Social media is dead, long live social media!

Is your intelligence target under 25 and not on Facebook? You might want to check the social media that kids nowadays are actually using!

My daughter always says: “Dad, Facebook is for old people!” It’s true, I’ve noticed that many people under the age of 25 aren’t on ‘traditional’ social media anymore. They are not on Facebook and they may give a confused look if confront them MySpace, GooglePlus or walkmans.

So, how and where do you find Generation Z on social media. Clearly, they still feel the urge to express themselves on the internet and they’re still out there, but mostly not with their real names. This makes OSINT much more challenging. On Facebook we could search for real names, we could search by phone number and in some cases we could find people through email addresses. Some of these techniques work on other social media platforms, some won’t. In any case, if you find a profile linked to one of your targets, you might come across further social media profiles that your intelligence target has backlinked on the one you have found.

I’ve noticed that many young people use TikTok, an app designer to share short music videos. It contains likes, friends and comments, similar to what we know from ‘traditional’ social media. Luckily, the TikTok app allows you to find profiles linked to phone numbers. For this, you need to install the app either on your burner phone or in an AndroidVM, then go to the profile page and tap the ‘add contact’ button on the top left. The red dot indicates that new contacts have been found.

1

Next up, choose the option in the middle, stating that would like to find contacts from your phone book. This of course means you have to add the phone numbers of your intelligence targets to the phone book first and give TikTok access to it.

2

Tapping ‘find contacts’ will show the amount of phone numbers that are linked to  TikTok accounts and it also gives you the choice to follow them. It looks like some of my contacts are actually using TikTok.

3.png

If you have a nickname, even one derived from other platforms, these can be looked up in the app itself too. TikTok will only allow you to search for the beginning of the nickname and not for parts in the middle or last portion of the name. In the following screenshot I looked for nicknames containing ‘James’ and I was only shown names starting with ‘James’. The reason this is relevant, is that I have often found TikTok accounts to use prefixes or suffixes on their regular nicknames. So instead of just ‘James’, you might find the user as ‘xyz.james’ or ‘james.1982’.                                       4.png

However, there is a workaround for this. Just like with Instagram, there are many sites that scrape TikTok and display the accounts and in many cases the content as well. One of the ones I like to use is PlayTik. PlayTik allows you to search for hashtags and accounts. Let’s find an account that somehow uses ‘f1nd1ng’ in the nickname.

6

There we go, two accounts containing the searchterm. Now you can have a look at the profile and check out any videos this profile has uploaded (and publically disclosed). It looks like this particular profile also links to further social media and websites, like I had mentioned before. Plus, the profile contains a video. Feel free to watch it!

7.png

Facebook may be fading (soon), but others platforms will replace it. Thus: Social media is dead, long live social media! The new platforms are not just for young people, so go and try them out (research them) yourselves!

Matthias Wilson / 13.09.2019

 

Building a Hells Angels Database with Hunchly

Today I will teach you about Hells Angels and Hunchly and how one of these two is useful when looking into the other.

In the past year, I have worked two cases in which I stumbled upon links to Hells Angels while investigating individuals. I was surprised how much information people affiliated with this group shared publically on Facebook and other social media sites. Whether they were just supporters or full members, it became quite clear that they did not care about data privacy. Most profiles had open friend lists, some of them displaying thousands of friends. Hells Angels affiliates are not hard to find. You will likely stumble across one of the following acronyms and/or terms on their profiles: AFFA (Angels forever, forever angels), HAMC (Hells Angels Motorcycle Club), Support 81 (8 = H, 1 = A), SYL81 (Support your local Hells Angels), Eightyone.

There are a couple more, but this article is not about the Hells Angels per se. Since these individuals have so much open information on Facebook, their profiles are the perfect playground to try out Michael Bazzel’s Facebook tool on IntelTechniques.

I had just finished working on the first case and subsequently erased all the data linked to that case, when a second case soon revealed links to Hells Angels as well. If only I had saved some data from my first case. I roughly knew where I could start off, but most of this knowledge came off the top of my head and was sketchy. Before I started the second investigation, I made sure I wouldn’t make the same mistake again and decided to use Hunchly to save my findings. That way, if a third case with the same links should ever occur, I will have a great starting point. For those of you who do not know, Hunchly is a web capture tool. It automatically collects and documents every web page you visit. The best part is that it indexes everything, so you can search within the data afterwards. Using this amazing tool allowed me to create a fully searchable Hells Angels database!

First off, I created a new casefile and then let Hunchly collect Facebook friends lists of people affiliated with my target or any Hells Angels in the area my target originated from. As some of the profiles had thousands of friends, I used a little Chrome extension (Simple Auto Scroll) to automatically scroll down friends lists, so they would be captured in whole. Whenever I looked at profiles and found information that could not be automatically indexed, I would take notes in Hunchly or tag (caption) pictures. I have learned that a lot of intelligence can be obtained by closely looking at pictures on social media. In the following example, one Hells Angels member had obscured the tags on his vest. Based on the information in his profile, it became clear that he must belong to the Aarhus chapter in Denmark. I tagged this picture, meaning it would pop up if I ever searched for “Aarhus” in Hunchly.

1

I ended up tagging all pictures that included chapter names, functions, nicknames or general indications on the location. If I am interested in finding the security chiefs and weapons masters, all I have to do now is search for “Sergeant at Arms” or known abbreviations. Looking for “arms” gives me several results in Hunchly.

2

The first two are displayed because I manually tagged these pictures and added a caption. The third result is from a webpage that Hunchly captured, in which the person actually listed “SGT At Arms” as his current occupation. Hunchly also allows you to refine searches. I can narrow these results down and, for example, only search for Sergeants at Arms in a specific chapter. Searching for “arms + sacramento” only reveals one result, which I had captioned with the information I saw in the picture. As you see, the picture is actually mirrored.

3

All collected data is saved offline. Should the online profile ever change, be locked down or deleted, I still have a version to work with. By using Hunchly and remembering to tag pictures with captions and also take notes on webpages, I have created a useful database on Hells Angels Facebook profiles. From here on, it is also always possible to go to the live versions of webpages, so any updates can also be captured within the same casefile.

If you are not using Hunchly yet, I suggest you have a look at it. The use case described above is just one of many. Furthermore, if you ever come across friendship requests from people named “AFFA” or “HAMC”, you might want to think twice before accepting them. Or else you might wind up in my Hells Angels database.

Matthias Wilson / 07.03.2019

The Golden Age of OSINT is over

Change is coming and it will greatly affect the way OSINT investigations are conducted in the future. Who knows, in a couple of years completely different skill sets might be needed to handle online investigations. Are we prepared?

In the OSINT community we constantly have to deal with changes. New tools and new platforms are always on the rise, just as old platforms and tools become obsolete in an instant. Staying updated is a continuous challenge, much more than just one person can handle. Luckily, most members of the OSINT community are willing to share any new discoveries, especially on Twitter. Therefore, following the hashtag #OSINT on Twitter, as well as numerous OSINT-related accounts, is the first and most important step when working in any area that requires OSINT skills.

There is always a lot of chatter on the future of OSINT and unlike many others, I do not think that Python is the future of OSINT. Does OSINT even have a future? Let us fast forward to the year 2022 and have a look at online investigations then.

roads ends2

January 2022:

Over the past years, more and more people have been made aware of their own data privacy and this has massively changed the way they use online services. What started with the release of the ‘Snowden documents’ in 2013 and continued with massive data breaches, such as the Cambridge Analytica case made public in 2018, has led to the desire to share less information publicly. This development basically made Facebook obsolete and new platforms have arisen in its place. Although Facebook still exists, the data it contains only has historic value and cannot be used for current investigations, much like Google+ or MySpace a couple of years back. Even though Facebook tried to turn the tide by changing privacy settings, the damage done by many the data breaches was too much to convince users to maintain a presence on the platform. Nowadays, social media is more anonymous than before, modern platforms do not require or request real names and information shared is not automatically distributed publicly. For OSINT investigations, this means that a real name might not provide a starting point to search for someone online. The main starting point is now an obscured username, which is hopefully unique enough to be used in investigations. How can we identify a username, if we just have a real name to start with?

In modern social media this is almost impossible. Unlike the old Facebook, which gave us a display name and an account name (mostly based on the real name), today’s social media does not reveal the real name. So, either you know the username to start with or you are pretty much screwed. Of course, another possibility is searching ‘historic’ sites that have linked usernames to real names, such as Facebook or maybe even Twitter. There are also commercial databases and people search engines that offer these services for a small fee. However, if someone was OPSEC-savvy before 2019, he or she most likely will not be found online easily in 2022. Even with a unique username, the information that can be obtained from social networks is marginal, since everyone is well aware of their own data privacy. If you are not a part of your targets network, you will not see anything. No updates, no pictures. Even likes and other forms of indirect communication between accounts will not be publicly disclosed. This rendered many of the Python tools developed over the past years obsolete, as the data that can be scraped is mostly useless.

With that said, how does OSINT look today? In general, we have shifted from the passive gathering of information to more active means of collecting data. I call it virtual HUMINT (VUMINT). The objective of VUMINT is to infiltrate target networks during investigations in order to see information that is not openly available and possibly even interact with the target on a ‘personal’ level. Whereas sock puppets in 2019 where mainly used to gain access to social networks in general, sock pockets nowadays are needed to gain access to specific profiles of our targets and their closed networks. Now, more than ever, it is important to have lifelike and tailor-made sock puppets to achieve this objective. A blog post from 2019 is still useful and gives a good description of sock puppets and how they should be setup: The OSINT Puppeteer. Building a sock puppet for a specific account is not something that is done in a short period time, so receiving results through VUMINT takes much longer than information gathering through passive OSINT. Naturally, there is no guarantee that a target will add you to his or her network, no matter how good the sock puppet is. This means you might invest a lot of time in the creation of a sock puppet without achieving any notable results. In certain ways, it is very similar to a target-centric phishing campaign.

Another challenge in modern OSINT is the vast dissemination of unverified or untrue information on the internet. Everyone can post everything online in an instant and everyone wants to have news in a heartbeat, making it harder for press and media to thoroughly research events before releasing information. Media and press institutes that fact-check and verify first are losing the battle against quick-releasing competitors. The customer’s demand for instant information over reliable information has flooded the internet with rumors and ‘fake news’. During investigations, more and more time is spent conducting OSINT research on the credibility of data found on specific targets. Finding the original source of the information, the so-called Patient Zero, assessing its trustworthiness and then determining how and if the information can be used in our investigations. Today, it is not the actual collection of open source data that is the key, but the actual evaluation of this material.

One thing that has not changed, is the fact that the global corporations behind online platforms, and thus intelligence services, still have the possibility to use all the personal data on users however they desire. While OSINT collection and intelligence has become more challenging for everyone outside of these corporations and intelligence services, it is easier than ever for them to make use of personal data. Whether it is tailor-made advertising or extensive profiling through intelligence services, our data and of course ourselves are now more transparent than ever. There is no hiding from global corporations or intelligence services anymore if we want to use online services. Luckily (or unfortunately), the personal data is not sold or leaked as much as it was a couple years ago, limiting the benefit of commercial databases.

In 2022, the Golden Age of OSINT in investigations is over. The trends that started around 2015, e.g. automating OSINT, do not work anymore. Instead of learning how to code, maybe we should focus on social engineering a bit more. A good OSINT investigator in 2022, first and foremost, needs to be a good intelligence analyst and have some strong Human Intelligence skills.

Thank goodness it’s still 2019!

Matthias Wilson / 04.01.2019

How Ray Reardon Solved a Blackmail Case

When playing snooker, you sometimes have to rely on your opponent making a mistake to win the game. When conducting investigations, we also have to rely on the suspect to make mistakes, in order to solve the case.

A while back one of our customers, a large German cosmetic company, had received threatening emails from an unknown perpetrator. This person threatened to sabotage the company’s supply chain and thus cause a production fallout. The emails where sent from an anonymous email address and we were not able to find any information on the originator through OSINT. Over the course of the next weeks, the perpetrator continued to send threats and demands in various emails. One of the demands was to transfer a large sum of money to a Bitcoin account.

Again, we went looking for information online, trying to track down this Bitcoin account. Once more, we turned up empty handed. We tried every trick in the book, including trying to lure the perpetrator into a trap using phishing emails, which only resulted in him sending the threats from different email-addresses each time.

The only consistent information was the Bitcoin wallet address and the name he used to sign the emails. This name was ‘Ray Reardon’. Judging from the content of the emails, we had a hunch that this person might actually be an insider. He apparently had extensive knowledge of the company’s supply chain and internal procedures. Knowing this, we sat down with the company’s security officer and discussed the next steps. Our technical approach using OSINT and even phishing was exhausted and we agreed upon covert investigations within the company. In the first step, the security officer identified everyone that could have the knowledge displayed in the emails. We received a list of eight employees and also some written documents from each of these employees. We compared the documents to the emails, hoping we might find specific phrases, terms or spelling mistakes that match. As with the steps before, this proved inconclusive.

The suspects worked in different shifts and the company’s employees had no access to private IT or phones during their worktime. Each employee entered and left the building through doors that only opened with their personally issued RFID tag. We pulled the login data and compared it to the times that the emails had been sent and could rule out five of the suspects, as they were definitely still in the building at their workspaces. Furthermore, we had the IT department check if any company computers had accessed the websites of the email providers used to send the threat emails. So far, we started off with OSINT, then tried social engineering (phishing) and were now down to an internal forensic investigation.

These steps enabled us to narrow down the amount of suspects from eight to three. The remaining three suspects were off duty at the time the emails had been transmitted. We started conducting intensive background checks on all three, including looking at their social media and online footprints. While the checks on two of the suspects did not provide any further leads, one check revealed that the last remaining suspect was really into snooker and competed in regional snooker tournaments. This small and seemingly irrelevant information actually helped solve the case. Remember the name used to sign the threatening emails? It turns out ‘Ray Reardon’ is actually a famous snooker player. Combined with the fact that the suspect wasn’t at work in the relevant time period, the use of the name ‘Ray Reardon’ proved to be a circumstantial piece of evidence that our customer then handed over to the German law enforcement agencies. Subsequently, it was enough to get a search warrant for the suspect’s home.

Our customer later reported that the police had found more evidence on the suspect’s computer and that he was tried and convicted for attempted blackmail.

Our investigation was the frame ball* in this case.

Snooker_Touching_Ball_Redfoto by barfisch under license CC-BY-SA 3.0

Matthias Wilson / 14.12.2018

*Snooker term: the last difficult shot required to win

Sieben Praxistipps für Jedermann

“Googeln können wir selbst!”. Diesen Satz hört man häufig, wenn man mit Kunden über OSINT-Recherchen spricht. Dass zu einer umfänglichen Recherche ein bisschen mehr als “googeln” gehört, wollen wir heute anhand einiger Beispiele aus dem Ermittleralltag darstellen.

  1. Pseudonyme in sozialen Netzwerken identifizieren

Immer mehr Personen nutzen in den sozialen Netzwerken Pseudonyme, so dass eine direkte Suche nach ihnen nicht möglich ist. Anstatt die Personen direkt zu identifizieren, hilft es häufig, die Zielperson indirekt über bekannte Familienangehörige oder Freunde zu recherchieren. Dazu versuche ich, eine befreundete Person mit offener Kontaktliste zu identifizieren, die ich dann nach der gesuchten Person durchsuche.

  1. Recherche in der Landessprache

Ermittler neigen dazu, nur in ihrer jeweiligen Muttersprache oder mit englischen Suchbegriffen zu recherchieren. Dies beschränkt das Suchergebnis erheblich. Wenn ich meine Recherche aber um Suchbegriffe in der jeweiligen Landessprache erweitere, kann ich meine Trefferanzahl um ein Vielfaches erhöhen. Sprachdefizite behebe ich mit diversen Übersetzungsprogrammen wie Google Translate und Co.

  1. Einsatz von OCR-Software

Häufig stoßen wir bei Recherchen auf Dokumente, die nicht durchsuchbar sind, weil sie beispielsweise eingescannt wurden. Insbesondere bei mehreren tausend Seiten kann dies sehr hinderlich sein. Dafür empfiehlt sich der Einsatz einer sogenannten OCR-Software (optical character recognition), die die Zeichen in dem Dokument erkennt und dieses in ein durchsuchbares Dokument umwandelt. Je besser die Qualität des Ausgangsdokumentes ist, desto besser ist auch das Ergebnis.

  1. E-Mail-Adressen über Passwortzurücksetzung bei sozialen Netzwerken recherchieren

Bei mehreren sozialen Netzwerken lassen sich über die Passwortzurücksetzungs-Funktion die E-Mail Adressen recherchieren, mit denen das jeweilige Profil angemeldet wurde. Dazu benötigt man lediglich den Benutzernamen. Teile der dann angezeigten E-Mail-Adresse werden zwar durch Sternchen weitgehend unkenntlich gemacht, dennoch lassen sich die E-Mail-Adressen meistens aus den erkennbaren Mustern rekonstruieren.

  1. Firmen-E-Mail-Adressen rekonstruieren

Fast jedes Unternehmen verfügt über eine Webseite mit entsprechender E-Mail-Systematik. Das am häufigsten genutzte Muster dürfte wohl vorname.nachname@domain.com sein. Bei Dienstleistern wie z.B. www.hunter.io lassen sich die Muster der E-Mail-Adressen zu den dazugehörigen Domains ganz einfach recherchieren. Kenne ich den Namen einer Person eines Unternehmens, sei es aus einem persönlichen Gespräch oder einer Recherche in sozialen Netzwerken, kann ich die E-Mail-Adresse nach der Firmensystematik mit hoher Trefferwahrscheinlichkeit rekonstruieren.

  1. WhatsApp Profilfoto

Im Rahmen von Recherchen stößt man häufig auf Nummern von Mobiltelefonen. Wenn man die Nummer in seinen Kontakten abspeichert, ist es ggf. möglich, bei WhatsApp das dazugehörige Profilfoto der Nummer zu sehen. Schon häufig konnten wir so weitere Erkenntnisse aus dem Foto ziehen.

  1. Geburtsdaten über Stayfriends recherchieren

Das Schulfreundenetzwerk www.stayfriends.de ist besonders in Deutschland bei den 30 –  60-jährigen populär. Wenn ein Profil zu einer Person vorhanden ist, ist es auch sehr wahrscheinlich, dass das Geburtsdatum hinterlegt wurde.

Ingmar Heinrich / 31.10.2018

Covert Operations in a Digital World

Even spies leave behind a digital footprint. Through social media profiles and various leaks they can be identified and their clandestine activities exposed. In the digital age it takes more time and effort to conceal covert operations, requiring new approaches as early as during their recruiting.

Covert Ops in a Digital World2.jpg

The recent uncovering of Russian GRU agents accused with the attempt to poison former Russian spy Sergei Skripal, as well as the exposure of Saudi Arabian spies in the murder of Jamal Khashoggi clearly show the problems intelligence services are facing when conducting covert operations.

Investigate journalists, such as the Bellingcat team, were able to identify the suspected culprits, often using crowdsourcing to do so. These two examples have proven how effective and timely the wisdom of the crowd can be. Another reason for the great results achieved in these online investigations, is the fact that the contributors to each investigation were highly motivated: they did not make these findings because they had to; they wanted to unravel the mysteries surrounding aforementioned cases.

Both times, blatant mistakes made by the operatives left a paper trail to follow, ultimately leading to the identification of several members of Russian and Saudi intelligence services. Not accounting for the various slipups, the main problem is that all culprits do work for their nation’s government and/or intelligence services and this was too transparent. The GRU operatives had addresses registered to known GRU locations, one of the Saudi operatives is seen in pictures where he appears to belong to the close protection team accompanying Saudi crown prince Mohammad Bin Salman on travels. These are just two examples showing links between the individuals and their governments.

The question remains, how an intelligence service can conduct covert operations that actually remain covert. One of the most obvious solutions to counter this problem is minimizing an operatives’ digital presence. This can be achieved fairly easy. Covert operatives should stay away from social media and press coverage. However, an old IT-saying states: “There is no patch for human stupidity.” Due to this, there will always be a margin of error, undisciplined individuals making exactly the mistakes leading to their public exposure. Massive CCTV coverage is causing another problem. It is impossible to travel nowadays without being filmed or photographed. As soon as these pictures of individuals are published in news and on social media, crowdsourcing kicks in. Maybe this individual was seen entering  a government building, maybe a former government co-worker recognizes him. Although the former co-worker should probably keep this information to himself rather than risking legal consequences (many have signed some form of non-disclosure agreement), this does not stop it from happening. Again, human error stands in the way.  In conclusion, intelligence services should try to rule out human error as much as possible. Regular screenings on intelligence employees aimed at searching for compromising information online could help counter these exposure threats in a timely manner. Another approach would be to decrease the amount of people who actually know of the covert operative. One radical, yet most likely successful approach could be keeping covert operatives away from government entities.

Let me elaborate on this. As soon as an individual enlists within a government entity and becomes part of this system, bureaucracy takes its toll and the individual is listed in numerous databases for mainly administrative reasons, also increasing the number of people who know of his existence. Travel expenses, payment processes and even journeys to known government sites leave plenty of breadcrumbs to follow and to identify someone as a government employee. In many countries, once you are on the government’s payroll, it is highly unlikely you will ever leave the comfort of having this government job and the benefits that come with it.

What if a covert operative never actually worked for the government?

The scenario I am about to explain might sound like it is from a Hollywood movie script, but it might be the only feasible way to conduct future covert operations. It all starts with proper recruiting. Identifying suitable candidates will be challenging and I will not discuss what traits are essential to become a perfect spy. Although former military members might be the first choice, their military service might be what uncovers them in the future. Let us look at the following fictional career:

A young, fit 18-year-old named James appears at a police or military recruiting office and expresses interest in an intelligence, investigation and/or special forces career. He achieves outstanding results in the following assessment center. These results are noted by the intelligence service, upon which they approach the potential recruit. Of course, intensive screenings are conducted beforehand and at no point is he invited to official government sites. All contacts are conducted by a dedicated handler. The used modus operandi is basically the same one used when acquiring HUMINT sources.

James receives an offer to work for the intelligence service but not in the intelligence service. He receives a scholarship to study political science at a renowned university, earning a degree which will provide the basis for his future civilian career. The scholarship is payed for by a complex system of front companies, eventually ending in some sort of charity. During his studies, James uses the semester breaks or long weekends to train the many skills needed for his covert intelligence service job. Officially, he is on long backpack tours around the world or other types of vacations. This training method takes much longer and is conducted individually at inconspicuous sites. However, after 3-4 years of part-time training and smaller operations during his university sojourn, James should be able to conduct covert operations.

After his studies, James receives a job in a worldwide consulting company. Of course, some strings were pulled in the background to enable and promote his civilian career. From time to time, James has to oversee projects in other cities or countries. This is the cover needed to enable worldwide travel to conduct covert intelligence operations. These projects could actually originate from government entities and thus fit to the intelligence operation.

After a certain time as a covert operative, James is removed from the operational line of duty. The compensation for his intelligence work could then be a non-covert job within the intelligence service (or another related government entity) or a severance pay.

This description is very short and is lacking many of the challenging details. I would like to point out a couple of interesting aspects to why this concept might actually be worth the effort:

  • The recruit could be dismissed at any time during the training program without major consequences. Other than his handlers, he does not have deep insight into the intelligence service, its locations or operations.
  • Providing a college education and kickstarting a promising civilian career, as well as offering an interesting field of work in the intelligence sector should prove extremely motivational.
  • The civilian career, when guided by the intelligence service, would deliver the best cover story for operations.
  • Failed operations could be denied easier by government entities. In this case, a statement like the recent Saudi “rogue operative theory”would pass easier.

Even though the ratio of supporting intelligence personnel assigned exclusively to such an external covert operative is higher than compared to the amount of supporting staff for regular intelligence employees, the external covert operative in total has less exposure to intelligence personnel. Regarding training, financial and operational planning, everything could be kept in a smaller yet highly professional scale.

Who knows, maybe these techniques are already in use by some intelligence services worldwide. That is probably the reason we never hear about it. Maybe the person sitting next to you on the plane is not just the business traveler he pretends to be.

Matthias Wilson / 24.10.2018