News and Social Media
October 29, 2018, Wizards of OSINT by Emmanuelle Welch
Featured in Pursuit Magazine: http://pursuitmag.com/osmosis-2018-wizards-of-osint/
Earlier this month, about 300 online investigators converged on Las Vegas’ Excalibur hotel for the fourth edition of Osmosis 2018, the annual online social media and open-source intelligence (OSINT) investigation summit organized by Hetherington Group. The “Dark Web Knights” were out to acquire the best techniques to chart Dark Web investigations.
Looking for a little help from friends to crawl through the Dark Web, to follow the scent of kush markets, locate data leaks, and zero in on stolen merchandise? Lending hands were plentiful at Osmosis, the annual online social media and open-source investigation summit. Demystifying the underbelly of the Internet was a main motif of the conference, attended by about 300 investigators, a.k.a. the “Dark Web Knights.” The open-source sleuths were mostly from the U.S. and Canada, though some come from as far as Australia, the U.K. and Namibia. The audience of law enforcement, government agencies, and private firms was lured by the prospect of adding new techniques to their OSINT toolboxes, as well as networking and socializing in the flesh with pals from Twitter and the IntelTechniques forum.
The definition du jour for #OSINT, as per security consultant and OSINT yoda Justin Seitz on one recent podcast is: “Pretty much anything that you can access online that doesn’t involve clandestine sources and secrecy.” That includes the Dark Net.
Anthony Reyes, president at High Technology Crime Investigation Association (HTCIA), pulled out different Darkware tools, i.e. software used to access the Dark Web, including IRC client HexChat and the encrypting IRC proxy, DIRT. “IRC is making a come-back!” Reyes announced with apparent glee. “IRC was the beginning of the Dark Web, and it’s back as part of the Dark Web,” he reminded the younger crowd. But the main tools remain the best-known darknet technology, the Tor browser, followed by the anonymous I2P network, peer-to-peer network ZeroNet, and BitTorrent client Tribler. “For a more secure setup of these, use a browser you never use otherwise, such as Opera or Vivaldi,” Reyes recommended.
His presentation on the data left behind by Tor on one user’s computer, even when used from a USB drive, was an eye-opener to many. Knowing the vulnerabilities that can expose an investigator can also prove useful to determine if Joe Subject or Jane Suspect has been visiting the Dark Web. Steps include reviewing a computer’s registry for deleted programs, looking for traces of Tor use in the RAM, or digging for the meek-client.exe file, which, if still on a computer, reveals that Tor was used and is gone. Sounds a tad technical? It was at times, but the idea is that even a non-techie can investigate in the Dark Web much further than initially thought.
Dark Net Investigations
Because of the constant threat of malware and looming infection by Botnets, a Dark Web investigation often starts with a virtual machine (Kali Linux in Virtual Box appears to be a favorite). Instructors also mentioned remote virtual machines such as Amazon WorkSpaces, Paperspace, or MacStadium, or using a PC after some adjustments to protect a user’s anonymity: “This laptop has no Microsoft and no Adobe so that I can’t trip,” explained OSINT expert trainer Kirby Plessas during a live demonstration.
For the methodical investigator who likes to read a manual before plunging head-first, Plessas gave plenty of tips on how to locate Dark Net vendor and buyer bibles on Reddit and to stay current on Dark Net news and tools. So-called Dark Web search engines don’t really search the Dark Web, but Torch was many experts’ favorite engine for Dark Net links searching.
Most dark markets require users to log in but don’t require verification. Plessas showed how to collect nuggets of information on a dark market, such as an image hotlinked on a server, a portion of a PGP key, a username, burner phone number, or clues left by buyers: “I always look at the ratings, because people call sellers by different user names,” she said, examining a listing for heroin that garnered rave reviews. Bitcoin addresses are also key.
Digital forensics expert Eric Huber, Vice President of International and Strategic Initiatives of NW3C, devoted an entire session to virtual currency investigations, mostly decentralized cryptocurrencies. Not too many eyes glazed over the neat deck of slides on blockchain technology and various crypto-crimes, because Huber managed to make it wildly entertaining. Again, an investigator doesn’t need advanced crypto-forensic tools to make progress on a case involving the now ubiquitous Bitcoin transaction, from ransomware attacks to concealment of assets to money laundering, Huber told the crowd.
In fact, you often need to go back to traditional investigative methods: “Don’t forget that there is a lot of paper involved. After a search warrant, you may end up with pieces of paper, sometimes with a string of numbers. A bitcoin transaction number…” Since every Bitcoin transaction is recorded in a public ledger, anyone can download the entire transaction history of bitcoins and analyze it or parse it in blockchain.info or Block Explorer. Advanced tools can tell if a transaction came from a particular wallet, to a particular Dark Net market.
More advice for investigating the Dark Net came from no less than Andrew Lewman, former CEO at the Tor project, and vice president of the Dark Owl. During his presentation on investigating an onion site, in this case a dump of credit card information, he showed a method (detailed in this blog post) that involves firing up “developer tools” in your preferred browser and watching the conversation with the web server. This alone can provide a ton of information, he told the audience.
So does looking at the code of a web page. “Through the source code, look for everything unique,” recommended Kirby Plessas. In fact, this is one of my main takeaways from Osmosis, and from this vibrant and growing community of open source investigators: As social media sites clamp down access and change, causing some of our investigative methods to go obsolete, we need to constantly think of new ways to get data—and data that isn’t presented to us on our screen. Inspecting lines of code in “devtools consoles” isn’t nearly as rousing as an evening of partying in a Vegas penthouse with a magician and a game of beer pong, but all it takes is some time, a curious mind, and a little help from friends.
Andrew Fordred, a hacker at large, forensic investigator, and founder of Intelligence-i1, is the unassuming Beatle of OSINT. A cult hero of the IntelTechniques forum, he came to Osmosis from Namibia (distributing colorful souvenirs to a lucky bunch!) and taught the roomful of investigators how to “Expose dirty business with a little help of some friends.” His OSINT strategy includes a mix of free and paid software. (Fordred was a beta tester for Justin Seitz’s Hunchly, a tool for documenting and authenticating web captures that is a favorite of many OSMOSIS attendees.)
He also contributed to the Automating OSINT Python course and visual link analysis tool Maltego, which has free versions. Other free “friends” recommended were The Harvester and Fear the FOCA, a tool used mainly to find metadata and hidden information in the documents it scans. “In essence,” concluded Fordred, “no one tool completes the OSINT or online investigation process.”
Also: Avoid “street light vision,” as in “searching only where there is more light.”
Better Than Dumpster Diving
Ask Amber Schroader, founder of Paraben Corp., about the mass adoption of “Internet of Things” platforms, and the IoT forensics expert will tell you that “it’s better than dumpster diving.” Schroader gave a captivating presentation on everyday devices that are recording and storing data for years (who is guilty of synching their phone to a rental car’s sound system to listen to music?) and end up assisting tremendously in investigations, even murder cases.
Indeed, robot vacuum cleaners that map the house and suddenly work around a dead body can become a major piece of evidence to date the time of death. Not to mention Amazon’s Alexa who, by all means, should be called if you’re running around the house, chased by a stranger, so that your digital friend can record the events in the cloud.
Schroader gave tips on expanding your imagination to consider all possible embedded and attached devices containing data, from pacemakers to smart sweaters that “send you hugs.” For instance, when a vehicle forensics examination turns out to be very expensive, find out if the driver was wearing a Fitbit tracker that may contain the same data, retrievable at a fraction of the cost. These devices are, in Schroader’s words, “‘forensic sprinkles’ because they make life so much better.”
October 15, 2018, 25 Takeaways, Quotes and Tools from the 2018 OSMOSIS Conference by Brian Willingham
After years of going to conferences of a large national organization (that will go unnamed) and coming back less than fulfilled, I found it fantastic to attend a conference that was oozing with brilliant people more closely aligned with what I do on a daily basis.
This year’s venue, Excalibur Hotel, was not my favorite; however, OSMOSIS is an absolutely terrific conference. After hearing rave reviews over the past few years from the likes of Kelly Paxton, Eli Rosenblatt, Rachele Davis and Marcy Phelps, I am so glad I made it.
If your business involves gathering investigative intelligence online, it’s a can’t-miss, and I suggest you sign up for next year right now. The networking alone was worth the price of admission.
Here are some of my takeaways, quotes and tools:
1 “Big Brother is not watching you – unless you have given him a reason to.” — Anthony Reyes, former NYPD officer
2 FOCA – Metadata analysis tool finds hidden information in documents.
3 Searx.net – “Privacy respecting” metasearch engine that combs through multiple search engines, including Google and Bing.
4 Virtual currency is at least 10 years away from being widely adopted.
5 Street Light Vision (from Andrew Fordred)
A man is looking for his keys under a streetlight. A woman approaches him and asks him what he is doing.
“I am looking for my keys,” says that man.
With no car in sight, the woman asks, “Where did you park your car?”
Pointing to a dark parking lot, the man says, “It’s over there.”
“Well, why aren’t you looking over there?” the puzzled woman asks.
“Because there is more light over here.”
6 dnsLytics – Chrome extension that helps you get information about an IP address, domain name and provider.
7 Favorite VPN? I asked about a dozen people (much smarter than I am) about their favorite VPN. NordVPN seemed to be most widely used, followed by Private Internet Access (PIA). (Personally, I use PIA.)
8 Talking about leaving data “artifacts,” Anthony Reyes said, “Somewhere out there, there is a footprint.”
9 Hunchly – Tool for online investigators that captures pages as you search, leaving a full audit trail that can hold up in court. So if that webpage disappears a day after you found it, Hunchly will keep a record of it. And even though the founder of Hunchly, Justin Seitz, wasn’t there for the conference, he was there in spirits … literally. 😉 [Thanks, Justin!]
10 Wigle – Collection of wireless routers.
“A canary token is a web URL, email address, document file and so on which will trigger an action if it’s ever accessed. In the case of a web URL, the canary token is the address of a unique yet nonexistent page on the website of the company that issued the token. If someone were to ever attempt to access that page, the web server would notice (because it would attempt to serve that nonexistent page to whoever requested it). The server will then notify the owner of the canary token that someone tried to access it.”
12 Yandex Image Search – The Yandex image search engine for facial recognition is extraordinarily powerful. I uploaded some images from my personal photo collection, and it was easily able to identify a number of photos of me on the web. Neither Google Images nor Bing Images came even close.
14 Jaleo has some amazing, really authentic Spanish food.
15 Bing Image Search – The Bing Image search has a feature that lets you search only a portion of the photo if, for example, you want to search a portion (like a background) to determine where the picture was taken.
16 “Computer forensics is like dumpster diving, but only better. It’s clean and neat.” — Amber Schroader
17 Internet of things – Think privacy is dead? You might be right, at least if you are using any of the new internet of things devices such as your Fitbit (which is being used in several murder cases) and Alexa (which has been known to “unknowingly” send recordings of conversations).
18 “At times, our work can feel like finding a needle in a needle stack.” Don Colcolough
19 The Tor browser can cycle through IP addresses, making it really, really challenging to track down the true user.
20 Read Notify – Lets you know when email you’ve sent gets read.
23 Nox App Player – Android emulator for Windows and Mac so you can run Android apps on your computer.
24 When conducting searches on Google for international subjects, change your VPN’s IP address to the country that you are searching, and you will get completely different results.
25 Too much red wine can give you a headache. And it might make you sleep in a bit. And miss a bit of a conference.
October 16, 2017, A Private Investigator’s Review of the 2017 OSMOSIS Conference by Rachele’ Davis
What IS OSMOSIS?
OSMOSIS stands for Online Social Media and Open Source Investigation Summit. This year’s conference took place in Myrtle Beach, South Carolina October 8-11. It was the third annual conference, but this private investigator’s first to be in attendance.
OSMOSIS touts itself to be “North America’s most comprehensive conference for online investigators.” With its offerings on such topics as website link analysis, OSINT techniques, smartphone data, hacking meet-up and hook-up apps, public records, hostile profiling, the dark web, and ethics, I’d say it was quite comprehensive, especially for a 2 1/2 day conference.
I am a private investigator who uses online social media and open sources in every one of my investigations, so I was looking forward to attending OSMOSIS all year. It did not disappoint.
Who Is In Charge of OSMOSIS?
Cynthia Hetherington of Hetherington Group out of New Jersey is the creator and founder of OSMOSIS. She chose fellow investigator, Cynthia Navarro, to MC the event. Ms. Navarro, owner of Finnegan’s Way, was an excellent choice, keeping the conference on schedule and flowing from one speaker to the next.
Each speaker had 1 to 2 hours of speaking time, which was perfect for providing a wide array of topics and for keeping the audience alert and attentive. Even the few speakers whose topics aren’t exactly in my purview were interesting to listen to and I still learned something from each of them.
Kirby Plessas spoke rapid-fire English at a pace equal to that of Vanessa Huxtable’s fast-talking friend, Kara. But I’m pretty sure it’s just because of the wealth of information in that woman’s head that she can’t help but to squeeze as much knowledge into her audience that two hours would allow. Ms. Plessas spoke about website link analysis and provided a huge array of resources for us. As the first speaker, she set a high bar for the rest of them.
Josh Huff, a digital forensics analyst, had a bit of a dry delivery but spoke on OSINT techniques for social media investigations and shared a great case study with us. He spent most of his time giving helpful tricks on investigating Facebook, Twitter, and Instagram, the heaviest hitters in social media today.
Amber Schroader was perhaps my favorite speaker at the conference. She is a witty, well-spoken, superb public speaker that keeps the attention of the audience through frequent humor that I found quite endearing. Ms. Schroader relates so well to her audience, you can’t help but to like her. In addition to being crazy smart and a leading authority on smartphone data usage in investigations, I really just wanted to be her friend. Although I don’t have any digital forensics experience myself, she sure hit home on the importance and value of utilizing it in investigations. Oh, and Amber taught us all that the cloud is just someone else’s computer.
Emmanuelle Welch wrapped up our first day with the ever-so-lovely topic of hacking the meet-up and hook-up apps. Although her presentation involved sticky content at times, simply because of the nature of the topic, Ms. Welch handled it with professionalism and ease. Her French accent was lovely to the ears and her good sense of humor showed throughout her talk. I learned more about Grindr, Scruff, Happn, Tinder, Plenty of Fish, OK Cupid, and Adult Friend Finder than I care to admit to anyone. Don’t even get me started on hook-up lingo. Eeeewww.
Mike Dores hit off day two of the conference with using public records for skip tracing and asset location. I thoroughly enjoyed Mike’s presentation simply for the large number of resources he so generously shared with us. Mike has been in the investigations game for a long time and has a wealth of knowledge when it comes to using public records. He also gave some very straight advice about using proprietary databases and how they actually work. Mike was another favorite of mine.
Paul Raffile was next with using OSINT in corporate security. This is not a topic of particular interest to me personally, but Paul gave a dynamite case study example that was of great value to those who work in the corporate security sector. Even though this is not my area of expertise, I still took away several valuable resources and bits of knowledge from Paul’s presentation.
Chad Los Schumacher followed with connecting the digital dots. Again, Chad’s topic was not of particular interest to me for the most part, but it was highly interesting. It was apparent early on that Chad is a super smart fella who does his job very well. Accolades to him as well for stepping in last minute for a speaker who was unable to attend last minute. And a big congratulations on his marriage that took place just days before his presentation.
David Benford ended day two with hostile profiling through OSINT and smart devices. I loved listening to Mr. Benford speak, as he is a colleague from the UK and we all know British accents are the absolute best. David provided some outstanding case studies and wonderful examples on how to find geographic data through open sources and the smart devices we all so readily use today. He gave us example after example of how easy it is to unlock a person’s identifying information starting with just one or two small bits of information. As a side, I would absolutely shut down all devices when David Benford is in the room. Otherwise, he’ll figure a way that leads right to your doorstep in a matter of minutes.
The final day of the conference started with Jeff Bedser speaking on the dark web. His rendering of the surface web, deep web, and dark web is something I’ll never forget. He digested it all in a way that even the dullest of minds could understand. Mr. Bedser’s knowledge of dark web happenings is truly remarkable. It’s a whole other world in itself that I myself hope never to have to touch. I admire individuals like Jeff Bedser and Chad Los Schumacher who delve into the darkness so the rest of us don’t have to.
Cynthia Hetherington ended with an hour talk on ethics in open source investigations. I had listened to webinars and interviews with Cynthia before, but I’d never heard a live talk in person. She is even better live than she is while I’m sitting at my computer. Cynthia also has a terrific sense of humor and a knowledge base that is stunning. I don’t know anyone else who could keep an entire audience engaged through a talk on ethics. Somehow, she kept my attention and also taught me more about the law as it applies to my profession than I knew when I walked into the room.
In addition to the fabulous variety of speakers, OSMOSIS gave ample time for networking and interacting with the many vendors who attended and made the conference possible. Hot breakfasts and lunches were provided every day, as well as snacks and drinks.
On the first official day of the conference, a bits n bytes session was planned in which ten different practitioners spoke on ten different topics at round tables. Attendees were able to sit for about ten minutes at each table of their choosing and learn from some of the best. This was a great idea that was carried out beautifully.
So if you’re contemplating attending OSMOSIS 2018 (osmosiscon.com) in Las Vegas next year, stop riding the fence and just sign up. It will be well worth your time, money, and travels. I hope to see you all there!
OSMOSIS press release – April 4, 2017
OSMOSIS 2017, Myrtle Beach, S.C. – Registration is now open for 2017’s OSMOSIS Conference. This annual Online Social Media & Open Source Intelligence Summit (OSMOSIS) has confirmed an impressive group of experts in the field of open-source intelligence. These experts will present and demonstrate some of the most in-depth insider techniques and training.
Among this year’s list of OSMOSIS presenters:
David Benford, all the way from the UK, and his explosive ‘Hostile Profiling’ presentation.
FrenchPI.com’s Emmanuelle Welch takes us through ‘Intelligence use in dating apps’.
Mike Dores presents his expertise in public record search to demonstrate the best practices of skip tracing for debtors, witnesses and defendants.
OSMOSIS 2017 will also include presentations from investigative and security industry leaders Kirby Plessas (Plessas Networks), Amber Schroader (Paraben Corporation), and Justin Seitz (Hunchly and Automatingosint.com).
OSMOSIS 2017 is being held from October 8–11, 2017 at the Sheraton Myrtle Beach Convention Center Hotel located at 2101 North Oak Street, Myrtle Beach, SC, 29577. For more information or to register, visit www.OSMOSIScon.com.