OPSEC Tradecraft for OSINT

Written by Steve Adams | Feb 17, 2023 2:30:13 AM

Remaining anonymous is often vital during internet investigations. Investigators may wish to remain anonymous for many reasons, but two stand above the others.

Firstly, when a subject becomes aware of an investigation they are likely to change their behavior and routines. A successful investigation often relies on catching an offender in the act, so causing them to change their behavior can mean missing the opportunity to prosecute.

Secondly, alerted subjects can pose a physical risk to investigators. Individuals being investigated through the internet can include dangerous and violent people. If those subjects learned the names of their investigators, they might act to disrupt the investigation or retaliate against those who found the evidence supporting a prosecution. Ensuring that the subject never learns the investigator's name is crucial.

OPSEC, or operations security, is the set of steps that investigators formulate into a process to follow during an OSINT investigation so that they remain anonymous and their activity goes undiscovered. OPSEC is achieved through a combination of software, hardware, and working practices.

Traditionally, advice for investigators conducting OSINT investigations has erred on the side of caution, with trainers advocating absolute protection at all times. However, the need for specific hardware and software varies with the nature of the investigation; the type of subject and the investigative process both play a key role.

Blanket requirements for tools like covert machines, VPNs, and virtual machines on every OSINT investigation have led to ineffective use of resources, with investigators in some organizations having to wait for access to shared covert machines or travel to a location that has one. With the recent shift to remote working, mandating covert machines means increased travel or hardware costs.

In reality these measures, while representing best practice, are not necessary for every single investigation once the likely risk is factored in. The need for each of the tools recommended below should be risk assessed case by case, so that effective measures are adopted when necessary but not so overcautiously that the investigation suffers.

This is an introduction to OPSEC tradecraft for OSINT. The full webinar and the downloadable guide cover advanced techniques and analysis.

Investigation Device

When conducting any internet investigation, an investigator should always use a device dedicated to such work. This can be a device used only for investigations or a device used for other work, but it should never be a personal device.

Personal devices hold personal data and have been logged into personal social media accounts. That information can leak into an investigation through several avenues, for example LinkedIn contacts on a covert account being populated from the device's contact list. To minimize this, never use a device or account that is linked to your personal accounts.

Using a personal device can also compromise a legal case. Internet investigation techniques are scrutinized in court, and using a personal device demonstrates poor professional standards. Lawyers may also request to examine the device used, and it should not contain personal files.


Mobile Hotspots

Mobile hotspots, also known as wireless routers or MiFis, are portable devices that provide a WiFi connection anywhere there is cellular coverage. As with a cell phone/mobile phone contract, users pay a monthly fee to a service provider, and the hotspot reaches the internet through a SIM card.

Investigators can use a mobile hotspot to ensure that they are not using their personal or work internet service during investigations. A personal internet service is tied to a subscriber account and carries personal web traffic that may include identifying information.

In most cases a mobile hotspot will not be necessary. The majority of criminals cannot trace an IP address to a named subscriber: doing so requires the internet service provider's records, obtained either through a warrant or by compromising the ISP. However, when investigating foreign nation officials or high-level criminals with extensive funds and criminal networks that may be able to reach this data, a hotspot on a separate subscription provides assurance that the investigator's personal details will not be discovered.

In the US, investigators can get a mobile hotspot from providers like T-Mobile and AT&T. Similarly, in the UK, investigators can get a mobile hotspot from providers like EE, O2, and Vodafone.


Virtual Private Networks (VPNs)

A Virtual Private Network routes the device's traffic through a server operated by the VPN provider, so the destination sees the server's internet protocol (IP) address rather than the investigator's. Any activity therefore appears to originate from the location of the VPN server, not from the device the investigator is using. An IP address can be traced back toward its source, so if you slip up during an investigation and your IP is not protected, you open yourself to discovery and danger and may inadvertently alert the subject to both yourself and the investigation. Note that a VPN moves the point of trust rather than removing it: the provider can see your real IP and the sites you visit, which is why the jurisdiction and logging policies of the providers below matter.

As with a mobile hotspot, most internet users cannot obtain ISP records, so a VPN is only required at certain times.

Any website owner can see the IP address of everyone who accesses their site, along with the browser's request headers. From an IP address the owner can derive rough geolocation, which, if they monitor traffic closely, could show a location near the investigator. A VPN should therefore always be used when accessing any subject's or business's website during an investigation.

When conducting investigative activity on social media, only the social media company can see the IP addresses connecting to its servers, so in most cases a VPN is not required to view a subject's social media account. Social media companies will hand over traffic data in response to a warrant, and their records could in principle be obtained through a breach. Therefore, when investigating foreign nation officials or high-level criminals with extensive funds and criminal networks that may be able to reach this data, using a VPN for social media activity might be worthwhile.
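The question "is my IP protected right now?" is worth turning into a check that runs before a subject's site is opened. The following pre-flight script is an added example, not from the original article or any VPN vendor: it takes the public address currently in use (in practice returned by a what-is-my-IP lookup made through the tunnel) and refuses to proceed if it is not a public address at all (tunnel down) or if it falls inside a range the investigator or their organization is known to own. The ranges and addresses here are constructed from the RFC 5737 documentation blocks.

```python
"""Egress pre-flight check for an investigation session.

Added example, not from the original article. Ranges and addresses are
constructed (RFC 5737 documentation ranges); in use, OWN_PREFIXES would hold
the investigator's real home/office ranges and the observed address would
come from a what-is-my-IP lookup performed through the VPN tunnel.
"""
import ipaddress

# Ranges that can be attributed to the investigator or their organisation.
OWN_PREFIXES = [
    ipaddress.ip_network("198.51.100.0/24"),  # office NAT pool (constructed)
    ipaddress.ip_network("203.0.113.40/32"),  # home static address (constructed)
]

# Addresses that can never be what a remote site sees; if a lookup returns one
# of these the request never left the local network (tunnel down, captive
# portal, misconfigured proxy).  ipaddress.is_private is deliberately not used
# because Python also classes the RFC 5737 documentation ranges as private.
NON_ROUTABLE = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("100.64.0.0/10"),   # carrier-grade NAT
    ipaddress.ip_network("fc00::/7"),        # IPv6 unique local
]


def classify_egress(observed: str, own_prefixes=OWN_PREFIXES) -> dict:
    """Decide whether the observed public address is safe to proceed with.

    Returns {"ok": bool, "reason": str}.  ok=False means: do not open the
    subject's website on this connection.
    """
    try:
        ip = ipaddress.ip_address(observed)
    except ValueError:
        return {"ok": False, "reason": f"lookup did not return an IP address: {observed!r}"}

    # Membership of a v4 address in a v6 network (and vice versa) is simply False.
    if ip.is_loopback or ip.is_link_local or any(ip in net for net in NON_ROUTABLE):
        return {"ok": False, "reason": f"{ip} is not a public address; the tunnel is probably down"}

    for net in own_prefixes:
        if ip in net:
            return {"ok": False, "reason": f"{ip} falls inside attributable range {net}"}

    return {"ok": True, "reason": f"{ip} is public and outside every attributable range"}


if __name__ == "__main__":
    # Constructed lookups: office address leaking, tunnel down, VPN exit in use.
    for observed in ("198.51.100.17", "10.0.0.5", "192.0.2.77"):
        verdict = classify_egress(observed)
        print(f"{observed:>15}  ok={verdict['ok']}  {verdict['reason']}")
```

Wire the lookup into whatever starts the investigation session and treat an `ok=False` verdict as a hard stop, not a warning; the check is cheap and the failure mode it catches (a tunnel that silently dropped) is exactly the slip the paragraph above describes.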

NordVPN

NordVPN is a VPN service with applications for Microsoft Windows, macOS, Linux, Android, iOS, and Android TV. NordVPN operates under the jurisdiction of Panama, a country that has no mandatory data retention laws and does not participate in the Five Eyes or Fourteen Eyes intelligence-sharing alliances. NordVPN provides users with access to servers in 60 countries. NordVPN is a great VPN service for the average OSINT specialist and is available from $3.29/ £2.89 a month.

Private Internet Access (PIA)

Private Internet Access is a VPN service with applications for Microsoft Windows, macOS, Linux, Android, and iOS. PIA states that it stores no logs, but it operates under US jurisdiction and can be compelled to hand over whatever data it does hold to US law enforcement under a warrant. PIA provides users with access to servers in 78 countries. PIA is an affordable VPN service for the average OSINT specialist and is available from $2.69/ £1.69 a month.

Proton VPN

Proton VPN is a VPN service with applications for Microsoft Windows, macOS, Linux, Android, and iOS. Proton VPN is based in Geneva and operates under Swiss jurisdiction, which has strict data privacy laws. Proton VPN is a high-end VPN service for corporate OSINT users and is available from €4 a month for access to servers in 40 countries and two users, or €8 a month for servers in 63 countries and ten users.

Surfshark

Surfshark is a VPN service with applications for Microsoft Windows, macOS, Linux, Android, iOS, gaming consoles, and smart TVs. Surfshark operates under the jurisdiction of the Netherlands and as such is governed by EU and Dutch law, and can be compelled to share any data it holds with law enforcement under a warrant. Surfshark offers a camouflage mode that obfuscates the VPN protocol so that, to your ISP or a network observer, the connection looks like ordinary internet traffic; it does not change what the destination website sees, which is still the VPN server's IP address. Surfshark is a solid VPN service for the average OSINT specialist and is available from $2.49/ £2.49 a month.


Virtual Machines 

Even with a VPN there is still some risk. The majority of social media users are unable to identify which computer was used to view their profile, as this information is only available to the social media site itself. However, as with a VPN, it is recommended to use a virtual machine when accessing a subject's website, so that the device, operating system, and browser the site records (for example via the User-Agent header) are those of the virtual machine rather than of the investigation device. A virtual machine remains crucial whenever a website being accessed might pose a risk to the machine, such as during dark web activity.

A virtual machine emulates a computer and its operating system inside your own operating system. Virtual machines provide a safe environment that can be turned off and deleted, shielding your investigative device from risk: if you stumble onto a heap of malware, only the virtual machine should be affected, and you can start afresh with a new virtual machine (or revert to a clean snapshot) without any impact on your device.

To use a virtual machine, investigators first need to install a hypervisor, which is the software that runs the virtual machine. VMware Workstation Player and VirtualBox are two free options for running a virtual machine on a desktop.

The Trace Labs OSINT VM is a virtual machine designed specifically for OSINT that can be run on both VMware and VirtualBox. It comes pre-installed with a range of OSINT tools, such as Instaloader, Twint, Sherlock, and WhatsMyName.
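Both the VPN advice above (a site owner sees your IP address) and the virtual machine advice (a site owner sees your device, operating system and browser) come down to what lands in the web server's access log on every request. The script below is an added example, not from the original article: it parses two constructed log lines in Apache "combined" format, one visit straight from an investigator's own laptop after clicking through from LinkedIn, one from a Linux virtual machine with no referrer, and lists what the site owner learns from each. The user-agent strings are representative, not captured traffic.

```python
"""What a subject's web server records about each visitor.

Added example, not from the original article. The two log lines are
constructed in Apache "combined" format; the user-agent strings are
representative, not captured traffic.  The IP address, the referring page
and the OS/browser pair are written to the site owner's log on every
request; a VPN replaces the first, a virtual machine replaces the last.
"""
import re

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed: one visit from the investigator's own laptop straight off a
# LinkedIn page, one from a Linux virtual machine with no referrer.
SAMPLE_LOG = """\
203.0.113.40 - - [17/Feb/2023:09:12:01 +0000] "GET /about HTTP/1.1" 200 5120 "https://www.linkedin.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.1 Safari/605.1.15"
198.51.100.77 - - [17/Feb/2023:09:12:09 +0000] "GET /about HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/110.0"
"""

# Order matters: an Android UA also says "Linux", a Chrome UA also says
# "Safari", an Edge UA also says "Chrome".
OS_MARKERS = [("Windows NT", "Windows"), ("iPhone", "iOS"), ("iPad", "iOS"),
              ("Macintosh", "macOS"), ("Android", "Android"), ("Linux", "Linux")]
BROWSER_MARKERS = [("Firefox/", "Firefox"), ("Edg/", "Edge"),
                   ("Chrome/", "Chrome"), ("Safari/", "Safari")]


def _first_match(ua: str, markers, default: str = "Unknown") -> str:
    for needle, label in markers:
        if needle in ua:
            return label
    return default


def parse_log(text: str) -> list:
    """Turn combined-format log lines into what the site owner learns per visit."""
    visits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than guess
        req = m["req"].split()
        visits.append({
            "ip": m["ip"],
            "time": m["ts"],
            "path": req[1] if len(req) > 1 else "",
            "referer": "" if m["referer"] == "-" else m["referer"],
            "os": _first_match(m["ua"], OS_MARKERS),
            "browser": _first_match(m["ua"], BROWSER_MARKERS),
        })
    return visits


def exposure_notes(visit: dict) -> list:
    """The fields beyond the IP that tell the owner something about the visitor."""
    notes = []
    if visit["referer"]:
        notes.append(f"referrer shows you arrived from {visit['referer']}")
    if visit["os"] != "Unknown":
        notes.append(f"user-agent shows {visit['os']}/{visit['browser']}")
    return notes


if __name__ == "__main__":
    for v in parse_log(SAMPLE_LOG):
        detail = "; ".join(exposure_notes(v)) or "nothing beyond the IP address"
        print(f"{v['ip']:<15} {v['time']}  {v['path']:<8} {detail}")
```

The first record is the one to avoid producing: it ties a real office or home address to macOS/Safari and, through the referrer, to the fact that the visitor came from LinkedIn, which is usually the subject's own profile. The second record is what a VPN exit plus a throwaway Linux virtual machine looks like from the other side.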


Browsers 

Having established the required security measures to ensure an investigation remains anonymous and safe, selecting a browser is the next step toward conducting internet investigations.

Selecting a browser for internet investigation is essentially a personal choice, as each has its own benefits. Internet investigations often incorporate the use of browser extensions, covered later in the guide. Some of these add-ons are only available for Firefox or Chromium (Chrome and Brave) browsers, so having access to more than one browser may be beneficial. 

PrivacyTests publishes audits of popular browsers that break down the privacy protections of each, which may help inform a browser decision.

Firefox

Firefox is a browser built by Mozilla, first released in 2002 and designed with privacy in mind. Firefox is available on Windows, Mac, and Linux machines and iOS and Android devices.

Minor changes can be made within Firefox for enhanced privacy in the 'Privacy & Security' section of the settings. These include selecting the 'Strict' level of Enhanced Tracking Protection and setting cookies and site data to be deleted when Firefox is closed.

Chrome

Chrome is a browser built by Google and first released in 2008. Chrome has an extensive store of browser extensions that investigators can leverage. Chrome is available on Windows, Mac, and Linux machines and iOS and Android devices.

As Chrome is owned by Google and sends usage data to Google, there are valid privacy concerns that investigators should weigh.

Minor changes can be made within Chrome for enhanced security in the ‘Privacy and security’ section. These changes can include selecting to block third-party cookies.

Brave

Brave is a browser built by Brave Software and first released in 2019. Brave is a privacy-focused browser that blocks online advertisements and website trackers in its default settings, without any configuration changes. Brave is a Chromium browser, meaning it can use Chrome's extensive store of browser extensions. Brave is available on Windows, Mac, and Linux machines and iOS and Android devices.

OSIRT

OSIRT is an OSINT-focused investigation browser that enables investigators to capture evidence and build reports automatically. OSIRT is currently only available on Windows. It was last updated in 2018; at the time of writing, a new release was expected in spring 2022.


Password Manager

A password manager is an encrypted digital vault that stores secure password login information, enabling users to easily create different unique passwords for every service without the need to remember each password.

When creating a password for an investigation account, investigators should not invent the password themselves, as they may inadvertently include words, dates, or numbers associated with them. Use the password manager's generator instead.

Using a unique password for each platform means that even after a data breach, investigative accounts cannot easily be linked to one another or accessed.

Two leading password managers with browser extensions are 1Password and LastPass. Both offer free accounts and paid options with enhanced features, such as access to the vault from both browser extensions and mobile applications.

Both 1Password and LastPass will by default autofill username and password fields and let users generate a new password from the password field.

From the extension menu at the top of the browser, users can click the LastPass or 1Password button to view the menu. In the extension menu, investigators can view and copy the username and password for the site currently being accessed and can open up the full password vault.
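The two properties the section asks for, a password the investigator did not choose and a different password for every platform, are easy to state precisely. The script below is an added example, not from the original article and not the generator inside 1Password or LastPass: it draws passwords from a cryptographically secure source, reports the resulting guessing work, rejects any candidate that happens to contain one of the investigator's personal tokens (a constructed list: pet, street, years, sports team), and guarantees that no two platforms receive the same value.

```python
"""Generating investigation-account passwords without the investigator's
fingerprints on them.

Added example, not from the original article and not the generator used by
1Password or LastPass; it shows the properties a generated password should
have.  PERSONAL_TOKENS is a constructed list of things an investigator might
subconsciously reuse in a hand-made password.
"""
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"
PERSONAL_TOKENS = ["rover", "elmstreet", "1987", "2019", "spurs"]  # constructed


def generate_password(length: int = 24, alphabet: str = ALPHABET) -> str:
    """CSPRNG-backed password: secrets.choice, never random.choice."""
    if length < 16:
        raise ValueError("use at least 16 characters for account passwords")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Guessing work, in bits, for a uniformly generated password."""
    return length * math.log2(len(alphabet))


def personal_tokens_in(password: str, tokens=PERSONAL_TOKENS) -> list:
    """Tokens of three or more characters found (case-insensitively) in the password."""
    low = password.lower()
    return [t for t in tokens if len(t) >= 3 and t.lower() in low]


def issue_passwords(platforms, tokens=PERSONAL_TOKENS, length: int = 24) -> dict:
    """One unique password per platform, regenerated if a candidate happens to
    contain a personal token or collides with one already issued."""
    issued = {}
    for platform in platforms:
        while True:
            candidate = generate_password(length)
            if not personal_tokens_in(candidate, tokens) and candidate not in issued.values():
                break
        issued[platform] = candidate
    return issued


if __name__ == "__main__":
    print(f"{entropy_bits(24):.1f} bits per 24-character password")
    # A hand-made password with two personal tokens in it is flagged.
    print("rejected tokens:", personal_tokens_in("Rover2019!xkq"))
    for platform, pw in issue_passwords(["linkedin", "facebook", "twitter"]).items():
        print(f"{platform:<10} {pw}")
```

The regeneration loop almost never fires (a 24-character random string containing "rover" is vanishingly unlikely), but it makes the rule explicit and costs nothing; the real value is that `generate_password` never consults anything about the investigator, so there is nothing to leak.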


Activity Recording Tools

When you’re conducting an investigation, it’s important to keep track of your findings, both what you’re seeing and where you’re seeing it. If an investigation goes to court, an investigator needs to be able to demonstrate the source for everything they are presenting and have all of that intelligence stored appropriately.

Hunchly 

Hunchly is a paid-for tool popular with OSINT investigators, priced at $130 per year. Hunchly runs in the background and records all of your browser activity within Chrome. It collects and documents every web page you visit, logging the URL, timestamp, and a hash of each page, so you can look back through every page visited and evidence any investigative route on request. It also lets you capture selected pages and images into an automated report, saving you from saving HTML pages and images separately.

Zotero

Zotero is a free tool that describes itself as a personal research assistant. You can store web pages as a link or a snapshot within Zotero, and it will collect the metadata on the site and offers automatic referencing. However, Zotero does not offer the same tooling as Hunchly or the same ease of recording: Zotero only stores what is selected, whereas Hunchly stores everything the investigator sees.

Snagit

Snagit is a paid-for screen recording tool priced at £60 for permanent access to the version purchased. Snagit is the right tool when investigators need to capture the full investigative process rather than just the web pages accessed, such as during dark web investigations.
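The three things the Hunchly description attributes to a good activity record (URL, timestamp, and a hash of each page) are what let an investigator prove in court that a page looked a certain way at a certain time. The script below is an added example, not Hunchly's code or file format: it keeps a JSON-lines capture log with those three fields, and additionally chains each record to the previous one so that deleting or reordering records is detectable, not only editing a page body. The page bodies are constructed bytes standing in for fetched HTML.

```python
"""A minimal capture log with the properties the article attributes to
Hunchly: a URL, timestamp and content hash for every page, checkable later.

Added example, not Hunchly's code or file format.  Page bodies are
constructed bytes standing in for fetched HTML.  Each entry also commits to
the previous entry's digest, so that dropping or reordering records breaks
the chain just as editing a single page body breaks its hash.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # chain value before the first record


def _chain_digest(prev: str, url: str, captured_at: str, sha256: str) -> str:
    return hashlib.sha256(f"{prev}|{url}|{captured_at}|{sha256}".encode()).hexdigest()


def record_capture(log: list, url: str, body: bytes, captured_at=None) -> dict:
    """Append one capture record to `log` and return it."""
    when = (captured_at or datetime.now(timezone.utc)).isoformat()
    digest = hashlib.sha256(body).hexdigest()
    prev = log[-1]["chain"] if log else GENESIS
    entry = {
        "url": url,
        "captured_at": when,
        "size": len(body),
        "sha256": digest,
        "prev": prev,
        "chain": _chain_digest(prev, url, when, digest),
    }
    log.append(entry)
    return entry


def verify_body(entry: dict, body: bytes) -> bool:
    """Does a stored page body still match what was recorded for it?"""
    return len(body) == entry["size"] and hashlib.sha256(body).hexdigest() == entry["sha256"]


def verify_log(log: list) -> bool:
    """Recompute the chain; any edited, dropped or reordered record breaks it."""
    prev = GENESIS
    for e in log:
        if e["prev"] != prev:
            return False
        if e["chain"] != _chain_digest(prev, e["url"], e["captured_at"], e["sha256"]):
            return False
        prev = e["chain"]
    return True


def to_jsonl(log: list) -> str:
    """One JSON object per line: append-only and diff-friendly for disclosure."""
    return "".join(json.dumps(e, sort_keys=True) + "\n" for e in log)


def from_jsonl(text: str) -> list:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    log = []
    t0 = datetime(2023, 2, 17, 9, 12, tzinfo=timezone.utc)  # fixed so the run is reproducible
    page_a = b"<html><body>constructed subject page</body></html>"
    page_b = b"<html><body>constructed company page</body></html>"
    record_capture(log, "https://example.com/about", page_a, t0)
    record_capture(log, "https://example.com/team", page_b, t0)
    print(to_jsonl(log), end="")
    print("log intact:", verify_log(log), "| first body intact:", verify_body(log[0], page_a))
```

Keep the page bodies alongside the log (the hash proves a body is unchanged; it does not reproduce it), and store the log somewhere append-only. A chained log like this does not stop the person holding it from rewriting the whole thing, so for court-bound work it still needs to be anchored externally, for example by periodically recording the latest `chain` value somewhere the investigator cannot alter.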


Automating OSINT

To establish a secure environment that supports anonymous manual OSINT investigations, the table below shows a financial commitment, excluding the cost of the investigator's time, of $1,912.14 for the initial year and $563.14 for each following year.

Investigative Tools Investment

Item                      Device/ Software      Cost        Recurrence
Investigation Device      MacBook Pro           $1,199.00   Single
Cell Phone                Samsung Galaxy A11    $150.00     Single
SIM Card for Cell Phone   Mint Mobile           $180.00     Annual
Mobile Hotspot            Nighthawk M6          $103.44     Annual
VPN                       ProtonVPN             $101.70     Annual
Virtual Machine           TraceLabs             $0.00       Single
Browsers                  Brave                 $0.00       Single
Password Manager          LastPass Business     $48.00      Annual
Activity Recording Tool   Hunchly               $130.00     Annual

First Year Total                                $1,912.14   Single
Following Years                                 $563.14     Annual

Using a tool like Skopenow, you can automate OSINT investigations and negate anonymity and security concerns associated with collecting internet intelligence. Skopenow instantly and anonymously locates and archives web pages and social media activity, plots location history, flags actionable behaviors, and reveals hidden connections between individuals. Skopenow’s automatic report builder will save you time organizing the analyzed intelligence into a court-ready report. Please reach out to sales@skopenow.com or visit www.skopenow.com/demo to schedule a demo and activate a 7-day free trial for qualified businesses.
