Tools and Techniques to Keep Your Online Investigations Anonymous and Secure - 2021 LAW ENFORCEMENT HANDBOOK
LAW ENFORCEMENT HANDBOOK

Table of Contents
21 OSINT Research Tools, page 3
Tracking Online Drug Dealers Flash Report, page 16
Silo for Research Data Sheet, page 20
Silo for Research: Dark Web Data Sheet, page 22

Keep your online investigations anonymous and secure, even on social media and the dark web

Silo for Research is a secure and anonymous web browsing solution that enables users to conduct research, collect evidence and analyze data across the surface, deep and dark web. Silo for Research is built on Authentic8’s patented, cloud-based Silo Web Isolation Platform, which executes all web code in a secure, isolated environment that is managed by policy, providing protection and oversight of all web-based activity. Law enforcement and criminal investigators can accomplish their goals without introducing risk to the organization or revealing intent. All web activity is logged and encrypted, so compliance teams can be sure that investigations comply with chain-of-custody policy.

FULL ISOLATION: All web code is executed on Silo servers, not end-user devices
CLOUD-BASED: Turn-key, cloud-hosted solution that creates a clean instance every time
MANAGED ATTRIBUTION: Configure the browser fingerprint and egress location
ACCESS SURFACE, DEEP OR DARK WEB: One-click access to any destination without tainting your environment
WORKFLOW ENHANCEMENTS: Integrated tools for content capture, analysis and storage
COMPLETE AUDIT OVERSIGHT: Encrypted audit logs of all web activity are captured in one place and easily exported
Introduction to 21 OSINT Research Tools

To help investigators make use of the vast expanse of information available on the surface, deep and dark web, Authentic8 experts have curated a list of the most useful tools. With these resources, investigators can simplify their research and improve productivity.
21 OSINT RESEARCH TOOLS

1. OSINT Framework: Find Free OSINT Resources
https://osintframework.com/
WHAT IT IS
OSINT Framework indexes a multitude of connections to different URLs, recommending where to look next when conducting an investigation. It also provides suggestions on what services can help analysts find specific data that might aid in their research.
USE CASE
When you plug a piece of data (such as an email address, phone number, name, etc.) into the framework, it returns all known online sources that contain information relevant to that data. OSINT Framework also offers a list of potential resources where more information related to that particular source can be found.

2. IDA Pro: Perform State-of-the-Art Binary Code Analysis
https://www.hex-rays.com/products/ida/
WHAT IT IS
The source code of the software isn’t always available. A disassembler like IDA Pro translates machine-executable code into readable assembly language source code, enabling research specialists to analyze programs that are suspected to contain malware or spyware.
USE CASE
An incident response team loads a malicious artifact found on a breached server into IDA Pro to further analyze and understand its behavior, potential damage and method of traversal. IDA Pro can also be used as a debugger to aid analysts in reading and examining the hostile code.
3. Creepy: Gather Geolocation Information
https://www.geocreepy.com/
WHAT IT IS
Creepy is a geospatial visualization tool that centralizes and visualizes geolocated information pulled across multiple online sources.
USE CASE
Once the plugin is configured, a user can feed the tool a social media artifact. Creepy draws all available locations on the map, allowing the user to see where the devices were located when the information was posted.

4. Maltego Transform Hub: Mine, Merge and Map Information
https://www.maltego.com
WHAT IT IS
Integrate data from public sources, commercial vendors and internal sources via the Maltego Transform Hub. All data comes pre-packaged as Transforms, ready to be used in investigations. Maltego takes one artifact and finds more.
USE CASE
A user feeds Maltego domain names, IP addresses, domain records, URLs or emails. The service finds connections and relationships within the data and allows users to create graphs in an intuitive point-and-click logic.
5. DNSdumpster: Find and Look Up DNS Records
https://dnsdumpster.com/
WHAT IT IS
DNSdumpster is a free domain research tool that can discover hosts related to a domain. Finding visible hosts from the attackers’ perspective is an important part of the security assessment process.
USE CASE
After a user enters a domain name, DNSdumpster identifies and displays all associated subdomains, helping map an organization’s entire attack surface based on DNS records.

6. TinEye: Reverse Image Search
https://tineye.com/
WHAT IT IS
TinEye is an image-focused web crawling database that allows users to search by image and find where that image appears online.
USE CASE
An investigator uploads an image to TinEye or searches by URL. TinEye constantly crawls the web and adds images to its extensive index (as of August 2021, over 48 billion images).
7. Shodan: The Search Engine for the IoT
https://shodan.io/
WHAT IT IS
Websites are just one part of the internet. Shodan allows analysts to discover which of their devices are connected to the internet, where they are located and who is using them.
USE CASE
Shodan helps researchers monitor all devices within their network that are directly accessible from the internet and therefore vulnerable to attacks.

8. Wayback Machine: Explore Billions of Webpages
https://web.archive.org/
WHAT IT IS
Wayback Machine analyzes websites published across time, allowing researchers to review how the webpage looked when it was originally launched or updated, revealing data that may no longer be visible or searchable through regular search engines.
USE CASE
Suppose a website was seized by the FBI, but the original content is no longer there. Researchers can use Wayback Machine to reveal information that the site may have contained prior to the raid.
9. Have I Been Pwned: Find Out if Your Account Has Been Compromised
https://haveibeenpwned.com/
WHAT IT IS
The service exposes the severity of the risks of online attacks, while helping victims of data breaches learn about compromises of their accounts. Users can subscribe to receive breach notifications and search for pwned accounts and passwords across domains.
USE CASE
Users can securely enter email addresses and passwords to find out if they have been hacked. The site returns a complete list of breaches where specific accounts have been exposed, and it lists what types of data (email addresses, names, passwords, locations, etc.) have been stolen.

10. CipherTrace: Follow the Money
https://ciphertrace.com/ciphertrace-maltego-transform/
WHAT IT IS
Maltego CipherTrace is a popular security research and forensics tool that uses the Bitcoin blockchain to track funds. CipherTrace uses identifiers for criminal, mixer, dark market, gambling, ATM and exchange activities. It comes in the form of a Maltego Transform plugin.
USE CASE
Create directed graphs to track an asset's final destination, even when a Bitcoin mixer attempts to launder the funds.
11. Voter Records: Search Anyone’s Public Records
https://voterrecords.com/
WHAT IT IS
Voter Records is a free political research tool that contains more than 70 million voter registration records. Details include related public records, political party affiliations, relatives, location, current and previous addresses and more.
USE CASE
A researcher could gain comprehensive information about any person’s affiliations, location and connections.

12. Whitepages: Find People and Perform Background Checks
https://www.whitepages.com/
WHAT IT IS
Whitepages offers reverse name, address and phone number lookup and returns high-level information on any individual or business.
USE CASE
A useful tool for verifying that the persons a researcher is dealing with are who they say they are. Investigators can locate people and businesses, verify their addresses, look up phone numbers and even perform complete background checks.
13. Fake Name Generator: Disguise Your Identity
https://www.fakenamegenerator.com/
WHAT IT IS
Fake Name Generator produces an entire new false identity for a person, including detailed contact information, a mother’s maiden name, street address, email, credit card numbers, phone number, social security number and more.
USE CASE
A fake identity can be useful for filling out online forms without giving out personal details, using it as a pseudonym on the internet, testing payment options with randomly generated credit card numbers and all other types of research where an analyst doesn’t want to expose his or her real identity.

14. CityProtect: Explore Crime Maps
https://www.cityprotect.com
WHAT IT IS
CityProtect is a crime visualization site. Users provide a location within the U.S., along with some other parameters, and detailed crime reports are delivered. The reports are rendered geospatially.
USE CASE
A user can analyze quantified criminal behavior in a geographic area over time to help build an intelligence-led brief.
15. Torch Search Engine: Explore the DarkNet
http://xmh57jrzrnw6insl.onion/ (Tor browser is required to open link)
WHAT IT IS
Torch, or TorSearch, is a search engine designed to explore the hidden parts of the internet. Torch claims to have over a billion darknet pages indexed and allows users to browse the dark web uncensored and untracked.
USE CASE
Torch promises peace of mind to researchers who venture into the dark web to explore .onion sites. It also doesn't censor results — so investigators can find all types of information and join discussion forums to find out more about current malware, stolen data for sale or groups who might be planning a cyberattack.

16. Dark.fail: Go Deeper into the Darknet
https://dark.fail/
WHAT IT IS
Dark.fail has been crowned the new hidden wiki. It indexes every major darknet site and keeps track of all domains linked to a particular hidden service.
USE CASE
Tor admins rely on Dark.fail to disseminate links in the wake of takedowns of sites like DeepDotWeb. Researchers can use Dark.fail when exploring sites that correlate with the hidden service.
17. PhishTank: Use PhishTank to Research Suspected Phishes
https://www.phishtank.com/
WHAT IT IS
PhishTank is a free community site where anyone can submit, verify, track and share phishing data. PhishTank also provides an open API for developers and researchers to integrate anti-phishing data into their applications.
USE CASE
Users submit suspicious URLs via email, and PhishTank identifies, verifies, tracks, confirms and publishes phishing sites on its webpage.

18. HoneyDB: Community-Driven Honeypot Sensor Data Collection
https://riskdiscovery.com/honeydb/
WHAT IT IS
HoneyDB has multiple honeypots throughout the internet waiting to be attacked. The service logs complete details of an attack (including IP address) and the binary that was used to execute it, then lists them in its database. HoneyDB enables users to run a reverse search on IOCs and correlates them back to campaigns happening on its honeypots.
USE CASE
A campaign that uses a unique exploit to commit a widespread attack on every system possible would most likely infect one or more of the honeypots. A user then accesses detailed information on the attack to gather information about its intentions and perpetrators.
19. ThreatMiner: IOC Lookup and Contextualization
https://www.threatminer.org
WHAT IT IS
ThreatMiner is a threat intelligence portal designed to enable an analyst to research indicators of compromise (IOCs) under a single interface. That interface allows for not only looking up IOCs but also providing the analyst with contextual information. With this context, the IOC is not just a data point but a useful piece of information and potentially intelligence.
USE CASE
Identify and enrich indicators of compromise to have a better understanding of attack origins.

20. VirusTotal: Analyze Suspicious Files and URLs
https://www.virustotal.com/
WHAT IT IS
VirusTotal inspects items with over 70 antivirus scanners and URL/domain blacklisting services. Scanning reports produced by VirusTotal are shared with the public to raise the global IT security level and awareness about potentially harmful content.
USE CASE
Users can select a file from their computer using their browser and send it to VirusTotal. Results are shared with the submitter, and also between the examining partners, who use this data to improve their own systems.
21. ExploitDB: The Most Comprehensive Exploit Collection
https://www.exploit-db.com/
WHAT IT IS
The Exploit Database is an archive of public exploits and corresponding vulnerable software, developed for use by penetration testers and vulnerability researchers. Exploits are collected throughout the internet and through user submissions, then archived for community use.
USE CASE
The Exploit Database is a repository for publicly available exploits, making it a valuable resource for those who need actionable data at their fingertips.

Silo for Research: Secure, Anonymous Online Investigations
https://www.authentic8.com/products/silo-for-research
WHAT IT IS
Silo for Research is a purpose-built solution for conducting online research without exposing analysts’ digital fingerprint. Safely pursue investigations across the surface, deep or dark web from a cloud-based browsing interface while controlling how you appear online.
USE CASE
Blend in with the crowd and avoid tipping off your suspect. Manipulate your location, time zone, language and keyboard settings, device type, browser and much more. Keep investigative browsing completely segregated from your device to prevent infection, tracking or identification that could spoil your investigation or make you a target.
FLASH REPORT
Tracking Online Drug Dealers

Drug Dealers Use Social Media to Sell Illegal Narcotics
The continued rise of social media over the past ten years has led to drug dealers using various social media platforms to sell illegal narcotics on the surface web. Investigators need a safe and anonymous browsing and research framework that allows them to investigate social media drug dealers without the risk of being identified or infecting their endpoint with malicious web code. This workflow will cover how the Silo Web Isolation Platform and managed attribution solution can be utilized to identify and investigate social media drug dealers anonymously.

Identifying and Investigating Drug Dealers on Social Media with Silo for Research
The first step when conducting an investigation using Silo for Research is to select a regionally appropriate egress location and a user agent string that matches regional norms. (For the sake of this workflow, we will use the U.S. and Google Chrome running on a Windows 10 machine as the user agent string.) This process allows investigators to blend in as locals of that area.

When conducting research on social media, there are various data capture tools included with Silo for Research that can be used for gathering intelligence. The first is a video download tool that allows investigators to simply download any video currently playing on their screen to save as evidence. The second is a screenshot tool that gives investigators the ability to take a screenshot of an entire page. The screenshot tool also gives investigators the ability to edit the screenshot by including boxes, arrows and text to highlight important information, as well as the ability to include the URL of where the screenshot was taken. This allows investigators to easily return to that page to gather additional intelligence.

By conducting a search on Twitter for #xanax, the Twitter user @phillipeguz was identified as an account using Twitter to market and sell illegal narcotics. Shown on this profile is information on how to place an order, including a website, email address and phone number. This information can now be run through additional search engines to possibly identify the owner of the account.
FLASH REPORT | TRACKING ONLINE DRUG DEALERS

Resources for Site Ownership Research
WHOIS records provide top-level domain information such as exact dates of registration, addresses, names and phone numbers associated with the domain. Additionally, they provide web host information. @phillipeguz posted the website cannabisbozz420 dot wixsite dot com on their Twitter feed as a location to purchase the illegal narcotics. Using https://urlscan.io/, a report was generated for this site.

Breakdown of URLscan.io Result Panels
1. “Summary” provides a top-level summary of what country the site is hosted in.
2. “HTTP” details how many HTTP connections are made during initial load.
3. “Links” details what other sites are linked to on the main page.
4. “IP/ASN” details the IPs of everything used upon initial load and the geographic location as well as ASN.
5. “IP Detail” contains the exact city/state/country an IP address is assigned to, and redirects.
6. “(Sub)domains” identifies how many subdomains a top-level domain contains.

Example Analysis of Result Panels
According to the generated report, cannabisbozz420 dot wixsite dot com/weed/about uses hosting primarily in the United States but also has hosting in Germany. This means that the distribution could also include locations outside the United States. On the website, the site owners also listed packaging locations in the United States, Germany, Australia, New Zealand, Switzerland, Sweden, Ireland and Poland. The following screenshot from their website depicts their packaging locations around the world.

It appears that the domain was registered by godaddy.com. This information could be used to send out a subpoena or court order to godaddy.com to find out who registered the domain with them.
Phone Number Reverse Lookup
The phone number +1-802-438-8671 was also listed as contact information for ordering narcotics from this Twitter page. Having this number available is extremely valuable for the investigation. The number can be run through a reverse phone number search engine to identify the subscriber information. The following screenshot is from a report generated by https://www.whitepages.com/phone/1-802-438-8671 for the listed phone number.

Example Analysis of Result Panels
Although there is no identity listed for the number and the number is associated with a voice over internet protocol (VoIP) service, there is some valuable information that can be pulled from the report. Seeing that the number has a Rutland, Vermont, area code is telling: due to the website listing a packaging location on the East Coast, it is possible that the East Coast is their shipping headquarters.
Searching for Additional Social Media Profiles by Email
The third piece of contact information listed on this Twitter page is the email address kushgreens345 at gmail dot com. Once a possible email address is identified for a target, it can be run through https://verifyemailaddress.com to verify that it is a legitimate email address. Once an email address is verified, a subpoena or court order can be sent to the email provider to identify who owns and operates that email address. The screenshot below depicts the results from https://verifyemailaddress.com for the email address kushgreens345 at gmail dot com, and it is in fact a legitimate email address.

Conclusion
With drug dealers increasingly utilizing social media to distribute illegal narcotics, investigators need a safe and anonymous method to investigate and capture social media data. This workflow covered how Silo for Research can be used by investigators to safely and anonymously investigate and capture data from social media drug dealers.

Silo for Research is an integrated solution for conducting secure and anonymous web research, evidence collection and data analysis from the surface, deep and dark web. It’s built on Authentic8’s patented, cloud-based Silo Web Isolation Platform, which executes all web code in a secure, isolated environment that is managed by policy, providing protection and oversight of all web-based activity.
+1 877-659-6535
www.authentic8.com
© Authentic8, Inc. All rights reserved. 09072021
DATA SHEET
Silo for Research
Safe and anonymous access to all areas of the web

Silo for Research embeds security, identity and data policies directly into the browser, eliminating the risk of the web, and protecting your applications and data from exploits and misuse. Silo for Research is a purpose-built solution for conducting online research without exposing analysts’ digital fingerprint. Safely pursue investigations across the surface, deep or dark web through an isolated, cloud-based browsing interface while controlling how you appear online.

Protect Your Identity and Your Investigation
Adversaries exploit tracking mechanisms in traditional browsers to uncover analysts’ identity and intent — and spoil the investigation or retaliate against them. Silo for Research manages the details they see, so analysts don’t arouse suspicion.

Manage Attribution
Blend in with the crowd while conducting sensitive online investigations. Silo for Research equips investigators with dozens of options to spoof their geolocation, utilizing Authentic8’s global network of internet egress nodes. But building a complete “location narrative” requires more than just changing egress. Investigators using Silo for Research can control a range of details including:
• Browser fingerprint: time zone, language, keyboard, operating system, device type, web browser
• Network address: physical location, internet provider, subscriber information
• Data transfer and protection: isolated browsing session, one-time-use browser (no persistent tracking), policy control to restrict upload/download, copy/paste, etc.

Isolate Browsing
Ensure 100% segregation between your device — including the apps and data it holds — and all that’s encountered during online investigations — like trackers, malware and more — across the surface, deep and dark web.

HOW THE BROWSER BETRAYS YOU
Traditional browsers disclose a range of information about you to the websites you visit.
• Passed by your browser: device type, OS, software/plugins installed, time zone, audio/video devices
• Stored in your browser by websites: cookies, HTML5 local storage
• Derived from content displayed: HTML5 canvas fingerprinting, audio
By combining these details, the subjects of your investigation can get a highly unique picture of who you are. Once they realize they’re under investigation, they could hide, feed you disinformation or retaliate — online or in real life.
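The point made above (and in the flash report's first step, where egress and user agent are chosen to match regional norms) is that a "location narrative" is only as strong as its least consistent detail: a U.S. egress node paired with a German time zone, Accept-Language or keyboard layout is the kind of mismatch that a fingerprinting page can notice. The following preflight check is an added example, not Authentic8's code or a Silo feature; its reference table of plausible time zones, languages and keyboard layouts per egress country and its sample profiles are constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass

# Constructed, illustrative reference table (not Authentic8 data): for each
# egress country, the time zones, Accept-Language primary tags and keyboard
# layouts a local user would plausibly present. A real deployment would keep
# a far fuller table than this.
REGION_NORMS = {
    "US": {
        "timezones": {"America/New_York", "America/Chicago",
                      "America/Denver", "America/Los_Angeles"},
        "languages": {"en-US", "en"},
        "keyboards": {"us"},
    },
    "DE": {"timezones": {"Europe/Berlin"}, "languages": {"de-DE", "de"}, "keyboards": {"de"}},
    "JP": {"timezones": {"Asia/Tokyo"}, "languages": {"ja-JP", "ja"}, "keyboards": {"jp"}},
}

MOBILE_PLATFORMS = {"Android", "iOS"}


@dataclass
class Profile:
    name: str
    egress_country: str   # ISO 3166-1 alpha-2 code of the egress node
    timezone: str         # IANA zone the browser will report
    accept_language: str  # raw Accept-Language header value
    keyboard_layout: str  # layout exposed through key events
    device_type: str      # "desktop" or "mobile"
    user_agent: str


def primary_language(accept_language: str) -> str:
    """First tag of an Accept-Language header, with any q-value stripped."""
    return accept_language.split(",")[0].split(";")[0].strip()


def ua_platform(user_agent: str) -> str:
    """Coarse OS family named by a user agent string (mobile checked first)."""
    if "Android" in user_agent:
        return "Android"
    if "iPhone" in user_agent or "iPad" in user_agent:
        return "iOS"
    if "Windows" in user_agent:
        return "Windows"
    if "Macintosh" in user_agent:
        return "macOS"
    if "Linux" in user_agent:
        return "Linux"
    return "unknown"


def check_profile(p: Profile) -> list[str]:
    """Return findings that would break the location narrative; empty means coherent."""
    norms = REGION_NORMS.get(p.egress_country)
    if norms is None:
        return [f"no reference norms for egress country {p.egress_country}"]
    findings = []
    if p.timezone not in norms["timezones"]:
        findings.append(f"time zone {p.timezone} is not local to {p.egress_country}")
    lang = primary_language(p.accept_language)
    if lang not in norms["languages"]:
        findings.append(f"Accept-Language {lang} is not local to {p.egress_country}")
    if p.keyboard_layout not in norms["keyboards"]:
        findings.append(f"keyboard layout {p.keyboard_layout} is not local to {p.egress_country}")
    platform = ua_platform(p.user_agent)
    ua_device = "mobile" if platform in MOBILE_PLATFORMS else "desktop"
    if platform == "unknown":
        findings.append("user agent names no recognised platform")
    elif ua_device != p.device_type:
        findings.append(f"user agent claims a {ua_device} platform but device type is {p.device_type}")
    return findings


def audit(profiles: list[Profile]) -> dict[str, list[str]]:
    """Run the check over every profile, keyed by profile name."""
    return {p.name: check_profile(p) for p in profiles}


# Constructed sample user agent in the Chrome-on-Windows-10 shape the flash report chose.
CHROME_WIN10 = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                "(KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36")

# Constructed sample profiles: a coherent U.S. narrative, and one that only changed egress.
SAMPLE_PROFILES = [
    Profile("us-coherent", "US", "America/New_York", "en-US,en;q=0.9", "us", "desktop", CHROME_WIN10),
    Profile("us-egress-only", "US", "Europe/Berlin", "de-DE,de;q=0.9,en;q=0.8", "de", "desktop", CHROME_WIN10),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_PROFILES).items():
        print(name, "OK" if not findings else findings)
```

The "us-egress-only" profile is the failure mode the data sheet warns about: the IP says United States while three browser-reported details say Germany.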
Silo for Research is built on Authentic8’s patented, cloud-based Silo Web Isolation Platform, which executes all web code in a secure, isolated environment that’s managed by policy. All web activity is logged and encrypted so compliance teams can be sure that the tools are being used appropriately. And, each session is launched as a one-time-use browser, ensuring cookies and supercookies don’t follow investigators, even between sessions.

[Architecture diagram: user inputs and a benign video stream pass between the user and the Silo platform; requests with masked identity leave through the global egress network to the public internet and dark web, where potentially toxic web content is handled; the platform holds encrypted logs, policy, storage and research tools, with admin API access.]

Improve Efficiency
Purpose-built tools and third-party integrations give investigators the workflow tools they need to move through their caseload effectively. Built-in features for translation, capture and annotation simplify the data collection and analysis process. Authentic8 Secure Storage also makes it easy to save and collaborate safely on information, while adhering to policy. Additional features are available to automate analysts’ tasks, including for collection and multi-search workflows, while adhering to tradecraft best practices.

More than 500 of the world’s most at-risk enterprises and government agencies rely on Silo for Research to conduct secure and anonymous online investigations, including for:
• Trust and safety
• Fraud and brand misuse
• Intelligence and evidence gathering
• Corporate research and protection
• Security intelligence
• Financial crime and compliance

To learn more about Silo for Research, request a demo or contact a sales representative.
DATA SHEET
Silo for Research: Dark Web
One-click access to darknets with built-in security and anonymity

Dangerous organizations and individuals thrive when they can operate in the shadows; this makes the dark web the perfect place for them online. Analysts investigating criminal activity, financially motivated fraud, cyberthreats and threats to their brand need to follow leads wherever they go. But the dark web is a hazardous place, where criminals and adversaries have the upper hand by:
• Employing sophisticated counter-surveillance tools
• Actively recruiting legitimate analysts and researchers for illicit purposes
• Booby-trapping sites with malware
As a result, resource-constrained organizations too often lack dark web access altogether. Large organizations may opt to build separate, “dirty” infrastructure, which is expensive and labor-intensive to maintain, slow and opaque.

Safe, Anonymous Access to the Dark Web
Silo for Research: Dark Web provides simple and safe “point and click” access to dark web content. Dark web access is seamlessly integrated within Silo for Research and its suite of analyst tools, as compared to a separate and standalone dark web browser. The dark web enhancement extends the Authentic8 global egress network to include designated dark web nodes. Each dark web node is connected via IPSec but converts requests using proxies for access to the desired network. Each connection is built from scratch based on randomly selected nodes and relays to provide additional obfuscation.
Benefits
In addition to the familiar benefits of Silo for Research, the dark web enhancement provides:
• A single pane of glass for analysts to conduct research on the surface, deep and dark web
• Full isolation from dark web counter-surveillance and threats (e.g., malware)
• Organizational control to manage and deter unauthorized use of the dark web
• Dark web access without the need to install or manage additional applications or software
• Comprehensive audit oversight extended to the dark web

To learn more about Silo for Research, request a demo or contact a sales representative.