In part 1 of this series I touched on how to monitor changes on the internet. The methods and sites I mentioned are a good way to 'Cast Nets' to catch information on specific topics or targets of interest. The essence of this series is how to gain intelligence in a real-time scenario (or as close to real time as possible). That said, internet page alerts are a good way to detect a change online, but you would have to know something could happen ahead of time. So part 2 will focus on research once something has already happened.
Originally part 2 was going to be about social media, but social media won't ALWAYS hold the answer, so I want to touch on knowing things in general first. Remember the saying 'read the instructions first'? That applies here. In my digital forensics work I always start by looking up the specs of the device I am about to investigate. Once I know what a device's specs and features are, I get a general sense of what information the device may contain. Then I can confidently dissect device data with the appropriate tools for the job.
In part 2 I present resources to find info on physical 'Things' which may be in your investigation.
Real World Example - Vehicle Identification Numbers (VIN)
In December 2016 I was in an auto accident in which the other driver abandoned his vehicle and fled the scene. On my police report I was given a VIN and I knew the other vehicle's make and model. Finding the driver is not what I want to focus on. Instead I focus on the 'thing' in the investigation, a Ford truck. (As somebody who enjoys OSINT the way I do, I will say my insurance company received PLENTY of information on the driver.)
One thing people may not know is that a VIN can be decoded because the number contains certain identifying features of the vehicle. I learned about this because there was a typo on the VIN I acquired. So I went here http://www.fleet.ford.com/partsandservice/vin-guides/ and downloaded a guide for the vehicle I was researching.
As you can see in the chart above, the different positions of the VIN are used to identify specs such as engine type, production year and assembly plant of origin. This brochure connects detailed vehicle options to VIN values by position. So my invalid VIN was corrected by matching features from the vehicle. As a result, the VIN started working in regular lookup tools.
Now that my VIN was complete I could run searches on the VIN itself. To prevent doxing I picked a random Ford Explorer from Cars.com to pull the following information:
Entering the VIN into a site like www.vindecoderz.com, we can find very specific features tied to that exact vehicle. http://www.vindecoderz.com/EN/check-lookup/1FM5K8GT4HGB27072
Another excellent resource is Berla's iVe automotive digital forensics lookup page. https://berla.co/products/ive/vehicle-lookup/
A full listing of features such as this has the potential to help us with identification of a vehicle. It can also say what level of data evidence might be present if we needed to perform digital forensics on an infotainment center within a vehicle.
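An added example, not from the original post and not the method used above: North American-market VINs such as this Ford's carry a check digit in position 9, so a mistyped character can be detected and the candidate corrections at a suspected position listed before matching features against the VIN guide. The function names and the mistyped VIN are constructed for illustration; the valid VIN is the one from the lookup URL above.

```python
# Added example: VIN check digit (position 9) used on North American-market VINs.
ALPHABET = "0123456789ABCDEFGHJKLMNPRSTUVWXYZ"   # I, O and Q never appear in a VIN
LETTER_VALUES = dict(zip("ABCDEFGHJKLMNPRSTUVWXYZ",
                         [1, 2, 3, 4, 5, 6, 7, 8, 1, 2, 3, 4, 5, 7, 9,
                          2, 3, 4, 5, 6, 7, 8, 9]))
WEIGHTS = [8, 7, 6, 5, 4, 3, 2, 10, 0, 9, 8, 7, 6, 5, 4, 3, 2]


def check_digit(vin):
    """Return the check character the other 16 positions require."""
    vin = vin.strip().upper()
    if len(vin) != 17 or any(c not in ALPHABET for c in vin):
        raise ValueError("VIN must be 17 characters, without I, O or Q")
    total = sum((int(c) if c.isdigit() else LETTER_VALUES[c]) * w
                for c, w in zip(vin, WEIGHTS))
    remainder = total % 11
    return "X" if remainder == 10 else str(remainder)


def is_valid(vin):
    """True when position 9 matches the computed check character."""
    try:
        return check_digit(vin) == vin.strip().upper()[8]
    except ValueError:
        return False


def single_char_fixes(vin, position):
    """Try every legal character at a suspected 1-based position and
    return the VINs that pass the check digit."""
    vin = vin.strip().upper()
    i = position - 1
    return [vin[:i] + c + vin[i + 1:] for c in ALPHABET
            if is_valid(vin[:i] + c + vin[i + 1:])]


if __name__ == "__main__":
    listed = "1FM5K8GT4HGB27072"       # VIN from the lookup URL in this post
    mistyped = "1FM5K8GT4NGB27072"     # constructed typo at position 10
    print(is_valid(listed), is_valid(mistyped))
    print(single_char_fixes(mistyped, 10))
```

The check digit only narrows the field: several characters share the same value, so the remaining candidates still have to be matched against the vehicle's features.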
VIN and Owner Information
You can try basic Google searching by VIN, but your query may not always hit deep enough on the web without the proper search tools. These are a few I recommend (from the OSINT Framework):
Car Dealerships and the Wayback Machine
Let's say you don't have a VIN number but you know make/model/year. With a little OSINT you can likely determine the geographic area and approximate time that a vehicle was purchased. Most local car dealerships have used vehicle inventory online.
If we take the URL from the used inventory page of this dealer to the Wayback Machine's beta search (https://web-beta.archive.org/), we find that the dealership's used car page was archived 75 times since October 2013.
Knowing the previous info you should now be able to:
Go back in time and retrieve VINs
Piece VINs back together based on car features
Get full detailed features and specs of a vehicle
Run searches connecting people data to vehicles
Know How to Know Other Things
Once you know how to know things at this level you will find there are many types of these online resources you should know about. To save this blog from being 9 miles long I won't break down each category the same way. These are a few of the resources that come to mind when I need to research 'things'.
Buildings and Houses
Electronic Devices (anything with an FCC ID number)
OSINT is often about linking personal data to some object. Being able to deep dive into the physical objects of an investigation should help in validating those connections.
I've said before it's impossible to know all of the good tools out there. If you have any recommendations or investigation tips to share please drop me a line on Twitter @baywolf88
Coming in Part 3 - Advanced Social Media OSINT (for real this time)