
www.snowdropconsulting.co.uk

Snowdrop Consulting Ltd

Assisting Your Fraud Examination With Online & Open Source Intelligence

Dr Stephen Hill

Snowdrop Consulting Ltd

Investigating Online

It has been estimated that roughly 90% of valuable intelligence comes from open sources.

According to the CIA, open sources often equal or surpass classified information in monitoring and analysing issues including terrorism, proliferation, and counterintelligence…


Open Source Intelligence (OSINT)

Open source intelligence is intelligence from publicly available sources – ‘open’ refers to ‘overt’.

Monitoring, finding, selecting, reviewing, reporting, informing.

Used to assist in intelligence gathered on an individual, for example: region, cultural background, historical data (what have they done in the past that they may do in the future?)…


Technological Development & Challenges for Online Investigations


Dark Net


The Hidden Wiki


Forums & IRC


Fake or Real?


Search Techniques & Useful Sites for Intelligence


Getting Online


IP Address

IP addresses can be either static or dynamic.

Static IP addresses never change. A static IP address reveals information including the continent, country, region, and city in which a computer is located, and the ISP (Internet Service Provider) that services that particular computer.

Dynamic IP addresses are temporary and are assigned each time a computer accesses the Internet. They are, in effect, borrowed from a pool of IP addresses that is shared among various computers.

Static IP addresses are considered somewhat less secure than dynamic IP addresses, as they are easier to track for data mining purposes…


IP and DNS

Every computer that hosts data on the Internet has a unique numerical address (IP address). For example, the numerical address for Facebook.com is 173.252.110.27.

People don’t want to remember long strings of numbers, so the Domain Name System (DNS) was developed.

DNS, a critical part of the Internet's technical infrastructure, correlates a numerical address to a name.

To access the Facebook website, you could type the IP into the address box of your web browser, but most people prefer to use facebook.com…


Understanding the URL

http://acfe.com/training-events

Protocol (how to get there): the Internet protocol to use, here http://

Server name (where to go): the Internet domain name on the Web, here acfe.com

File or directory name (what to get): the full path name (leading directories and file name) of the file holding the information, here /training-events


The Uniform Resource Locator (URL)

http://www.acfe.com/uploadedFiles/ACFE_Website/Content/rttn/2012-report-to-nations.pdf


Search Engines

When to use a search engine to search the Web?

You have a narrow or obscure topic or idea to research

You are looking for a specific site

You want to search the full text of millions of pages

You want to search for particular types of documents, file types, source locations, languages, date last modified, etc...


www.google.co.uk


Google Alerts


Search Engines

www.Bing.com


Search Engines

http://duckduckgo.com


Cluster/Visual Search Engines

www.cluuz.com/


Slash Tag – Blekko Original

https://edit.blekko.com/


Image & Video Location Search

http://www.jotpix.com


Google/Bing Image Search


Reverse Image Search

http://www.tineye.com/


Faceifi App

http://faceifi.com/


Blog Searching

http://www.icerocket.com/


Meta Search Engines

Searches multiple search engines like Google, Yahoo, Yandex...

http://www.dogpile.co.uk/


Meta Search Engines

http://www.ixquick.com/uk/


Where to Find Search Engines?

www.searchenginecolossus.com


Finding Stolen Goods

http://www.marktplaats.nl/

http://www.craigslist.org

http://www.ebay.com

http://www.gumtree.com

http://www.qoop.nl/

http://www.ebay.* (* = a country-code TLD such as .nl, .de, .jp)


Deep Web People Search

http://pipl.com/


Deep Web (People) Search


A Criminal Hotspot?


Deep Web Example


Deep Web Example

www.onecraigs.com


Advanced Search Techniques

Phrase searching: “fraud in Scotland”

Boolean search*: AND fraud, NOT corruption

Google alternative: +fraud, -corruption

Boolean search: fraud OR scam OR swindle

Boolean search*: Thomas NEAR Edison

filetype:pdf, filetype:xls / info:URL / site:domain name …

* e.g. http://www.exalead.com/search


Truncation & Wildcards *

investigat* = investigate, investigated, investigation etc.

psych*ist = psychologist, psychiatrist

“Dr ** Director of Snowdrop Consulting” = ?

“the * population of Amsterdam is” = ?

Note: You can have up to 4 wildcards in a row (****)


Spelling & Typos

Remember that words can be spelt differently, or there may be a misspelt word or typo on the website you are looking for...

Tyres & Tires, colour & color

cigarettes, 香煙, papierosy (English, Chinese, Polish?)

Stephen Hill, Steven Hill, Steve Hill

Serach Engine, Fraud Invesdigation...


Typo Apps

http://typohound.com


Translation Tools

http://translate.google.com


Translation Tools

http://transl8it.com


Social Media Investigations

The “social” in social media implies a conversation. The difference between social media and the TV is that with the latter, viewers seldom engage with the programme-makers of the show that they are watching…


So who uses Social Media?


Search Strategy: Known Social Media ID

Search KnowEm, NameChk, or Snitch Name for site matches

Conduct site-specific searches

Browse/search the subject’s network (if access allowed)


Search Strategy: Unknown Social Media ID

Use meta-search tools for name search

Look for identifiers like hometown, age, birthday

ID family members or cohabitants via public records, then search for their identities on social networks


How to Query a Social Media Username

If you have the details of a user's online name, then run the following queries on Google:

Johnsmith site:www.facebook.com

“Johnsmith” site:www.facebook.com

You could then try:

site:twitter, site:myspace, site:google+


How to Query a Social Media Username

You may also wish to look at the following queries on Google:

“Johnsmith” site:www.ebay.co.uk

Platinum engagement ring site:www.ebay.co.uk

Or

site:craigslist, site:oodle, etc.

Or

02076083445 site:www.ebay.co.uk

Stolen vehicle?

site:exchangeandmart.co.uk
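The operators from the Advanced Search Techniques, Spelling & Typos and username-query slides combine into a single query string. The builder below is an added example written for this deck, not a tool from the original slides; the name variants, sites and queries it composes are the ones shown above, and any search engine's exact operator support (e.g. NEAR) is outside what it checks.

```python
"""Compose search-engine queries from the operators used on the slides:
phrase quoting, OR-groups for spelling/name variants, -exclusion, and the
site:/filetype: operators.  Added example, not from the original deck."""
from itertools import product


def _term(t):
    # Anything containing whitespace is quoted so it is searched as a phrase
    return f'"{t}"' if " " in t else t


def name_variants(first_names, surnames):
    """Every first-name/surname pairing ("Stephen Hill", "Steve Hill", ...)."""
    return [f"{f} {s}" for f, s in product(first_names, surnames)]


def build_query(must=(), any_of=(), exclude=(), site=None, filetype=None):
    """must: terms that all have to appear; any_of: alternatives joined with OR;
    exclude: terms to drop with '-'; site/filetype: restriction operators."""
    parts = [_term(t) for t in must]
    if any_of:
        group = " OR ".join(_term(t) for t in any_of)
        parts.append(f"({group})" if len(any_of) > 1 else group)
    parts += [f"-{_term(t)}" for t in exclude]
    if site:
        parts.append(f"site:{site}")
    if filetype:
        parts.append(f"filetype:{filetype}")
    return " ".join(parts)


def fan_out(sites, **kwargs):
    """The same query repeated per site, as on the 'You could then try' line."""
    return [build_query(site=s, **kwargs) for s in sites]


if __name__ == "__main__":
    print(build_query(must=["fraud in Scotland"],
                      any_of=["fraud", "scam", "swindle"],
                      exclude=["corruption"], filetype="pdf"))
    print(build_query(any_of=name_variants(["Stephen", "Steven", "Steve"], ["Hill"]),
                      site="www.facebook.com"))
    for q in fan_out(["twitter.com", "myspace.com"], must=["Johnsmith"]):
        print(q)
```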


Facebook Trick

It is possible to use Facebook to recognise a photo and identify the ‘tags’ associated with it.

Upload a photo into your profile (sock puppet) and identify what ‘tags’ are derived from it…

Kim Lau


Facebook Trick

It is possible to use Facebook to identify someone via the ‘account finder’ options.

Go to your Facebook login page (sock puppet).

Do not log in, but click on ‘Forgot Password’.

You need to know the email address of the person you wish to identify.

Facebook will then prompt with a photo asking if this is you…


LinkedIn Advanced Search


Twitter Search & Analysis

http://topsy.com


Twitter Alerts Tool

http://tweetalarm.com


Facebook Search

http://www.facebooksearch.com


Facebook Group Search

http://www.facebook.com/search.php?sfxp=1&c1=10&c2=141&type=groups&q=420


Twitter Search

http://www.bing.com/maps


Social Media Integration

Many sites require logins or a certain degree of connection to see specifics

Site integration is increasing

Look for the weakest link

Example:

Foursquare/Facebook updates are only accessible by “friends”

Users may sync and publish updates to Twitter

Twitter updates are publicly available

Also consider looking on MySpace & YouTube...


You Never Know!

http://www.youtube.com


Tracing a Domain Owner


FIFA World Cup Scam


FIFA World Cup 2014


WHOIS Lookup

http://whois.domaintools.com

Suspect’s domain name
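A WHOIS lookup on a suspect domain is most useful when the record is read against the date of the event the scam exploits. The checker below is an added example written for this deck, not DomainTools' output or code; SAMPLE_WHOIS is a constructed record in the style of a WHOIS response, and real registries vary in field names and date formats, so the parser is deliberately lenient.

```python
"""Read a WHOIS record for the red flags that matter in a scam case: a
domain registered shortly before the event, a one-year registration and a
registrant hidden behind a privacy service.  Added example; the record is
constructed, not a real lookup."""
import re
from datetime import datetime, timezone

SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-WORLDCUP-TICKETS.COM
Registrar: Example Registrar, Inc.
Creation Date: 2014-05-20T09:12:44Z
Registry Expiry Date: 2015-05-20T09:12:44Z
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: Privacy Proxy Service (constructed)
Name Server: NS1.EXAMPLE-HOST.NET
Name Server: NS2.EXAMPLE-HOST.NET
"""


def parse_whois(text):
    """Return {lower-case field: [values]} for every 'Key: value' line."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z /]*?):\s*(.+?)\s*$", line)
        if m:
            fields.setdefault(m.group(1).lower(), []).append(m.group(2))
    return fields


def _utc(value):
    # Accepts '2014-05-20T09:12:44Z' as well as a bare date like '2014-06-12'
    return datetime.fromisoformat(value.rstrip("Z")).replace(tzinfo=timezone.utc)


def assess(text, as_of, max_age_days=90):
    """as_of: ISO date of the event being exploited (e.g. the tournament start)."""
    f = parse_whois(text)
    created = _utc(f["creation date"][0])
    expires = _utc(f["registry expiry date"][0])
    age_days = (_utc(as_of) - created).days
    flags = []
    if age_days < max_age_days:
        flags.append(f"domain only {age_days} days old at the event date")
    if (expires - created).days <= 366:
        flags.append("registered for a single year only")
    registrant = " ".join(v for k, vs in f.items()
                          if k.startswith("registrant") for v in vs).lower()
    if "privacy" in registrant or "proxy" in registrant:
        flags.append("registrant hidden behind a privacy/proxy service")
    return {"domain": f["domain name"][0], "age_days": age_days, "flags": flags}
```

Run `assess(SAMPLE_WHOIS, "2014-06-12")` to see all three flags raised for the constructed record; none of the flags is proof of fraud on its own, and they are meant to be weighed together with the Wayback Machine history of the site.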


Wayback Machine

http://archive.org/web


Security Online


Disguising your ID

Every time you surf the Internet, your IP address is publicly visible to everyone on the target network resources...


Sock (Finger) Puppets

4 steps to create a sock puppet:

Create a fake ID – use a name generator

Create fake profiles/user accounts on Facebook etc.

Fake/disguised email, phone, and IP details

Consider the payment method – pre-paid credit card…


Disguising your Online ID

http://www.fakenamegenerator.com/


Documenting Social Media Intelligence

Record URLs (especially Facebook)

Email communications (keep copies of relevant correspondence)

Screen capture – Print Screen, Save As, or apps such as ‘Camtasia’ or ‘HTTrack’

Depending on the nature of the case, keep hard copies of screenshots, emails etc…


Digital Case File

Documentation: dates, times, accounts, IDs, images, video, chat, messages

Recordings: screen records of the detailed investigation

Website details: HTML, links, bookmarks, etc…
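The two slides above (Documenting Social Media Intelligence and Digital Case File) list what to capture; what makes a capture usable later is a record of when it was taken, where from, and a digest that shows it has not changed since. The manifest below is an added example for this deck, not a tool from the original slides; the case ID, URL and capture bytes are constructed stand-ins for real screenshots and saved pages.

```python
"""Digital case-file manifest for captured web evidence.  Each capture is
logged with its source URL, a UTC timestamp and a SHA-256 digest so that the
file can later be shown to be unchanged.  Added example; captures are
constructed byte strings, not real evidence."""
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


class CaseFile:
    def __init__(self, case_id):
        self.case_id = case_id
        self.entries = []

    def add_capture(self, url, kind, data, captured_at=None):
        """Log one artifact (screenshot, html, email, video...) and return its entry."""
        when = captured_at or datetime.now(timezone.utc)
        entry = {
            "seq": len(self.entries) + 1,
            "url": url,
            "kind": kind,
            "captured_at": when.isoformat(),
            "size": len(data),
            "sha256": sha256_hex(data),
        }
        self.entries.append(entry)
        return entry

    def verify(self, seq, data):
        """True if the bytes held now still match the digest logged at capture."""
        return sha256_hex(data) == self.entries[seq - 1]["sha256"]

    def manifest(self):
        """JSON text suitable for printing and filing with the hard copies."""
        return json.dumps({"case": self.case_id, "captures": self.entries}, indent=2)


# Constructed sample captures standing in for a screenshot and a saved page
SCREENSHOT = b"\x89PNG\r\n\x1a\n...constructed screenshot bytes..."
SAVED_PAGE = b"<html><body>constructed profile page</body></html>"


def demo(case_id="FRAUD-2014-0001"):
    cf = CaseFile(case_id)
    cf.add_capture("http://www.facebook.com/example.profile", "screenshot", SCREENSHOT)
    cf.add_capture("http://www.facebook.com/example.profile", "html", SAVED_PAGE)
    return cf
```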


Disguising your IP Location

Proxy and VPN services re-route your Internet traffic and change your IP.

A proxy is like a Web filter: it will only secure traffic from the Internet browser that is using the proxy server settings.

A VPN encrypts all of your traffic: VPNs replace your ISP and route all traffic through the VPN server, including all programs and applications...


Disguising your IP Location

There are many products on the market to enable you to hide your IP address…


TOR

https://www.torproject.org/index.html.en


Email: shill@snowdropconsulting.co.uk

Twitter: @SnowdropInfo

Recommended