OSINT isn't always about the actual content that is collected. Sometimes timestamps and other metadata can be just as useful in investigations.
In my previous job as a SIGINT analyst I wasn't always lucky enough to actually intercept the content of communications. Sometimes encryption methods made it impossible to actually see or hear what people were transmitting to each other. In such cases, the analysis of metadata (e.g. phone numbers, date and time, communication type, duration) became almost as important as the analysis of content itself.
We all have certain patterns of life that define how, when and where we communicate. Furthermore, specific events might also have an impact on our communications. In the SIGINT world, I learned how to read metadata in order to assess a target’s behavior and likely actions. Let me give you two quick fictional examples for this.
1. A mafia group regularly communicates using cell phones. They call each other almost daily, just like you or me would also make phone calls to close colleagues on a daily basis. However, every once in a while no phone calls are registered for a period of 2-3 days. Information received from other sources indicates that during these time periods meetings of mafia senior leadership take place and they all switch off their phones so they can't be tracked. So the next time a complete network goes silent, we can assume that there is a meeting again.
2. An employee working in a defense research and development lab is not allowed to use his or her phone during work hours. If this is known, then gathering metadata on this phone could easily reveal on which days the employee was actually at work.
Information like this can be used to create a pattern of life based on metadata. The same can also be done in OSINT. In some cases, it might be relevant to know a target's daily schedule. This is where social media such as Facebook and Twitter can be useful. Again, keep in mind we are not necessarily looking at the content of a post or (re)tweet, but at the time it was broadcast. Maybe even the device it was sent from.
Let's have a look at some of my tweets over the course of a few months. Each dot represents one tweet. The x-axis shows the dates and the y-axis the time of day I tweeted something. Based on this information you can see when I usually started my daily tweeting (green line) and when I finished for the day (red line). So my Twitter activities go from roughly 06:00am to 08:00pm.
Next you might notice a Twitter pause sometime in September (orange box). Guess what happened here?
I was on vacation and took a break from my Twitter account! Therefore, if you were to define my pattern of life based on my Twitter activities, you would easily detect any anomalies. A long pause: maybe I'm on vacation again. A change of general tweeting times: maybe I'm in a different time zone. No more tweets during the day: maybe I'm not allowed to tweet at work anymore. Each time you detect such an anomaly, you should start digging into it and see what the actual reason for this change is.
In the aforementioned example I used Twitter, but pattern of life analysis in OSINT applies to any service in which communications or interactions carry a time stamp, and that's essentially every social media platform or message board.
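As an added example (not from the original post), here is Python that runs the same pattern-of-life analysis over a constructed set of post timestamps: it derives the usual first and last activity hour, flags silent periods like the vacation gap, and measures a shift in the daily start time that would hint at a time-zone change. The sample data is generated in the script and is not real; running it against your own exported activity is a quick way to see what your public timestamps give away.

```python
from collections import defaultdict
from datetime import date, datetime, timedelta
from statistics import median


def build_sample():
    """Constructed post timestamps (not real data): 30 days of activity,
    a silent stretch starting on day 15 (vacation) and a +3h shift in
    the last 7 days (posting from a different time zone)."""
    posts, start = [], date(2019, 9, 1)
    for d in range(30):
        if 14 <= d < 19:                      # vacation: no posts at all
            continue
        day = start + timedelta(days=d)
        offset = 3 if d >= 23 else 0          # new time zone for the last week
        for h, m in ((6, 30), (12, 15), (19, 45)):
            posts.append(datetime(day.year, day.month, day.day, h + offset, m))
    return posts


def daily_bounds(posts):
    """Typical first- and last-post hour (median across active days)."""
    by_day = defaultdict(list)
    for ts in posts:
        by_day[ts.date()].append(ts.hour + ts.minute / 60)
    firsts = [min(v) for v in by_day.values()]
    lasts = [max(v) for v in by_day.values()]
    return round(median(firsts), 2), round(median(lasts), 2)


def silent_periods(posts, min_days=3):
    """Gaps between consecutive active days that last at least min_days."""
    days = sorted({ts.date() for ts in posts})
    return [(a, b, (b - a).days) for a, b in zip(days, days[1:])
            if (b - a).days >= min_days]


def schedule_shift(posts, baseline_first, window_days=7):
    """Difference (hours) between the recent first-post hour and the baseline;
    a consistent shift of a few hours hints at a time-zone change."""
    days = sorted({ts.date() for ts in posts})
    recent = [ts for ts in posts if ts.date() >= days[-window_days]]
    return round(daily_bounds(recent)[0] - baseline_first, 2)


if __name__ == "__main__":
    posts = build_sample()
    first, last = daily_bounds(posts)
    print(f"usual activity window: {first:05.2f}h to {last:05.2f}h")
    for a, b, n in silent_periods(posts):
        print(f"silent for {n} days: {a} -> {b} (vacation? check other sources)")
    print(f"recent shift of first post: {schedule_shift(posts, first):+.1f}h")
```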
So, the next time you notice I'm offline for a bit, just wish me a happy and relaxed vacation!
Matthias Wilson / 16.07.2019