Virtual Machines for OSINT

August 17, 2020

If you are an OSINT investigator you undoubtedly have your cache of tools and search resources. There is no short supply of start.me pages and link collections out there. However, for good operational security and case management a good virtual machine is just as vital to your investigation.

For the last several years Michael Bazzell and David Wescott’s Buscador VM was my go to for this, however since that project is no longer updated I’ve changed my strategy a bit. Luckily there are still several free options out there pre-configured and pre-loaded with tools that can help you get up and running quickly. We’ll do a quick tour of several of my favorites and I’ll try to leave you with enough resources you can build out your own custom virtual machine. The latter isn’t the fastest or easiest but will probably give you the best environment since you the investigator know what tools you consider a must have and which ones you would use from time to time.

To try a virtual machine out, you may not always want to grab a 20 gigabyte image file for a test drive… so I did it for you! Let’s take a quick tour!

Pre-built VM

Trace Labs Virtual Machine

Screen Shot 2020-07-23 at 11.04.27 AM.png

Trace Labs produced their own custom VM for anyone who may be participating in one of the OSINT Search Party CTFs. The system is a customized Kali Linux build so if you are familiar with the famous penetration testing VM you may have an extra comfort level. There were several pre-built apps and a massive OSINT bookmarks section installed in Firefox.

Nice assortment of links sorted by category

Anbox (Android in a Box) a containerized android system seemed convenient to have pre-installed, as mobile emulators can sometimes be frustrating to setup quickly.

Other cool programs like Phone Infoga were also ready to go. If you don’t know Phone Infoga has some phone number research mixed with google dorks which opens up across multiple tabs for some fast OSINT.

Those were two of the most handy pre-loads I found but there is a lot more to unpack the full list of applications in the build can be found on the Trace Labs Github page: https://github.com/tracelabs/tlosint-live#applications-included-in-the-build

With that many features the Tracelabs VM is likely an easy starting point for many researchers. The project is also on version 2.0 and seems to have some community momentum so the potential for it to improve is high.

Trace Labs VM is available for download here: https://www.tracelabs.org/trace-labs-osint-vm/

Tsurugi Linux

Screen Shot 2020-07-27 at 6.36.32 PM.png

Tsurugi Linux is a hybrid VM designed for digital forensics, malware analysis and OSINT. I’ve used it a couple times when it first came out but they’ve released a few updates, so I grabbed a fresh copy for a look.

As I poked around the tools and features of the OS it is quickly apparent this VM is loaded.

The preloaded applications for malware analysis and digital forensics are impressive, but there is an OSINT switcher that toggles many of those away for better access to the other more commonly used OSINT tools.

As I explored the OSINT tools one thing that stands out to me about the Tsurugi toolsets is that really seemed to be catered to actual analysis of data, not just collection and pivoting. There are several options for analysis of photos, video files, website structure and one of the most important sections that should never be overlooked… reporting.

If you find yourself doing specialized investigation (Digital Forensics or Malware Analysis) then you should definitely grab the latest copy for your tool kit.

Tsurugi can be downloaded here: https://tsurugi-linux.org/downloads.php

Tails

I’m counting Tails as a virtual machine for this blog, but Tails is a self-contained (on USB drive) privacy centered operating system. If I was somewhere away from my own machines or office but had access to a Tails USB drive and somebody else’s computer I could use Tails to conduct an investigation without risk of contaminating the host system. Kind of a quick and dirty solution, but one to know about. The setup goes through a bit of a process to ensure a clean install so it can take a while to setup initially.

Tails can be downloaded here: https://tails.boum.org/install/index.en.html

Remnux + SIFT

Remnux recently had an update so if you happen across anything malware related in your OSINT cases this is a good VM to know about. The documentation page found here is very useful and has a rundown of the tools and uses found in the virtual machine.

Screen Shot 2020-08-12 at 12.24.57 PM.png

I’ve used a hybrid VM in the past that coupled the more digital forensics focused SIFT workstation. Lenny Zeltser wrote a blog earlier this month showing a few options to make the hybrid VM.

Making the hybrid VM takes a little work, but the documentation out there is great so It is pretty easy for most to follow along even if not an expert in virtual machines.

You can download Remnux here: https://docs.remnux.org/install-distro/get-virtual-appliance

You can download SIFT here: https://digital-forensics.sans.org/community/downloads

Roll Your Own

There are several free options to get ‘clean’ operating systems and bake in your own tools and configurations. Let’s face it each of us has our own investigative methods and patterns so building out your own system is not going to be the easiest answer but you may be able to keep handy the best tools for both investigating, note taking and reporting if you build out your own research VM. Below you will find a few links that may help you get started:

Ubuntu Linux

https://ubuntu.com/download/desktop

Windows 10

https://developer.microsoft.com/en-us/windows/downloads/virtual-machines/

Genymotion Android Emulator (Personal Edition)

https://www.genymotion.com/fun-zone/

My good friends at The OSINTcurious Project reminded me that our own Nixintel wrote a great blog series about building your own custom VM

https://nixintel.info/linux/build-your-own-custom-osint-machine-diy-buscador-part-1/

If you have any VM suggestions to share or comments please drop me a line on Twitter @baywolf88

Happy OSINTing

Opting Out Like a Boss - The OSINT way (part 1)

January 25, 2018

Tip of the Hat

Quick tip of the hat to Michael Bazzell and Justin Carroll over at the Complete Privacy and Security Podcast. The offense and defense segment they do toward the end of each episode goes over one newer OSINT tactic and a way to defend your privacy against it. On a recent episode they discussed another people search site that popped up plus the opt-out link so you can have your information removed. That episode got me thinking about these types of sites and this blog is a result of that brainstorming session.

People Searching

If you follow OSINT or Privacy techniques, then you are familiar with the main people search sites like Pipl, Spokeo and Radaris. As an OSINT investigator I try to stay familiar with both the main sites and the smaller websites that continue to appear. I notate the sites with reliable results for my investigation purposes and I make sure to opt my own information off the sites for privacy.

osintframework.com currently has 44 links to various people search websites

Opt Out

Opting out is not an easy task. It takes time and effort to remove your information from the multiple sites on the internet. Some sites have a simple opt out page, others require valid ID submission as proof of your record before they will remove it. Its also not a one and done situation since new search sites appear every few months.

There are 2 excellent resources I recommend if you are going to start down the path of opt out:

Lesley Carhart wrote a blog highlighting the removal process on several sites and also delves into security checkups on your social media accounts.

https://tisiphone.net/2017/01/25/thwart-my-osint-efforts-while-binging-tv/

Micah Hoffman hosts an awesome document for opt out created by a colleague which is described on his website.

https://webbreacher.com/2017/04/24/removing-yourself-from-the-internet/

Once you feel like you have a handle on your publicly available info, set yourself a reminder and in about 6 months, go back and look for your info online again. Be prepared for another round of opting out and also don't forget about others in your household. Just because you removed all of your records from the internet doesn't mean I can't find a record of your significant other who happens to live with you now or in your past. The task of opting out is never ending. That said... can we do it more efficiently?

OSINT on the People Search sites

As I was checking out people search sites, something occurred to me. Why haven't I done OSINT on the people search sites themselves? On the OSINT framework photo I can see similarities in the names of the sites themselves. Peoplefinder.com vs Peoplefinders.com and TruePeopleSearch vs. FastPeopleSearch are very similar in name. The look and feel of the websites are all pretty similar, so my thought process goes like this. What if some of these sites are the same companies? If they were it would be pretty easy to just to launch another website and connect their people database to the new URL. Maybe there is even a trigger for the database transfer, like a certain percentage of opt outs. Those are all speculation, but I decided to dig a little bit.

I started with 2 sites similar in appearance and name Truepeoplesearch and Fastpeoplesearch:

Visibly similar in layout and almost identical toward bottom of the web page is the Terms, Privacy and Contact links.

For a closer look I drop both pages into a comparison tool at Copyscape.com. Copyscape is part of a plagiarism checking service. It runs a quick side by side comparison of matching words on 2 different webpages.

Snapshot of comparison checker at Copyscape.com

97 and 99 percent matching to each other, we can posit that even if this isn't the same company, both sites at least used the same legal template and just changed out the company name. They even have the same update stamp visible of April 5, 2017. I file this under interesting and add the comparison tool to my OSINT arsenal. Time to search a deeper level than matching words.

Sub-domain Enumeration

In the world of penetration testing, sub-domain enumeration is used to find additional servers and machines on a network to increase the chances of finding a vulnerability for the pen test.

I'm not officially on the red team so while I know of programs like Sublister and Aquatone that make Sub Domain Enumeration more automated, there are other tools just as easy for me and my use cases. Enter DNSdumpster.com:

I put DNSdumpster to work and looked for any overlap in the sub-domains of the people search websites. I started with the list of sites on Inteltechniques.com Real Name Search found here. I noticed something interesting when I got to Peoplefinders.com and Peoplesearchnow.com.

That MX record for Peoplesearchnow at 204.44.57.11 looks interesting

DNSdumpster has other features that I recommend exploring like the Domain mapping graphs and exporting the host info to an xls file, but more on that later. What I've found is my first potential link between 2 people search sites. To test my theory I want to try an opt out. Domain maps lead me to believe that PeopleFinders network is the larger one. In theory, if I opt out of the larger site, my info should drop off the smaller site as well.

2 For 1 Opt Out Attempt

First I find my record on both sites to confirm I am a part of the database in both places According to HowManyofMe.com there are approximately 142 people in the United States with the same name as me. It doesn't take long to find my record with just my name and the state I live in.

You will find the opt out link for PeopleFinders here ( https://www.peoplefinders.com/manage ) and PeopleSearchNow here ( https://www.peoplesearchnow.com/opt-out ). I submit the opt out process on the PeopleFinders site:

Submit for my confirmation

So my record drops off of PeopleFinders.com instantly, which is nice since some sites will tell you your record may take 24 hours or more to stop showing up in search results. Before I hit submit on the PeopleFinders opt out, I opened up my record in side by side browsers on the other site PeopleSearchNow. After the opt out submission I hit a refresh on the browser on the right and....

So my theory is confirmed, if multiple sites are indexing my data from the same company or server, I can opt out of multiple sites if I know which ones are connected. Since this is 2 sites out of many more that are online, I decide to dig further so I can determine if there are other ways the people search sites are connected.

Coming in Part 2

I took a closer look at the company contact info for PeopleFinders I notice another company name in the mix. I've done some OSINT pivoting on business search sites like Manta.com which look at business filings and business registration info. (Items like Duns Number, SIC and NAICS which you can read more about here)

Those pages can lead you to the company's executive names and business contact info like phone number and addresses. I'll take a closer look in part 2.

If you have any techniques to share or comments please drop me a line on Twitter @baywolf88

Happy OSINTing

See All The Things

February 21, 2017

Part of the research for the OSINT fire drill series included finding how many webcams in my area were publicly available. I ended up finding a little over 500 in the state of South Carolina. Some were right from Department of transportation websites and some were indexed through other sites like Shodan or Insecam.

Since I found so many, I decided to begin a 'small' undertaking to see how many public cameras were available nationwide and in the future aggregate them into some type of map based tool.

As I build this resource I will make the links available to my fellow OSINT researchers on a Github page. If anybody has built their own state's resource please share and I will add them to the collection.

https://github.com/baywolf88/seeallthethings

OSINT Fire Drill Part 1 - Monitoring the Internet

December 12, 2016

One project I've been working on is the ability to conduct OSINT at a real-time pace while an event is happening. I've been conducting some fire drills when there have been active shooter scenarios in progress to see how much intelligence I could produce about the area the shooter was in as well as watch for social media posts in the area of the incident.

The recap of those drills will be for another post in what may be a 3 or 4 part series. Part 1 will cover some of the tools used to monitor current events or activities that are happening online.

Staying Current

We all know that a majority of people get their current events and news happenings from social media sites like Facebook and Twitter. (Insert fake news grumble here) With a well crafted Twitter feed of the local news stations in your city you can get fairly up to the minute accounts of current events or emergencies in your area. Once you follow the activity of a particular station you may even find twitter accounts of specific reporters who specialize in events such as crime, traffic, or weather. When it comes to crime, some cities have a fairly active law enforcement social media feed as well. Your local sheriff's department will likely let you know if there is an escaped convict in your neighborhood (more on that angle in a later part of this series). Going live on Facebook or Periscope with a press conference after something happened is becoming common place. (Often these have geo location turned on as well)

Monitoring Specifics

If you don't want to stay glued to your social media feed all day, I recommend setting up some alerts.

If you have been researching a topic online setting up a google alert will tell you when there is new content available via an email notification. Since I did a few talks about OSINT this year I tried to setup some alerts to tell me if people were linking to my website or putting my name online. One alternative to Google Alerts that I found useful for this purpose was Talkwalker Alerts.

Talkwalker.com - Free Tools — Talkwalker.com - Free Tools

When I setup the alerts on my name I found that the Philadelphia Eagles Wide Receiver Josh Huff had recently been arrested for drug and gun charges. As a result, any alerts I tried to setup in my name were flooded by NFL news reports of the football player. So I learned how to filter keywords off your targeted alert search. The following alert with the AND NOT modifier seemed to cut back on alerts for the football player:

Alert for "Josh Huff" AND NOT (eagles OR arrest OR nfl OR court OR hearing OR team OR football OR receiver OR week)

Now I get a daily email with links to sites with Josh Huff mentioned. There are obviously more than 2 Josh Huffs (okay 7 if you go by http://howmanyofme.com), but this is a good way to see if anybody is mentioning my talks.

This link is a guide to all the operators you can use to refine your alerts: http://twalertsupport.talkwalker.com/what-forms-of-search-queries-are-respected/

You could use these type of alerts for specific OSINT targets you may be seeking information on or even to monitor brand reputation of your business name.

Website Changes

Just yesterday I had an excellent chance to test out some of the 'Change Detection' tools from the OSINT Framework

I was anxiously awaiting the launch of SANS Holiday Hack Challenge which was scheduled to launch Monday December 12th. I took this chance to setup an alert on 3 of the 4 tools in the OSINT Framework. ( https://visualping.io , http://www.changedetection.com and https://www.followthatpage.com )

All 3 of the sites were super easy to use. Enter a website you want to monitor for changes, enter an email to send the alert to and set the threshold of change that you want to trigger an alert. Change detection let you set up a daily alert. Follow That Page let you setup an hourly alert (every 10 mins with paid account). Visual Ping let you setup a daily alert (hourly with paid account). So I dropped them in place and wanted to see who delivered the good news first when the site was launched on Monday.

A few hours later, something awesome happened:

@EdSkoudis announces early release of Holiday Hack Challenge

Look at those time stamps! 3:46pm exactly!

Disclaimer: I don't know exactly when Ed and his team hit the Holiday Hack launch button before he tweeted the announcement but I would say Follow That Page did a pretty awesome job of hitting me with the fastest alert especially for a free service.

How did the sites compare?

Followthatpage.com emailed me at 3:46pm Sunday the 11th (was set to hourly)

Changedetection.com emailed me at 7:57am Monday the 12th. (set to daily)

Visual Ping emailed me at 12:25pm Monday the 12th. (set to daily)

Suggestions?

I talk OSINT a lot, but it is impossible to know all the tools. If you have any recommendations for online monitoring please leave some suggestions on twitter @baywolf88

Coming in Part 2 - Know How to Know Things