OSINT Researchers - Human Vs Machine

Last year I was a speaker at OSMOSIS Conference in Myrtle Beach, South Carolina.  The conference is a draw for investigators across many professional fields.  One thing that I was curious to see was the vendor booths.  I already knew of some of the conference vendors, like Skopenow and TLO, being in the Private Investigation business.  This was the first time I would see demos from other companies like Liferaft and Voyager Labs.

Like many OSINT analysts, I'm selective when it comes to spending my software license budget and some of these vendors can have pretty large license costs.  That's why I was interested to see what these power house companies could do for an OSINT investigator.  The conference had some good breakout sessions where I got to see demos of the software in action. 

Machine Advantage

The 2 examples that wow-ed me the most were from Voyager Labs who demonstrated with a case study of the Instagram Models who were arrested with a large haul of cocaine on an Australian cruise ship.   

 Geo-location of social media, drug trafficking and models makes for an interesting case study

Geo-location of social media, drug trafficking and models makes for an interesting case study

The analysis showed geo-location analysis and the different countries of port on the cruise ship where the cocaine was likely to have been brought on board. The software was able to quickly extract location data from target social media and create geographic points on a map for analysis.

The 2nd example that caught my attention was one of the social network mapping demos.  The context was gang member analysis on the west coast of the United States.  The software took a suspected gang member's Facebook page and visually mapped out the network of friends while pointing out specific details in common among the account's network of friends.  The software also took the data and graphed it out visually.

 simulated social network graph

simulated social network graph

There were common profile account details that when analysed were subtle identifiers of potential gang involvement.  What was most impressive about this demo was the speed of the graphic analysis and the case management portal that gave a quick way to change and filter the graph based on account details.  If you wanted to see all the people in the suspect's Facebook network that were from the same city, high school or employer all you had to do was flip a few selectors and that data and the graph would both change on the fly.

The demonstrations showcased the power of automating some of the OSINT analysis within a custom dashboard giving a drastic speed advantage to portions of social media analysis.  

License Vs Open Source

The obvious advantage in comparing open source tools to licensed commercial material is cost.  Some of the lower cost social media tools on the market can still run you $50-150 per month for access to things that will automate the aggregation or analysis of social media and other online content.  While the heavy hitters like the vendors I mentioned above can run you several thousand dollars per year for a license to access this software.

Unless you have an unlimited budget, open source tools will likely be an area of interest.  Here are a few recommended tools and resources (open source) that OSINT investigators will want to check out:

Online Resource Collections-

http://osintframework.com/ (Visual Collection of tools based on category) Credit - @JNordine

https://inteltechniques.com/menu.html (Impressive collection of online search tools) - Credit @IntelTechniques

https://github.com/Ph055a/awesome_osint (Large collection of OSINT resources) - Credit @Ph055a

https://brokemy.network/osint-resources/ (Great collection of the great resource collections) - Credit @CryptoCypher 

https://start.me/p/m6XQ08/osint (start page of OSINT resources featuring some international tools) - Credit @TechNisette

https://start.me/p/VRxaj5/dating-apps-and-sites-for-investigators (Start page of OSINT tools for Dating Sites) - Credit @FrenchPI

Tools - 

Maltego Community Edition

https://www.paterva.com/web7/buy/maltego-clients/maltego-ce.php

Maltego Casefile

https://www.paterva.com/web7/buy/maltego-clients/casefile.php

Gephi

https://gephi.org/

Tweetmap

https://www.mapd.com/demos/tweetmap/

Buscador (OSINT Virtual Machine)

https://inteltechniques.com/buscador/

Human Advantage

While I was impressed with the software demonstrations I saw at OSMOSIS I never once felt like my skill set was threatened to be replaced by a machine.  The software gave a definite speed advantage, but the mind of a good OSINT investigator can come up with some brilliant comparisons and open source solutions that can be just as effective and run several levels deeper when it comes to full analysis of a target profile.

My Own Case Study

One set of research that I took on manually was Facebook account creation analysis.  My research is covered more in depth in previous blog.  But with a minimal amount of effort stretched over a long amount of time I was able to create a data set that lets me narrow down the date that a Facebook account was created based on the Facebook account ID number alone.  During the course of this research and analysis I was able to learn a lot about the inner workings of Facebook account creation and general strategies for research (sock puppet) account creation.

Using only open source data captured from hundreds of Facebook users, analysis of data points in a spreadsheet and graphing software I was able to generate a graph which allows me to determine the day an account was created.  This was NOT anything like scraping or mass collection by survey like we are seeing in the Cambridge Analytica headlines.  Using simple analysis of public Facebook posts over time the following graph was created and refined.

 Data points generated from Open Source data collection of Facebook posts

Data points generated from Open Source data collection of Facebook posts

The real world use for this Facebook analysis has come in handy for cases where people have been impersonated online with false accounts and for cases where a subject created multiple accounts and I needed to map out potential account involvement based on an activity or event that had occurred at a certain point in time.  

This research was featured in the Facebook chapter of Michael Bazzell's Open Source Intelligence Techniques (6th Edition) 

 Book available here:  https://inteltechniques.com/book1.html  

 

In the book entry I provided Michael with a range of Facebook ID number's that can help you quickly narrow into the specific year an account was created back through 2007.  Since then I've already been able to refine my data to where the average account can be narrowed down to a range of about 2 weeks down the exact day of account creation with only the account's ID number.

It was my own drive to solve a simple challenge in a case that lead me to developing my own tool I could rely on for many future cases.  These are the things that will separate human investigator from machine for a long time.  Knowing the advantages available in form of pricey software only pushes me and the other OSINT investigators I network with to research harder for our own specialized solutions and techniques.  

If you have any techniques to share or comments please drop me a line on Twitter @baywolf88

Happy OSINTing