百度地图 – Using Baidu Maps on China's roads

Other countries, other customs. It does not always have to be Google. Today I present a way to take a look at an address in China.

Google Street View is indispensable for OSINT investigators today. It plays a decisive role in geolocation verification in particular. Coverage with current imagery improves day by day. In large cities such as Paris and London the Google Street View car has already driven through the streets several times, so that one can even trace historical changes. Even supposed developing and emerging countries have solid coverage. I can easily travel virtually to a remote village in Slovakia to take a look at the address at which a company is allegedly located.

Unfortunately, there are still many blank spots on the Google Street View map. This has less to do with Google than with regulatory and/or security-related reasons in the various countries.

In Germany it fails mainly because of the Germans' difficult relationship with data protection. Only a few large cities have imagery at all, outdated material from 2009, and some of it is pixelated as well. The rest is a digital developing country.

Figure 1: Google Street View coverage (blue shading) in Germany compared with the neighbouring countries

There is no Google Street View coverage in China either (Hong Kong excepted). This is mainly due to regulatory requirements of the People's Republic. But China would not be China if there were no alternative. The Chinese search engine Baidu, like Google, runs a map service that also offers a Street View variant. However, it does not cover the whole country, so far only the big cities and economic centres. For investigators conducting, for example, due diligence on a new business partner in China, Baidu thus offers the opportunity to take a look at the address in advance. If the address turns out to hold only a kiosk instead of the factory halls, I should become suspicious.

Figure 2: Baidu Total View coverage (blue shading) in the Shanghai metropolitan area

A major challenge is the language barrier. Baidu is in Chinese and the automatic translation of the website does not always work, so I have to copy out individual text passages.

I reach Baidu's map service by clicking on 地图 (translated: map) at the top right of the start page.


The map service is structured much like Google Maps. The input and search field is at the top left (red frame). At the bottom right are the three map view variants: street (green frame), satellite (yellow frame) and Total View (purple frame).


I have the greatest success when I enter a Chinese address directly into the search field. If, for example, I am asked to investigate a company in China, I will most likely obtain the address from the company's website.

The example is Volkswagen (China) Investment Co. Ltd. (大众汽车(中国)投资有限公司), a subsidiary of the German car manufacturer. On the company's website www.vw.com.cn I find the exact company name and the address of the company under Contact, naturally with the help of Google Translate.

I copy the Chinese address into the Baidu Maps input field and get a hit. Then I switch to Total View mode and place the little camera in front of the building.


In Baidu Total View mode I can then, as in Google Street View, rotate the camera, zoom in and out and drive along the street. In our case I recognise the Volkswagen building by the distinctive lettering in front of it.


Of course, it is not always as easy as in this case. Very often it is necessary to search the surroundings of the address in Baidu Total View to obtain the desired hit.

I hope this short blog post has given a practical description of Baidu Total View. It is best to play around with the tool a bit to assess its capabilities yourself. If you have questions or comments, feel free to leave them in the comments.

Ingmar Heinrich / 30.11.2018

The Nexus Analyst: Understanding your Customer’s Requirements

Nexus is 'an important connection between the parts of a system', according to the dictionary. In an intelligence environment, OSINT has the same function. Here is another example of how OSINT can provide important leads for HUMINT and SIGINT in Afghanistan.

Open Source Intelligence (OSINT) is all about perseverance and following bread crumbs that lead to key findings. To be honest, you won't always find the smoking gun and in some cases you might miss it. That's one thing I have learned: no matter how hard you look, you are always likely to miss out on something. That is why the OSINT community on Twitter is so important. New tools and techniques are shared there and help broaden your own set of skills on a daily basis. Another important lesson is to always have clearly defined objectives, the so-called Key Intelligence Questions (KIQ), when conducting OSINT research. What specifically is your intelligence customer asking for? This means you have to understand the ultimate goal and your customer's mindset to a certain extent.

My concept called Interdisciplinary Intelligence Preparation of Operations (I2PO) relies on OSINT to support other intelligence collection types (ICT), such as Signals Intelligence (SIGINT) or Human Intelligence (HUMINT), and vice versa. Therefore, the OSINT analyst must understand the specific requirements for each ICT. If you deliver a phone number or email address to a HUMINTer, he might give you puzzled looks. Again, I would like to demonstrate my point with an OSINT case that might easily happen this way in military intelligence and intelligence services. In a previous blog post, we had HUMINT information as a starting point for OSINT. This time, we have a couple of Key Intelligence Questions.

Imagine we are forward deployed OSINT analysts in Afghanistan. We not only provide information on the general situation in our area of operations, but also support the adjacent HUMINT and SIGINT teams. Our HUMINTers want to know a little more about the family ties of their intelligence targets and the networks surrounding these people (KIQ 1). The SIGINTer just needs some selectors such as phone number and email addresses, which he could task in his SIGINT systems (KIQ 2). One of the intelligence targets happens to be Mohammad Atta Noor, a key power broker in Northern Afghanistan.

We start out with a simple Google search and soon find an interesting site containing bios of Afghan VIPs: afghan.bios.info. The entry on Mohammad Atta Noor is quite detailed and also reveals the name of one of his sons, Tariq Noor.

Next up we conduct a Google search on Tariq Noor in combination with the name of his father. This leads us to Tariq’s Twitter account, where he is pictured together with his father.


Twitter also suggests further accounts to follow, one of them being Khalid Noor. It turns out that this is another son of Mohammad Atta Noor.


So far, we have names and pictures of two sons. Knowing that Mohammad Atta Noor has even more children, we could continue our search and identify the other children, while trying to obtain pictures and more data on them. However, let us focus on Tariq and Khalid first. As their father is a successful businessman, it is likely that his sons have businesses of their own, or are maybe even connected to their father’s companies.

To check this, we again have a look at the Afghan company register (www.acbrip.gov.af). Since we cannot search for individuals here, we assume that Tariq and Khalid have companies named after themselves. This search within the Afghan company register produces good results. The first result when looking for Khalid Noor even gives us the phone number of Mohammad Atta Noor and a bit of his family history with the names of Mohammad Atta Noor’s father and grandfather.


Mohammad Atta Noor is the president of Khalid Noor LTD and states that his father's name is Haji Noor Mohammad and his grandfather's name is Mirza Mohammad Gul. In Arab and Central Asian countries, this information is valuable when distinguishing persons with the same name. A look at the shareholders of this company reveals not only that Khalid is a shareholder, but also mentions other business partners (and their family history, as well as phone numbers). All this information helps build a network chart including the relevant family ties. This is the information our HUMINT team was looking for (KIQ 1). Of course, the phone numbers answer the Key Intelligence Question our SIGINT team had (KIQ 2). A query for Tariq Noor produces similar results, including phone numbers of Tariq and his business partners.


All in all, following OSINT bread crumbs led to amazing key findings. Now this information can be used for HUMINT operations, when trying to infiltrate the networks around Mohammad Atta Noor and, as mentioned, also to task SIGINT operations. A perfect example of I2PO!

In conclusion, this way of working makes me refer to an OSINT analyst within military and intelligence services as a 'Nexus Analyst', an analyst in between ICTs: someone who knows what HUMINT or SIGINT really need to conduct their missions successfully and who takes this into account when browsing the web.

Matthias Wilson / 28.11.2018

I2PO – From HUMINT to OSINT to SIGINT

Sometimes even seemingly irrelevant information leads to key findings. In this case, the mere existence of a company led to unraveling the phone number of the son of Afghan Vice President Abdul Rashid Dostum.

Interdisciplinary Intelligence Preparation of Operations, I2PO, is a concept for combining the different types of intelligence collection to achieve the best results. In the following example, I will demonstrate a perfect case of an intelligence workflow that starts with Human Intelligence (HUMINT), utilizes Open Source Intelligence (OSINT) and lastly provides leads for Signals Intelligence (SIGINT).

Imagine you are part of a SIGINT team, dedicated to Afghan politics. While reading some HUMINT reporting, you come across a report regarding Batur Dostum, the son of the Vice President of Afghanistan, Abdul Rashid Dostum. The report informs about Batur’s businesses in Northern Afghanistan. One of the businesses mentioned is Batur Mustafa LTD.

This provides a starting point for OSINT research. While googling this company will not produce any notable results, a query within the Afghan Central Business Registry (ACBR) might lead to some useful information. Luckily, the database is in English, so we will not have to use any translation tools. The ACBR database does not let you search for individuals, but we have the company name.


The result of this query gives us plenty of relevant data. Not only do we receive information on the company itself, but also on its shareholders and their personal data. This includes names, father names, phone numbers and residencies.


This is our target! Batur Dostum, the son of Abdul Rashid Dostum. He owns 50% of the company shares and his phone number is listed. The next step would be to task his phone number in our SIGINT collection. While we are at it, we should also task the phone number of the other shareholder and vice president of the company.


This phone number is also likely to produce decent SIGINT results.

As you can see, a piece of information that might seem irrelevant to start with led to a key finding and the possibility to enable further intelligence operations.

Matthias Wilson / 19.11.2018

Learning from Aircraft Spotters for Competitive Intelligence

Aircraft spotters use tracking sites to obtain information on flight paths, enabling them to take pictures of aircraft taking off or landing at airports. Did you know that these tracking sites and methods could also be useful when conducting OSINT investigations?

Today I would like to show another aspect of OSINT when it comes to competitive intelligence (CI). Wikipedia defines CI as 'the action of defining, gathering, analyzing, and distributing intelligence about products, customer, competitors' in order to support decision-making processes in companies. Depending on the actual case, we will do research in a variety of different sources, ranging from company databases to credit rating services, and in some cases even deep-dive into social media. However, every once in a while we might have to look into something more exotic.

The following case is completely fictional, but could easily take place as described.

German Special Forces are currently looking for a new light support helicopter. Two companies are in the race for this very lucrative contract: Airbus with its new H-145M design and a second company, which employs us to gather information on the Airbus product.

One of the key intelligence questions our customer wants us to answer is about the performance of the H-145M. We find out that Airbus conducts its testing at the airfield in Manching near Munich, Germany. In most controlled airspace, aircraft are required to transmit ADS-B, which broadcasts their identity, position and velocity in the clear so that air traffic control and suitably equipped aircraft can see them, a flight-safety measure that also makes the aircraft trackable by anyone with a receiver. I would like to point out that certain military or government flights are conducted without enabling ADS-B. Another relevant point is that the tracking sites depend on a network of mostly private ADS-B receivers and lack full global coverage. Germany, however, has pretty decent coverage.

Using ADS-B tracking sites such as flightradar24.com, we can collect data on any relevant flights. As an alternative, we can also buy our own ADS-B receiver for as little as 20 euros and set it up in the vicinity of the airport. This information could prove valuable to our customer when assessing the overall performance of the competitor's product.
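What a receiver of your own actually hands you is not a map but raw Mode S frames, and the tracking sites are built on exactly that data. The following added example (written for this page; it is not code from the post or from any tracking site) decodes the aircraft identification frame that every ADS-B transmitter broadcasts periodically. That frame carries the 24-bit ICAO address, the stable key that ties every later frame to one airframe and, via an aircraft database, to its registration, and the callsign or flight number. It assumes input in the `*<hex>;` form that dump1090 writes on its raw TCP port 30002; the two sample frames are real-format ADS-B identification messages used in public decoding tutorials, not frames captured for this post. The CRC-24 check is included because a cheap receiver near a runway sees plenty of bit errors, and a corrupted address would be attributed to a phantom aircraft.

```python
"""Decode Mode S / ADS-B aircraft identification frames (DF17, type codes 1-4).

Frames arrive from a receiver such as dump1090 as 28 hex digits (112 bits),
on its raw port 30002 wrapped as '*<hex>;'. An identification frame gives the
aircraft's 24-bit ICAO address and its callsign / flight number.
"""

# 6-bit character table of the identification message ('#' = unused code)
CALLSIGN_CHARSET = "#ABCDEFGHIJKLMNOPQRSTUVWXYZ#####_###############0123456789######"

# Mode S CRC-24 generator polynomial (x^24 + x^23 + ... + x^10 + x^3 + 1), 25 bits
GENERATOR = 0x1FFF409


def crc24(msg_hex: str) -> int:
    """Remainder of the whole frame divided by the Mode S generator.

    For DF17 frames the last 24 bits are the parity of the first 88 bits, so
    the remainder over all 112 bits is 0 when the frame arrived intact.
    """
    data = bytes.fromhex(msg_hex)
    nbits = len(data) * 8
    reg = int.from_bytes(data, "big")
    for i in range(nbits - 24):                 # long division, MSB first
        if (reg >> (nbits - 1 - i)) & 1:
            reg ^= GENERATOR << (nbits - 25 - i)
    return reg & 0xFFFFFF


def unwrap_raw_line(line: str) -> str:
    """Strip the '*...;' framing dump1090 uses on its raw output port."""
    return line.strip().lstrip("*").rstrip(";").upper()


def decode_identification(raw: str):
    """ICAO address, callsign and CRC status of an identification frame,
    or None if the frame is not a DF17/18 identification message."""
    msg_hex = unwrap_raw_line(raw)
    if len(msg_hex) != 28:
        raise ValueError("expected a 112-bit frame (28 hex digits)")
    bits = int(msg_hex, 16)
    df = bits >> 107                            # downlink format: first 5 bits
    if df not in (17, 18):                      # 17 = ADS-B, 18 = TIS-B / ADS-R
        return None
    icao = (bits >> 80) & 0xFFFFFF              # bits 9-32: 24-bit aircraft address
    me = (bits >> 24) & ((1 << 56) - 1)         # bits 33-88: extended squitter message
    typecode = me >> 51                         # first 5 bits of ME
    if not 1 <= typecode <= 4:
        return None                             # position / velocity / other frame
    category = (me >> 48) & 0x7                 # 3-bit emitter category
    chars = [CALLSIGN_CHARSET[(me >> (42 - 6 * i)) & 0x3F] for i in range(8)]
    return {
        "df": df,
        "icao": f"{icao:06X}",
        "typecode": typecode,
        "category": category,
        "callsign": "".join(chars).rstrip("_"),  # '_' pads unused positions
        "crc_ok": crc24(msg_hex) == 0,
    }


if __name__ == "__main__":
    # Sample input: two identification frames as used in public decoding
    # tutorials, wrapped the way dump1090 emits them. Not captured for this post.
    for line in ("*8D406B902015A678D4D220AA4BDA;", "*8D4840D6202CC371C32CE0576098;"):
        print(decode_identification(line))
```

Position frames (type codes 9 to 18) need the Compact Position Reporting decoding of an even/odd frame pair, which this example leaves out; the identification frame alone already tells you which airframe is airborne and when, and the ICAO address is what you filter the rest of the stream on. Treat any frame with `crc_ok` false as noise rather than as a new aircraft.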

Today happens to be one of the test days and two helicopters take off from the airfield in Manching. These two are the pre-series H-145M models that we are looking for. For future reference, we can always identify them by their registration numbers.


Registration details of an H-145M

The following picture shows the flight path during these tests. Looking at the flight path might give an indication on what exactly was tested.


We also obtain detailed information regarding the speed and altitude of these flights. This might lead to clues on the peak performance values.


Of course, our work does not end here. We continue to track every movement of the two identified helicopters. Future operations might even include getting high-resolution videos or photos of the helicopters and maybe even HUMINT to receive a couple more details.

This scenario illustrates just one of the ways in which data from ADS-B tracking sites can be utilised. It can also be helpful when tracking specific flights or monitoring smaller airfields to find a specific plane. In a future post I will present another case in which the tracking of an airplane led to an important intelligence finding.

Until then, why don't you have a look at the traffic above you yourself!

Matthias Wilson / 08.11.2018

Seven practical tips for everyone

"We can google ourselves!" You hear this sentence often when talking to clients about OSINT research. That a thorough investigation involves a bit more than "googling" is what we want to show today with a few examples from an investigator's daily work.

  1. Identifying pseudonyms in social networks

More and more people use pseudonyms in social networks, so that a direct search for them is not possible. Instead of identifying the person directly, it often helps to research the target indirectly via known family members or friends. To do this, I try to identify a friend of theirs with an open contact list, which I then search for the person I am looking for.

  2. Research in the local language

Investigators tend to search only in their own native language or with English search terms. This restricts the search results considerably. If I extend my research with search terms in the respective local language, I can multiply my number of hits. I make up for language deficits with various translation programs such as Google Translate and co.

  3. Using OCR software

During research we often come across documents that are not searchable, for example because they were scanned. This can be a serious obstacle, especially with several thousand pages. For this the use of so-called OCR software (optical character recognition) is recommended; it recognises the characters in the document and converts it into a searchable document. The better the quality of the source document, the better the result.

  4. Researching e-mail addresses via the password reset function of social networks

On several social networks, the password reset function can be used to find the e-mail addresses with which the respective profile was registered. All you need is the username. Although parts of the displayed e-mail address are largely obscured by asterisks, the e-mail addresses can usually be reconstructed from the recognisable patterns.

  5. Reconstructing company e-mail addresses

Almost every company has a website with a corresponding e-mail scheme. The most frequently used pattern is probably firstname.lastname@domain.com. Services such as www.hunter.io make it easy to look up the e-mail patterns belonging to a domain. If I know the name of a person at a company, whether from a personal conversation or from research in social networks, I can reconstruct the e-mail address according to the company scheme with a high probability of a hit.
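Tips 4 and 5 are two halves of one procedure: tip 5 generates the addresses a name could map to under the common corporate schemes, and the masked hint from tip 4 is what lets you discard most of them. The added example below (written for this page, not code from the post or from hunter.io) does both. It assumes a default list of address schemes, a German-style umlaut transliteration, and that the password-reset hint shows one asterisk per hidden character; where a service shows a fixed number of asterisks instead, `exact_length=False` matches a run of asterisks against any non-empty string. The name and mask are constructed sample input. One caveat a practitioner should keep in mind: requesting a password reset is not a passive lookup, it sends a notification to the account owner and may breach the platform's terms or local law, so it belongs only inside an authorised engagement.

```python
import re

# Common corporate address schemes (assumption: a reasonable default list; the
# scheme a company really uses comes from a lookup service such as hunter.io
# or from one known employee address).
PATTERNS = {
    "first.last": "{first}.{last}",
    "firstlast": "{first}{last}",
    "flast": "{f}{last}",
    "f.last": "{f}.{last}",
    "first_last": "{first}_{last}",
    "firstl": "{first}{l}",
    "first": "{first}",
    "last.first": "{last}.{first}",
}

# Transliteration most German mail systems apply to umlauts (assumption)
_TRANSLIT = {"ä": "ae", "ö": "oe", "ü": "ue", "ß": "ss"}


def normalize(name: str) -> str:
    """Lower-case a name part, transliterate umlauts and drop everything that
    is not a letter or digit, e.g. 'Müller-Lüdenscheidt' -> 'muellerluedenscheidt'."""
    name = name.lower()
    for src, dst in _TRANSLIT.items():
        name = name.replace(src, dst)
    return re.sub(r"[^a-z0-9]", "", name)


def candidate_addresses(first: str, last: str, domain: str, patterns=PATTERNS) -> dict:
    """Map every scheme label to the address it would produce for this person."""
    first, last = normalize(first), normalize(last)
    fields = {"first": first, "last": last, "f": first[:1], "l": last[:1]}
    return {label: f"{p.format(**fields)}@{domain.lower()}" for label, p in patterns.items()}


def mask_to_regex(mask: str, exact_length: bool = True) -> "re.Pattern":
    """Turn a reset hint such as 'e**************n@example.com' into a regex.

    exact_length=True: every '*' hides exactly one character (the common
    rendering). exact_length=False: a run of '*' hides any non-empty string,
    for services that always show the same number of asterisks."""
    parts = []
    for run in re.split(r"(\*+)", mask.strip().lower()):
        if not run:
            continue
        if run[0] == "*":
            parts.append("." * len(run) if exact_length else ".+")
        else:
            parts.append(re.escape(run))
    return re.compile("^" + "".join(parts) + "$")


def filter_by_mask(candidates: dict, mask: str, exact_length: bool = True) -> list:
    """Keep only the candidate addresses consistent with the masked hint."""
    rx = mask_to_regex(mask, exact_length)
    return sorted(addr for addr in candidates.values() if rx.match(addr))


if __name__ == "__main__":
    # Constructed sample: a made-up employee and a hint as a reset page might render it
    cands = candidate_addresses("Erika", "Mustermann", "example.com")
    print(filter_by_mask(cands, "e**************n@example.com"))
```

Two candidates survive the sample mask (`erika.mustermann` and `erika_mustermann`), which is the normal outcome: the hint narrows the list, and a scheme lookup for the domain or a second masked hint from another platform picks the winner. Verifying a guess by sending mail to it is, again, an active step.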

  6. WhatsApp profile photo

In the course of research one often comes across mobile phone numbers. If you save the number in your contacts, it may be possible to see the profile photo associated with the number on WhatsApp. We have often been able to gain further insights from such a photo.

  7. Researching dates of birth via Stayfriends

The school friends network www.stayfriends.de is particularly popular in Germany among 30 to 60 year olds. If a profile of a person exists, it is also very likely that the date of birth has been entered.

Ingmar Heinrich / 31.10.2018

Harvesting Intel on India’s Nuclear Command – When OSINT meets SIGINT

Using OSINT to enable SIGINT. Imagine you are a SIGINT analyst keeping track of India’s nuclear forces. Luckily, you have some OSINT skills, which enable you to find selectors related to the former commander-in-chief of these forces. This could be a door opener to the current leadership…

So far, I have written short posts on how OSINT can support military decision makers as well as being a vital part of HUMINT operations. The key statement is that each intelligence collection type (ICT) requires a certain amount of OSINT to successfully prepare and conduct operations. This is a concept I call ‘Interdisciplinary Intelligence Preparation of Operations’, in short: I2PO.

One of the most secretive ICTs is Signals Intelligence (SIGINT). In many cases SIGINT services or SIGINT branches within services are isolated from other ICTs, thus making cooperation between them challenging. This is one reason why SIGINT should incorporate dedicated OSINT capabilities, especially when doing preparatory research on new target areas or specific target decks. On the one hand, OSINT can provide general information on the telecommunications infrastructure of a target area; on the other hand, OSINT can actually provide valuable selectors to task.

There are many different ways to support SIGINT with OSINT using the vast variety of OSINT tools and skills. In the following example, I would like to point out how to acquire additional selectors for a certain target deck.

Let us assume we are SIGINT analysts working on the India target desk, specifically the desk tasked with conducting SIGINT against India’s nuclear forces. A country’s nuclear forces are among the most highly protected and secretive assets. Finding SIGINT leads and selectors to gather credible information is an almost impossible task in this context. I assume the direct communication of these forces is secure and hardened. As a result, collecting official military communications from their dedicated channels can be ruled out. What other chances do we have to gather intelligence on our target?

SIGINT, like all other ICTs, feeds off the mistakes our targets make. If people were OPSEC-aware, we would not find so much information on the internet, HUMINT sources would not be so talkative and eavesdropping on communications would not reveal that much. With this in mind, let us find a hands-on, doable approach towards our target. Sometimes people use non-secure communications to transmit confidential information. Our targets might do the same. So our first step would be to identify targets and their non-official selectors, hoping these could be tasked and provide valuable intelligence.

Unfortunately, none of the current leadership of India’s nuclear forces, the Strategic Forces Command (SFC), is overt enough to provide us with additional non-official selectors. To start, we look at the former leadership, expecting that they might still be in contact with some of the current administration. Press reporting indicates that the previous commander in chief of the SFC, Lieutenant General Amit Sharma, handed over his command in July 2016. This is close enough for us to assume that General Sharma will still occasionally get in touch with his former comrades.

Next up is an extensive Google search on General Sharma. As a high-ranking former member of the military, he might have directorships or board memberships in civilian companies. In our case he does not, so searches in company databases remain negative.

One of my favorite Google dorks is ‘filetype’, specifically looking for PDFs or PPTs. PDFs and PPTs often contain a lot of information, which helps give an overview of the target and sometimes provides leads for further research.


This search results in several hits, mainly being studies and conferences in which General Sharma participated. However, the first hit is actually the gold nugget we have been looking for. In India, the Department of Public Enterprises hosts a database containing former CEOs, directors and government officials; including short résumés.

Let's have a look at General Sharma's résumé:


Now we have a private email address and a mobile phone number belonging to General Sharma. These two selectors are tasked and a metadata analysis is conducted on both. Maybe he is in contact with his old comrades in the Strategic Forces Command. This is the door opener we needed to successfully approach our goal. We can also look up the address, which seems to be his home address. Sometimes this will also lead to further selectors.

I also hope that General Sharma did not use Dropbox to store the nuclear launch codes. Have I Been Pwned lists his email address among the accounts exposed in the Dropbox breach of mid-2012.

As this example shows, it is essential for SIGINT analysts to include OSINT research in their daily workflow.

Disclaimer: Although the data shown is real, the complete scenario described here is fictional. I have no idea if this information is known or used by intelligence services, nor do I have any insight on the assumption that India’s Strategic Forces Command is an intelligence target.

Matthias Wilson / 08.10.2018

Asset Tracing using EXIF Data

Geolocation Verification was a topic in this blog last week. The previous post presented one method to geolocate a picture based on different reference points within the picture.

In some cases geolocating a picture is even easier, provided the picture contains georeferenced EXIF metadata. EXIF (Exchangeable Image File Format) is the metadata standard that digital cameras and smartphones write into their image files. Next to various camera settings, such as focal length and exposure time, EXIF metadata can include descriptions of the picture and GPS coordinates as well. Many smartphone users have the so-called 'location services' constantly switched on, so their pictures are enriched with GPS coordinates.

The following example is based on a real investigation. The names and locations were altered to ensure the safety of the involved persons.

An asset tracing case has us looking for financial and property assets belonging to a German banker named Hans P. Extensive OSINT research on Hans P. remains unsuccessful. The focus of this investigation will now be on family and friends of Hans P. We identified two of Hans' children on Facebook. His eldest daughter, Anna H., recently married and had set up a wedding webpage using the platform ZOLA. This website reveals that the wedding took place at a large unknown estate. The actual location of this estate was not easily given away on the website. The overall information, however, points towards the Mediterranean region. On this site, Anna also thanks her father for financing the wedding and providing his estate for the celebration.


Example of a ZOLA wedding site

This is an indication that Hans P. is in fact in possession of the aforementioned estate. The website also features many professional pictures, as well as the possibility for wedding guests to upload their own pictures. We look at each picture using a browser extension which shows whether the picture contains EXIF data or not. Luckily, one of them does. (The large social networks strip EXIF data on upload; this only works on a platform that serves the uploaded original unchanged.)


Our next step is to extract the EXIF data using fotoforensics.com. The EXIF data extracted from the picture contains information on the type of phone used and also the exact GPS coordinates from which it was taken. This location is directly displayed on Google Maps.
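Uploading a picture to fotoforensics.com hands a piece of evidence to a third party, which is not always acceptable in a live investigation. The following added example, written for this page and not code from the post or from fotoforensics, does the same extraction offline: it locates the APP1 "Exif" segment in a JPEG, walks the TIFF directory structure to the GPS sub-IFD and converts the degree/minute/second rationals into the decimal coordinates you paste into a map. It implements only the parts of the EXIF/TIFF layout needed for the four GPS tags and assumes a standards-conforming file. The sample input is a constructed JPEG skeleton carrying nothing but a GPS IFD with rough coordinates near Tuscania, not the wedding photo from the post.

```python
"""Minimal offline EXIF GPS reader: JPEG APP1 segment -> TIFF IFDs -> GPS sub-IFD
-> decimal degrees. Standard library only; implements just the GPS tags."""
import struct

GPS_IFD_POINTER = 0x8825                                   # tag in IFD0
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004


def exif_payload_from_jpeg(jpeg: bytes):
    """Return the TIFF blob inside the APP1 'Exif\\0\\0' segment, or None."""
    if jpeg[:2] != b"\xff\xd8":
        return None
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            return None
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):                         # EOI / SOS: no more metadata
            return None
        seglen = struct.unpack_from(">H", jpeg, pos + 2)[0]
        if marker == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00":
            return jpeg[pos + 10:pos + 2 + seglen]
        pos += 2 + seglen
    return None


def _ifd_entries(tiff: bytes, offset: int, bo: str) -> dict:
    """Parse one IFD into {tag: (type, count, raw 4-byte value/offset)}."""
    count = struct.unpack_from(bo + "H", tiff, offset)[0]
    entries = {}
    for i in range(count):
        tag, typ, cnt, raw = struct.unpack_from(bo + "HHI4s", tiff, offset + 2 + 12 * i)
        entries[tag] = (typ, cnt, raw)
    return entries


def _ascii(tiff: bytes, bo: str, entry) -> str:
    typ, cnt, raw = entry
    if cnt <= 4:                                           # short values sit inside the entry
        data = raw[:cnt]
    else:
        data = tiff[struct.unpack(bo + "I", raw)[0]:][:cnt]
    return data.rstrip(b"\x00").decode("ascii", "replace")


def _rationals(tiff: bytes, bo: str, entry) -> list:
    typ, cnt, raw = entry
    off = struct.unpack(bo + "I", raw)[0]                  # 8-byte RATIONALs never fit inline
    return [struct.unpack_from(bo + "II", tiff, off + 8 * i) for i in range(cnt)]


def dms_to_decimal(dms, ref: str) -> float:
    """[(deg, den), (min, den), (sec, den)] plus N/S/E/W -> signed decimal degrees."""
    deg = sum((num / den) / 60 ** i for i, (num, den) in enumerate(dms) if den)
    return -deg if ref.upper() in ("S", "W") else deg


def gps_from_tiff(tiff: bytes):
    """(lat, lon) in decimal degrees from an EXIF TIFF blob, or None if untagged."""
    bo = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if bo is None or struct.unpack_from(bo + "H", tiff, 2)[0] != 42:
        return None
    ifd0 = _ifd_entries(tiff, struct.unpack_from(bo + "I", tiff, 4)[0], bo)
    if GPS_IFD_POINTER not in ifd0:
        return None
    gps = _ifd_entries(tiff, struct.unpack(bo + "I", ifd0[GPS_IFD_POINTER][2])[0], bo)
    if not {GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON} <= gps.keys():
        return None                                        # geotag stripped or never written
    lat = dms_to_decimal(_rationals(tiff, bo, gps[GPS_LAT]), _ascii(tiff, bo, gps[GPS_LAT_REF]))
    lon = dms_to_decimal(_rationals(tiff, bo, gps[GPS_LON]), _ascii(tiff, bo, gps[GPS_LON_REF]))
    return round(lat, 6), round(lon, 6)


def gps_from_jpeg(jpeg: bytes):
    tiff = exif_payload_from_jpeg(jpeg)
    return gps_from_tiff(tiff) if tiff else None


def build_geotagged_jpeg(lat_dms, lat_ref, lon_dms, lon_ref) -> bytes:
    """Constructed test input: a JPEG skeleton whose only content is an EXIF
    segment with a little-endian GPS IFD. Not a real photo."""
    bo = "<"
    ifd0_off = 8
    gps_off = ifd0_off + 2 + 12 + 4                        # IFD0 holds one entry
    data_off = gps_off + 2 + 4 * 12 + 4                    # GPS IFD holds four entries

    def rat(dms):
        return b"".join(struct.pack(bo + "II", n, d) for n, d in dms)

    lat_b, lon_b = rat(lat_dms), rat(lon_dms)
    tiff = b"II" + struct.pack(bo + "HI", 42, ifd0_off)
    tiff += struct.pack(bo + "H", 1) + struct.pack(bo + "HHII", GPS_IFD_POINTER, 4, 1, gps_off)
    tiff += struct.pack(bo + "I", 0)                       # no IFD1
    tiff += struct.pack(bo + "H", 4)
    tiff += struct.pack(bo + "HHI", GPS_LAT_REF, 2, 2) + lat_ref.encode() + b"\x00\x00\x00"
    tiff += struct.pack(bo + "HHII", GPS_LAT, 5, 3, data_off)
    tiff += struct.pack(bo + "HHI", GPS_LON_REF, 2, 2) + lon_ref.encode() + b"\x00\x00\x00"
    tiff += struct.pack(bo + "HHII", GPS_LON, 5, 3, data_off + len(lat_b))
    tiff += struct.pack(bo + "I", 0) + lat_b + lon_b
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


if __name__ == "__main__":
    # Constructed sample: 42°25'12" N, 11°52'12" E, roughly the Tuscania area
    sample = build_geotagged_jpeg([(42, 1), (25, 1), (12, 1)], "N", [(11, 1), (52, 1), (12, 1)], "E")
    print(gps_from_jpeg(sample))
```

`gps_from_jpeg(open("IMG_1242.jpg", "rb").read())` is the real-world call; a `None` result means the file has no geotag, which is the usual answer for anything that passed through a social network. Check the GPSMapDatum and timestamp tags too before trusting a coordinate in court; this example deliberately stops at the position.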


The estate is located near the Italian city of Tuscania. After figuring out the specific street address, we check it in the local real estate and property register.

Bingo! The estate was purchased four years ago and currently belongs to Hans' wife. Since Hans' wife does not come from a wealthy family, nor has she ever worked, we assume that this asset was in fact purchased with money provided by Hans P.

By the way: The wedding picture contains the EXIF data shown. Feel free to try this out yourself!

Matthias Wilson / 12.09.2018