by Emmanuelle Welch
Earlier this month, about 300 online investigators converged on Las Vegas’ Excalibur hotel for the fourth edition of Osmosis 2018, the annual online social media and open-source intelligence (OSINT) investigation summit organized by Hetherington Group. The “Dark Web Knights” were out to acquire the best techniques for charting Dark Web investigations.
Looking for a little help from friends to crawl through the Dark Web, follow the scent of kush markets, locate data leaks, and zero in on stolen merchandise? Lending hands were plentiful at Osmosis, the annual online social media and open-source investigation summit. Demystifying the underbelly of the Internet was a main motif of the conference, attended by about 300 investigators, a.k.a. the “Dark Web Knights.” The open-source sleuths were mostly from the U.S. and Canada, though some came from as far as Australia, the U.K. and Namibia. The audience of law enforcement, government agencies, and private firms was lured by the prospect of adding new techniques to their OSINT toolboxes, as well as networking and socializing in the flesh with pals from Twitter and the IntelTechniques forum.
The definition du jour for #OSINT, as given by security consultant and OSINT yoda Justin Seitz on one recent podcast, is: “Pretty much anything that you can access online that doesn’t involve clandestine sources and secrecy.” That includes the Dark Net.
Anthony Reyes, president at High Technology Crime Investigation Association (HTCIA), pulled out different Darkware tools, i.e. software used to access the Dark Web, including IRC client HexChat and the encrypting IRC proxy, DIRT. “IRC is making a come-back!” Reyes announced with apparent glee. “IRC was the beginning of the Dark Web, and it’s back as part of the Dark Web,” he reminded the younger crowd. But the main tools remain the best-known darknet technology, the Tor browser, followed by the anonymous I2P network, peer-to-peer network ZeroNet, and BitTorrent client Tribler. “For a more secure setup of these, use a browser you never use otherwise, such as Opera or Vivaldi,” Reyes recommended.
His presentation on the data left behind by Tor on a user’s computer, even when run from a USB drive, was an eye-opener to many. Knowing the vulnerabilities that can expose an investigator can also prove useful in determining whether Joe Subject or Jane Suspect has been visiting the Dark Web. Steps include reviewing a computer’s registry for deleted programs, looking for traces of Tor use in RAM, or digging for the meek-client.exe file, which, if still on a computer, reveals that Tor was used and has since been removed. Sounds a tad technical? It was at times, but the idea is that even a non-techie can investigate the Dark Web much further than initially thought.
Dark Net Investigations
Because of the constant threat of malware and looming infection by botnets, a Dark Web investigation often starts with a virtual machine (Kali Linux in VirtualBox appears to be a favorite). Instructors also mentioned remote virtual machines such as Amazon WorkSpaces, Paperspace, or MacStadium, or using a PC after some adjustments to protect the user’s anonymity: “This laptop has no Microsoft and no Adobe so that I can’t trip,” explained OSINT expert trainer Kirby Plessas during a live demonstration.
For the methodical investigator who likes to read a manual before plunging head-first, Plessas gave plenty of tips on how to locate Dark Net vendor and buyer bibles on Reddit and how to stay current on Dark Net news and tools. So-called Dark Web search engines don’t really search the Dark Web, but Torch was many experts’ favorite engine for searching Dark Net links.
Most dark markets require users to log in but don’t require verification. Plessas showed how to collect nuggets of information on a dark market, such as an image hotlinked on a server, a portion of a PGP key, a username, a burner phone number, or clues left by buyers: “I always look at the ratings, because people call sellers by different user names,” she said, examining a listing for heroin that garnered rave reviews. Bitcoin addresses are also key.
Digital forensics expert Eric Huber, Vice President of International and Strategic Initiatives at NW3C, devoted an entire session to virtual currency investigations, mostly decentralized cryptocurrencies. Not too many eyes glazed over the neat deck of slides on blockchain technology and various crypto-crimes, because Huber managed to make it wildly entertaining. Again, an investigator doesn’t need advanced crypto-forensic tools to make progress on a case involving the now ubiquitous Bitcoin transaction, whether ransomware attacks, concealment of assets, or money laundering, Huber told the crowd.
In fact, you often need to go back to traditional investigative methods: “Don’t forget that there is a lot of paper involved. After a search warrant, you may end up with pieces of paper, sometimes with a string of numbers. A bitcoin transaction number…” Since every Bitcoin transaction is recorded in a public ledger, anyone can download the entire transaction history of bitcoins and analyze it or parse it in blockchain.info or Block Explorer. Advanced tools can tell if a transaction came from a particular wallet, to a particular Dark Net market.
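To show what that public ledger actually contains, here is an added example (not from Huber’s talk or the author) that parses a raw, legacy-serialized Bitcoin transaction into its inputs, output values and pay-to-pubkey-hash recipients, and computes its transaction id. The transaction bytes are constructed for illustration, not a real mainnet transaction.

```python
import hashlib

# Constructed sample: one input, two P2PKH outputs. Not a real transaction.
SAMPLE_TX_HEX = (
    "01000000" "01"                                   # version 1, one input
    + "aa" * 32 + "00000000" "00" "ffffffff"         # prev txid, vout 0, empty scriptSig, sequence
    + "02"                                           # two outputs
    + "00e1f50500000000" "19" "76a914" + "11" * 20 + "88ac"   # 1.0 BTC to hash160 11..11
    + "80f0fa0200000000" "19" "76a914" + "22" * 20 + "88ac"   # 0.5 BTC to hash160 22..22
    + "00000000"                                     # locktime 0
)

def read_varint(buf, pos):
    """Decode Bitcoin's CompactSize integer; returns (value, new_pos)."""
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    width = {0xFD: 2, 0xFE: 4, 0xFF: 8}[first]
    return int.from_bytes(buf[pos + 1:pos + 1 + width], "little"), pos + 1 + width

def txid(raw):
    """Transaction id: double SHA-256 of the serialization, displayed byte-reversed."""
    return hashlib.sha256(hashlib.sha256(raw).digest()).digest()[::-1].hex()

def parse_tx(raw):
    """Parse a legacy (non-witness) serialized transaction into a dict."""
    if raw[4] == 0x00 and raw[5] == 0x01:
        raise ValueError("witness (SegWit) serialization is not handled by this parser")
    version = int.from_bytes(raw[:4], "little")
    n_in, pos = read_varint(raw, 4)
    inputs = []
    for _ in range(n_in):
        prev_txid = raw[pos:pos + 32][::-1].hex(); pos += 32   # stored little-endian
        vout = int.from_bytes(raw[pos:pos + 4], "little"); pos += 4
        slen, pos = read_varint(raw, pos)
        pos += slen + 4                                        # skip scriptSig and sequence
        inputs.append({"prev_txid": prev_txid, "vout": vout})
    n_out, pos = read_varint(raw, pos)
    outputs = []
    for _ in range(n_out):
        value = int.from_bytes(raw[pos:pos + 8], "little"); pos += 8   # satoshis
        slen, pos = read_varint(raw, pos)
        script = raw[pos:pos + slen]; pos += slen
        # P2PKH script: OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG
        p2pkh = len(script) == 25 and script[:3] == b"\x76\xa9\x14" and script[23:] == b"\x88\xac"
        outputs.append({"value_sat": value, "pubkey_hash": script[3:23].hex() if p2pkh else None})
    locktime = int.from_bytes(raw[pos:pos + 4], "little")
    return {"txid": txid(raw), "version": version, "inputs": inputs,
            "outputs": outputs, "locktime": locktime}
```

The pubkey hashes are what a block explorer base58-encodes into the familiar “1…” addresses; following the `prev_txid`/`vout` pairs backwards is how wallet attribution starts.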
More advice for investigating the Dark Net came from no less than Andrew Lewman, former CEO of the Tor Project and vice president of Dark Owl. During his presentation on investigating an onion site, in this case a dump of credit card information, he showed a method (detailed in this blog post) that involves firing up the “developer tools” in your preferred browser and watching the conversation with the web server. This alone can provide a ton of information, he told the audience.
So does looking at the code of a web page. “Through the source code, look for everything unique,” recommended Kirby Plessas. In fact, this is one of my main takeaways from Osmosis, and from this vibrant and growing community of open source investigators: As social media sites clamp down access and change, causing some of our investigative methods to go obsolete, we need to constantly think of new ways to get data—and data that isn’t presented to us on our screen. Inspecting lines of code in “devtools consoles” isn’t nearly as rousing as an evening of partying in a Vegas penthouse with a magician and a game of beer pong, but all it takes is some time, a curious mind, and a little help from friends.
Andrew Fordred, a hacker at large, forensic investigator, and founder of Intelligence-i1, is the unassuming Beatle of OSINT. A cult hero of the IntelTechniques forum, he came to Osmosis from Namibia (distributing colorful souvenirs to a lucky bunch!) and taught the roomful of investigators how to “Expose dirty business with a little help of some friends.” His OSINT strategy includes a mix of free and paid software (Fordred was a beta tester for Justin Seitz’s Hunchly, a tool for documenting and authenticating web captures that is a favorite of many OSMOSIS attendees.)
He also contributed to the Automating OSINT Python course and to the visual link analysis tool Maltego, which has free versions. Other free “friends” recommended were The Harvester and Fear the FOCA, a tool used mainly to find metadata and hidden information in the documents it scans. “In essence,” concluded Fordred, “no one tool completes the OSINT or online investigation process.”
Also: avoid “street light vision,” as in “searching only where there is more light.”
Better Than Dumpster Diving
Ask Amber Schroader, founder of Paraben Corp., about the mass adoption of “Internet of Things” platforms, and the IoT forensics expert will tell you that “it’s better than dumpster diving.” Schroader gave a captivating presentation on everyday devices that record and store data for years (who is guilty of syncing their phone to a rental car’s sound system to listen to music?) and end up assisting tremendously in investigations, even murder cases.
Indeed, robot vacuum cleaners that map the house and suddenly work around a dead body can become a major piece of evidence to date the time of death. Not to mention Amazon’s Alexa who, by all means, should be called if you’re running around the house, chased by a stranger, so that your digital friend can record the events in the cloud.
Schroader gave tips on expanding your imagination to consider all possible embedded and attached devices containing data, from pacemakers to smart sweaters that “send you hugs.” For instance, when a vehicle forensics examination turns out to be very expensive, find out if the driver was wearing a Fitbit tracker that may contain the same data, retrievable at a fraction of the cost. These devices are, in Schroader’s words, “‘forensic sprinkles’ because they make life so much better.”
About the Author:
Emmanuelle Welch, CFE, is a private investigator licensed in New York State and Washington DC, and is owner of French Connection Research, an investigative agency specializing in Open Source Investigation and transatlantic white collar crime. An OSMOSIS attendee since 2015, she presented on “Hacking the dating sites and hook-up apps” in 2017 and maintains a repository of dating sites here.