a brief overview of the possibilities of Microsoft’s Video Indexer. I think it can be useful for some OSINT investigations and if you really think about using this more intensely, you might want to consider upgrading to a paid account.

I was actually thinking about uploading talks from conferences, so I could create a database in which I could query specific OSINT topics without having to watch the complete videos. A TL;DR for videos 😊

Matthias Wilson / 08.03.2020

The Impact of OSINT on Christmas

Proper intelligence is vital to prepare military and law enforcement operations or to provide information to political and business leadership prior to decision making. However, these are not the only people relying on good intelligence to get the job done. I had the honor of interviewing a very special person on his views of intelligence and how his organization utilizes it for one of the most challenging tasks known to mankind.

Sir, it is such an honor to have you here. Tell us a little about yourself. What exactly is your job and how does it involve intelligence work?

I go by many names, but please just call me Santa. I am in charge of a large organization tasked with bringing joy and fun to children worldwide on Christmas Eve. While I’m pretty sure you all know what I do during the Christmas night, not many people know what happens prior to this.

My organization and I have roughly 24 hours to deliver presents to children who deserve them. In order to accomplish this, a lot of planning is necessary and this planning is based on the information I receive from an intelligence agency within my organization. In Santa’s Secret Service, or S3, we mainly conduct GEOINT along with OSINT to make sure everything runs smooth on that one special night. Oh, and don’t confuse us with the Amazon web service.

Santa, while most of my readers are acquainted with terms such as GEOINT and OSINT, could you please explain what they are and possibly provide a use case from your organization.

Sure. I only have a limited timeframe to make sure I deliver everything to the right address. The route I take has to be carefully planned. The number of children on this world is steadily growing, more deliveries leave less room for mistkes. Even though my sleigh travels at an incredible speed…

How fast and how does that work?

I’m afraid that is classified. In order to properly plan the route, I rely on precise satellite imagery and maps. Imagery and maps from search engine providers are not up to date and commercial satellite imagery is not detailed enough. Keep in mind, my team has to figure out the best way into a chimney. We need a resolution of less than 0.3m to do so. Before Christmas, my sleigh is outfitted with an ultra high resolution imaging system and flies several sorties. While the actual collection of the imagery does not take that long, creating maps and the final route based on this is a bit more time-consuming. The whole process I just described is referred to as geospatial intelligence, or GEOINT.

Wow, that alone is probably a large amount of data collected each year. How do you process such massive amounts of data?

We have our own server infrastructure at S3. Located in vicinity of the North Pole, our energy consumption is lower than usual, because we have a natural cooling system.

 What happens after you have mapped the world?

I forgot to mention one thing. In order to plan the route, we need to know who will receive a delivery. Luckily, I have information on the address of each child from a classified source. But, does this child even deserve anything? We have to figure out who was naughty and nice. A lot of this is done through open source intelligence, or OSINT.

While we could use classic signals intelligence (SIGINT) to tap into communications and try to answer the question who is naughty or nice, we have found that OSINT provides the best “bang for the buck”. S3 has a very large team of OSINTers, who mainly monitor social media activities.

What exactly is your team looking into?

My OSINTers start off looking into profiles of the children, but not only to see how they behave. Depending on the region they live in, the platforms they use will differ. From Ask.fm to Weibo, there are many differnt sources to look at. We have seen TikTok blow up over the past months, but we also still obtain a lot of information from “older” platforms such as Facebook and Pinterest. These platforms also provide leads on the interests of our targeted subjects, which enables my organization to match them with the perfect present. We not only look at the children, but also monitor profiles of their family and friends, since relevant information is hidden here as well. As you can see, this is all a very deep intrusion into personal privacy. Therefore, we have very strict rules on how to handle this data, a massive auditing and compliance system and constant trainings for my team. If you thought GDPR was challenging, you wouldn’t want to know how much effort we put into protecting the privacy of our subjects!

Many children nowadays are active in closed communications, such as messengers, or they have restricted public access to their acounts by changing their privacy settings. How do you cope with this?

There are two different approaches we can take here. The first one is what you would call virtual HUMINT, or VUMINT. We try to place someone within a closed chat group using a false persona. For example, a group of friends has a WhatsApp channel with 20 participants. Using OSINT, we create a sock puppet credible enough to be invited into this group. In cases in which this works, we then can then instantly monitor 20 people. Of course, such actions are subject to much stricter rules and regulations that normal OSINT and are not performed often.

The second approach would be a classic computer network operation, or “hacking” an account. This is very rarely done and the methods and techniques are highly classified.

What about children who don’t have access to modern communications?

In this case, we rely on classic human intelligence, or HUMINT. Throughout the world, we have a network of sources directly providing us information. A lot of this is hearsay, so we try to confirm information with other sources before processing it. This actually also applies to data won through OSINT.

However, I would like to point out that at the end of the day we will never gather everything on everyone. Have you ever wondered why a spoiled and misbehaved child you knew received a nice present anyway? No matter how much effort we put into intelligence collection, there will always be a delta between what information is out there and which information we have obtained. I think that is the nature of intelligence work in general.

Circling back to OSINT, how does S3 ensure that they are up to date on new tools and techniques?

We do OSINT to enable OSINT. Of course, we follow #OSINT on Twitter and we also have someone monitoring osint.team as well as various blogs such as osintcurio.us and your blog.

Wow, I’m honored to have made it on S3’s reading list. I know you are quite busy, so we can wrap it up here. Is there anything else you would like to add?

Merry Christmas, happy OSINTing and I wish you all the best in 2020!

cropped-desktop-2.png

Matthias Wilson / 22.12.2019

Car Spotting and OSINT

Looking for specific car? Next to googling it, you could try a car spotting site to find pictures that might provide further leads for your OSINT investigations.

A while back, @Wondersmith_Rae wrote a great article on maritime OSINT. In this, vessel tracking sites were mentioned, which allow us to identify ships and monitor their movements. Wouldn’t it be neat to have something similar for cars?

While we will never be able to track and identify cars just as good as we can track large ships, this article will provide some useful hints that can help with OSINT on vehicles. But which data is relevant when researching cars and motorcycles? As most vehicles are mass-produced, research based solely on the manufacturer, model and color might be a bit challenging. So, we will need unique identifiers such as the VIN or license plate.

The VIN, or vehicle identification number, is a 17-digit code which is assigned to every vehicle when it’s manufactured. The are several paid databases that will enable looking-up a VIN and retrieving information on the vehicle and possibly its history. If you don’t want to spend money, just try googling the VIN. Since it is so unique, you probably won’t receive a lot of results and thus not many false positives.

1.png

One of my favorite free sites to obtain information on VINs and vehicles in the US is Poctra. This site crawls the web for salvage vehicles and archives all available information and pictures. Let us see what Poctra reveals on the VIN I had googled.

2.png

High-res images, the location of the auction, mileage and sometimes even a license plate. There are plenty of pivot points to conduct more OSINT here.

If we have a license plate, and the car is something a car spotter might take interest in, we might find images of it on various car spotter websites. Next to PlatesMania, my favorite site is Autogespot. Both allow to search by license plate.

Enough theory, time for a practical example. Arsenal London football player Pierre-Emerick Aubameyang was often seen with a Ferrari LaFerrari. Even though he lives in London, this vehicle does not carry a British license plate. A great repository of license plates can be found at World License Plates, in case you have to figure out which country the license plate originates from first. It turns out that Aubameyang’s Ferrari is registered in Germany. His license plate is AIB-Q 1414. Let us see if we can find this car on Autogespot.

By clicking on “More Filters” on the top right of the website, we can define our query.

3

This leads to several results, each containing multiple high-res images. Not all images are publicly accessible if you are not a paying member of Autogespot, but there is a workaround to retrieve the pictures hidden behind the paywall. We’ll get to that in a minute.

4.png

The top left entry shows that Aubameyang’s Ferrari was spotted in London on 21 September 2019 and that this sighting contains 10 pictures. The spotter also links his Instagram account, which might lead to further images. So, make sure you always pivot your investigations to these additional profiles as well.

5.png

6

Sometimes, we can retrieve the other pictures from Autogespot even without paying for a premium account. Just copy the URL of the page you are on and query it in Google.  Then have a look at the image results. Here are the other nine images:

7.png

The information we now obtained is once more useful as a pivot point for further investigations. Maybe we can geolocate the exact location the vehicle was parked at and thus know where Aubamayeng was on 21 September 2019 after lunch. Maybe these pictures could provide evidence that a vehicle was damaged prior to a current insurance claim. There are many reasons why tracking and identifying vehicles may be useful. When researching license plates, keep in mind that a simple search engine query or query within social media might also lead to results. In our case, it leads us to results on Twitter, Instagram and press articles, next to the car spotter sites we have looked at already.

8.png

There are plenty of other platforms worldwide that track vehicles and allow queries by license plate, another one of my personal favorites is Nomerogram (Номерограм) in Russia. This site not only displays luxury cars, but also every-day, ordinary cars. I guess this is related to Russian’s love of dashcams, resulting in a massive amount of video and imagery on all kinds of traffic participants.

9.png

With the techniques and sources shown above, a vehicle can be manually tracked to a certain extent. This tracking, however, will rely on geolocating the image. To practice this, I recommend participating in the @quiztime geolocation challenges on Twitter. In a future blog article, I’ll look at Wigle and see how this platform could help track cars as well.

Until then, have fun looking up exotic cars on the aforementioned sites. That is, unless you prefer going through pictures of banged-up, rusty Ladas on Nomerogram. Hey, I’m not judging!

Matthias Wilson / 07. December 2019

Researching Right-Wing Extremism in Central Europe

How to start investigations on right-wing extremists? Work your way through multiple social media platforms and combine information to generate leads!

The recent Iron March Leak once again showed the extent of right-wing extremism within our society. This leak provided a massive mount of data to conduct online investigations. While Iron March was shut down, the individuals behind it still use many other platforms to disseminate their thoughts and ideas and to communicate among each other. Of course, the new communication channels they use won’t be found with a mere Google search. In order to find such sites, we will have to follow the digital breadcrumbs across various social media networks. In this article, I would like to show starting points for OSINT research and how to work your way through different platforms to identify potentially relevant information when tracking down right-wing extremists.

Looking through social media, we will unfortunately find lots of people that follow a racist or fascist ideology. These people might not be the actual targets we are looking for, but they could lead us to them. Especially in Germany and other central European countries, many people have left Facebook and Twitter after their accounts were temporarily suspended or deleted upon sharing hate speech, which under certain circumstances is a criminal offence. They found refuge on the Russian Facebook-clone VKontakte (short: VK) and Gab, as an alternative to Twitter. In order to access information on these platforms, we will of course have to create sockpuppets. VK also allows logging on with a Facebook-account, as do many other social media platforms.

Let us start our research from scratch. First, we will have to identify individuals that might be worth investigating. Since many of these individuals think of themselves as “patriots” in Germany, searching for this term might lead to some initial results on VK.

1

2.png

Et voilà, the first VK-group to investigate. As you can see, this group also cites a Facebook-page. However, the Facebook-presence has been deleted and does not exist anymore. Going through the posts on this page and having a look at the members clearly shows that we are on the right track. Below are profile pictures of some of the members. Many images shown here, such as the swastika, are banned by law in Germany. Yet, on VK German citizens are free to display their ideology without any notable repercussions.

3

While the information posted within the VK-Group “German Patriots” might not lead to real extremist sites, the information shared by members of the group on their personal profiles could get us there. With no way of automating the next step, one of the most important OSINT traits is now needed: perseverance. This means we will have look at a number of these personal profiles manually to find new leads. Instead of going through all 2000+ member-profiles, let us concentrate on the ones with the most disturbing profile pictures. One interesting aspect during this investigation, is the fact that many people that can be found here have Russian-ancestry. This means we might also find information on another Russian social platform called Odnoklassniki (short: OK). Keep this in mind when conducting OSINT on people of Russian origin.

It doesn’t take long and we find hints towards the use of other platforms and communication channels outside of VK. Some individuals have posted their Skype-usernames, some link Telegram channels. One post from January 2018 describes an independent message board outside of Facebook and VK. The author invites people to join this outside platform by commenting or liking the post, after which he will get in contact with them and invite them to the newly created site. Interestingly, he doesn’t disclose the name or URL of his VK and Facebook alternative.

4

The author hasn’t publicly been active on VK since this post, although he did access it just two days ago. VK displays the last time of user activity, a useful feature to determine if the account is still active, even if nothing is publicly posted.

5

Regarding the unspecified platform mentioned above, I remembered stumbling upon such a site while conducting a similar search on Facebook. There I had also started by looking for profiles and pages containing derivations of “patriot”. This led me to a page called “Patrioten-Treff”, promoting a Facebook-like platform.

6.png

It turns out that this project started in early or mid-2017 and by December 2017/January 2018 it had opened to public. It was exactly the type of right-wing extremist forum I was looking for.

7.png

8.png

Online shops, racist discussions, team speak servers, organized events; “Patrioten-Treff” had it all. By linking the information I had found on VK and Facebook, it is likely that the person I had come across on VK was actually part of the team behind this new right-wing social media alternative. By early 2019 it was offline, but the content displayed there was more radical than anything seen on standard social media. Regarding the reason it shut down, it could be out of lack of funding. Before “Patrioten-Treff” was taken down, they requested funding to cover the expenses. Payment could be made by Bitcoin, direct transfer, Alipay and Paypal. Again, providing further leads to conduct OSINT investigations.

9.png

Patrioten-Treff had 2,500 users and was not even able to raise 80 Euros a month. I guess right-wing extremists are a bit stingy. Next to financial support, content moderators were needed. These moderators would communicate using WhatsApp.

10.png

While Patrioten-Treff is currently offline, the Facebook-page continues to be active every once and while. A recent post from September 2019 shared a Telegramm channel of the German neo-Nazi party Der III. Weg.

11

In this cross-domain investigation, manually searching for information on one social media platform led us to a plethora of new starting points to dive into. From VK to Skype, from Facebook to Telegram, from Bitcoin to WhatsApp; there are now plenty of leads to follow up upon. Not all leads can be investigated with OSINT, but this type of intelligence might provide the information we need to conduct Virtual HUMINT (VUMINT), enabling an infiltration of the new message board, Telegram channels or WhatsApp groups. I didn’t go that far, but I’m sure someone or some organization did.

By the way, the methodology described above can also be used to track other extremist groups. I wonder if other groups are just as cheap as the right-wing that couldn’t raise 80 Euros to host a website?

Matthias Wilson / 01.12.2019

Communications Security on Iron March – An Intelligence Analysis

How do right-wing extremists secure their communications? The recent Iron March data leak gives insight into how its members tried to communicate outside the message board.

The recent leakage of a massive white supremacist message board named Iron March  sparked a wave of independent investigations by people all of over the world. The data contained in this leak provides many leads to practice OSINT skills in various disciplines. Whether it is googling usernames, correlating email addresses to social media profiles or looking up information on some of the domains shared on this message board; the breached data is a starting point for a plethora of different OSINT methods. Of course, I couldn’t resist and also took a dive into this leak as well! I decided to have a look at the content that was posted on Iron March. Not so much OSINT here, it is more general intelligence analysis I will be applying. One of the challenges was actually defining a clear goal. What did I want to unravel here? Did I want to reconstruct organizational structures? Did I want to investigate individuals and their backgrounds? Did I want to look at certain events?

Without narrowly defined intelligence requirements and thus key intelligence questions that should be answered, approaching such a big amount of data in a methodological way is nearly impossible. After reading the first couple of Iron March messages, I realized that the users often discussed others means of communication outside of the message board. So, I decided that my first goal would be to analyze the communications, security measures and the evolution of communications within this network. Having a better understanding of this topic will surely help the OSINT community to understand where to look for further information during this investigation.

When Iron March was set up, many users migrated from a previous platform called ITPF. Background information on both platforms can be found here. The first posts on Iron March clearly showed, that the users would regularly communicate outside of the message board as well. Among the these outside channels were mainly Skype, MSN, AIM and Facebook.

“You should download Skype it is a good service. Also you can use it just like MSN; you can type, I type most of the time.” Post on 23.09.2011 by Kacen (ID2)

“Not sure if you’re interested but I thought I’d ask, I’m launching a study group for American Fascism/Nationalism quite soon via facebook.” Post on 24.11.2011 by American_Blackshirt (ID35)

Eventually, members of Iron March even set up Skype groups to ensure communications. This enabled them to communicate directly with each other without delay, as it would have been on Iron March. At the time, Skype appeared secure to the members of the message board and was soon the preferred outside communication channel. Occasionally, other channels would also be used to communicate, sometimes even including gaming platforms.

“We have a good number of people in the Skype group and you should join.” Post on 25.01.2011 by Blood and Iron (ID3)

“do you have facebook, or steam, bf3 battlelog or something where us 2 can converse?” Post on 02.07.2012 by unkown

 The main reason people would use external messengers to communicate, was that they were more practical than using Iron March’s private messaging system. To gain access to Iron March PMs, the site had to be open in the browser. MSN and other messengers were client-based and could run in the background, immediately informing users of incoming messages. By late 2012, AIM and MSN were also still used frequently, something that would soon change after Microsoft discontinued MSN as a service in 2013.

“Hobbit, do you have MSN? A lot more practical than talking through PMs.” Post on 27.06.2012 by Damnatio Memoriae (ID279)

“Alright, I’ll get back to you again tomorrow, with my AIM, MSN, and SKYPE info.“ Post on 10.10.2012 by social_justice (ID17)

As early as mid 2012, many users were slowly turning away from Facebook, stating privacy issues as their main reason.

“I don’t use facebook anymore, it gives too much information away even if you use a proxy and false information, it’s an easy way to keep a “paper trail” on someone, so to speak.” Post on 03.07.2012 by Nebuchadnezzar II (ID288)

The use of external channels remained mostly unchanged until 2015, when new messaging and chat services started to appear on Iron March. Telegram and Tox were among the most popular services and were viewed as more secure than Skype. This also led to the exchange of Tox IDs, so the members could identify each other on the chat application.

“I need to get in contact with you. Download Tox and make an account with a secure login.” Post on 08.08.2015 by Fascism=Fun (ID7962)

“Another thing I wanna recommend is to use Telegram or Tox instead of Skype for organisational procedures and meetings. These are really good ways of communicating, and I know of three NatSoc and Fascist organisations within the U.S that use these services because of their security.” Post on 05.02.2016 by TheWeissewolfe (ID9304)

The post above is actually from the deputy leader of the infamous Atomwaffen Division. Whenever someone was interested in joining this organization, they were told to use Tox or Telegram for further communications. However, there was still a reasonable amount of doubt regarding the security of these new communication channels. Discussions about adding an extra layer of encryption ensued.

“Yeah I’m well aware the skype is compromised. Literally everything Microsoft is and has been for over a decade. Tox isn’t but it’s a WIP. Discord I don’t know much about but no doubt it is too. Secure channels aren’t really possible without doing your own encryption.” Post on 21.05.2016 by Xav (ID9476)

While most members of Iron March were very naïve in terms of operational security or communications security, some members had a fairly good understanding of the risks in open communications. One of these members was Atlas (ID9174), who claimed to be responsible for network and computer security for the British group National Action.

“Hi, I’m in charge of computer and online network security with National Action.” Post on 23.08.2015 by Atlas (ID9174)

Atlas often provided guidance on the use of secure emails and encryption with PGP. Overall, members were made aware not to use Hushmail and to rely on Protonmail or Tutonota instead. When sending emails to other providers they were to use PGP. He even wrote a PGP guide for National Action and distributed it on Iron March as well.

“Good job I just designed a PGP guide for National Action then, I’ll email you it, what’s your email?” Post on 01.09.2015 by Atlas (ID9174)

Other activities included checking the security of hosting servers. One of the most interesting conversations I have found in this dump so far was between Atlas and the founder and leader of the Atomwaffen Division, Odin. In September 2015, Odin reached out to Atlas regarding issues with PGP.

“Hello comrade I need to have my pgp shit setup properly and to be able to use it for communications with certain people before this weekend. I would be very greatful if you could help me.” Post on 14.09.2015 by Odin (ID7600)

Although many security measures were put in place, a lot of members of Iron March still were fairly confident that their activities had not drawn the attention of law enforcement yet. Some even openly expressed their total negligence of security openly on the message board. There was more fear of being doxed by left-wing organizations than becoming a target of police investigations.

“I’m glad you all understood the necessity for security. Here on IM I was shot down for daring to suggest such a necessity on the basis of: We don’t need it, we’re not ISIS. I ripped off all my ideas from some corny website anyway (that website being my blog btw lol).” Post on 04.05.2015 by Atlas (ID9174)

“The use of TOR, fake names, and these secure channels is more of security culture thing – we are not being actively monitored by say, the government (at least that is my personal opinon based on the information I have) but it encourages people to act more sensibly so they don’t get themselves doxed by leftists. I don’t like hearing about workplaces getting phoned up or individuals being exposed in the newspapers. Since the mirror article on my a couple of years ago practically everyone has been able to maintain a degree of anonymity. Obviously if they ever decide to raid anyone they are not going to find anything that can be used to build a case around them.” Post on 10.04.2016 by Daddy Terror (ID7)

Given the fact, that Daddy Terror (ID7) was the leader of the National Action movement in Great Britain, this statement is truly remarkable and shows how safe some of the members of these extremist communities felt in their online communications. Next to the platforms already revealed above, there were several other communications channels that were occasionally mentioned, e.g. Discord and even MySpace in the early days of Iron March. In the end, the use of external secure communications and additional encryption were blasted when the message board itself was hacked in 2017 and the data was recently leaked, exposing the identities and ideas of many members.

Thank god the Iron March admins didn’t have proper security measures in place and hopefully this data leak will help law enforcement worldwide investigate some of the malicious activities planned and discussed on the message board. Until then, I’ll continue to dig into this data, together with other OSINT enthusiasts, and see what stories can be unraveled next.

Matthias Wilson / 09.11.2019

 

The Importance of Grammar in Forensic Linguistics

1

Commas matter and grammar matters. Especially when you deal with threat letters, poison pen letters or even ransom notes. In this case, grammatical errors, misspellings or unique writing styles might reveal the person behind the mischievous texts. Are you dealing with one author or multiple individuals? Can you link these letters to other reference documents, e.g. internal employee emails? The art of analyzing written documents in investigations is a subset of forensic linguistics.

While I won’t go through any real examples in the following article, I would like to share my experience when dealing with such cases. First up, I won’t even try to get into graphology. This is the analysis of handwriting, in an attempt to evaluate personal characteristics or the psychological state of the writer.

Graphologist: “The author is a male and he is very angry, possibly holding a grudge against the recipient.”

Intel analyst: “No shit, sherlock. The handwriting is sloppy and why else would he write a poison pen letter?”

The most important tool for me is a set of highlighters. If dealing with multiple documents, I found it easer to print them out and to mark peculiarities with the highlighters and also add handwritten notes of my own. I use different colors for different categories. One for spelling mistakes, one for grammatical errors, one for the use of uncommon words or unique word-creations and lastly the final color for certain style elements.

Let’s start off with the first category: spelling mistakes. Many people have distinct spelling mistakes they constantly make. And not always will they recognize mistakes when proof-reading their own work. Sometimes these mistakes might also indicate if the author is a native speaker or not. A German writing an English text might automatically use Telefon instead of telephone. Furthermore, many languages capitalize nouns, so look out for this as well. Other spelling mistakes may derive from auto-correct functions in office. When I open Word, it assumes I’ll write in German and does the autocorrect based on the German dictionary. Newer versions of Word notice I’m typing English after about one sentence and then automatically adjust, older versions might need a manual reset. When typing or writing quickly, one may produce clerical errors, such as forgetting letters, adding letters or switching letters. In this case, always check to see how letters are allocated on the keyboard to understand the origin of these typos. Keep in mind that different countries use different keyboard-layouts!

The next one is a bit more tricky. I have to admit, my grammar isn’t the best. I usually just know that something looks weird, without being able to grasp the actual reason or grammar rule. So, in this phase of investigations I often google certain grammar rules to make sure my hunch was right. From simple things such as mixing up your and you’re, to the inproper use of commas, there are many different errors that might show up in multiple documents. One important thing to remember is, that it will be the sum of indicators that lead to successfully solving the case. It most likely won’t just be one blatant error.

Depending on an individual’s background, they may have a different spelling of words. It may vary between British or American English, it may contain colloquial terms or even slang and different dialects. Everything that differs from the standard form of writing in the specific area you are working in, should be marked with a highlighter. Using modern-day slang might indicate a younger person, old-fashioned terms will probably not be used by a kid. I once had a case, in which the author creatively invented new curse words I had never heard of before. Some of them where so hilarious, I actually added them to my personal vocabulary. Another example would be the use of local dialect. In Germany bread rolls are named differently in many regions: Brötchen, Wecken, Semmel, Schrippe, Krossen, Normale, Rundstücke; these are all the same thing! I’m sure similar examples can found in other languages and for more relevant terms as well. Try to figure out which region the word originates from. Again, a little googling can be helpful here.

Next up, concentrate on the style of writing. Is there anything that sticks out? Specific punctuation, such as the frequent use of exclamation marks or multiple dots…. Also, concentrate on the sentence structure. Is the author using short sentences or is he fond of long-winding sentences? Does the whole document read as if it were written by the same person? A shift in style may indicate that some part was copied from another document. Finally, have a look at the format: font, size, line spacing, alignment. After marking all documents according to the above points, it’s time to spread them out and get a birds-eye view of all of them. Sometimes, this will reveal more similarities or conspicuous features shared by multiple documents.

No, for the most important aspect: Assume your adversary, the author, is well aware of his distinct mistakes and style of writing! He might try to deceive us. Chaning the usual format, by using odd fonts or changing the alignment are easy to recognize, but sometimes an author will substitute some of his unique identifiers with another. Mostly by doing the exact opposite of what his style of writing is usually known for. Someone that uses long and complex sentences might break these down into short and concise sentences, making the letter look more like an old telegram. Obvious spelling mistakes might be implemented as well, to put us on the wrong track. However, anything that is deliberately done will likely follow a certain pattern. It is our job to identify this pattern.

Of course, there is much more that can be done when handling cases like these. Analyzing handwriting by overlaying different sets of handwritten words on each other is one technique that might help. This works really well in MS Office, since the office suite has some pretty impressive features to handle images. Furthermore, fingerprint identification (dactyloscopy), analyzing the paper, trying to trace back emails; a broad variety of methods can be applied here. Maybe even the graphologist, if you’re that desperate. As with all intelligence analysis, it is important to never fully rely on just one method. Combine what you have at hand to achieve the best result.

After this brief introduction to the topic of forensic linguistics, I will prepare an example for a future article, highlighting the aforementioned. I just have to figure out who I want to blackmail or send a poison pen letter to. Maybe one of the scammers from a previous project.

Matthias Wilson / 01.10.2019