One project I've been working on is the ability to conduct OSINT at a real-time pace while an event is happening. I've been conducting some fire drills when there have been active shooter scenarios in progress to see how much intelligence I could produce about the area the shooter was in as well as watch for social media posts in the area of the incident.
The recap of those drills will be for another post in what may be a 3 or 4 part series. Part 1 will cover some of the tools used to monitor current events or activities that are happening online.
Staying Current
We all know that a majority of people get their current events and news happenings from social media sites like Facebook and Twitter. (Insert fake news grumble here.) With a well-crafted Twitter feed of the local news stations in your city, you can get fairly up-to-the-minute accounts of current events or emergencies in your area. Once you follow the activity of a particular station, you may even find Twitter accounts of specific reporters who specialize in events such as crime, traffic, or weather. When it comes to crime, some cities have a fairly active law enforcement social media feed as well. Your local sheriff's department will likely let you know if there is an escaped convict in your neighborhood (more on that angle in a later part of this series). Going live on Facebook or Periscope with a press conference after something has happened is becoming commonplace. (Often these have geolocation turned on as well.)
Monitoring Specifics
If you don't want to stay glued to your social media feed all day, I recommend setting up some alerts.
If you have been researching a topic online, setting up a Google Alert will tell you when there is new content available via an email notification. Since I did a few talks about OSINT this year, I tried to set up some alerts to tell me if people were linking to my website or putting my name online. One alternative to Google Alerts that I found useful for this purpose was Talkwalker Alerts.
When I set up the alerts on my name, I found that the Philadelphia Eagles wide receiver Josh Huff had recently been arrested on drug and gun charges. As a result, any alerts I tried to set up in my name were flooded by NFL news reports about the football player. So I learned how to filter keywords out of a targeted alert search. The following alert with the AND NOT modifier seemed to cut back on alerts for the football player:
Alert for "Josh Huff" AND NOT (eagles OR arrest OR nfl OR court OR hearing OR team OR football OR receiver OR week)
Now I get a daily email with links to sites with Josh Huff mentioned. There are obviously more than 2 Josh Huffs (okay 7 if you go by http://howmanyofme.com), but this is a good way to see if anybody is mentioning my talks.
This link is a guide to all the operators you can use to refine your alerts: http://twalertsupport.talkwalker.com/what-forms-of-search-queries-are-respected/
You could use these types of alerts for specific OSINT targets you may be seeking information on, or even to monitor the brand reputation of your business name.
Website Changes
Just yesterday I had an excellent chance to test out some of the 'Change Detection' tools from the OSINT Framework.
I was anxiously awaiting the launch of the SANS Holiday Hack Challenge, which was scheduled to launch Monday, December 12th. I took this chance to set up an alert on 3 of the 4 tools in the OSINT Framework (https://visualping.io, http://www.changedetection.com and https://www.followthatpage.com).
All 3 of the sites were super easy to use. Enter a website you want to monitor for changes, enter an email to send the alert to, and set the threshold of change that you want to trigger an alert. Change Detection let you set up a daily alert. Follow That Page let you set up an hourly alert (every 10 mins with a paid account). Visual Ping let you set up a daily alert (hourly with a paid account). So I dropped them in place and wanted to see who delivered the good news first when the site was launched on Monday.
A few hours later, something awesome happened:
Look at those time stamps! 3:46pm exactly!
Disclaimer: I don't know exactly when Ed and his team hit the Holiday Hack launch button before he tweeted the announcement, but I would say Follow That Page did a pretty awesome job of hitting me with the fastest alert, especially for a free service.
How did the sites compare?
Followthatpage.com emailed me at 3:46pm Sunday the 11th (was set to hourly)
Changedetection.com emailed me at 7:57am Monday the 12th. (set to daily)
Visual Ping emailed me at 12:25pm Monday the 12th. (set to daily)
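To make the "threshold of change" setting concrete, here is an added sketch (not code from any of the three services, whose internals I am not describing) that compares two snapshots of a page and alerts only when enough of the visible text differs. The function names, the 25% default threshold and the sample HTML are all assumptions made for the illustration.

```python
import difflib
from html.parser import HTMLParser

class _TextExtractor(HTMLParser):
    """Collects visible text, skipping <script> and <style> bodies."""
    def __init__(self):
        super().__init__()
        self.chunks, self._skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)

def visible_words(html):
    """Reduce a page to its visible words so markup churn is ignored."""
    parser = _TextExtractor()
    parser.feed(html)
    parser.close()
    return " ".join(parser.chunks).split()

def change_percent(old_html, new_html):
    """Percentage of visible words that differ between two snapshots."""
    matcher = difflib.SequenceMatcher(None, visible_words(old_html), visible_words(new_html))
    return round((1.0 - matcher.ratio()) * 100, 1)

def should_alert(old_html, new_html, threshold_percent=25.0):
    """True when the change meets the alert threshold (assumed default)."""
    return change_percent(old_html, new_html) >= threshold_percent

# Constructed snapshots of a hypothetical pre-launch page (not real site content).
BEFORE = "<html><body><h1>Challenge</h1><p>Coming soon. Checked at 09:00.</p></body></html>"
NOISE = "<html><body><h1>Challenge</h1><p>Coming soon. Checked at 10:00.</p></body></html>"
LAUNCH = ("<html><body><h1>Challenge</h1><p>The challenge is live! Start playing now.</p>"
          "<script>var t=1;</script></body></html>")

if __name__ == "__main__":
    for name, snap in (("noise", NOISE), ("launch", LAUNCH)):
        print(name, change_percent(BEFORE, snap), should_alert(BEFORE, snap))
```

On a page this small a single changed timestamp already moves the score noticeably, which is why the threshold has to be tuned per page rather than left at the lowest setting.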
Suggestions?
I talk OSINT a lot, but it is impossible to know all the tools. If you have any recommendations for online monitoring, please leave some suggestions on Twitter @baywolf88
Coming in Part 2 - Know How to Know Things