2016-08-25



Computer Investigations and Use of Social Media

Recorded on August 25, 2016 with JJ Goulbourne



This 1 hour course is designed to provide basic and advanced knowledge in the use of social media during investigations. Social media can be a gold mine of information for investigators who know how to properly access and explore cyber space for information. This course is designed for commissioned private investigators or non-commissioned investigators required to gather information for court presentations. Additional material has been added and updates have been made to the original presentation. In addition, attendees will be provided with a host of tool and resources to assist them with their investigations.

JJ Goulbourne is currently the IT Manager for the Barry Lawrence Regional Library and has been with the Lawrence County Sheriff’s Office for the past 10 years. Prior to that, he was with the Christian County Prosecutor’s Office as an Investigator and System Administrator. He previously worked for the Greene County Prosecutor’s Office for 5 years as System Administrator and 1 of 3 Investigators, and a Reserve Deputy with the Greene County Sheriff’s Office assigned to the Training Division as a Firearms Instructor. He spent 4 years as an IT Technician with the Greene County Information Systems Department. He has a total of 23 years law enforcement experience. He is a Military Veteran with 16 years Military experience.

Watch the Webinar

This webinar was presented as a part of the ServeNowEDU Webinar series. To watch other previously recorded webinars and to register for upcoming webinars, visit ServeNowEDU.

Resources and Summary

You can view the resources provided by JJ Goulbourne for this webinar below.

The Do’s and Don’ts of Exploring the Dark Web with Tor Browser

5 Key Policy Considerations

Search For & Get Coordinates

9 Must-Have OSINT Tools

Online Investigations Cheat Sheet

Sample Social Media Investigations Policy

Social Media Cheat Sheet

Social Media Terms Defined

Top 10 Multi-Platform Social Networking Websites and Forums

The Do’s and Don’ts of Exploring the Dark Web with Tor Browser

You may have heard a lot about the so-called Deep Web and Dark Web lately. The Deep Web is the part of the Internet that houses 90+ percent of the web yet it’s completely tucked away from the easy access we’ve come to enjoy from search engines. The Dark Web, on the other hand, is a smaller portion of these Deep Web that’s only accessible with special software like the Tor browser.

Now you’re probably asking, is the Deep Web and Dark Web even legal? Technically, yes. There are many websites that exist within the Dark Web that provide illegal products or services, but generally speaking the Deep Web and Dark Web in and of themselves are legal. They can actually be a fantastic resource of knowledge and power when used mindfully.

If you’re curious about taking a gander into the unknown, be prepared. Due to the anonymous and vulnerable nature of the Dark Web, it’s important to keep in mind certain things you should and shouldn’t do when accessing it.

Do: Get Started with Tor

To access the Dark Web, you’ll need to download the Tor browser for free. Just visit Tor’s website and click Download Tor.

Note: Tor is available for Windows, Mac and Linux operating systems.

Once you download and install Tor, you’ll have to go through a very quick setup process. Tor will ask you whether you want to connect directly to the Tor Network or use your own secure connection. For all intents and purposes, click Connect to get onto the Tor Network. It’ll take a few seconds, but in a moment the Tor browser will launch. You’re ready to go.

Don’t: Confuse Deep Web with Dark Web

Tor isn’t for accessing the Deep Web. It technically could, but so could any other browser. In fact, you’re probably very often within the Deep Web and you don’t even know it.

Search engines crawl the Internet by visiting one web page, then all of the links on that page, then all of the links on those pages and so on. But what about when there aren’t any links? When you’re on Facebook and you search through content or perhaps on a Flash website with pop-up information, you didn’t click any links. You searched or stayed on the same page, yet you’re viewing different content. This is the Deep Web because it’s not indexable by current search engines.

The Dark Web is not separate from the Deep Web, but rather it is a portion of the Deep Web. Specifically, it’s the portion neither standard search engines nor standard web browsers can access.

Tor’s browser connects to what’s called the Tor network, which establishes an anonymous connection that protects against network surveillance and tracking. In addition to being able to access any website you can in a standard browser, you can also access Dark Web URLs that end in .onion.

Do: Use Directories to Browse Safely and Responsibly

So once you’re on the Tor browser, you’re probably at a loss. Tor doesn’t provide you with links to start surfing the Dark Web, so it’s up to you to find them instead.

One of the most comprehensive resources for the Dark Web in Tor is The Hidden Wiki. It’s accessible in the Tor browser at http://zqktlwi4fecvo6ri.onion. (Yes, most Onion URLs are confusing like that.)

Important: It’s crucial that you understand before visiting this website that it does include links to illegal and disturbing services alike. Take the time to finish reading this entire article before riding into the Dark Web without training wheels so you can avoid dangerous corners. Browse at your own risk.

The Hidden Wiki is a huge directory that provides links to Onion websites with various services, secure email, secure social networks and more.

What’s powerful about Tor is it enables anonymous voices to be heard very loudly than on regular parts of the Web. Perhaps you’re an activist or someone in an oppressed nation that wants to protect your identity. Tor securely enables this.

Don’t: Click Suspicious Links or Partake in Criminal Activity

While the Dark Web might be home to a wealth of valuable information and services, it’s also notorious for being incredibly dangerous. Many websites that operate within the Dark Web are home illegal drug trafficking, human trafficking, child pornography, theft, gore and much more.

Be cautious of any link that you choose to click because some can be deceptive. Of course avoid any and all links that advertise any of the above or any illegal, disturbing, or harmful content you don’t wish to see.

Again, browse at your own risk. Ultimately, use anonymous web browsing and your access to the Dark Web in an appropriate and legal manner.

5 Key Policy Considerations

Scope. Determine what areas the policy needs to cover. Once the scope is determined, consider the areas below that apply to the areas you have chosen to cover in your policy.

Official Use. Social media tools can be used for many purposes and are valuable for many day to day operational activities in law enforcement agencies. It is integral that authorization for and administration of any department sanctioned sites are clearly articulated.

Personal Use. Content posted by law enforcement, even off-duty and under strict privacy settings, has the potential to be disseminated broadly and fall into the hands of defense attorneys, criminals, and members of the community. Any improper postings can ultimately affect an individual’s credibility, employment status, and their agency as a whole.

Legal Issues. Issues such as First Amendment rights, records retention and public records laws, and other federal and state statutes must be considered while crafting a policy. Many legal issues surrounding social media have not yet been settled within the court system, so having clear guidelines in place becomes even more imperative.

Related Policies. Many issues surrounding social media use may be resolved by citing other policies that are already in place within your agency, including Internet Use, Personal Mobile Devices, Electronic Messaging, Code of Conduct, and Media Relations.

Search for & get coordinates

You can search for a place using its latitude and longitude coordinates, as well as get the coordinates of a place you've already found on Google Maps.

Search for a place using latitude and longitude coordinates

To find a place on Google Maps using latitude and longitude coordinates, follow the steps below.

Computer Android iPhone & iPad

Open Google Maps

In the search box at the top, type your coordinates. Here are examples of formats that work:

Degrees, minutes, and seconds (DMS): 41°24'12.2"N 2°10'26.5"E

Degrees and decimal minutes (DMM): 41 24.2028, 2 10.4418

Decimal degrees (DD): 41.40338, 2.17403

A pin will show up at your coordinates.

Get the coordinates of a place

To find the coordinates of a place on Google Maps, follow the steps below.

Open Google Maps.

Right-click the place or area on the map.

Select What's here?

A card appears at the bottom of the screen with more info.

Note: If you're using Maps in Lite mode, you won't be able to get the coordinates of a place.

Tips for formatting your coordinates

Here are some tips for formatting your coordinates so they work on Google Maps:

Use the degree symbol instead of “d”.

Use periods as decimals, not commas.

Incorrect: 41,40338, 2,17403. Correct: 41.40338, 2.17403.

List your latitude coordinates before longitude coordinates.

Check that the first number in your latitude coordinate is between -90 and 90 and the first number in your longitude coordinate is between -180 and 180.

9 Must-Have OSINT Tools

Open source intelligence (OSINT) refers to intelligence that has been derived from publicly available sources. In this photostory, we cover the most popular and important OSINT tools for a security researcher. Basically, OSINT tools are used in the reconnaissance phase to gather as much information about the target as possible. These open source intelligence tools utilize artificial intelligence features to mine data from the Web about all possible matches to the desired target.

With OSINT tools, the reconnaissance process gets streamlined, enabling a more efficient narrowing-down to the target. Using open source intelligence tools drastically reduces the number of permutations and combinations to be dealt with, in respect of information gathered. This leads to an effective combination of classical social engineering attacks on the target, which in turn can be used to harvest more information. OSINT can also be used for effective target discovery and subsequent phishing attacks.

1. Maltego

Maltego is an extremely powerful OSINT framework, covering infrastructural reconnaissance and personal reconnaissance. The infrastructural component of Maltego enables the gathering of sensitive data about the target organization, email addresses of employees, confidential files which are handled carelessly, internal phone numbers, DNS records, IP address information, geo location of the network, MX servers, and so on. The gathering of such data – known in Maltego as transformations -- needs to be creatively and thoughtfully engineered in order to get the best results. Maltego’s personal reconnaissance on the other hand helps in the harvesting of person-specific information, such as social networking activity, email addresses, websites associated with the person, telephone numbers, and so on. This happens with the use of search engines on the Internet, which Maltego effectively communicates with to gather all this information.

2. Shodan

Shodan is an acronym for Sentient Hyper Optimized Data Access Network. Unlike traditional search engines that crawl the website to display results, Shodan attempts to grab data from the ports. Developed by John Matherly, Shodan is available as a free version as well as a professional, paid version. The free version provides up to 50 results, beyond which one needs to procure the paid version. Creative usage of the Shodan OSINT tool helps find the vulnerable services in a Web server, which is a very important aspect of the vulnerability assessment phase. Various filters such as country, port, operating system and host names are available with this tool.

3. Metagoofil

Metagoofil is a very powerful OSINT information gathering tool, developed by Edge Security. In essence, Metagoofil is used to extract metadata from the target. It supports various file types, including pdf, doc, xls and ppt. This open source intelligence tool can also be used to extract MAC addresses from these files, thus giving the attacker a fair idea of what kind of network hardware is being used at the target installation. In tandem with the instincts and intelligence of the attacker, Metagoofil can be used to guess type of operating system, network names, and so on. A brute force attack can then be performed, once enough information is garnered from the metadata of the files. With the metadata obtained through Metagoofil, it is possible to extract path information, which can be used to map the network. The results are displayed in HTML format.

4. GHDB

Google happens to be the most powerful OSINT tool for a user to perform attacks, and forms the basis for GHDB – the Google Hacking DataBase. Using Google, an SQL injection on a random website can be performed within 0.2 Google seconds. Specially crafted words given as input to Google are named as dorks, or googledorks. These GHDB dorks can be used to reveal vulnerable servers on the Internet, to gather sensitive data, vulnerable files that are uploaded, sub-domains, and so on. Effective usage of GHDB can make the hacking process considerably easier. Exploit DB maintains a collection of googledorks under a section named GHDB.

5. The FOCA

The FOCA is a network infrastructure mapping tool that can be used for OSINT. It can analyze metadata from various files, including doc, pdf and ppt files. FOCA can also enumerate users, folders, emails, software used, operating system, and other useful information. Customization options are also available in this OSINT tool. For more juicy information and details about insecure methods, there is a crawl option provided. The metadata can be extracted from a single file or from multiple files. The FOCA is thus a great tool in the reconnaissance phase, to extract information from the metadata.

6. EXIF data viewers

Smartphones and digital cameras use a standard to specify formats for images and sounds that are recorded using them. This standard is called the exchangeable image file format (EXIF). Various EXIF data viewers are available. They provide details such as type of camera, focal length, type of lens, and so on. Most importantly, EXIF data viewers provide the geo location information that is stored for each image. In fact, by default, all smartphones have the GPS setting switched on. So, this can potentially leak the location where the image was taken. The accuracy is such that the latitude and longitude will be provided by the EXIF data viewer when extracting the EXIF data, thus leaking very private information.

7. Social Engineer Toolkit

Social Engineer Toolkit is an open source tool to perform online social engineering attacks. The tool can be used for various attack scenarios including spear phishing and website attack vectors. Social Engineer Toolkit works in an integrated manner with Metasploit. It enables the execution of client-side attacks and seamless harvesting of credentials. With Social Engineer Toolkit, one can backdoor an executable and send it to the victim. It can automatically create fake login pages of a given website and spawn a server to listen to returning connections.

8. Cyberstalking tools for reconnaissance

There are several websites and OSINT tools available online that can be used to find public information about a particular person. The PeekYou and Lullar websites enable gathering of information about a person that is available on various social networking sites. The Wayback Machine is a website that can be used to find previous versions of webpages, enabling one to see websites in their earlier avatars. These reconnaissance tools come in handy for cyberstalking or executing social engineering attacks. EDGAR, the electronic data gathering, analysis and retrieval system, is another website providing access to company information that might otherwise be difficult to obtain. Then there is YouGetSignal, providing OSINT tools to check for phone numbers, IP addresses, whois data, geo location, tracing, and so on.

9. Passive Recon

Mozilla Firefox has a lot of security add-ons in the form of plugins. One such powerful OSINT plugin is Passive Recon. As the name suggests, this tool does not query the domain directly. In fact it looks up all the public databases for gathering as much information as possible about the target. Passive Recon passively provides whois information, MX records, DNS information, and other useful data. Significantly, due to the passive nature of Passive Recon, the owner of the domain you are querying is not alerted.

Online Investigations Cheat Sheet

Click on the image below to enlarge.

Sample Social Media Investigations Policy

Policy: CONDUCTING SOCIAL MEDIA INVESTIGATIONS

Date:

PURPOSE:

The purpose of this policy is to develop guidelines on using social media for conducting criminal investigations and gathering intelligence data. It is the intent of the [ name of entity] to ensure that the [personnel of the (name of entity) ] are aware of what the Investigator is doing and why, as well as protect citizens’ privacy, civil rights and liberties while conducting said investigations.

While social media has become more important during certain investigations, it is only one tool. The [name of entity] uses many tools and methods, all of which are lawful and have a valid purpose. While all uses of social media for law enforcement purposes must be lawful, this policy will detail when it is authorized and used. It must be noted that not every intelligence or investigative operation will require this entity to access social media sites.

This policy will also describe why and how the [name of entity] will capture social media information during an investigation.

LEVELS OF USE:

The [name of entity] Investigator may operate in various roles when seeking and gathering information from social media sites during an official investigation.

The first level, apparent/overt status; is when the Investigator is not concealing his identity and is viewing open source information (OSINT). For example, the investigator may view a subject’s open Facebook page, LinkedIn profile, or Twitter page to find out any relevant information. In instances where user profiles and pages have no privacy settings and are open to any viewer.

In the second level, discreet status; the Investigator’s law enforcement identity is not overt because the information-gathering efforts would be hampered if the law enforcement identity was discovered.

The final level, covert, is when the Investigator’s efforts require concealing his identity by using an undercover social media identity in an attempt to gather necessary information or intelligence.

SOCIAL MEDIA MONITORING TOOLS:

This Agency may employ various social media monitoring tools to aid the Investigator in conducting an official social media investigation to aid in the prosecution of individual(s).

OFFICIAL USE:

The use of any and all tools and resources used to conduct social media investigations will be for official use only and at no time whatsoever will be utilized for personal gain.

PROCEDURES, AUDITING & MONITORING:

When conducting investigations using social media, the Investigator will be required to document such activities by completing a report and attaching it to the case file, thus informing the [head of entity] or designee that an official social media investigation was conducted for the purpose of information or intelligence gathering to aid in the resolution of the case.

RELATED POLICIES:

List any and all that apply including dates implemented.

This policy is subject to modification and revision as deemed necessary by the Prosecuting Attorney.

_________________________
[name of official]
[title]

Social Media Cheat Sheet

Click on the image below to enlarge.

Social Media Terms Defined

Application Programming Interface (API) - An API is a documented interface that allows one software application to interact with another application. An example of this is the Twitter API.

Collective Intelligence - Collective intelligence is a shared intelligence that emerges from the collaboration and competition of many individuals and appears in consensus decision-making in social networks.

Crowdsourcing - Crowdsourcing, similar to outsourcing, refers to the act of soliciting ideas or content from a group of people, typically in an online setting.

Engagement Rate - Engagement rate is a popular social media metric used to describe the amount of interaction -- likes, shares, comments -- a piece of content receives.

Geotag - A geotag is the directional coordinates that can be attached to a piece of content online. For example, Instagram users often use geotagging to highlight the location in which their photo was taken.

Exif Data - EXIF is short for Exchangeable Image File, a format that is a standard for storing interchange information in digital photography image files using JPEG compression. Almost all new digital cameras use the EXIF annotation, storing information on the image such as shutter speed, exposure compensation, F number, what metering system was used, if a flash was used, ISO number, date and time the image was taken, white balance, auxiliary lenses that were used and resolution. Some images may even store GPS information so you can easily see where the images were taken!

Algorithm: process or set of rules used to perform a task; algorithms are used to generate online search results and other online procedures.

Top 10 Multi-Platform Social Networking Websites and Forums

Sources:
http://www.guidingtech.com/50281/dos-donts-deep-web-surfing/
https://support.google.com/maps/answer/18539?co=GENIE.Platform%3DDesktop&hl=en
http://www.computerweekly.com/photostory/2240160106/Nine-must-have-OSINT-tools/2/1-Maltego

Show more