IntelTechniques OSINT Training Consolidated Lesson Notebook v.8.2022

English, 878 pages, 2022


Consolidated Training Notebook v.8.2022

Training lessons are accompanied by individual pre-written notes in PDF and/or Markdown formats. The individual training documents will always be the most up to date, but we recognize that some members prefer to periodically download and/or print the notes as a whole. Periodically we collect the updated notes from each lesson and consolidate them into a single notebook. We do our best to update and repair tactics, links, resources, etc. over time using member feedback, but due to the large volume of notes and content there will inevitably be errors here and there. For example, a site that is a great video download resource one month may be gone the next. If you find broken links or other errors in the notes, please report them to Jason on our Matrix server or email a list of any errors to [email protected]. It is very helpful if you include a screenshot or a copy/paste of the detail that needs updating. Thank you for supporting the training and providing any feedback. -Jason

Contents

1Consolidated Training Notebook.pdf, 1GettingStartedTips-220225-103315.pdf, 1OSINT Training Overview v.pdf, 1OSINTCertification.pdf, 1OSINTUseCases.pdf, 1Renewals.pdf, 1Training Exercises 2022.pdf, 1Welcome.pdf
2022_new_pdfs
20CheatSheet_OSINT_Sept_2020v1.pdf, 20DomainBriefingBriefingTemplate_PowerPointConversion.pdf, 20TargetNotebookTmplate.pdf
2OSINTAccountCreation.pdf, 2OSINTBasicSteps.pdf, 2OSINTBrowserCustomization.pdf, 2OSINTCustomTools.pdf, 2OSINTEntityCardsAlternateStyle.pdf, 2OSINTEntityCardsdrawio-220626-165826(1).pdf, 2OSINTEquipment.pdf, 2OSINTFaceSheetChecks2020.pdf, 2OSINTLinkAnalysisTimelines.pdf, 2OSINTMac.pdf, 2OSINTReportAirBnB_RedactedSample-220704-175314.pdf, 2OSINTStreamdeck.pdf, 2OSINTTrainingSetup.pdf, 2OSINTVSCode.pdf, 2OSINTWindowsAdv.pdf, 2OSINT_EntityTiles-220626-165657(1).pdf, 2OSINT_ReportConsiderations.pdf
3OSINTHunchly.pdf, 3OSINTMediaCapture.pdf, 3OSINTQuickVideoCaptureJuly2020.pdf, 3OSINTShareX.pdf, 3OSINT_Archiveboxt-220314-165705.pdf
4OSINTSearchEngines.pdf, 4OSINTSearchOperators.pdf, 4OSINT_bookmarklets-220429-134130.pdf, 4OSINT_BrowserCustomization-220429-231930.pdf, 4OSINT_ToolsUpdate2022-220731-105256.pdf
5OSINTEmails.pdf, 5OSINTGoogleDrivetoEmailAddress.pdf, 5OSINTGoogleHangoutsQuery.pdf, 5OSINTPhoneNumbers.pdf, 5OSINTRealNames.pdf, 5OSINTUsernames.pdf, 5OSINT_Username_Scripts_v102021.pdf
6OSINTFacebook.pdf, 6OSINTInstagram.pdf, 6OSINTTikTok.pdf, 6OSINTTinder.pdf, 6OSINTTwitter.pdf, 6OSINT_Pinterest-220530-183531.pdf
7OSINTImages.pdf, 7OSINTInstallYoutubeDlffmpeg.pdf, 7OSINTStreamCapture.pdf, 7OSINTVideoCaptureMatrix.pdf, 7OSINTYouTube.pdf
8OSINTBusinessesLinkedin.pdf, 8OSINTdocuments.pdf, 8OSINTMapsAddresses.pdf, 8OSINTOrg_Walkthrough.pdf, 8OSINTScenariosUsingMaps.pdf
9OSINTCommandCenter.pdf, 9OSINTDiscord.pdf, 9OSINTGab.pdf, 9OSINTKeywords.pdf, 9OSINTParler.pdf, 9OSINTTelegram.pdf, 9OSINTVMExpress.pdf
10domainchecklistv1.pdf, 10domaindiagramv1drawio-211128-171543(1).pdf, 10DomainReportTemplate_v1-211128-171543(1).pdf, 10DomainWorksheetv1-211128-171543(1).pdf, 10OSINTDomainReporting.pdf, 10OSINTdomains.pdf, 10OSINT_Domains_Reporting-211128-171543(1).pdf, 10OSINT_Spiderfoot-220314-220523.pdf
11OSINTBreachData.pdf, 11OSINTHashes.pdf, 11OSINTLeakData.pdf, 11OSINTLeaksCleaningData.pdf, 11OSINTRipgrepCheatSheet.pdf
12OSINTAndroidNox.pdf, 12OSINTVirtualMachinesBuild.pdf, 12OSINTVMExpress-220114-114346.pdf, 12OSINTVMExpress.pdf, 12OSINTWSL2andWindowsTerminalDec2021Update.pdf, 12OSINT_linux_VM_Steps_Dec2021.pdf, 12WindowsVM122021-211231-130424.pdf
13OSINTBatchFiles.pdf, 13OSINTDirectoryScript.pdf, 13OSINTGoogleDocsScript.pdf, 13OSINTPowerShellExample.pdf, 13OSINTWSL.pdf
14OSINTCriminalMarkets1.pdf, 14OSINTCriminalMarkets2.pdf
15OSINTCareerDevelopment.pdf, 15OSINTCollaboration_robandkramerproject_R.pdf, 15OSINTCollaboration_tut4dl Report_R.pdf, 15OSINTSMEsToFollow.pdf, 15OSINTTeamCollaboration.pdf, 15OSINTTeamCollaborationBasics.pdf, 15OSINTWritingPolicy.pdf
16DisinformationResourcesFall2021.pdf, 16PrivacyEmailManagement-220530-183435.pdf, 16Security10DaySecurity.pdf, 16SecurityBitwarden.pdf, 16SecurityDDwrtFirmware.pdf, 16SecurityDisinformation.pdf, 16SecurityEncryptedContainers.pdf, 16SecurityIOS14.pdf, 16SecurityLANPlanning.pdf, 16SecurityNetworks.pdf, 16SecurityPhysicalSecurity.pdf, 16SecurityPrivacyPacket.pdf, 16SecurityPrivateDomains.pdf, 16SecurityTelnyxVoip.pdf, 16SecurityuBlockOrigin.pdf, 16SecurityVOIPSMSAppGuide.pdf, 16SecurityVPN.pdf, 16SecurityWFH.pdf, 16TravelPackingList-220308-171707.pdf
17Backups_done_right-220112-144529.pdf, 17Considering_aNAS-220112-144806.pdf, 17GhuntSetup-220117-164522(1).pdf, 17OSINTAustralianResources.pdf, 17OSINTInvestigationsUsingStocktwits.pdf, 17OSINTPoshmark.pdf, 17OSINT_ClandestineLinkedInTechnique.pdf, 17OSINT_InvestigationsUsingLoveawake.pdf, 17OSINT_Misdirection Mode_Obscuring Personal Cell Phone Carrier Through Voicemail Manipulation.pdf, 17passport_renewal_guide-220311-105303.pdf, 17SecurityGhosteryBrowserExtension.pdf, 17SecurityMisdirectionMode_DisinformationCampaigns.pdf, 17SecurityPersonalVPN.pdf, 17SecuritySecure-private-cryptocurrency.pdf, 17SEOToolsCheckingbacklinks-220613-094906.pdf, 17SEOToolsDomainAuthorityPageAuthority-220223-120807.pdf, 17TheRetailEquation-220222-111250.pdf
18UnRaidOperatingSystem-220227-220436.pdf, 18WorkstationBuildPlan-211230-192042.pdf

OSINT - Getting Started Tips v.2.2022

New to OSINT - Training Tips

1. There is no right or wrong way to work through the training.
2. Some advanced topics may not be pertinent to your mission and are provided for members who are further along in the learning process or who have extensive experience in the investigations and/or intelligence fields. It is probably good to at least view the more advanced topics at some point so that you are aware of these techniques, but you do not need to master every tactic or use every technology. If you are new and try to do everything out of the gate, you will likely feel frustrated when you hit advanced topics and tactics.
3. Most lessons have a difficulty rating. Two popular approaches to the training content:
   a. Watch all videos through once to get an overall feel for the content and techniques. Then go back through the lessons and spend more time on topics that suit your own missions and/or areas of interest.
   b. Watch all of the videos with a basic rating first, then go back through the basic topics and practice some of the tactics. Leave the intermediate and advanced topics until you feel comfortable with the basics.
4. The practical exercises provided can be quite difficult, so do not get hung up if you attempt them and have little success at first. An alternate method of building experience in a hands-on fashion is the following:
   a. Download one of the templates we provide at https://inteltechniques.com/osintnet/ (the login is provided on the course materials lesson: https://www.inteltechniques.net/courses/take/open-source-intelligence/downloads/19553573-osint-course-materials).
   b. Pick an innocuous corporation as a practice target for a vulnerability or data exposure assessment. An easy place to find targets is https://theorg.com; an example is https://theorg.com/org/zoominfo/org-chart. Pick any of the leadership at the company and start researching them, filling in their accounts, addresses, and any other identifiers on the template. I like choosing companies like Zoominfo that are data brokers, because they make money selling our data, which makes their leadership fair game in my mind. We do not, however, share our findings or otherwise expose these practice targets. This is just for training purposes, so make sure to do no harm.
   c. This practice will also help if you ever attempt the OSIP certification assessment, because it is not only practice digging on targets; we also need to work on our process for pulling intelligence into reports or other documentation. Using the templates is a good first step toward preparing documentation.
5. We purposefully provide multiple tools and methods for most topics. That does not mean you need to use or master them all. Our goal is to give you redundant options so that you have tactics to fall back on when sites or tools disappear or break.

Workflow Recommendations

1. Operational Security: If you are new to OSINT, start by working on innocuous targets (do not dive in and start hunting cyber-criminals), so the security level of your connection and workstation will matter less. That said, before moving on to higher-threat targets you should make sure you understand how to protect your connection (VPN), your workstation (virtual machines), and your accounts (dedicated undercover accounts). Later in the training you will have a better feel for how to use VPNs and virtual machines to protect your engagements and operations.
2. Workspace: Get in the habit of setting up a digital notebook, paper scratch pad, case directory, browser with useful extensions, and burner social media accounts (Facebook, Twitter, and Instagram). We will show examples of each of these and how to set them up over the course of the training.
3. Clarify Knowns & Goals: Professional analysts define and/or clarify the question they are working to answer up front, along with any "knowns." This can be in writing; on short-term assignments, even saying it aloud can help assert the focus of your mission. Example: Question: find home address. Knowns: Jason Bourne and [email protected]
4. Non-OSINT Checks: Prior to diving into internet searches, consider using any premium, proprietary, and/or government/LE checks (DOL, booking photos, etc.). For example, if you have LexisNexis, government databases, or premium people-search accounts (e.g. Spokeo, BeenVerified), use those up front to potentially gain additional leads.

5. Research: Use Google and our custom OSINT tools to query the most unique identifiers (email addresses, unique names or usernames, domains, etc.). Remember to unblock pop-ups the first time you use each category of the tools; if only one tab opens, pop-ups are being blocked.
6. Use OneTab or another extension to manage your tabs (examples are provided throughout the training videos).
7. Work through the results, pulling any minor leads into a new tab and any strong leads into their own window.
8. Any strong leads should also be added to your digital or analogue notes (e.g. new email, phone number, account, address, etc.).
9. Take 30 seconds up front to make a plan, and then re-assess periodically.

Basic Investigative Steps - a More Detailed List of Steps

1. Set up your note-taking and data collection to track your work: paper notebook, OneNote, Hunch.ly, a directory on an encrypted flash drive, etc.
2. List your investigative goals: full profile, locate for apprehension, identify associates, collect digital evidence, etc. (Are you collecting intel, or evidence for court?)
3. List your seed info: emails, phone numbers, names, etc.
4. Run all your paid and/or government queries and use those to add to your seed information. If possible, get hold of a booking or DOL photo for comparison while researching social media.
5. Run Accurint (LexisNexis), TLO, or Clear reports.
6. Fire up Chrome with your plugins of choice (uBlock Origin, HTTPS Everywhere, JSON viewer, Fireshot, OneTab), or use your prebuilt custom OSINT VM.
7. If it is likely going to be a full investigation, I turn on Hunch.ly and enter my "selectors" (keywords from the seed info).
8. I do a quick Google search and check my people-finder site of choice for that week, e.g. ["James McIntire" "Denver"], and run the name through my custom offline tools. Use the custom tools page that matches your known identifier, so if you have an email address, use Email.html. This first dive is a fast-moving search for low-hanging fruit.
9. My typical order is email, real name, search engines, Twitter, Facebook, Instagram, phone number, and then the rest depending on what you have to go on.
10. I exhaust Google and my custom tools, closing any tabs that return false positives or no useful results. For any page that is important, I note the identifiers (account IDs, usernames, etc.) in my case notes and screen capture the page.
11. Screen captures are saved in the case directory and/or in a digital notebook such as OneNote. On a case with multiple targets, create subfolders for each person of interest.
12. When I am done with my research, I copy/paste pertinent information and identifiers into a profile or case report (for template examples see the documentation module). I embed or attach any pertinent screen captures, PDFs (such as LexisNexis reports), and photos (anything depicting the individuals, vehicles, or addresses).
13. I go over that report with the case detective or agent to explain my investigation and see if they have any questions. This is their opportunity to get clarifications and request additional intelligence.
14. My rough notes, workbooks, Hunch.ly files, and/or cloned VMs are usually saved in an archive in case I need them for further investigation or court. The exceptions are missions such as intel gathering for operations, events, threat assessments, etc. A Hunch.ly export might be burned to disc as evidence, but be cautious of any unintended data that might have been inadvertently saved during that session. The VM backup should not go into evidence, as it would divulge tradecraft. Treat it as an undercover laptop that you can refer to, but avoid exposing it unless you are forced to (work with your prosecutor to fight this). If you do not need that VM for court, do not keep it (hoarding data comes with custodial responsibilities and potential liabilities). Develop a routine for housekeeping your case archives and investigative workstations. Your agency likely has retention policies, and you should review them.
15. I make sure I have a fresh VM for the next case or crisis that comes up. I also make new accounts to have in pocket in case any of my research accounts were burned. Better to prepare for the next case at the end of the previous one and be ready to go at a moment's notice. Not every mission justifies a VM; you will find your own workflow and threshold for deploying advanced tools.
16. Wash, rinse, repeat. Track successes to justify more equipment, staffing, and training.

Note: My standard setup is an off-grid Windows PC on a UC cable modem or MiFi (VPN as appropriate). For quick checks such as events, threats, etc., I stay in Windows and just use Chrome/Firefox and my custom tools. If I need to run a script, I do so from my Linux (WSL) terminal on Windows. This is for convenience and speed, with less fuss when there is less need for compartmentalization, security, and/or anonymity. For investigations I typically use my custom OSINT VM and fresh research accounts. Quick utility vs. backstopped single purpose: use the right tool for each mission. If you do not have a set of custom OSINT tools and a VM, you will by the end of this training. We will build them together, which means you will understand what they are doing and be able to keep them working even if Michael and I disappear.
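The steps above (set up a case directory, write down the question and the seed identifiers, save screen captures under a subfolder per person of interest, archive what may go to court) can be scripted. The following Python script is an added example written for this notebook page; it is not one of the IntelTechniques custom tools or the notebook's own directory script. The subfolder names (notes, captures, reports, exports), the seeds.json and manifest.jsonl files, and the sample target names, email address and capture bytes are all this example's own assumptions. The manifest records a SHA-256 for every capture so the archive can be re-verified before it is handed over or burned to disc, and a modified file is flagged.

```python
"""Case workspace scaffold with a SHA-256 evidence manifest (added example).

Builds the case directory layout, records the question and "knowns" up front,
stores each capture under a per-target subfolder, and keeps an append-only
hash manifest so the archive can be verified later.
"""
import hashlib
import json
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

SUBDIRS = ("notes", "captures", "reports", "exports")  # assumed layout, not the notebook's


def slug(text: str) -> str:
    """Filesystem-safe folder name: 'Jason Bourne' -> 'jason_bourne'."""
    cleaned = re.sub(r"[^A-Za-z0-9]+", "_", text.strip()).strip("_").lower()
    return cleaned or "unnamed"


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large captures are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def create_case(root: Path, case_id: str, question: str, knowns: dict, targets: list) -> Path:
    """Create <root>/<case>/ with the standard subfolders, one capture folder per
    person of interest, notes/seeds.json, and an empty manifest."""
    case_dir = Path(root) / slug(case_id)
    for sub in SUBDIRS:
        (case_dir / sub).mkdir(parents=True, exist_ok=True)
    for target in targets:
        (case_dir / "captures" / slug(target)).mkdir(exist_ok=True)
    seeds = {
        "case_id": case_id,
        "question": question,  # the question we are working to answer
        "knowns": knowns,      # seed identifiers we started with
        "targets": targets,
        "created": datetime.now(timezone.utc).isoformat(),
    }
    (case_dir / "notes" / "seeds.json").write_text(json.dumps(seeds, indent=2))
    (case_dir / "manifest.jsonl").touch()
    return case_dir


def add_capture(case_dir: Path, target: str, filename: str, data: bytes, source_url: str) -> dict:
    """Save a capture under captures/<target>/ and log its hash, source and
    timestamp to manifest.jsonl (one JSON object per line, append-only)."""
    dest = case_dir / "captures" / slug(target) / filename
    dest.write_bytes(data)
    entry = {
        "path": dest.relative_to(case_dir).as_posix(),
        "target": target,
        "source": source_url,
        "sha256": sha256_file(dest),
        "captured": datetime.now(timezone.utc).isoformat(),
    }
    with (case_dir / "manifest.jsonl").open("a") as fh:
        fh.write(json.dumps(entry) + "\n")
    return entry


def verify_manifest(case_dir: Path) -> list:
    """Re-hash every logged capture; return the paths that are missing or no
    longer match their recorded SHA-256."""
    problems = []
    for line in (case_dir / "manifest.jsonl").read_text().splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        path = case_dir / entry["path"]
        if not path.exists() or sha256_file(path) != entry["sha256"]:
            problems.append(entry["path"])
    return problems


def demo() -> dict:
    """Run the whole flow in a temporary directory on constructed sample data."""
    with tempfile.TemporaryDirectory() as tmp:
        case = create_case(Path(tmp), "CASE 0001", "Find home address",
                           {"email": "target@example.com"},  # constructed seed
                           ["Jason Bourne", "J. Smith"])      # constructed targets
        entry = add_capture(case, "Jason Bourne", "profile.png",
                            b"abc", "https://example.com/profile")  # constructed capture
        clean = verify_manifest(case)
        (case / entry["path"]).write_bytes(b"abd")  # simulate an altered capture
        tampered = verify_manifest(case)
        target_dirs = sorted(p.name for p in (case / "captures").iterdir())
    return {"sha256": entry["sha256"], "clean": clean,
            "tampered": tampered, "target_dirs": target_dirs}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest is append-only on purpose: a capture is never silently replaced, and verify_manifest reports any file whose hash no longer matches, which is the check to run before an export leaves the workstation. Point root at the encrypted flash drive or case share you already use; the temporary directory in demo() exists only so the script runs stand-alone.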

OSINT Training Overview v.8.2021

How To Get the Most Out of this Training

One of the best aspects of online vs. live training is the ability to ingest the material at your own pace. I recommend moving through the material in a manner that suits your own learning style and available time. Although the lessons are organized in a logical progression, more experienced investigators may wish to move through the content in a less linear fashion, which is perfectly fine.

The Training Site

Refer to the dashboard training video if you have any question about navigating the training site or playing the videos. It is very straightforward, with the lessons grouped into chapters in the left-hand menu. Click on the caret on any menu to expand it and see the lessons. As you complete lessons they will be marked as such, which allows you to track your progress through the course. Once you complete all of the lessons you may download a certificate if you would like. Some agencies require these as verification of completion for reimbursement of training fees. The certificate can also be used as verification of training hours for continuing education credits or other professional training requirements.

Update: A consolidated PDF of course materials is now available for download on our resource page: https://inteltechniques.com/osintnet/ If you don't already know the member login, it is posted in the course materials lesson.

Reference PDFs

Some of you may learn best by taking notes while you watch and listen, while others may not. Therefore I have pre-written notes for each module, and you are welcome to download these to build out your own OSINT reference manual. Please do not redistribute these outside of this course, as they contain tradecraft and I would rather they not end up instantly on criminal forums. We have not typically made the lion's share of the online training content downloadable, but in this case I felt it was important to provide the added value of downloadable reference sheets. The videos remain locked down, although if you are taking this course you will of course learn how to defeat this. If you do decide to rip our videos, please do not redistribute them, as again we want to keep the tradecraft under wraps as much as possible. We have also had cases of others taking our material and reselling it for $10 on places like Udemy, and that is not great.

1.3 Scripts & Advanced Tools

Over the course of the training we will be rebuilding the OSINT custom tools that Michael laid out in Open-Source Intelligence, 8th Edition. We will start small and update these over time to reflect the current best selection of tools and sites. As Michael did in the book, we will provide sample files for those who struggle to get their own tools working, but I would encourage everyone to work through the bumps and bugs, because you will learn a lot by failing at first. We will go light on Linux and scripts in the beginning and put more of a focus on the advanced tactics as we move forward. If at any point you feel overwhelmed by the more technical portions of the demonstrations, hang in there and just watch. We will get many reps in and, in the end, you will feel very comfortable with the steps. It just takes time and repetition. Soon it will be second nature.

1.4 Comments & Questions

We encourage you to share comments and questions on our Element chat channel. OSINT Training Room Primary: https://matrix.to/#/!KtioSOJclafqAdZgIf:matrix.org?via=matrix.org Alternative: https://matrix.to/#/#inteltechniques.training.discussion:matrix.org?via=matrix.org

1.5 Practicals

Twice a year we provide a new set of practical exercises which you may use to practice your skills on innocuous targets. This is also a good way to get feedback when you hit dead ends. Some of these will be presented as work-at-your-own-pace individual exercises and others will be friendly team competitions in the style of CTF competitions. If you are not familiar with CTFs, do not worry; we have information about how to use and access the training exercises here: https://www.inteltechniques.net/courses/take/open-source-intelligence/lessons/27473174-trainingexercises-v-2. Note: A new set of practical exercises was released on August 31st of 2021.

General Course Overview

The course menu lists all of the current and "in the works" lessons and topics, although more will be released each month. If your employer requires a more concise list, or you need to write up a justification, here is an example of the material covered. Feel free to copy and paste this into your training request should your employer request a summary of training. This can also be used in explaining your training and experience in court when challenged regarding your qualifications.

Ethics, privacy and legal considerations when conducting online investigations
Build a secure and efficient investigative workstation
Proper data collection and documentation
Conduct advanced search queries on dozens of search engines simultaneously
Access restricted information through cached results
Use online translation tools to automate search and translate foreign text
Obtain extended information from personal Facebook profiles
Identify personal and business associations on Facebook
Locate and analyze live Facebook video streams
Methodology in collecting Facebook data for preservation and reporting
Identify and analyze a target's Twitter profile
Locate and capture imagery and video streams
Locate deleted content from Twitter accounts
Monitor live content and communication on Twitter
Identify social networks related to cellular telephone numbers
Investigate Instagram accounts and search for hidden/privatized data
Locate social media accounts based on a target's "real name"
Query email addresses and identify associated accounts
Identify all social networks in use by target username
Access content believed to be hidden on social networks
Reverse search photographs for additional copies and details
Locate online videos related to the subject of investigation
Reverse search videos for additional copies and details
Break through common pitfalls with YouTube restrictions
Break through common pitfalls with LinkedIn searching
Identify users of private cellular telephone numbers
Search historical deleted versions of websites
Locate documents related to the target subject
View multiple satellite image collections of any location
Locate personal addresses of practically anyone
Retrieve Caller ID information from any landline or cellular telephone number
Search public file storage services for target data
Application Programming Interfaces and their use in online research
Multiple methods of building an Android virtual phone on a desktop
Efficiency and security benefits of using virtual machines
Build your own custom desktop OSINT tool-set
Build your own custom Linux virtual machine
Locate breach/leak data and discuss investigative applications
Investigate open-web and darknet criminal markets

Key Takeaways:
Updated instruction on foundational OSINT skills and resources
Become self-sufficient by learning to build your own OSINT virtual machine and desktop tools
Build a strong workflow that produces professionally documented and actionable intelligence

Instructor Bio: Jason Edison is a full-time criminal investigator with 20+ years of experience tracking fugitives involved in organized crime, threats of mass-casualty incidents, and all forms of cyber-crime. He teaches basic and advanced OSINT live courses on behalf of Inteltechniques.com as well as providing security and privacy related contract services to large organizations in both the private and public sectors. Jason has instructed thousands of students on best practices when planning, executing, and documenting credible OSINT investigations.

1OSINTCertification.md

7/22/2021

Certification Program Overview

The IntelTechniques certification program provides participants with an opportunity to work through a real-world scenario and demonstrate that they can produce an intelligence product that meets a high professional standard. It is an extension of the IntelTechniques Open-Source Intelligence live and online courses and is for those practitioners who require a documented metric establishing their capabilities. The testing process involves completing an intelligence assignment, from mission briefing all the way through to delivering a completed case file. Participants whose final work product reflects a high standard of execution will be recognized as an IntelTechniques Certified Investigator. It is important to understand that this is not a traditional academic testing process. You will be required to conduct an investigation and/or intelligence operation from beginning to end. A passing grade will only be awarded if the final submission is accurate, well organized, comprehensive, and displays a recognizable degree of professionalism. An IntelTechniques Certified Investigator is someone who can be assigned a target individual, organization, or other entity and deliver an exceptionally well-constructed, substantiated, and articulated intelligence report.

Prerequisites & Participation Requirements

This assessment program is an addition to the existing live and online IntelTechniques OSINT training programs. As such, there are prerequisites for participation as well as some resource requirements. It is your responsibility to ensure that you have met these criteria prior to applying for the assessment program. It is also your responsibility to establish the tools and investigative environment necessary to successfully complete the testing process. The following are minimum requirements for participation:

1. You must have completed the IntelTechniques.net training curriculum OR have completed a live IntelTechniques OSINT session within 1 year of testing. Note: The former IntelTechniques.com online video training does not qualify for this requirement, as there is no way for us to verify completion of that program. OSINT changes rapidly and there is high demand for what is an involved testing process, so we must limit entry to recent students who are trained on the current curriculum.
2. You are responsible for providing your own equipment and resources. You are acting as a freelance investigator, and the expectation is that you have built up a sufficient arsenal of tools and techniques to conduct a proper investigation.
3. The assessment will initially cost $200 US (credit card, PayPal, or BTC accepted) for the first group of candidates. This cost will increase as we adjust for demand and the time required to maintain and support the program. Assessment slots will be awarded to qualified applicants in the order they are received.

Process, Rules, & Grading Criteria

This assessment is run as a live simulation. Participants will receive a request from a "client" detailing the target(s) and mission requirements. These are live, innocuous targets that reflect realistic operational asks in the investigative and intelligence fields. Successful completion will require delivery of a complete, thorough, and very professional case file. The expectation is that all participants will exercise a high degree of discretion and operational security throughout the exercise.


This is a solo assignment. You are to complete all stages yourself. Once your engagement begins, consider all communication and mission details as strictly confidential, just as you would when working a sensitive case in the private or public sectors. Do not share or post your work product online during or at any time after completing your certification testing. There are a finite number of assigned targets and we need to maintain the integrity of the test by keeping mission details private.

Integrity: Intelligence and investigations work requires integrity and a reputation as someone who can be trusted to keep details in confidence. Any dishonest, illegal, or unethical behavior is grounds for disqualification.

What can I talk about after successfully completing my assessment? You can speak generally about the process and your impressions, but you may not disclose any details about the specific assignments or targets.

Grading: All casework will be reviewed by Jason personally. This is not an automated academic test. The baseline for a passing grade is: would a company or other professional organization pay for this work product? The casework that you submit must be accurate and professional. That means no typos, no messy formatting, no overlooked key intel, and no blatantly false findings. Any conjecture must be clearly stated as such. A good report will also convey a confidence level in the key findings: how certain are you that X did Y and lives at Z?

Format: You may use whatever format you choose, provided it is well organized and effectively communicates and supports your findings. Some of the more advanced templates from the training course would be acceptable as the foundation of your report. Your report should be in PDF format, and any digital evidence or other assets should be consolidated within a well-organized zip file. You must deliver your report and any supporting materials by a secure means. Solving the secure communications problem is an important part of the intelligence process, so it is the participant's responsibility to establish any communication or delivery of materials beyond the initial Protonmail exchange with the "client". You will have 10 days, from the time of receiving your assignment, to deliver a completed casefile meeting the requirements set forth by your "client". Deadlines are a reality in this line of work, and we all have busy lives, so please schedule your assessment for a date range where you will have a significant amount of time to devote to the task. There will be no extensions. I cannot emphasize this enough: plan wisely and allow for a considerable time investment. We review every submission thoroughly and measure the final report against a high professional standard: could we deliver this as the final work product to a paying client? Within 10 days you will receive a pass/fail grade along with feedback on strengths and weaknesses in your work product.

Retesting: Although in the real world we do not typically receive "do-overs", you may be allowed one retest if you fail your first assessment. This will only be offered in cases where the submission was of high quality but needed fine tuning to meet our standard. If a request for reassessment is granted, you will participate again 60 days later with no additional fee. Do not rely on being granted a second assessment; put 100% effort in the first time.


Additional questions regarding the assessment may be directed to Jason via the Element Training channels, which are linked in your training materials and the monthly training newsletter.

Certificates of Completion vs. Certification: Completing the IntelTechniques.net online training results in a Certificate of Completion, which documents hours of training received. A "certification" is different in that it indicates that you have met a testing/performance standard.

Support: Again, this is an assessment, not training. There will be limited support for participants. However, we are providing some resources for those who wish to take advantage of them. Once accepted you will receive access to a resource page which includes a sample case file. This is to give you a clear idea of the minimum acceptable submission. This sample represents the baseline expectation, the bare minimum to pass. Please do not aim low and hope to squeak by. Create and submit a superior work product that would impress any client. You will also receive access to an Element support channel for the assessment. This is an optional, private space where you can share advice and talk shop with other participants. You are not allowed to share case specifics, but process and resource tips are fair game. "Here is a template that worked very well for my casefile" or "this is an outline for my approach to completing my assignment" would be appropriate topics to share. We will be monitoring this channel as well for any technical questions/issues that may arise regarding the testing. Remember, participants are expected to be experienced practitioners who have completed our training courses. If you still have many questions about the basics, you would be wise to hold off on testing until you have a solid foundation of OSINT knowledge.

Application Process
If after reading this, you feel this practical assessment is a good fit, you will need to apply for an opportunity to go through the certification process. The testing process is time intensive for the instructors, so we must limit the number of participants. To apply for the assessment program, send an email to Jason ([email protected]) with a subject line of "Certification Testing". In the body include the following:
• Date of completion: IntelTechniques live or IntelTechniques.net online training (live trainings prior to 2019 do not qualify).
• Protonmail address to be used for the training engagement.
• Requested Testing Dates (provide three dates in order of preference): Testing date options are the 1st, 11th, or 21st of each month (i.e.: December 21st, 2021). The earliest date that you can request is at least 30 days out from the date of your application.
• Acknowledge that by participating in this process you agree to keep the details of the assessment confidential and violate no laws in execution of your assignment.
• Acknowledge that if accepted you will be provided with a payment link for the assessment fee and that you will either complete payment or withdraw from the process (to make room for others on the waitlist).
• Acknowledge that you already have the skills and tools to complete a full OSINT investigation unassisted.


You will receive an acknowledgment email that your request has been received, and if accepted you will receive additional instructions and scheduling information via Protonmail. Applicants whose applications do not meet the assessment criteria will be notified within 10 business days of our receiving the request.

How to Succeed
This is not for everyone or even for most people. This is for a limited number of you who want or need to establish a formal professional credibility around your open-source intelligence skillset. If the details of this assessment seem daunting or even harsh, it is because we are testing based on our experience with client expectations. It is one thing to show that someone has received some hours of training and another to test their ability to competently carry out a real-world mission. Above all else, please consider: Are you confident in your foundational research/analysis skills? Have you previously prepared case documentation, or do you otherwise have strong writing skills? Do you have the necessary time to invest towards building a sufficient work product? Do you feel excited by the challenge of hunting targets on a deadline and submitting a best-in-class case write-up? If the answer to any of those questions is "no", please consider taking more time to shore up your experience and preparation prior to committing to an assessment. We are rooting for everyone to be successful, but we will not pass people who fail to meet the standards. The trainings are the place to receive help and guidance. The assessment is you, on your own, demonstrating your capabilities and proficiency. Successful participants will receive a certificate acknowledging their status as an IntelTechniques Certified Investigator. Remember, if you are only looking for "practice", all online training members have access to the new online practicals at no additional cost. That is a particularly good option for anyone who does not need the status of having passed the certification assessment.


1OSINTUseCases.md

7/22/2021

OSINT Essentials - Use Cases

1.1 Where Does OSINT Fit into Our Mission
The following are some examples of how we and colleagues in other fields apply open-source intelligence techniques to their operational goals and assignments. This is not a comprehensive list, and the application of OSINT to your own operations is only limited by your own ingenuity and the degree of support from your agency. Keep in mind that agency support can be bolstered significantly by showing "wins". Sometimes a little flash earns us the tools to tackle the more substantive tasks. The categories below are not always distinct lanes, and a specific mission may straddle multiple categories.

1.2 Criminal Investigations
Persons of Interest -- Building out a profile on persons related to an incident or crime; this may include building out the structure and identity of others associated with the subject.
Fugitive Apprehension -- Where can we locate an individual, and what intelligence do we need to then apprehend them in a safe manner?
Evidence Preservation -- Location and preservation of online digital evidence.
Loss Prevention -- Essentially the same techniques used by LE, applied by private security and in-house investigators.
Private Investigation -- Private sector, non-sworn contract investigations.
Cyber Crime -- Obviously electronic and online crimes require a technical investigative approach. These days almost all crime has some nexus with technology, as just about everyone has a smartphone, but some crimes are specifically digital in nature.

1.3 Threat Assessment
Individuals -- These are usually cases of someone being harassed, stalked, or otherwise threatened by an individual or group who either has an axe to grind or is possibly driven by mental illness. The motivation is sometimes financial profit, but more often than not emotion.
Events -- Intelligence supporting planning and logistics prior to an event, as well as situational awareness during the event.
Executive and Diplomatic Protection -- Logistical research and specific threat investigation related to VIPs in both the private and public sectors. This might be related to specific threats or even geographical assessments based on travel or other business dealings.

Due Diligence Backgrounding
Backgrounding potential employees -- Does the individual pose a physical or reputational security issue if associated with and given access to the organization's systems, facilities, and assets?
Backgrounding vendors and contractors -- Could the vendor or their practices expose the organization to security vulnerabilities and/or compromise the brand/reputation?
Vulnerability assessments on targeted personnel -- This is usually an individual in a leadership position, or an employee thrust into the limelight based on a positive or negative event which has garnered them public scrutiny.

1.4 Data and Infrastructure
Defensive Reconnaissance -- This is an immensely popular application of OSINT in the information technology field. It often includes penetration testing of both physical and data infrastructure to highlight weaknesses in an organization's security posture. This may include collecting information on personnel, who are a typical weak point in a security posture.

1.5 Intelligence Gathering
This can at times be very similar to criminal investigations in that it can involve profiling individuals and organizations of interest, although not always based on a specific criminal act. This is also an area where we want to make sure we are in articulable good standing in regard to law, policy, and agency mission priorities. We don't like being "spied" on and no one else does either, so as professionals we ensure that intelligence gathering is always done professionally and with cause.
Organizational Profiling -- Who works for, operates, or is otherwise associated with a business, government, or other body of organized individuals?
Competitive Intelligence -- The private sector uses OSINT to gather information on work being done by competitors and uses this data to adjust their own business road map.
Regional Assessments -- We intend to deploy resource X to region Y and need to know what could and is likely to impact operations and personnel.
Broad Scope Threat Assessment -- Who in the world wishes us harm, what are they capable of, and when/where would they likely act to further a plan that could impact us?

1.6 One-Tab Bookmarks
https://sanangelolive.com/news/crime/2020-07-18/nsfw-details-released-about-fugitive-child-predator | NSFW Details Released About Fugitive Child Predator
https://www.deseret.com/utah/2020/5/25/21269777/tinder-murder-victim-identified-layton-utah-ashlyn-black | Utah woman killed on Tinder date identified by police - Deseret News
https://www.reddit.com/r/PDX/ | PDX Portland, OR
https://www.reddit.com/r/Portland/comments/ht7voc/live_stream/ | Live stream? : Portland
https://www.reddit.com/r/Portland/comments/htb9er/hundreds_converge_at_downtown_portland_protests/ | Hundreds converge at downtown Portland protests, brace for continued federal presence (live updates) : Portland
https://6abc.com/2-girls-charged-after-fake-school-shooting-threat/5964330/ | Teens charged after fake school shooting threat at Penn Wood High School, middle school - 6abc Philadelphia
https://www.sltrib.com/news/2020/03/19/utah-man-denied/comments/ | Comments: Utah man denied coronavirus test allegedly threatened to bomb hospital - The Salt Lake Tribune
https://www.shacknews.com/article/119026/last-of-us-2-voice-actor-laura-bailey-shares-death-threats-on-twitter | Last of Us 2 voice actor Laura Bailey shares death threats on Twitter | Shacknews
https://twitter.com/LauraBaileyVO/status/1279173199918292992 | Laura Bailey on Twitter
https://www.nbcnewyork.com/news/local/two-new-york-men-arrested-for-allegedly-doxing-dozens-of-law-enforcement-officers/1990564/ | Two New York Men Arrested for Allegedly Doxing Dozens of Law Enforcement Officers: Prosecutors -- NBC New York
https://www.telegraph.co.uk/technology/2020/06/10/us-police-forces-scrub-identities-internet-amid-fears-officers/ | US police forces scrub identities from the internet amid fears officers will be 'doxxed'
https://www.foxnews.com/tech/microsoft-employee-accused-of-scheme | Former Microsoft employee bought $1.6M house after stealing millions in digital currency, feds allege | Fox News
https://cstoredecisions.com/2020/01/17/nielsen-announces-new-ceo-cfo/ | Nielsen Announces New CEO, CFO - CStore Decisions
https://www.truckinginfo.com/353252/ups-announces-new-ceo-new-temporary-role-for-outgoing-ceo | UPS Announces New CEO and Temporary Role for Outgoing CEO - Fleet Management - Trucking Info
https://www.cshub.com/attacks/articles/incident-of-the-week-alabama-hit-by-2nd-ransomware-attack-in-as-many-months | Incident Of The Week: Alabama Hit By 2nd Ransomware Attack In As Many Months | Cyber Security Hub
https://www.offensive-security.com/pwk-oscp/ | PWK and the OSCP Certification | Offensive Security
https://travel.state.gov/content/travel/en/traveladvisories/traveladvisories.html/ | Travel Advisories
https://liveuamap.com/ | Ukraine Interactive map - Ukraine Latest news on live map - liveuamap.com


1Renewals.md

7/22/2021

Training Renewals v.6.2021

Membership Types - Subscription vs One-Time-Payment
Depending on how and when you purchased your membership, your account may be coded as a subscription or a one-time-payment. Subscriptions auto-renew (this is a function of our provider and we do not have the ability to turn off auto-renewals for subscriptions) and one-time-payments do not. We want to avoid any unintentional renewals, so this guide will walk you through verification of your account type and how to make any desired changes to your billing/status. Note: Above all else, we will make sure that everyone is taken care of. We will work with you to ensure that anyone who wishes to discontinue their membership is able to do so as smoothly as possible. We will also ensure that everyone choosing to renew receives their original lower price point for the next year of training (and every year going forward). Our hosting provider has assured us that regardless of any issues renewing, no progress will be lost on any training accounts, so even if we hit a glitch in renewing, we will get you sorted out and you will be able to pick up right where you left off.

Verifying Your Account Type
The first and most important step is to verify your account type. Log in to your account on IntelTechniques.net and select the drop down menu by clicking on your name on the top right. Select "My Account" to view your account details (see images below if you have trouble locating it). Next, select "Billing" and if you see a Subscription listed, you are a subscription customer. If you do not see a subscription, you have a "one time payment" account.



Subscription Customers
Your subscription will auto-renew on the anniversary of your enrollment date using whatever payment card you have listed on your billing page. If you wish to renew with your current card on file, there is nothing that you need to do. If you wish not to renew, or if you need to change your payment details prior to renewal, you should complete one of the following steps prior to your renewal date.

Option #1 - You Wish to Auto-Renew
If you check your billing status on your IntelTechniques dashboard and see a subscription and you wish to auto-renew with your previously used payment details, there is nothing you need to do. On the anniversary of your training purchase the payment system will bill the payment card/account on file and add 365 days to your membership.

Option #2 - Update Payment Details
If you wish to renew your subscription for another year, but with a new payment card, you can edit your card details using the "Edit" button and then select "Update" as seen below. If you have issues with your new card being declined, do not worry, just email us at [email protected] and we will work with you to address the issue with Stripe (our payment processor). Again, you will not lose any progress on the training if your card is rejected. Once we sort out the payment processing, your completion status will be exactly how you left it.


Option #3 - Cancel Subscription
This will prevent auto renewal, but you will retain access until the end of your current 1 year term. To cancel, log into your account on IntelTechniques.net and select "My Account". Next, select "Billing" and then you can choose to cancel your membership.



Option #4 - Changing From a Subscription to One-Time-Payment Plan
If you are a subscription customer now but wish to move to a one-time-payment account type, you should first cancel your subscription on your billing page as detailed above. Then, once your subscription expires, email us at [email protected] and request a one-time-payment link. Please include your original price point and the email address you use on the training site. It is a smoother process if you let your subscription run out and we then add you back in as a one-time-payment member. You will not lose any progress as long as you use the same email address and log in. We really are just changing your enrollment billing. Your account remains intact even if there is a lapse in enrollment.

Renewing Non-Subscription Memberships
Depending on how you signed up and how you paid, you may have a "One Time Payment" membership. For example, accounts paid for with PayPal and bitcoin do not auto-renew. If you look at your account billing page and do not see a subscription, but wish to renew, just email us at [email protected]. Use a subject line of "Renewal" and include the email address that you use on the training site with a short message. For example: "My address for the training is [email protected] and I would like to renew my training account for another year. I bought into the training at the $400 rate". We will respond with a payment link and once the payment goes through we will add a year onto your account.

Additional Support
We will be monitoring renewals and cancellations closely to make sure that everyone has a smooth experience. You can reach us at [email protected] with any questions or issues. To provide an additional avenue of extended support we have created an additional Matrix/Element chat channel just for renewal questions and issues. Links to the support channels:
Primary: https://matrix.to/#/!fXQLoTTuSqSKnihIpm:matrix.org?via=matrix.org
Alternative: https://app.element.io/#/room/#inteltechniques.support:matrix.org

Recap of the Account Types
Subscriptions - Subscriptions auto-renew IF you have a valid payment card on file.
One-Time Payment Customers - One-Time-Payments do not auto-renew.
Bitcoin and Paypal Customers - Bitcoin and Paypal purchases do not auto-renew. Email [email protected] if you wish to renew.
Orders Through Laura - Orders through Laura do not auto-renew. Please email [email protected] if you wish to have Laura renew your account.


Training Exercises 2022
Lesson Difficulty: Intermediate/Advanced
v.7.2022

Practical Exercises #2 "AngryPanda"
In 2021 we released our first set of practical exercises with the intention that members have a set of questions and targets which they can use to practice tactics and skills. The format is "CTF" style in that it is a series of questions where you as the participant must figure out the exact answer and submit it via the online portal. In early 2022 we updated to a new platform, with new questions, and we continue to add new challenges over time. Some things to keep in mind:
• The practicals site works pretty well, but as is the case with any automated system, it is imperfect.
• The most significant limitation of this type of format is that the system looks for an exact text string when you submit an answer, so pay attention to any notes regarding the expected format of answers. It could be that you have a correct answer but that it is just not in the correct format. For example: "username" versus "@username".
• If you are certain you have the correct answer but the answer is not being accepted, you are welcome to direct message Jason on our Matrix server to ask about your submission. Please don't post guesses in the general chat channels, as we wouldn't want to spoil the practicals for other participants.
• Some of the more advanced challenges were created by Francesco Poldi. If you see that it is one of his challenges, I recommend DMing him @FP on Matrix with any questions about his challenges.
• If you see a hint attached to a challenge with a value of 99999, just ignore it. Anything 99999 is only visible to admins and is a way that we attach notes for supporting participants who run into issues or find alternate solutions.
• We have a dedicated Matrix channel for questions or comments that do not contain spoilers. You can find that here: https://matrix.to/#/#inteltechniques.training.practicals:matrix.org
• I will say again, the points system is only there to add a bit of fun to the practicals, so don't get too caught up on earning points versus building skills. The average points amount is 100, but some questions are higher or lower to indicate difficulty level.

Option #1: Skip Straight to the Exercises
The easiest way to get started is to download the text file at the bottom of this lesson. That will show you where and how to create an account and get started. The account can be made with all burner info, but obviously you need to store your password in your password manager of choice. Alternatively, if you want an additional challenge you can hold off on reading that text file and try to find the practicals site using OSINT. This will be quite difficult, but for anyone wanting an extra challenge, you can skip to option #2.

Option #2: Hunt For the Practicals Site & Login
If you want to kick off your journey with a tough initial challenge, then it is your mission to locate the site where we are hosting the new challenges. You will also need to find a second site where we have hidden a clue to the registration password. It will not be easy, as we wanted to make this early challenge a tough one. Here are your knowns:
• There are two sites, neither of which is inteltechniques.com or inteltechniques.net.
• One site hosts the new practicals using a popular CTF framework as the back end.
• The other site contains a hint to a password that you will need if you want to register on the first site. UPDATE: as if this part wasn't difficult enough, in the summer of 2022 we will be taking the site with the registration password clue down. The upside is that as OSINT professionals we have ways of searching for deleted content, so this is still solvable, just more difficult.
• No hacking is allowed, nor is it needed. This is an OSINT only challenge. Do not port scan or "hack" any sites. You may need to dig through site content using OSINT skills.
• For the password, which we will call the "key", a page on that site holds a clue as to what it is. It doesn't flat out give you the password, just a hint to what it is.
• Other pages, files, or items on that site might also hint at infrastructure or technologies used on the other site, which is where the challenges are hosted.
• The password is not case sensitive. It has no spaces or special characters.
• If you find site one, dig through it to your heart's content, but again do not hack anything. This is not a pentest and you do not need any infosec skills to solve it. Any clues are logical, not technical. There's no decrypting etc.
• Much of this two part challenge relies on educated guesswork based on what you know about our intentions with the new practicals and possibly some things we did with the last challenges.
• You do not need to stalk my personal information, but it may be worth looking back through things like the Matrix/Element chat for intel. Think about what you know about me (Jason) and how I do things, what my skills are, etc., just like any other target.
I have not hidden any hints anywhere in my own online footprint, so again don't hack me and you don't need to stalk me; it would be a waste of time, as there is no part of this that touches my other projects or anything of Michael's. These are two new sites and they are not on our known domains, nor are they on the same domain. Once you find the site with the challenges, use the password (you will likely be unsure if it is correct, so be prepared with a list of things to try) to register as a user and a team. Then you are welcome to start hammering challenges. A head start, if you will, as a reward for solving this early challenge and for being active members of the Matrix/Element chat. You can do any of this solo or as a team; it is totally up to you.

The challenge posed by option #2 is tough, and if you are new to OSINT and want to bypass this obstacle, the text file attached to this lesson has the answers. Be aware this is a spoiler and you will have skipped this initial challenge, so make sure that is what you wish to do. This is not meant to be a competitive event beyond some friendly gamification, so the spoiler is provided so that those not ready for or not wanting the site hunt can move on to the exercises as a whole without the frustration of a barrier to entry. Remember, the point of the practicals is to provide you with targets to practice on. The gamification and score keeping are just to add a layer of fun, but don't forget that you can use any of the targets for testing other tactics and doing a practice deep dive. You will get the most out of it if you do not limit yourself to just answering the specific questions provided. You can join the dedicated Matrix channel here: https://app.element.io/#/room/#inteltechniques.training.practicals:matrix.org

1Welcome.md

7/22/2021

IntelTechniques Online Training Roadmap
IntelTechniques.net
Welcome to the new IntelTechniques online training. I am excited to have you on board as we rebuild and update the IntelTechniques material, building off of the amazing curriculum created and honed by Michael Bazzell over the last two decades. Before we dive into the lessons, I wanted to take a moment to explain the move over to a new domain, platform, and instructor. When Michael announced that his online training would be ending in July 2020, he received much feedback requesting that he reconsider. Maintaining the online training was simply too time consuming and was taking time away from his other projects. Numerous companies offered to purchase the training to repackage as their own, but Michael was not confident that they would keep it updated and accurate. He did not want the members of his online training to fall victim to a "money grab" or end up in the hands of people who were not truly colleagues, with an investment in the trade craft. This past spring, as the end of the training approached, we discussed the possibility of my taking on the online training, as I have been teaching his live courses for the last couple of years. We did not want the community to be abandoned, nor his great foundational curriculum to die on the vine. We needed to move responsibility for the online training off of Michael's plate and yet ensure a level of quality and accuracy if it were going to continue. Where we landed was that in addition to teaching the live IntelTechniques course, I would take over the instruction and day to day responsibilities of the online training. Michael's would be an advisory role to make sure that the members continued to receive the quality and level of training that they have come to expect. In May 2020, I started working on updated video lessons and online documentation that mirrors what we cover in our live classes. On August 1st we opened up the new training to interested existing members, and the public release was scheduled for the end of that same month. Michael has developed his content over years and we both recognized that it would take some time to flesh out a similar quantity of content. Thus, he graciously offered to provide selected videos of the previous training to fill any content gaps while the new training is built up. As new lessons are released those videos will be replaced so that we do not have any outdated or otherwise inaccurate content. Below is a roadmap and timeline reflecting the plan for the online training as we close out 2020 and move into 2021.

Training Instruction & Management
The entire reason the training has changed hands is so that Michael can focus on other projects. Big shoes to fill for sure, but he will continue to monitor and provide high-level guidance on the direction of the training. I will be handling all of the day to day care and maintenance of the site and instruction. As we move forward, I am here to provide support for any of your questions, comments, and concerns. There are numerous avenues of support on the new training platform and I can always be reached at [email protected]. Michael will continue to produce the podcast, books, forum, and many new projects, so he is not disappearing by any means. He has told me many times that OSINT should be taught by experienced investigators who are actively working in the field. Handing the reins to a colleague who is actually working real OSINT investigations was the most important consideration. No one has the breadth of experience that Michael has when it comes to OSINT, but I do have a similar law enforcement background and I am currently working real-world cases that are likely very similar to your own.

Roadmap
August 2020 -- Pre-release for current members at a discounted rate. Basic content is in place and Michael's newer, advanced videos are included as placeholders for updated versions. Updates and additional lessons added on a weekly basis as we close any curriculum gaps.
August 28th -- Public release of the new video training. Weekly additions of new OSINT videos and materials.
October 2020 -- Security and Privacy modules added to the training, continued accelerated content release cycle.
November-December 2020 -- The remainder of Michael's content will be replaced with updated versions.
2021-Forward -- New video lessons released on a monthly basis. Addition of practical exercises (individual and team). Continued customization and development of the custom offline OSINT tool-set. Continued updates and support for the OSINT cheat sheets and reference materials.

Member Feedback
This timeline is very non-specific, purposefully, as the members will in part decide the direction the training takes over time. The new training platform makes it easier than ever to ask questions and give feedback. That feedback will help determine which topics and mission types we tackle each month. There is a balance to servicing both newer and more experienced investigators, so we will be pushing out material that covers a good range of both basic and advanced topics. A great place to ask questions or give comments is our Element chat, the OSINT Training Room:
Primary: https://matrix.to/#/!KtioSOJclafqAdZgIf:matrix.org?via=matrix.org
Alternative: https://matrix.to/#/#inteltechniques.training.discussion:matrix.org?via=matrix.org

Support
I will be your dedicated instructor and support for the online training. I will be helping you sort out any issues you might run into with accessing the training, as well as providing guidance and help with the individual training modules. Please use the built-in interaction and support features on IntelTechniques.net to request assistance, and again you can always contact me directly at [email protected]. One reason the training was moved to a 3rd party platform is the 24/7 support and redundancy provided by the hosting company, so outages should be very rare. You are welcome to request assistance with any platform related issues from the host as well: Thinkific - Troubleshooting Guide for Student Issues.


OSINT – Entity Tiles v.6.2022

What are Entity Tiles?
Entity tiles or entity cards are small graphics and/or document elements which represent a person, place, or thing in an OSINT report, diagram, or presentation. Most often we use them to show either relationships or connections, such as an investigative path. For example, if you are illustrating that Jane Jones owns the domain janejones.com, you could use a set of tiles or cards to represent Jane, the domain (web site), and also any sites or records which substantiate that she does own that site. An uncomplicated way to understand how we might use these tiles/cards is the old school "crazy wall" or "murder board".

(Image source: https://i.redd.it/bq9tge4j71b21.jpg) These tend to be mostly a television cop show convention, but we do occasionally put together either physical or digital boards illustrating relationships between people, places, and things. We talked about setting up some basic diagrams or link charts in a previous lesson (https://www.inteltechniques.net/courses/take/opensource-intelligence/lessons/21409569-link-charts) and please consider this lesson an extension of that topic. This is not a practice that we use on all cases, or even on most cases, but you may find it useful for more involved investigations or long term operations where you want a visual representation of relationships or connections. In this lesson we are going to provide an overview of the concept of entity tiles and provide a small set of starter assets. If you decide to fold this into your tools and process, you should consider further customizing and expanding on our examples.

Entity Tiles/Cards
To get started setting up visual representations of entities for your investigation, you should first create a selection of graphical assets which represent entity types. An entity type is typically any of the common categories or identifiers we use as leads during our investigations. For example:
1. Person: Subject of interest; could be a suspect, witness, associate, etc.
2. Phone Number: This could belong to an individual or organization.
3. Location: A physical address, place, or area tied to the subject or incident.
4. Social Media Account: Facebook, Twitter, IG, Reddit, etc.
5. Domain: Websites or individual pages.
6. Organization: Business, employer, club, etc.
7. Event: This could be real world or online; something like a "meetup" may be both, with a physical meeting and an online page as well.
8. Document: Items such as public records.
9. Images: Typically, images are folded into the other categories (for example, your person card may have a profile image), but you might also have something like a surveillance photo that is an entity of its own.
10. Financial Transaction/Account: This could be tracking crypto or traditional currency transactions and associating them with real people or accounts.
11. Everything Else: An entity can really be any major lead, pivot point, or other item in your investigation, so expect to occasionally create new entity types if you adopt this technique.
Another way to think about it is that many of the entity types reflect the categories of our OSINT tools: https://inteltechniques.com/net/tools/

Two Use Cases

The following are just two of the common ways that you might use entity tiles. Do not feel limited to these use cases, and always use your own creative problem solving to find new applications for any technique.

Investigative Path: Either as a standalone document or as part of a longer presentation or report, there are times where a visual representation of our investigative path is helpful. For example, if during your research you connect a real name to a specific social media account, you might illustrate the connections using entity tiles.

This example, using two of our sample tiles, shows how we can present an image and some concise intelligence on two entities and then also include the link to the site where we were able to substantiate the connection. This example is of course just fake filler data, but you get the point. This could be two entities or seven or any number really, but depending on your use case I would not make it too complex or difficult to read. If you plan to use the tiles for a briefing, I recommend going light on text content because too much text during something like a PowerPoint briefing can be difficult for the audience to follow. You can of course explain your investigative path with a written narrative or using a link chart (as discussed in our link charts lesson), but entity tiles just give you another option to consider.

Link Analysis Diagram – Link analysis diagrams are a common method of illustrating relationships between data points for intelligence missions and investigations. Typically, these use small icons with just a single word or line of text to label the entity. In many cases using a single small icon makes sense due to the substantial number of data points on the diagram, but in some cases it may make sense to use some version of our entity tiles. The result is similar to the "crazy wall" or "murder board" that you see in cop shows. In fact, you could print out your tiles as individual cards and then physically attach them to a pin board or whiteboard if you are running a long-term operation out of a controlled space such as a command center. A simple example created in Draw.io:

Tips and Recommendations

Some things to keep in mind when using this technique.

1. Digital Documents – If you use entity tiles in a digital document there are two approaches, depending on your use case.
   a. Embed Images – If you do not need the tiles to be editable in your final document, consider pasting them in as images vs tables or text. This will make them easier to embed without messing up how they look or the formatting of your report.
   b. Embed Editable Objects – Depending on how you create your tiles (our examples were created in Draw.io and Excel) and the format of your final work product, you may have the option to embed an editable version of your tiles. For example, when copying a tile created in Excel over to a report written in Word, you could choose to embed the table itself so that it can be further edited within the Word application. This is convenient but can sometimes create distortions or formatting challenges.
2. PowerPoint – Some people conduct briefings using PowerPoint, and if so these tile assets work well with that format. We have a PowerPoint template in one of our Domain lessons which may give you additional ideas for how you can format and make use of your entity tiles.
3. This May Not Be for You – What I mean by that is, this is just another option for presenting and illustrating your intelligence. It may not suit your workflow or your use case. Do not feel obligated to use this technique if it doesn't feel right or provide value to your own scenario. We try to present many ways of doing things so that everyone can pick the tools and options that are a good fit for them.

OSINT – Components of a Good Report v.6.2022

New to OSINT - Training Tips

Although what makes a report "good" is somewhat subjective, there are some key components and concepts that are worth going over for those of you who have less experience drafting comprehensive reports. This is not an all-or-nothing deal, but rather a set of considerations which you may want to bear in mind when working on a large OSINT assignment that requires a detailed written work product. This lesson may also be useful for those planning to tackle the OSIP certification, as I will share in the video some of the criteria I use to evaluate the final reports during testing.

Report Components

We've talked about these in other modules and they are reflected in most of our more comprehensive templates, but let's start by reviewing some of the standard sections that we might include in a full report. Again, your mission and requirements may vary, so your reports may have additional sections and/or topics. The example report used in this lesson is for a vulnerability assessment or "due diligence" assignment, so bear that in mind when you watch the video.

1. Cover: Clean, crisp, eye-catching, professional
2. Table of Contents: Concise and clear navigation of sections and topics
3. Scope: Reiterate mission goals, constraints, and investigative focus
4. Key Findings: The top items and take-aways the client should see (typically bullet points)
5. Executive Summary: A more verbose description of key findings (typically paragraphs)
6. Organization Overview: Consider including a diagram
7. VIP Profiles: In our example this is the top priority component and where most of the research time should be spent. Part of the clarifying-goals step may include verification of who to cover and focus on, how many profiles are expected, etc. Be careful to control client expectations. Sometimes they expect the world, but at the cost of a small town.
8. Recommendations: Any strong leads
9. Analyst/Investigator Experience: Take 30 seconds up front to make a plan and then re-assess periodically
10. Appendix:
11. File Attachments/Archive:

Mission Clarity

An important step in accepting an assignment is clarifying expectations. Depending on your company/client/industry the process and jargon may differ, but in general you should make certain that you fully understand what is expected as a final work product and all details related to the logistics of delivery (file types, transmission, etc.). In the private sector this is sometimes referred to as clarifying deliverables. This can be as simple as instigating a conversation about report focus, format (Word, PDF, etc.), and method of delivery (secure file transfer, encrypted email, etc.). Obviously, memorializing communication regarding scope and expectations is wise should there be a dispute over the final work product. Sometimes it is beneficial to remind clients as to what they really asked for.

Pitfalls

Some common issues we see when evaluating OSINT reports.

1. Lack of Polish – I have what I call a 30-second rule. A good report conveys a sense of being professional and comprehensive in the first 30 seconds of viewing it. Often a client will have subconsciously judged your report's value in the first 30 seconds of viewing it. This is also why the first 3-5 pages of the report are the most important. Sloppy formatting, poor layout, lack of a cover or other key components, and failure to proof your work are all potential problems.
2. Errors – This goes hand in hand with failure to proof your work: typos, misspellings, and poor grammar. Please, please, please use spelling and grammar check AND have another trusted professional proof your work. Sloppy presentation implies sloppy intelligence.
3. Focusing on the wrong aspects of the assignment – This relates back to clarifying expectations. Does your client want primarily data exposures and vulnerabilities on their C-suite leadership, but you provided them with a pentest on their infrastructure? Excellent work is not useful if it doesn't address your client's wants/needs. Take the time to clarify mission priorities and reflect those priorities in how your report sections are structured and weighted in regard to volume of content and time spent on collection and analysis.
4. Time – Time management is huge in tackling major assignments and OSINT missions. If your mission includes producing a written work product, make certain to pace and plan your time so that you have adequate hours to commit to preparing and proofing your final report along with any case assets. There is a point in any investigation where you have to move your focus away from digging and start pulling together the work product, whether it be a written report, verbal briefing, or both.
5. Be Self Aware – Prior to accepting an assignment, position, or undertaking something like the OSIP certification, make sure that you have a good sense of your own capabilities and how long it takes you to perform all of the tasks required. Do you have additional challenges? For example, if English is your second language, but the client is a native English speaker, you may need to allow extra time to have a native English speaker proof your work. Be realistic about what you can accomplish, manage your time well, and when possible schedule large projects for times when other distractions are less frequent. For example, it's probably a bad idea to schedule your OSIP assessment for the same week that you have a thesis due or near the date that you are having a baby.
6. Remember the Mission Goals – For example, a common question that comes up is as follows. "Jason, I have a target who I am doing a vulnerability assessment on, but I cannot find some key identifiers such as date of birth or home address. What should I do?" If you've invested plenty of time searching and checked most of the main sources for those data types, then in the context of a vulnerability report the fact that you couldn't locate it is useful. The mission was to show how exposed the VIP is, so it is also pertinent that certain items are not exposed. For those line items you can list what was checked and/or include a rating reflecting that it appears relatively secure. What we don't want is a report full of blank fields, which would make it feel less than comprehensive.
7. Proof Your Work Again – Formal reports should be error free, so checking them multiple times is smart. Also test your method of delivery. If you zip up files into an archive and password protect it, make certain that it opens properly using the instructions provided to the client.
8. Support Your Findings – Although the early portions of your report probably should not have too much detail, it is wise to footnote or otherwise provide references to where you sourced the intelligence. For example, one of your key findings may be a one-liner explaining the level of breach data exposure on VIP accounts. You would not want to put raw data in that part of the report because that is a high-level overview, but you may want to add a footnote or embed a link tying it to a section deeper in the report or a section in the appendix. The appendix, attached file archives, and deeper sections of the report most often contain items that substantiate your findings and provide links, screen captures, etc. as appropriate to the mission scope.

2OSINTAccountCreation.md

7/22/2021

OSINT Essentials - Account Creation

1.1 Best Practices When Creating Covert Online Accounts

Burner, puppet, UC accounts, etc. We usually make FB, IG, and Twitter accounts at once and tie them in as one covert profile. Each adds depth and veracity to the others (intentional cross-correlation). Keep notes on your covert details either in a paper notebook or in a digital format like a password manager or spreadsheet, with your security requirements in mind. If it is a sensitive or deep infiltration case, make sure to compartmentalize this profile from the get-go (connection, browser, device (use a VM to isolate), etc.).

1. Connection:
   - No VPN during account creation; most VPN IP blocks are flagged
   - Cellular data connections (MiFis) are good -- dynamic/shared IPs
   - Another technique is to get a free-tier AWS EC2 or Digital Ocean VM and use it to make the account, as then you will have an AWS IP. This is more advanced but works pretty well if you are comfortable with VMs and learning to navigate AWS. Some groups even run full investigative VMs on AWS, but again this is a more advanced setup that takes some work to sort out.
   - Another advanced technique is to roll your own VPN through AWS, as the providers tend not to flag AWS: GitHub - streisand
2. Email Address:
   - No Gmail, Hotmail, Yahoo, or other top free mail (Gmx.us is an exception for now)
   - Private domains work best; grab a Namecheap or GoDaddy domain and webmail for cheap and make a bunch of accounts with them
   - Gmx.us accounts seem to work ok (for now) and require no existing email or contact info
   - Sudomail and Protonmail addresses work ok, not as good as a private domain though
3. Phone #:
   - You might get lucky and not get the phone number requirement, but sometimes it won't require it at first and then a couple of hours or days in it will throw it at you as a security requirement
   - No VOIP -- most number blocks are flagged
   - Mint test kits and an unlocked phone are a cheap way to get 7 days on a real number
   - Make sure you have Mint coverage in your area


   - Amazon, Mint Mobile - $5 for two SIMs
   - You might then port the number over to Google Voice
   - Some groups buy these in bulk
   - You can also use an extra # on a real account (i.e.: Verizon), port it over to Google Voice, and then draw a new # for that Verizon account
   - Some people will also use hotel phones and the like when travelling to roll accounts, but that is kind of a pain I think and a roll of the dice; that sort of taking advantage of public #s as you find them works fine for individuals but not so much for orgs
4. Choose a name that is generic, but not too generic, i.e.: Nicky Robinson, Hunter Reynolds, etc. HowManyOfMe.com
5. Name, gender, city, employer (school) should make sense; remember a real person at FB will likely look at your profile if it is reported as suspicious, and we want to pass the smell test
6. Profile/cover photo
   - We don't ever purport to be a specific individual without consent (i.e.: no identity theft)
   - Pikwizard -- Good source for free-for-anything licensed photos
   - Pixabay is also decent
   - Avatar makers are another option - Mashable
   - Fiverr -- You can buy profile photos for cheap, or anything else really... avoid buying bulk accounts; they are often locked, scams, or stolen
   - I also like taking a pic from images.bing.com of a large crowd (road race, sporting event, concert), using the snip tool to crop it, and then posting the still-large group shot; it's unclear who we are in the group and yet it's the kind of shot people post for profiles or banners because the internet is all about bragging
   - Get creative -- general rule is snip, crop, filter, logical pic choice

Once we get into our new account, start making it feel real right away and do not let it get stale.

1. Time to flesh out our profile by making some friends
   - Join Groups -- anything that has large groups that accept anyone
   - Nerdy groups and pop culture are my favs: video games, cosplay (because then costumed profiles make sense), etc.
   - If you are doing a deep infiltration you may have to research your target's groups; don't join her/his groups directly, join similar ones and work your way in slowly after you have some history



   - Do some liking and commenting in groups for a day or two
   - Then go to https://www.facebook.com/find-friends/browser/ and let FB recommend friends. We never cold call friends anymore; we let FB tell us who it has already cross-correlated with our profile. This reduces the chances of getting flagged significantly.
2. Posts: On August 1st Facebook cut off all 3rd party app access except for Messenger or FB pages. We formerly used IFTTT and WordPress to auto-post, but they are broken for now. IFTTT still works for Twitter.
3. Avoid political chat and comments. Politics and social issues are high on the radar of the FB watchdogs due to the fake news and voter tampering concerns.
4. Keep track of covert accounts in a spreadsheet or, better yet, a password manager.
5. SIM jacking Twitter accounts is very popular, so use long passphrases even on your sock accounts and consider 2-factor if they are mature or otherwise valuable accounts
6. Know your agency's policies around things like friending and any levels of approval or documentation required
7. ...and of course, we always use our powers for good, so we always assume that our investigation will eventually see the light of day; make sure you are proud of how your activity will look in retrospect to an objective 3rd party in regard to reasonable and responsible

1.2 Resources/Articles

- How to create OSINT investigation accounts and not get shut down (OSINT ME), 2019
- Burner Plans Compared - Google Doc

1.3 One Tab Bookmarks

- https://namecheap.com | Preferred Domain Purchase Site
- https://fastmail.com | Freemail for account creation
- https://protonmail.com | Freemail for account creation
- https://www.gmx.com/ | Freemail for account creation
- http://howmanyofme.com/ | Name Selection
- https://mashable.com/2007/09/12/avatars/#mn3Ph1PwgZqi | Profile Image Source
- https://www.pexels.com/search/profile/ | Image Source
- https://pikwizard.com/ | Profile Image Source
- https://www.fiverr.com/ | Profile Image Source
- https://pixabay.com/en/man-board-drawing-muscles-strong-2037255/
- https://www.bing.com/images/search?q=marathon | Profile Images Example
- https://www.facebook.com/groups/discover | Join Groups FB
- https://www.facebook.com/find-friends/browser/
- http://thispersondoesnotexist.com | Fake Profile Photo Generator
- https://pastebin.com/b1LKabJk | Script to Bulk Download TPDNE Photos


2OSINTBasicSteps.md

7/22/2021

OSINT Essentials - Investigation Steps

1.1 Working Up Your First OSINT Case

Many of you are seasoned investigators who may not need a basic set of steps to get you started, but all of us started somewhere. In teaching the live sessions I heard from many returning students that the sheer number of tools and techniques made it difficult to know where to get started when they applied them to a real-world investigation. For anyone using OSINT for the first time, the following are some reliable steps that you can use when working up your first case.

1.2 Triage

Clarify expectations and goals before diving in:
1. Define the primary question that you are trying to answer. Who owns this Twitter account? Where are we likely to locate this target? Does this person have the means and intent to follow through on the threat?
2. What do we know about the target? Any names, accounts, identifiers, associates, etc.
3. What are our time and resource constraints?
4. Are we collecting intelligence, evidence, or both?
5. What form of end product is expected? Verbal briefing, short-form threat assessment, full report?

1.3 Investigative Steps

Working up your first case with your new tools and techniques:
1. Set up your notetaking and data collection to track your work - paper notebook, OneNote, Hunch.ly, a directory on an encrypted flash drive, etc.
2. List your investigative goals - full profile, locate for apprehension, identify associates, collect digital evidence, etc. (are you collecting intel or evidence for court?)
3. List your seed info - emails, phone numbers, names, etc.
4. Run all your paid and/or gov queries and use those to add to your seed information. If possible, get hold of a booking or DOL photo for comparison while researching social media.
5. Run Accurint (LexisNexis), TLO, or Clear reports.
6. Fire up Chrome with your plugins of choice - uBlock, HTTPS Everywhere, JSON viewer, Fireshot, OneTab (or use your prebuilt custom OSINT VM)
7. If it is likely going to be a full investigation, I turn on Hunch.ly and enter my "selectors" (keywords from seed info)



8. I do a quick Google search and check my people finder site of choice for that week, e.g. "James McIntire" "Denver", and run the name through my custom offline tools. Use the custom tools page that matches your known identifier (see info), so if you have an email address, use Email.html. This first dive is a fast-moving search for low-hanging fruit.
9. My typical order is email, real name, search engines, Twitter, Facebook, Instagram, phone number, and then the rest depending on what you have to go on.
10. I exhaust Google and my custom tools, closing any tabs that return false positives or no useful results. For any page that is important, I note any identifiers (account IDs, usernames, etc.) in my case notes and screen capture the page.
11. Screen captures are saved in the case directory and/or in a digital notebook such as OneNote. On a case with multiple targets, create subfolders for each person of interest.
12. When I am done with my research I copy/paste pertinent information and identifiers into a profile or case report (for template examples see the documentation module). I embed or attach any pertinent screen captures, PDFs (such as LexisNexis reports), and photos (anything depicting the individuals, vehicles, or addresses).
13. I go over that report with the case detective or agent to explain my investigation and see if they have any questions. This is their opportunity to get clarifications and request additional intelligence.
14. My rough notes, workbooks, Hunch.ly files, and/or cloned VMs are usually saved in an archive in case I need them for further investigation or court. The exceptions to this are missions such as intel gathering for operations, events, threat assessments, etc. A Hunch.ly export might be burned to disc as evidence, but be cautious of any unintended data that might have been inadvertently saved during that session. The VM backup should not go into evidence as it would divulge tradecraft. Treat it as an undercover laptop that you can refer to, but avoid exposing it unless you are forced to (work with your prosecutor to fight this). If you do not need that VM for court, do not keep it (hoarding data comes with custodial responsibilities and potential liabilities). Develop a routine for housekeeping your case archives and investigative workstations. Your agency likely has retention policies and you should review them.
15. I make sure I have a fresh VM for the next case or crisis that comes up. I also make new accounts to have in pocket in case any of my research accounts were burned. Better to prepare for the next case at the end of the previous one and be ready to go at a moment's notice. Not every mission justifies a VM; you'll find your own workflow and threshold for deploying advanced tools.
16. Wash, rinse, repeat. Track successes to justify more equipment, staffing, and training.

Note: My standard setup is an off-grid Windows PC on a UC cable modem or MiFi (VPN as appropriate). For quick checks such as events, threats, etc. I stay in Windows and just use Chrome/Firefox and my custom tools. This is for convenience and speed with less fuss when there is less of a need for compartmentalization, security, and/or anonymity. For investigations I typically use my custom OSINT VM and fresh research accounts. Quick utility vs. backstopped single purpose - use the right tool for each mission. If you don't have a set of custom OSINT tools and a VM, you will by the end of this training. We will build them together, which means you will understand what they are doing and be able to keep them working even if Michael and I disappear.


2OSINTBrowserCustomization.md

7/22/2021

OSINT Essentials - Browsers

1.1 Tuning Your Browsers

We will be doing more work in our browsers than in just about any other piece of software, and yet most of us use them in their stock state without making use of available efficiencies.

1.1.1 Tweaks

Recommended changes to the default browser settings.

1.1.1.1 Chrome

Create a custom search engine with the URL http://google.com/search?q=%s&tbs=qdr:y (see the Operators Module for steps).
1. Go to settings via the Chrome menu or by typing chrome://settings/ into the address bar
2. Turn off syncing and autofill, and review each category under Privacy and security (use common sense)

Tweak your notifications to prevent constant GDPR popups: chrome://settings/content/notifications
1. I prefer to do most popup and script blocking with uBlock Origin vs Chrome's built-in settings
2. uBlock Origin (our recommended script blocker) can also block the popups: uBlock Origin icon -> Open the dashboard -> Import... -> (paste the following link) -> Apply changes
   https://raw.github.com/r4vi/block-the-eu-cookie-shit-list/master/filterlist.txt

1.1.1.2 Firefox

Adjust your privacy/security options: menu -> options -> privacy & security. Go through each portion, use common sense, or uncheck all except for:
1. Delete cookies and site data when Firefox is closed
2. Warn you when websites try to install add-ons

For History: Never remember history, and then click on clear history.

Advanced: For granular control type about:config into the address bar, hit enter, and show all. Mark all of the following as False:
- geo.enabled
- browser.safebrowsing.phishing.enabled
- browser.safebrowsing.malware.enabled
- media.navigator.enabled
- dom.battery.enabled


- extensions.pocket.enabled
- media.peerconnection.enabled
- media.peerconnection.use_document_iceservers
- media.peerconnection.video.enabled

Mark as True:
- media.peerconnection.turn.disable

Now install your extensions (see list below). Once you have Firefox how you want it, back up your profile so that it can be imported into any new Firefox instances: Help -> Troubleshooting Information -> Open Folder. Copy this folder to a safe location; then, any time you set up a new instance of Firefox, find the config folder with the same steps and paste in your saved profile after deleting any existing files in that directory.

1.1.2 Shortcuts

On Mac replace Ctrl with ⌘

1.1.2.1 Chrome

- Google Chrome shortcut keys (Computer Hope), 2021
- 17 of the Most Wonderful Chrome Shortcuts, Tested and Approved (Yesware), 2018

Commands:
- Ctrl + F: Find
- Ctrl + A: Select all
- Ctrl + C: Copy
- Ctrl + V: Paste
- F11: Full screen
- Ctrl + Shift + N: Go Incognito Mode
- Ctrl + Shift + T: Open Last Closed Tab
- Ctrl + W: Close the Active Tab Right Away
- Ctrl + Tab: Next open tab
- Shift + Ctrl + PgUp: Previous open tab


- Ctrl + M: Minimize the Active Window
- Ctrl + J: Open Your Downloads Page
- Ctrl + B: Open Bookmarks Manager
- Ctrl + L: Snap Your Cursor to the Search Bar
- Ctrl + Shift + Delete: Clear Browsing Data

1.1.2.2 Firefox

Keyboard shortcuts - Perform common Firefox tasks quickly
- Ctrl+F: Find
- Ctrl+A: Select all
- Ctrl+C: Copy
- Ctrl+V: Paste
- Ctrl+T and middle-click: Pressing Ctrl+T opens a blank new tab; if you want to open any link in a new tab, press your middle mouse button (often the scroll wheel) to open that link in a new tab.
- Ctrl+Shift+T: Oops, closed a tab you didn't want closed? Press Ctrl+Shift+T to undo any tab close. Pressing this multiple times will undo multiple closes.
- Ctrl+L or F6: Quickly get to the URL address bar.
- Ctrl+F: Pressing Ctrl+F opens the find feature. Using this shortcut, you can quickly find text on the same page. If you want to do a quick find and have Firefox scroll to the text location as you type, press forward slash (/) instead while in the browser.
- Ctrl+W: Close the current tab
- Ctrl+Tab or Ctrl+Shift+Tab: Move between open tabs.
- Ctrl+D: Open the bookmark window for the page currently being viewed.
- Ctrl++: Increase the font size
- Ctrl+-: Decrease the font size
- Ctrl+0: Reset the font size


- F11: Make the screen full screen, removing all toolbars and status bars.
- Ctrl+J: Open the Download Manager window.

1.1.3 Extensions

1.1.3.1 Chrome

- uBlock Origin script blocker
- HTTPS Everywhere
- OneTab
- Tabs Outliner
- Context Search
- JSON Formatting
- Instagram Downloader
- Treeverse
- Link Grabber
- NooBox
- RevEye Reverse Image Search
- Download All Images
- Fireshot
- Nimbus Screenshot
- OneNote Clipper
- Explain & Send Screenshots
- Exif viewer
- Video and Image Tools
- Video DownloadHelper
- RightSpeed for YouTube
- Data Scraper
- Domain and IP Search
- Detect page technology
- Multi archives
- Archiveror
- Google Translate
- Location Guard
- User Agent Switcher
- Practical Startpage

1.1.3.2 Firefox

- uBlock Origin
- HTTPS Everywhere
- Firefox Containers
- User-Agent Switcher
- Context Menu Search
- Archive Search
- Link Extractor


- LinkedIn - Guest browser
- View Embedded Images
- Pinterest - Guest browser
- Fireshot
- Nimbus Screenshot
- Exif viewer
- Video DownloadHelper
- Location spoofing
- Archive Wayback
- KeePass Extension

1.2 Resources

- Make Your Own Custom OSINT Bookmarklets (secjuice), 2020
- Custom Search Engines in Google Chrome: Essential Tips and Tricks (MUO), 2019
- 31 Power Tips for Chrome That Will Improve Your Browsing Instantly (MUO), 2018
- Tweet location FAQs


2OSINTCustomTools.md

7/22/2021

OSINT Custom OSINT Toolset

Editing Your OSINT Tools

For years Michael hosted an OSINT dashboard on his site where we could quickly run several queries based on identifier type. This eventually had to be taken down due to abuse, but with his 7th edition book he walked us through rebuilding those tools on our own desktop. We will be rebuilding those tools using his foundational HTML files, culling out broken sites and replacing them with new ones. We will be knocking a couple of these out monthly and then pulling them all together into a complete dashboard that you can further customize and run from your workstation. You can complete all of this work with a text editor and browser, but here are a couple of recommendations for tools that may make this process as pain free as possible. Most of these can be used for basic text editing, but also offer a full IDE (integrated development environment). Watching the videos will be helpful if this is all new to you.

- Atom
- Atom - HTML Preview
- Visual Studio Code
- Visual Studio Code - HTML Preview
- VSCodium: Non-Microsoft "Private" version of VS Code
- Notepad++: Solid Windows Text Editor

1.1 HTML Reference

Lines of HTML explained:

- `<head>`: This informs your browser that the "head" portion of the page begins now.
- `<title>Email Search Tool</title>`: This represents the title of the page, visible in the browser tab.
- `</head>`: This discloses the end of the "head" section.
- `<body>`: This informs your browser that the "body" portion of the page begins now.
- `</script>`: This identifies the end of the script.
- `<form>`: This creates a form to generate the URL, looking for a specific value.

New Terminal
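An added example, not the course's own Email.html or Michael's HTML: the script portion that would sit between `<body>` and `</script>` on an Email Search Tool page like the one outlined above, taking the address from the form and building the search URLs. It assumes a form with id `emailForm` and a text input with id `email` (constructed names) and the four search-engine URL patterns shown; the `tbs=qdr:y` past-year parameter is the one used for the Chrome custom search engine in the browser notes.

```javascript
// Added example: script portion of a minimal "Email Search Tool" page.
// Assumed (constructed) markup, placed after this script in the body:
//   <form id="emailForm"><input id="email" type="text"> <button>Search</button></form>
// Each template uses {q} where the URL-encoded, quoted address is substituted.
const EMAIL_SEARCH_TEMPLATES = {
  google: "https://www.google.com/search?q={q}",
  // Same query restricted to the past year (the tbs=qdr:y operator used for
  // the Chrome custom search engine in the browser notes).
  googlePastYear: "https://www.google.com/search?q={q}&tbs=qdr:y",
  bing: "https://www.bing.com/search?q={q}",
  duckduckgo: "https://duckduckgo.com/?q={q}",
};

// Normalise user input: trim, lowercase, and require a basic address shape.
// Returns null for anything that is not an email address, so junk typed into
// the form never reaches the URL templates.
function normalizeEmail(raw) {
  const email = String(raw ?? "").trim().toLowerCase();
  return /^[^\s@"]+@[^\s@"]+\.[^\s@"]+$/.test(email) ? email : null;
}

// Build one URL per search engine. The address is wrapped in quotes so each
// engine searches the exact string, then percent-encoded so '@', '&' and other
// reserved characters cannot alter the query string.
function buildEmailSearchUrls(raw) {
  const email = normalizeEmail(raw);
  if (email === null) return null;
  const q = encodeURIComponent(`"${email}"`);
  const urls = {};
  for (const [name, template] of Object.entries(EMAIL_SEARCH_TEMPLATES)) {
    urls[name] = template.replace("{q}", q);
  }
  return urls;
}

// Open every URL in its own tab (browser only).
function openSearchTabs(urls) {
  for (const url of Object.values(urls)) {
    window.open(url, "_blank", "noopener");
  }
}

// Wire the form when running in a browser; does nothing under Node.
if (typeof document !== "undefined") {
  document.addEventListener("DOMContentLoaded", () => {
    const form = document.getElementById("emailForm");
    const input = document.getElementById("email");
    if (!form || !input) return;
    form.addEventListener("submit", (event) => {
      event.preventDefault(); // stay on the tool page
      const urls = buildEmailSearchUrls(input.value);
      if (urls === null) {
        alert("Enter a valid email address");
        return;
      }
      openSearchTabs(urls);
    });
  });
}
```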


2OSINTVSCode.md

7/22/2021

16. Your new Ubuntu Linux terminal is now open in VSCode

1.4 Additional Resources

Sites, write-ups, and walk-throughs:
- YouTube - VSCode Tutorial
- The Ultimate Guide 🚀 To Use VS Code With Windows Subsystem for Linux (WSL) (Dev), 2020
- Another WSL on VSCode Tutorial
- YouTube - Tmux
- Tmux as well, which I am a fan of

2OSINTWindowsAdv.md

7/22/2021

OSINT Essentials - Mastering Windows

Speed & Efficiency

If you are like me, you are always working against the clock, either solving short-term crises or meeting long-term deadlines. Most of us have never received any real training when it comes to using our workstation efficiently. The following are tips and shortcuts to save time on repetitive tasks and hopefully improve your work product as well.

1.1 Organization

A messy workspace, whether physical or digital, will slow you down and potentially impact the quality of your work. We need to set up a good system to organize data and tools so that once we are juggling a few cases, we can appropriately compartmentalize and also prevent a lot of extra work when it comes time to pull recovered data into a final work product.

Tools -- Add shortcuts for your most used tools to the taskbar and clear your desktop. The desktop is for immediately collected and used files; the taskbar and start menu are for shortcuts.

Directory Structure -- Establish a logical and consistent system for creating and organizing the folders that will hold your case data. We want to compartmentalize cases and place data in folders that indicate the contents at a glance. Directory is just another name for folders on your workstation. I like to give each case its own folder and, in that folder, I place any documentation along with subdirectories for anything I download related to the case, such as screenshots or media files. Each subdirectory is given a name that reflects the date the data was added. This aids in documenting the chain of custody on longer cases that might span months.

Collaboration -- If you are working as a team you may want to consider some type of shared digital workspace. This can be accomplished on-premise using shared network storage or, if appropriate, there are many cloud-based office suites that support shared documents and file storage. Microsoft Office 365 is the most common in larger organizations and OneNote is my preferred method of building out digital case work as a team. Note: any online office or collaboration software/service will present potential privacy and security compromises, so they may not be appropriate for more sensitive investigations.
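One way to build this layout and keep the chain-of-custody record the Directory Structure paragraph describes, as an added example that is not part of the training notes: a Python script that creates the per-case folder with date-named subdirectories and writes a SHA-256 manifest so a later reviewer can confirm that nothing was changed or added after the fact. The case name, file names and file contents are constructed; the manifest format is my own choice, not something the notes prescribe.

```python
import hashlib
import json
import tempfile
from datetime import date
from pathlib import Path
from typing import Dict, Iterator, Optional, Tuple

MANIFEST = "manifest.json"   # written at the case root, never hashed itself


def daily_dir(case: Path, when: Optional[date] = None) -> Path:
    """Return (and create) the subdirectory named for the date data was added."""
    d = case / (when or date.today()).isoformat()   # e.g. CASE/2022-08-01
    d.mkdir(parents=True, exist_ok=True)
    return d


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large media never loads into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _case_files(case: Path) -> Iterator[Tuple[str, Path]]:
    """Every file under the case folder, keyed by its case-relative path."""
    for p in sorted(case.rglob("*")):
        if p.is_file() and p.name != MANIFEST:
            yield p.relative_to(case).as_posix(), p


def write_manifest(case: Path) -> Dict[str, str]:
    """Record a hash for each collected file; rerun after each day's collection."""
    entries = {rel: sha256_file(p) for rel, p in _case_files(case)}
    (case / MANIFEST).write_text(json.dumps(entries, indent=2, sort_keys=True))
    return entries


def verify_manifest(case: Path) -> Dict[str, str]:
    """Compare the folder with the manifest: ok, modified, missing or new per file."""
    recorded = json.loads((case / MANIFEST).read_text())
    current = {rel: sha256_file(p) for rel, p in _case_files(case)}
    status: Dict[str, str] = {}
    for rel, digest in recorded.items():
        if rel not in current:
            status[rel] = "missing"
        elif current[rel] != digest:
            status[rel] = "modified"
        else:
            status[rel] = "ok"
    for rel in current:
        if rel not in recorded:
            status[rel] = "new"   # added since the manifest was written
    return status


def demo() -> Dict[str, Dict[str, str]]:
    """Constructed walkthrough in a temporary directory: collect, record, tamper, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        case = Path(tmp) / "CASE-2022-0042"          # constructed case name
        day1 = daily_dir(case, date(2022, 8, 1))
        (day1 / "profile_page.png").write_bytes(b"constructed png bytes")
        (day1 / "notes.txt").write_text("first collection\n")
        write_manifest(case)
        clean = verify_manifest(case)                 # everything "ok"
        # later: a note is edited and a new day's media is added without re-recording
        (day1 / "notes.txt").write_text("edited after the fact\n")
        day2 = daily_dir(case, date(2022, 8, 9))
        (day2 / "clip.mp4").write_bytes(b"constructed mp4 bytes")
        tampered = verify_manifest(case)
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```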

1.2 Tools

Have the right tools installed and ready to go before you need them.

Clean Workstation/Connection -- It may seem obvious, but regular maintenance on your workstation and network is essential for reliability and security. We need a properly patched/scanned workstation and a cold connection or reliable VPN. Refer to the desktop and network modules in the Security & Privacy Course for detailed instructions.

Capture Tools -- Preinstall your manual capture tools, scripts, and browser extensions. Refer to the Media Capture Cheat Sheet for a concise go-by or the Media Capture Module for a more detailed set of steps.

Virtual Machines -- Have a clean master custom OSINT VM ready to go. Should a critical and sensitive case arise, you will be able to spin up a clean, isolated working environment, preloaded with OSINT tools, very quickly. If you have not yet worked through the virtual machine training, it is covered extensively in the Advanced OSINT Course.


1.3 Windows Tricks & Hotkeys

Take the time to learn some extremely useful hotkeys for your desktop environment. If you make a habit of using these, they will become second nature and save you a huge amount of time in the long run. We are going to be generating millions of keystrokes and mouse clicks in the next year of online investigations. Imagine how much time you will save by reducing a five-step task to a single coordinated keypress.

1.3.1 Windows & Most Browsers

CTRL+C: Copy the selected item
CTRL+X: Cut the selected item
CTRL+V: Paste the selected item
CTRL+A: Select all items in a window, on the desktop, or all text in a document
Shift+Any Arrow Key: Select text within a document (e.g., one letter at a time) or one item at a time in a window
CTRL+Shift+Any Arrow Key: Select a block of text (e.g., a whole word at a time)
CTRL+F or F: Find text or files
CTRL+N: Create a new file or document, or open a new browser window
CTRL+O: Open a file or document
CTRL+P: Print
CTRL+T: Open a new tab in your web browser
CTRL+Shift+T: Reopen a tab you just closed (e.g., by accident)
CTRL+H: View your browsing history
CTRL+Z: Undo an action
CTRL+Y: Redo an action

1.3.2 Workspace

WIN+Right Arrow: Resize the window to half of the display and dock it to the right.
WIN+Left Arrow: Resize the window to half of the display and dock it to the left.
WIN+Up Arrow: Maximize the window to full screen.
WIN+Down Arrow: Minimize the window or restore it if it is maximized.
WIN+Shift+Right/Left Arrow: Move the window to an external monitor on the left or right.

1.3.3 Function Keys

F1: Open the Help page or window
F2: Rename an object (e.g., file in Windows Explorer)
F3: Find
F4: Shows the address bar in Windows Explorer
F5: Refreshes the page
F6: Moves to a different panel or screen element in a window or the desktop

1.3.4 Screen Capture

If you haven't changed the default (i.e., ShareX):
ALT+Print Screen: Capture a screenshot of a window
CTRL+Print Screen: Capture the entire screen/desktop

1.3.5 Windows System Shortcuts

CTRL+ALT+Delete: Windows Task Manager
ALT+Tab: Show open applications
WIN+D: Show your desktop
WIN+L: Lock your computer
CTRL+Shift+N: Create a new folder
Shift+Delete: Delete an item, skipping the recycle bin
ALT+Enter or ALT+Double-click: Go to the properties

1.4 Software

Here is the list of software that can be helpful during online investigations. When open-source options exist, they are preferred, but good premium options are listed as well.

1.4.1 Browsers
- Mozilla: Preferred Privacy Browser (when tuned correctly)
- Chrome: Most Powerful Search Capability (horrible privacy)
- Brave: Privacy Focused Chromium Browser
- Tor: TOR Official Browser (Darknet)

1.4.2 OSINT Capture Tools
- Hunchly: OSINT Capture Tool (premium, but not expensive and worth it)
- ShareX: Open Source Screen Capture
- Open Broadcast Software Project: Open-Source Screen Recording

1.4.3 Note Taking
- Moleskine: High Quality Paper Notebook
- OneNote: Powerful Digital Notebook
- Standard Notes: Secure & Private Digital Notes
- Atom: Open Source Text Editor
- Notepad++: Windows Text Editor

1.4.4 Connection Monitoring
- GlassWire: Software Firewall & Network Monitor

1.4.5 Virtual Machines
- VirtualBox: Best Free Virtualization Software
- VMware: Premium versions are better, but pricey

1.4.6 Emulators
- Genymotion: Android Emulator
- NoxPlayer: Android Emulator (Privacy/Security Issues, see Emulators Module)

1.4.7 Desktop Tools
- Stream Deck: Hardware & Hotkey App
- MobaXTerm: Terminal Tools (PowerShell, SSH, etc.)

1.4.8 VPNs
- Private Internet Access: Anonymous VPN Service Provider
- ProtonVPN: Secure and Free VPN service for protecting your privacy


OSINT Archivebox

https://archivebox.io/
Difficulty: Intermediate/Experimental

Intro and Use Case

Archivebox is an application which combines several site preservation tools and provides a graphical interface for managing them. For example, one of the site capture extensions we use is SingleFile (https://github.com/gildas-lormeau/SingleFile) and one of the archiving sites we use frequently is Archive.org. Archivebox uses both of these tools/sites along with many others to provide an easy way to capture webpages and output multiple formats. In the default mode we will enter a URL for a site and Archivebox will save copies of the site as PDF, HTML, PNG, and more. This makes it a great tool to have in our custom OSINT virtual machine, and in the video I will demonstrate adding it to your VM.

Demo Page: https://demo.archivebox.io/public/

WARNING: use of Archivebox is typically going to be active reconnaissance, in that the sites you are capturing may notice your traffic and see the IP address your Archivebox instance is running from. You should only use Archivebox on targets where it is appropriate to have direct contact with the site, and also make sure to protect your connection with a VPN if you wish to obfuscate your IP address. In short: if you would not browse the site directly due to security or operational concerns, then you probably should hold off on using Archivebox on the site.

1.1 Installation

Your method of installation will depend on what platform you wish to run Archivebox on. Below I will list three good options for Linux, Mac, and Unraid (the latter is uncommon, but as I used this in my demo it makes sense to reference it). Most of you who choose to use Archivebox will likely do so in your Linux VM or on a Linux/Mac workstation. If you are already a Docker user that is a good option for installation but is beyond the scope of this lesson.
There are many installation options that are not covered in the video and you should always consider the project site below as the best source for current installation steps. I am providing some steps/commands here for convenience, but please always double check with the project Github page for the latest recommended commands. We did not create or maintain these tools so we have limited ability to support them.

Installation

Official Steps: https://github.com/ArchiveBox/ArchiveBox/wiki/Quickstart

MacOS:

1. Install Homebrew on your system (if not already installed), then install the ArchiveBox package using brew.

```shell
brew tap archivebox/archivebox
brew install archivebox
```

2. Create a new empty directory and initialize your collection (can be anywhere).

```shell
mkdir ~/archivebox && cd ~/archivebox
archivebox init --setup
# if any problems, install with pip instead
```

3. Optional: Start the server, then log in to the Web UI at http://127.0.0.1:8000 ⇢ Admin. Note that 0.0.0.0 binds the web UI on every network interface of the host; on a shared network use 127.0.0.1:8000 unless you intend other machines to reach it.

```shell
archivebox server 0.0.0.0:8000
# completely optional, CLI can always be used without running a server
# archivebox [subcommand] [--args]
```

Ubuntu/Linux:

1. Add the ArchiveBox repository to your sources.

```shell
# On Ubuntu == 20.04, add the sources automatically:
sudo apt install software-properties-common
sudo add-apt-repository -u ppa:archivebox/archivebox
```

2. Install the ArchiveBox package using apt.

```shell
sudo apt install archivebox
# pip needed because apt only provides a broken older version of Django
sudo python3 -m pip install --upgrade --ignore-installed archivebox
```

3. Create a new empty directory and initialize your collection (can be anywhere).

```shell
mkdir ~/archivebox && cd ~/archivebox
archivebox init --setup
# if any problems, install with pip instead
```

4. Optional: Start the server, then log in to the Web UI at http://127.0.0.1:8000 ⇢ Admin (the same interface-binding note as for MacOS applies).

```shell
archivebox server 0.0.0.0:8000
# completely optional, CLI can always be used without running a server
# archivebox [subcommand] [--args]
```

Windows OS Users: I prefer to use Archivebox in Linux or on Mac, but if you need to deploy it on Windows you can use pip per the official steps: https://github.com/ArchiveBox/ArchiveBox#package-manager-setup

Unraid OS: If you are an Unraid user and have the community apps plugin installed (see our Unraid videos), then you can install Archivebox in just a few steps:

1. Open your applications tab.
2. Search for Archivebox.
3. Select install.
4. Once installed, start the application by clicking on the icon next to the application. From the application drop-down menu you can:
5. Start the application
6. Open a terminal window in the application folder
7. Open the application in the browser
8. Open the application in the terminal and set up a user account with these commands:

```shell
su archivebox
archivebox manage createsuperuser
```

9. The second command should prompt you to create a username and a password.
10. Now you can open the application and log in using the username and password you just created. See the video for an example of this. Once logged in you can click on "Add" and paste in one or multiple URLs for capture.

Note: as with all intermediate/advanced/experimental tools and lessons, if you decide to test out Archivebox, expect to have to do a little bit of your own research and troubleshooting. Open source projects like this can be great in our OSINT toolset, but it is common to run into errors, so don't be surprised if you need to do a little bit of your own digging and tinkering to make it work. You don't need this tool to do good OSINT captures. It is just another option for intermediate/advanced practitioners.

(Image: Archivebox is available in the apps tab for Unraid users)

1.2 Articles & Resources

Sites, write-ups, and walkthroughs:
- Official Documentation: https://github.com/ArchiveBox/ArchiveBox/wiki
- Github Repository: https://github.com/ArchiveBox/ArchiveBox
- Other Archiving Projects: https://github.com/ArchiveBox/ArchiveBox/wiki/Web-Archiving-Community#webarchiving-projects
- Archive Community Presentation: https://www.youtube.com/watch?v=7eoz_EU6-wQ
- Archivebox Article: https://nixintel.info/osint-tools/make-your-own-internet-archive-with-archive-box/

One-Tab Bookmarks

https://github.com/ArchiveBox/ArchiveBox/wiki | Home · ArchiveBox/ArchiveBox Wiki · GitHub
https://github.com/ArchiveBox/ArchiveBox#quickstart | GitHub - ArchiveBox/ArchiveBox: 🗃🗃 Open source self-hosted web archiving. Takes URLs/browser history/bookmarks/Pocket/Pinboard/etc., saves HTML, JS, PDFs, media, and more...
https://archivebox.io/ | ArchiveBox | 🗃🗃 Open source self-hosted web archiving. Takes URLs/browser history/bookmarks/Pocket/Pinboard/etc., saves HTML, JS, PDFs, media, and more…
https://demo.archivebox.io/public/ | Archived Sites
https://github.com/ArchiveBox/ArchiveBox/wiki/Quickstart | Quickstart · ArchiveBox/ArchiveBox Wiki · GitHub
https://github.com/ArchiveBox/ArchiveBox/wiki/Web-Archiving-Community#webarchiving-projects | Web Archiving Community · ArchiveBox/ArchiveBox Wiki · GitHub
https://www.youtube.com/watch?v=7eoz_EU6-wQ | Archive Community Video
https://nixintel.info/osint-tools/make-your-own-internet-archive-with-archive-box/ | Make Your Own Internet Archive With ArchiveBox – NixIntel

Other Capture Tools

https://github.com/gildas-lormeau/SingleFile | GitHub - gildas-lormeau/SingleFile: Web Extension for Firefox/Chrome/MS Edge and CLI tool to save a faithful copy of an entire web page in a single HTML file
https://archive.org/ | Internet Archive: Digital Library of Free & Borrowable Books, Movies, Music & Wayback Machine
https://getfireshot.com/ | FireShot - Instant Full page Screen Capture in your browser
https://hunch.ly/ | Hunchly - OSINT Software for Cybersecurity, Law Enforcement, Journalists, Private Investigators and more.
https://www.httrack.com/ | HTTrack Website Copier - Free Software Offline Browser (GNU GPL)
https://www.guyrutenberg.com/2014/05/02/make-offline-mirror-of-a-site-using-wget/ | Make Offline Mirror of a Site using `wget` – Guy Rutenberg
https://getsharex.com/ | ShareX - The best free and open source screenshot tool for Windows

3OSINTHunchly.md

7/23/2021

OSINT Essentials - Hunchly Chrome Session Capture

Hunchly is not open-source and is not free, but it is one of the only paid OSINT tools that I recommend to all teams. It collects each page you visit in Chrome at the code level, including all photos, and preserves them in a forensically sound database. This database is searchable and there is even a rudimentary report builder. I should add that Justin Seitz, the creator and owner of Hunchly, is a friend, but that being said, I was a customer (and still am) prior to getting to know him as a colleague.

Installation & Configuration

You will need Chrome, as Hunchly does not support Firefox.

1. If not a customer, grab a free 30-day trial at: https://www.hunch.ly//try-it-now
2. Install the application from: https://www.hunch.ly/downloads
3. The installation is straightforward and there are dozens of support videos and docs at: https://support.hunch.ly/category/16-getting-started
4. If the extension does not show up in Chrome following installation, you can add it manually from: https://chrome.google.com/webstore/detail/hunchly-20/amfnegileeghgikpggcebehdepknalbf

Setting Up Your First Case

Basic steps for setting up your first Hunchly collection:

1. Hunchly is amazing, but not perfect. You will still need to collect videos manually, and I like to capture certain key or difficult pages using ShareX or Fireshot as well.
2. Start the Hunchly application and click on the plus (top left) to create a new investigation and give it a logical name.
3. If you wish to use the built-in "To Do" list, this is a good place to type concise mission objectives or the questions you are trying to answer, e.g., locate all identifiers and accounts for target and complete profile report.
4. On the top right enter any selectors. These are keywords that you want Hunchly to search for and highlight on each page that you browse. You can enter these manually or paste them in as a bulk set with a : between each term. Consider, as a start, pasting in any known identifiers or your target's full name or username if it is unique. This is also a good place to paste in threat keywords if you are working on a threat assessment.
5. The bottom half of the Hunchly interface is where all of the collected data will show up.
6. Go back into Chrome, left click on the Hunchly extension, select your new case, and toggle capture to on (the slider will turn blue and the extension icon will lose the "don't" symbol).
7. Now you are set. Start browsing, and as selectors are detected on a page you will see a green number show up on the extension icon.

Workflow

At this point you can conduct your investigation as normal, but here are some tips and caveats.

1. Only use that browser session for this case, as Hunchly will capture everything in the session. Do not do personal business or other cases.
2. Save any videos that you need manually using the techniques covered in the video capture module.
3. For any image, link, or page item that you find particularly pertinent to your case, right click on it and use the Hunchly context menu to tag that item.
4. The "Store as Selector" function in the context tool makes it easy to further flesh out your keyword list as your investigation is unfolding.
5. Periodically check the Hunchly application to assess the data collected and adjust your selectors and tagging workflow as appropriate for your mission goals.
6. You can delete entries in Hunchly, but if you do so you will need to note the justification in your final report, as there is an audit trail that includes deletions. This is purposeful in making your Hunchly data sufficient for use in court.

Collection Tips

Collection can be as straightforward as activating capture on your Hunchly extension, but the following are some considerations to increase efficiency and the overall effectiveness of the application.

- Turn it back off when you are done collecting. Remember that until you disable capture, all activity in that browser will be collected and added to your case.
- Reload pages visited prior to activating Hunchly. When you turn Hunchly on, if you already have tabs loaded, you will need to load them again. OneTab can make this easier by allowing you to collapse and restore your tabs.
- Hunchly will only capture the portions of the page that load. You may need to manually scroll, or use an extension or script to scroll the page. Also, if you are using a script blocker, that may interfere with some data and prevent Hunchly from gathering it.
- Although all loaded images are captured, you may want to right click and use the context menu to tag key graphics. This makes them easier to locate in your Hunchly database and also easier to dump into your report or appendix.
- The selectors (keywords) are retroactively searched, so if you find new identifiers for your target, such as new account names/numbers, add them as a selector as you go.
- You can use creative selectors to identify data types on pages. For example, @gmail.com or Avenue might help highlight email addresses or street addresses. You can develop these lists, save them in your OSINT notebook, and add them to Hunchly as a bulk set at the beginning of your investigation.

Utilizing Collected Data Once you have collected data for your investigation, you may wish to transfer some or all of it into your final case report or other work product.

Resources

- Hunchly Knowledgebase
- Hunchly Official Youtube Tutorials
- Hunchly Desktop Training
- TOR proxy setup
- Hunchly and Elasticsearch walkthrough by NixIntel

One-Tab Bookmarks

https://www.hunch.ly//try-it-now | 30 day trial
https://www.hunch.ly/downloads | Installation Files
https://support.hunch.ly/category/16-getting-started | Getting started tutorials
https://chrome.google.com/webstore/detail/hunchly-20/amfnegileeghgikpggcebehdepknalbf | Chrome Extension
https://www.youtube.com/results?search_query=hunchly | Youtube has some great videos covering Hunchly
https://www.youtube.com/watch?v=O-NH2TA8ucU | How to use Hunchly - Webinar, June 16, 2021 - YouTube
https://hunch.ly/ | Hunchly - OSINT Software for Cybersecurity, Law Enforcement, Journalists, Private Investigators and more.
https://support.hunch.ly/category/46-integrations | Integrations - Hunchly Knowledge Base
https://support.hunch.ly/category/61-page-compatibility | Page Compatibility - Hunchly Knowledge Base
https://support.hunch.ly/category/16-getting-started | Getting Started - Hunchly Knowledge Base
https://support.hunch.ly/category/50-hunchly-evidence-guide | Hunchly Evidence Guide - Hunchly Knowledge Base
https://support.hunch.ly/category/86-hunchly-mobile | Hunchly Mobile - Hunchly Knowledge Base
https://support.hunch.ly/article/64-facebook | Facebook - Hunchly Knowledge Base
https://support.hunch.ly/article/66-instagram | Instagram - Hunchly Knowledge Base
https://support.hunch.ly/article/78-twitter | Twitter - Hunchly Knowledge Base
https://support.hunch.ly/category/89-webinars | Webinars - Hunchly Knowledge Base
https://support.hunch.ly/category/9-installation | Installation - Hunchly Knowledge Base
https://support.hunch.ly/category/21-faq | FAQ - Hunchly Knowledge Base
https://support.hunch.ly/category/41-dark-web | Dark Web - Hunchly Knowledge Base

3OSINTMediaCapture.md

7/23/2021

OSINT Essentials - Media Capture

Online Investigations - Collecting Internet Content as Digital Evidence

The following is a list of recommended tools and resources for preserving online content such as sites, videos, images, and/or audio. You are responsible for using any of these tools and techniques within the boundaries of applicable policy and law. Certain tools will be covered in greater depth further in the training. This document is supplied as a concise "cheat sheet" for the most common online media capture scenarios.

1.1 Manual Screen Capture -- PC

1. Snipping Tool -- Hit the Windows key and type in "snip" to locate the Snipping Tool or Snip & Sketch tool.


Right click on either of these tools and select "Pin to taskbar". Now you have a convenient screen capture button on your desktop, which will allow you to drag a capture box over any portion of your screen and save or copy the contents as an image. Both applications have an optional delay setting which allows you to capture windows that were minimized when you opened the snipping tool. Think of it as the delay timer on a camera, allowing you to adjust the shot after pressing the capture button.

2. Video and Stills

Windows 10 -- Hit CTRL+G, which will bring up the application screen capture. This is meant for recording games but will work in most applications.

Snagit and Camtasia -- Snagit handles still and video capture. Camtasia has Snagit's capabilities along with video editing. The licenses carry a cost, with Snagit being cheaper but less powerful.

ShareX -- ShareX is an open source screen capture program that can run in portable mode (no installation required). ShareX supports many capture options for still images and video as well as basic editing capabilities.


1.2 Manual Screen Capture -- Mac

1. Mac OSX shortcuts
a. Press command-shift-4. A crosshair cursor will appear. Click and drag around the relevant portion of the screen you want to capture. The selected portion will save as a .PNG on your desktop.
b. To take a screenshot of a specific application window, press command-shift-4 to pull up the crosshair cursor. After the crosshair cursor has appeared, tap spacebar. The crosshair cursor will turn into a camera.
c. As the camera moves over a window on the screen, it will be highlighted. Select the relevant window and click the mouse. A .PNG will be saved to the desktop.
d. You can also take a screenshot of the entire screen by pressing command-shift-3.


2. Video

QuickTime -- QuickTime is a multimedia framework developed by Apple that allows for screen recording and capture. If it is not in your programs dock, click on the magnifying glass and type in QuickTime. In QuickTime, click on File -> New Screen Recording.

Select either "Record Entire Screen" or "Record Selected Portion" on the menu. If you select "Record Selected Portion" you will be able to adjust the area of the screen recording. Press Record. Once you have recorded the relevant portion, press the stop icon located in the upper right Macintosh menu bar. The video will save on your desktop.

Note: to use this method, QuickTime needs permission to capture the screen. To enable this, go to Settings -> Security & Privacy -> Screen Recording and check the box for QuickTime.


1.3 Screen Capture - Browser

Chrome -- Technique #1
1. Print -- Right click on the page -> Print -> Save as PDF
2. Or click the three dots on the top right to get the main menu -> Print -> Save as PDF
3. Extension -- FireShot is the preferred "save as PDF" extension (the premium version is not necessary for most situations): Fireshot

Chrome -- Technique #2
1. In Chrome: hit F12 or Ctrl+Shift+I, which will open the developer's panel.
2. Press Ctrl+Shift+P to open the command menu or select it from the tabs.
3. Type "screenshot" and select "Capture full size screenshot" from the menu.
4. Chrome will take a screenshot of the entire page and place it in your Downloads folder.

Firefox
1. Print -- Menu (three horizontal lines top right) -> Print -> Print again top left -> Save to PDF
2. Firefox Screenshot -- Click on the three dots to the right of the address bar -> Take a Screenshot -> choose visible, full page, or drag a selection box -> choose Download and save as a .png file.
3. Select Save full page or Save visible in the top right corner.
4. Addon -- Fireshot

1.4 Capturing Online Images 1. In your browser right-click on the image to bring up the context menu. Choose "Save image as..." and browse to your "Downloads" folder or other directory designated for your investigation.


2. Some pages/images use formatting or code that prevents the "save image" option. In those cases, one solution is to right click and choose "View Page Source", which shows the HTML of the page. You can then hit Ctrl-F (the Find command) and search for things like .jpg (the most common image filetype). This is a manual way to search the page code for the exact URL addresses of the images on the page. If you find the right one you can copy that URL and paste it into a new tab.
3. Alternatively, you could use one of the screen capture tools above to collect a manual capture of the image portion of the page. The downside of this method is that you will lose any metadata in the image.
4. There are browser extensions that assist in downloading all images from a page. For Chrome "Bulk Image Downloader" and for Firefox "Downloadstar" or "DownThemAll" work well. Always understand that extensions/addons are 3rd party scripts that could weaken the security of your browser. If you are working on a sensitive investigation these tools may not be appropriate. You can obtain the latest versions by searching in the Chrome Web Store or the Firefox Addons repository.
- Bulk Image Downloader
- Download Star
- Downthemall
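The manual search of the page source described in step 2, carried a bit further as an added example (not from the training notes): a Python script that parses the saved page source and lists every image reference it can find, including lazy-loaded data-src attributes, srcset candidates, og:image metadata and inline CSS backgrounds, resolved against the page URL. The page URL and HTML below are constructed samples; a real page would be fed in from "View Page Source" or a saved copy.

```python
import re
from html.parser import HTMLParser
from typing import List
from urllib.parse import urljoin

IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif", ".webp", ".svg")
CSS_URL = re.compile(r"""url\(\s*['"]?([^'")]+)['"]?\s*\)""")


class ImageFinder(HTMLParser):
    """Collect every image reference in the page source, resolved to an absolute URL."""

    def __init__(self, base_url: str) -> None:
        super().__init__()
        self.base = base_url
        self.found: List[str] = []

    def _add(self, ref: str) -> None:
        ref = ref.strip()
        if not ref or ref.startswith("data:"):      # inline data: URIs are not downloadable files
            return
        url = urljoin(self.base, ref)               # "/media/a.jpg" or "../x.png" -> absolute URL
        if url not in self.found:
            self.found.append(url)

    def handle_starttag(self, tag, attrs) -> None:
        a = dict(attrs)                              # html.parser lowercases attribute names
        if tag in ("img", "source"):
            for key in ("src", "data-src", "data-original"):   # data-* used by lazy loaders
                if a.get(key):
                    self._add(a[key])
            for key in ("srcset", "data-srcset"):
                for cand in (a.get(key) or "").split(","):
                    parts = cand.split()             # "url 640w" -> keep only the url
                    if parts:
                        self._add(parts[0])
        elif tag == "meta" and a.get("property") in ("og:image", "twitter:image"):
            if a.get("content"):
                self._add(a["content"])
        elif tag == "a" and (a.get("href") or "").lower().endswith(IMAGE_EXT):
            self._add(a["href"])                     # direct link to the original file
        if a.get("style"):                            # inline CSS background images
            for ref in CSS_URL.findall(a["style"]):
                self._add(ref)


def find_image_urls(page_source: str, page_url: str) -> List[str]:
    finder = ImageFinder(page_url)
    finder.feed(page_source)
    return finder.found


# Constructed page source and URL standing in for what "View Page Source" shows.
PAGE_URL = "https://www.example.test/users/target/"
SAMPLE_SOURCE = """
<html><head>
<meta property="og:image" content="https://cdn.example.test/share/cover.jpg">
</head><body>
<div style="background-image:url('/static/banner.png')"></div>
<img src="/media/avatar.jpg" data-src="/media/avatar_full.jpg">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=" alt="spacer">
<picture>
  <source srcset="/media/photo-320.webp 320w, /media/photo-640.webp 640w">
  <img src="/media/photo.jpg">
</picture>
<a href="../gallery/original.JPG">original</a>
</body></html>
"""

if __name__ == "__main__":
    for url in find_image_urls(SAMPLE_SOURCE, PAGE_URL):
        print(url)
```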

1.5 Capturing Online Videos

1.5.1 YouTube

Firefox Addons -- Do not use Chrome to capture YouTube videos. There are several Firefox addons that usually allow you to download YouTube videos. The most successful is VideoDownloadHelper. Keep in mind our normal precautions when it comes to addons and extensions: every time we add an extra script to our browser, we make it a little less secure and a little more unique in regard to browser fingerprint.

Addon #1 Video DownloadHelper -- Select one of the mp4 options, and if you get to a screen asking if you want to use a browser or install the application, choose the browser option. This addon works on most videos, but not all.


Addon #2 Easy YouTube Video Downloader Express -- Convenient drop down below the video:


Select one of the mp4 options, and if you get to a screen asking if you want to use a browser or install the application, choose the browser option. This addon works on most videos, but not all.

Third Party Download Sites -- One way to avoid addons or having to install anything is to use a 3rd party site to download the video for you. Here are a couple of options:
- Yout: Simply remove the "ube" within the URL, which will direct you to Yout's website. Select audio or video and press "record": https://yout.com/video/U2d9ZbPhQoM/
- deturl: Add deturl.com/ in front of youtube.com: http://deturl.com/www.youtube.com/watch?v=U2d9ZbPhQoM
- VDYouTube Downloader

If you need to get YouTube or other online videos often, I recommend using yt-download, which is a script: GitHub - yt-download. This is an advanced technique that requires running the scripts from the command line in Windows, but if you can learn to use it, it is exceptionally clean and effective.

FFMpeg -- You will also want to install the FFMpeg codec pack as described in the YouTube module. FFMpeg

1.5.2 Other Popular Video Sites

Vimeo -- Most of the YouTube methods also work for Vimeo videos.

Facebook
- Method 1 -- Use Firefox and replace the www in the address with an "m", for example: m.facebook.com/video12334. Now play and then pause the video. You should now be able to right click on the video and save it as an mp4 file. This will not work in Chrome.
- Method 2 -- Use a third-party download site such as fdown.net.
- Method 3 -- Do a manual screen capture with ShareX or Snagit, but be aware that you will lose metadata and some resolution.

Twitter -- Most Twitter videos are linked from Instagram, YouTube, etc. 3rd party downloaders: twdown or twsaver
Instagram -- 3rd party options such as dredown or igram; Chrome extension such as Live Stream Downloader
TikTok -- 3rd party download site Experts PHP: paste in your URL and once it loads, right click on it and choose "Save video as".
Twitch -- 3rd party twitch downloader: untwitch

1.5.3 Livestreams

VLC -- Install VLC -> VLC Media Player (available for Win, Mac, Linux). Open VLC -> select Media -> Open Network Stream -> paste in URL -> Play -> click on the Record icon. If you do not see a record button, select View -> Advanced Controls. Click on the record button to start and stop stream capture. The default capture directory is your Videos folder.

1.5.4 Everything Else

Just remember that if all else fails you can do a manual screen capture of anything using ShareX, Snagit, or the Windows Snipping Tool. This is always at the cost of metadata but is better than nothing. Sometimes it is wise to first do a quick manual capture to be safe and then go research a download process by contacting the Video Unit or Tech Ops squad up in CIS.

Reminder -- All research and evidence collection must be conducted consistent with your own agency's policy and in compliance with city, state, and federal law. It is your responsibility to be educated on pertinent guidelines and restrictions. If you have any questions or concerns regarding tools and techniques in relation to policy or law, please consult your prosecutor or applicable legal counsel.


NEEDSWORKQuickVideoCaptureJuly2020.md

7/22/2021

OSINT Essential - Online Media Capture Cheat-Sheet How to Collect Any Video or Image

1.1 Native Browser Tools

Install Chrome (See Browser Module for detailed instructions): Google - Chrome
Install Firefox (See Browser Module for detailed instructions): Mozilla - Firefox

Chrome -- Viewing Page Code
- View Source: Right click -> select View Source. Windows: Ctrl + U; Mac: Cmd + U
- View Frame Source: Right click -> select View Frame Source
- View Page Info: Right click -> select View Page Info. Windows: Ctrl + Shift + I; Mac: Cmd + Option + I

Firefox -- Viewing Page Code
- View Source: Right-click and select View Page Source. Windows: Ctrl + U; Mac: Cmd + U
- Inspect Element: Right-click and select Inspect. Windows: Ctrl + Shift + C; Mac: Cmd + Option + C
- View Page Info: Windows: Ctrl + I; Mac: Cmd + I

1.2 Browser Extensions


Chrome: Fireshot, VideoDownloadHelper, DownThemAll
Firefox: Fireshot, VideoDownloadHelper, GitHub - Stream Detector, DownThemAll

1.3 Video Download Scripts & Codecs

youtube-dl - See YouTube Module for detailed installation instructions
FFmpeg - See YouTube Module for detailed installation instructions

1.4 Stream Capture

VLC Media Player Steps:
1. Open VLC -> select Media
2. Open network stream -> Paste in URL
3. Play -> click on Record icon

If you do not see a record button, select View -> Advanced controls. Click on the record button to start and stop stream capture. Default capture directory is your Video folder.

1.5 Screen Capture

PC: Add Snip & Sketch to the taskbar: in the Windows search bar type snip & hit enter -> right-click on Snip & Sketch and select "Pin to taskbar"

ShareX -> install
1. Type sharex into the Windows search bar (next to Start)
2. Right-click on ShareX -> select Add to taskbar

Detailed instructions are available in the ShareX Module

1.6 Tools & Techniques by Platform

1.6.1 Twitter


- Right-click next to the video -> "inspect" -> Network -> filter for ".m3u8". Copy the .m3u8 link, open VLC, File -> open network stream -> paste the .m3u8 link -> play/convert
- Copy URL -> open youtube-dl in terminal -> type in "youtube-dl", space, paste in URL, hit enter
- Use twdown or TwitterVideoDownloader

1.6.2 Facebook

- Replace www with mbasic in the video URL -> hit play and a new tab will open -> right-click on video -> save video as
- Copy URL -> open youtube-dl in terminal -> type in "youtube-dl", space, paste in URL, hit enter
- Use FDown

1.6.3 Instagram

- Right-click on the video page -> Inspect -> Network Tab -> Media -> double-click on the mp4 link to open it in a new tab -> right-click -> save video as
- Highlight and copy the URL of the video page -> open youtube-dl in terminal -> type in "youtube-dl", space, paste in URL, hit enter
- Inflact (formerly Ingramer) -> IG Downloader -> Paste in URL -> Search

1.6.4 Reddit

- Right-click on video -> Save video as
- youtube-dl can download all videos on a page: Copy URL -> open youtube-dl in terminal -> type in "youtube-dl", space, paste in URL, hit enter
- VLC -> Media -> Open Network Stream -> paste in URL -> change Play to Convert -> save as MP4
- RipSave

1.6.5 Snapchat


Right-click on the page next to the video -> Inspect -> Network Tab -> Media -> double-click on the mp4 link to open it in a new tab -> right-click -> save video as

1.6.6 TikTok

Right-click on the video -> Inspect -> look for link with tiktokcdn.com -> right-click on link & open in a new tab -> right-click -> save video as

1.6.7 YouTube.com

- youtube-dl is the best
- VideoDownloadHelper in Firefox
- Your Custom Offline YouTube Tools

1.6.8 Discord


Right-click -> Save as to save images and most videos

1.6.9 Twitch

Twitch Video Downloader

1.6.10 Youtube-DL

Copy URL -> open youtube-dl in terminal -> type in "youtube-dl", space, paste in URL, hit enter

NOTE: Video DownloadHelper works on some embedded videos; others link back to a native platform, so right-click -> copy the link -> paste it into youtube-dl.


3OSINTShareX.md

7/23/2021

OSINT Essentials - ShareX Advanced Screen Capture on Windows

ShareX is by far the best screen capture tool on Windows. Capturing images and videos from the internet in their native format (i.e.: right-click, save as) is always preferred, but it is not always possible. Screen captures of images, videos, and sites are quick and ShareX makes the process pain free.

Pros:
1. Open-Source (zero cost, donation funded)
2. Captures still images and video in several formats
3. Capture by region, monitor, or application window; supports auto scrolling
4. Very customizable workflow options, such as copying to clipboard and saving to a case file simultaneously
5. Built in editor and video converter
6. Extra tools such as a hash validator built in

Cons:
1. PC Only
2. Installed Application (although it can be run as a portable application sacrificing some features)

1.1 Settings & Customization

These are the recommended settings for an efficient capture workflow on your investigative workstation.

1. Download and install the application at https://getsharex.com/downloads/
2. During installation pay attention to the wizard and uncheck any boxes to your liking. I typically disable the desktop shortcut.
3. Open the application and use the left tabbed menu to navigate to "After capture tasks" and select the following three options, or adjust them to suit your own preferences. This menu toggles actions that occur anytime you do a capture.
   - Copy image to clipboard
   - Save image to file
   - Show file in explorer
   Note: Some new users prefer to also select "Show quick task menu"
4. Task Settings: This menu will allow you to adjust the image and video format of your captures if you so choose. Under "Capture" you may want to disable "show cursor in screenshots" if your primary use is evidentiary.
5. Application Settings: Under Paths change the screenshot folder to either your case directory or another logical folder. ShareX will organize captures by date by default. Under Integration you may choose to install the Chrome extension or Firefox addons, but this is optional.
6. Hotkey Settings: You may change the default primary hotkeys if you wish. This is especially useful if one of the combinations conflicts with hotkeys for another program. (Primary hotkeys are listed below in section 1.4.)

1.2 Basic Capture Functions

Long term your goal should be to get comfortable using hotkeys to perform the desired type of capture, but when starting out you may want to keep the ShareX application window open. If this is the first time you are running ShareX, consider pulling up the application window on your second monitor so that you can see the full menu and all the options. There are three primary methods for executing a capture.

1. From the application, select the "Capture" menu on the top left. This will give you a full list of your capture options. The first time you use the program go through the list and try each one. The functions that I use the most often are:
   - Window -- This will allow you to select any open window on your PC and ShareX will capture the full frame of that window, which is super handy if you have a lot going on.
   - Monitor -- If you use multiple monitors this is a quick way to capture any one of them.
   - Region -- Draw a box to capture.
   - Screen Recording -- This will allow you to select a region; a screen recording will start with "stop", "abort", and a running time elapsed clock at the bottom.
   - Text capture OCR -- Attempt to pull text from an image depicting text.
   - Auto Capture -- Start automatic screen captures at an interval of your choosing.
   - Screenshot Delay* -- Useful for timing a capture for an elusive window that will not allow you to click the capture button without it disappearing.
2. You can also use the ShareX icon in your system tray as a shortcut for captures. If ShareX is running, but the icon is not showing up on your taskbar, open your system tray and drag the icon to your taskbar. Clicking on the ShareX system tray icon:
   - Right-click the system-tray icon for a pop-up of the full menu
   - Left-click to capture a region
   - Double left-click to open the ShareX application window


1.3 Directory Indexer The directory indexer will generate a list of collected media for any folder that you select. This is especially useful in copy/pasting or exporting lists of evidence into your report or appendix.


1.4 Workflows & Useful Keyboard Shortcuts

"Workflows" in ShareX are keyboard shortcuts that allow us to activate various forms of capture more efficiently.

| Key Combination | Effect |
| --- | --- |
| CTRL+PrintScreen | Capture Region |
| PrintScreen | Capture Entire Screen |
| ALT+PrintScreen | Capture Active Window |
| Ctrl+Shift+PrintScreen | Start/Stop Video Capture |
| Hold left click / Insert | Start region selection |
| Hold Alt | Snap selection to preset sizes |
| Hold Shift | Proportional resizing |
| Esc / Right-click | Close region capture |
| Tab / Middle-click | Switch between last region and last drawing tool |
| Space | Fullscreen capture |
| 1, 2, 3 | Specific monitor capture |
| ~ | Active monitor capture |
| Q | Toggle multi region mode |
| Double-click / Enter | If multi region mode is enabled then capture region |

Note: You may wish to re-assign hotkeys to your numpad if you have a 10-key pad on your keyboard. If you have a specialized keyboard or a Streamdeck you can establish a more advanced workflow (see module Advanced OSINT -- Hot-key Hardware).

1.5 Additional Tools

1. Image Editor -- Preparing Operation/Briefing Visuals
2. Image Effects -- Blurring PII Prior to Public Release
3. Hash Checker -- Verifying Downloaded Files (i.e.: VM Files)
4. Optical Character Recognition (OCR) -- Generating Text from Images
5. Directory Indexer -- Preparing a List or Appendix of Digital Evidence
6. Image Combiner/Splitter/Thumbnailer/Video Thumbnailer (useful for reports)
7. Video Converter -- Preparing Working Copies of Captured Videos


1.6 Additional ShareX Resources

- Full List of Region Capture Hotkeys
- Chrome / Firefox Site Capture Instructions
- ShareX Discord - ShareX info, or practice your Discord tactics
- ShareX on Twitter
- GitHub - ShareX repository and source code


OSINT Bookmarklets v.4.2022

Difficulty: Basic for routine use (advanced if you choose to create your own)

What are bookmarklets? Most of us are familiar with browser bookmarks and using them to pull up sites that you visit regularly. Bookmarklets are bookmarks which are commonly used to run a command or small piece of code, such as JavaScript, on a web page. A very common and familiar example would be the Facebook bookmarklets provided by http://com.hemiola.com/bookmarklet/ which allow us to expand comments on a Facebook timeline. This is super useful to run prior to capturing the page using any of our preservation options (Hunchly, Fireshot, etc.). In this lesson we will look at additional bookmarklets and also get under the hood a bit and talk about how we can set up our own if we wish.

1.1 Installing Bookmarklets

There are a variety of pre-built OSINT bookmarklets which have been circulating through the various OSINT communities for years. You certainly can collect these and use them as-is, but it is a good idea to at the very least look at the code included to assess what it is doing and confirm that it is in no way malicious. More advanced users may wish to create their own bookmarklets from scratch. Let’s look at a popular bookmarklet and break down what the code is doing. This will help us to better understand how they work and how to review or customize bookmarklets that you find online. I will add that there is a good set of articles similarly explaining OSINT bookmarklets and breaking down the code here: https://www.secjuice.com/osint-bookmarklet-tools/ We are using Firefox in our examples, but you can also use bookmarklets in Chrome and just about any other browser.

Installing a bookmarklet: Installation of bookmarklets is very straightforward. We do want to use some care and avoid adding random bookmarklets we find online without doing a little research.
To save you some homework we’ve listed some of the more popular OSINT bookmarklets at the end of this lesson. These are examples of bookmarklets used fairly widely in our community and although we cannot make any guarantees, they are likely to all be in fairly safe territory. That being said, please do your own research on any that you decide to adopt. This is true for almost all OSINT tools. Always be a little paranoid about scripts and code that you find online.

1. Display the bookmarks toolbar; for example, in Firefox right-click on an empty section of the address strip and select “Bookmark Toolbar”, which will allow you to turn the bookmarks bar on or off.

2. Once you are displaying the bookmark toolbar you can browse to a page with the bookmark and drag it to the toolbar. An effective way to try this out is using the http://com.hemiola.com/bookmarklet/ bookmarklet:

3. The new bookmark will have a Name and URL. The URL is the code for the bookmark should you wish to review it, which we recommend. Just copy and paste it out to an editor such as VSCode, Atom, Notepad, etc. In some cases, there will also be a project page where you can review the code. In our example they provided a link to the GitHub repository, which is helpful: https://github.com/hemiola314/expand-all

4. The code for this particular example is quite long and complicated so let us use a simple example to demonstrate reviewing the code.

Sample Bookmarklet: Reverse Whois Search

javascript:var%20d=document,w=window,e=w.getSelection,k=d.getSelection,x=d.selection,s=(e?e():(k)?k():(x?x.createRange().text:0));if(!s.length)%7Bs=prompt('Enter%20a%20website%20below%20to%20search:','');%7Dif(s)%7Bdocument.location.href='http://domainbigdata.com/'+escape(s);%7Delse%7Bvoid(0);%7D

The URL code from the bookmark in question is JavaScript and looks like quite a mess, but at its core it is doing two things: 1) it opens a dialogue box requesting “Enter Website Below to search” and 2) it then feeds the site you entered to the third party search site domainbigdata.com as a query. If you think about it, it is just using URL manipulation similar to how we would in adding a site like domainbigdata.com to our custom OSINT tools. For example, we can enter inteltechniques.xyz, click on OK, and it will open a new tab to https://domainbigdata.com/inteltechniques.xyz. Note: that domain does not belong to us and is likely just being squatted by a reseller or someone looking to cash in on the brand name recognition.

Pop-up blockers: Some bookmarklets use pop-up windows, so if the bookmarklet appears to be doing nothing, it could be that your browser settings or a security extension is blocking the pop-ups. This is similar to how we have to enable pop-ups for custom OSINT tools which also utilize URL manipulation.
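The review described above can also be done mechanically. The following is an added example (not from the lesson or from the bookmarklet's author) in plain JavaScript: it decodes the stored URL so the code reads normally, flags a few patterns a reviewer should read closely, and rewrites the reverse-whois bookmarklet in a readable form. The check list and the `win` object passed in for testing are constructed for illustration.

```javascript
// Added example (not from the lesson or the bookmarklet's author): decode a
// bookmarklet so its JavaScript can be read, flag patterns worth a closer look,
// and show a readable rewrite of the reverse-whois bookmarklet discussed above.

// The reverse-whois bookmarklet as it appears in the lesson, percent-encoded
// the way the browser stores it in the bookmark's URL field.
const REVERSE_WHOIS_BOOKMARKLET =
  "javascript:var%20d=document,w=window,e=w.getSelection,k=d.getSelection," +
  "x=d.selection,s=(e?e():(k)?k():(x?x.createRange().text:0));" +
  "if(!s.length)%7Bs=prompt('Enter%20a%20website%20below%20to%20search:','');%7D" +
  "if(s)%7Bdocument.location.href='http://domainbigdata.com/'+escape(s);%7D" +
  "else%7Bvoid(0);%7D";

// Step 1 of a review: drop the javascript: scheme and undo the percent-encoding
// so the code reads like ordinary JavaScript.
function decodeBookmarklet(url) {
  if (!/^javascript:/i.test(url)) {
    throw new Error("not a bookmarklet: URL does not use the javascript: scheme");
  }
  return decodeURIComponent(url.slice("javascript:".length));
}

// Step 2: pattern checks a reviewer would want flagged before dragging a
// bookmarklet found online into the toolbar. This list is a constructed
// starting point, not an exhaustive detector; a hit means "read this part carefully".
const REVIEW_CHECKS = [
  { id: "remote-script", re: /createElement\s*\(\s*['"]script['"]\s*\)|\.src\s*=/i,
    note: "loads a remote script, so the code that actually runs is not in the bookmark" },
  { id: "dynamic-eval", re: /\beval\s*\(|new\s+Function\s*\(/i,
    note: "evaluates strings as code, which hides what it does from a reader" },
  { id: "network", re: /\bfetch\s*\(|XMLHttpRequest|sendBeacon|new\s+Image\s*\(/i,
    note: "makes network requests beyond a simple navigation" },
  { id: "storage", re: /document\.cookie|localStorage|sessionStorage/i,
    note: "touches cookies or local storage (legitimate for a notes bookmarklet, still worth reading)" },
  { id: "navigation", re: /location\.href\s*=|location\.assign|window\.open\s*\(/i,
    note: "navigates or opens a window; check where the data goes and whether it uses https" },
];

function reviewBookmarklet(url) {
  const code = decodeBookmarklet(url);
  // Every host the code talks to, and separately those reached over plain http.
  const hosts = [...code.matchAll(/https?:\/\/([a-z0-9.-]+)/gi)].map((m) => m[1].toLowerCase());
  const plaintextHosts = [...code.matchAll(/http:\/\/([a-z0-9.-]+)/gi)].map((m) => m[1].toLowerCase());
  const findings = REVIEW_CHECKS.filter((c) => c.re.test(code)).map((c) => ({ id: c.id, note: c.note }));
  return { code, hosts: [...new Set(hosts)], plaintextHosts: [...new Set(plaintextHosts)], findings };
}

// Step 3: the same behaviour written readably. The original uses the deprecated
// escape() and a plain-http URL; this version URL-encodes the query with
// encodeURIComponent and uses https, matching the example link given in the lesson.
function buildReverseWhoisUrl(domain) {
  const cleaned = String(domain == null ? "" : domain).trim();
  if (!cleaned) return null; // nothing entered, or the prompt was cancelled
  return "https://domainbigdata.com/" + encodeURIComponent(cleaned);
}

// Readable form of the bookmarklet body. getSelection, prompt and location only
// exist in a browser, so the window object is passed in; in the toolbar it is `window`.
function reverseWhoisBookmarklet(win) {
  const selected = win.getSelection ? String(win.getSelection()).trim() : "";
  const domain = selected || win.prompt("Enter a website below to search:", "");
  const target = buildReverseWhoisUrl(domain);
  if (target) win.location.href = target;
  return target;
}

// Stand-alone run: review the lesson's bookmarklet and print what a reader should see.
const report = reviewBookmarklet(REVERSE_WHOIS_BOOKMARKLET);
console.log(report.code);
for (const f of report.findings) console.log(`[${f.id}] ${f.note}`);
console.log("hosts:", report.hosts, "plain http:", report.plaintextHosts);
console.log(buildReverseWhoisUrl("inteltechniques.xyz"));
```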

1.2 Standard OSINT Bookmarklets

Here are some brief explanations of the bookmarklets included in the most recent build of the custom OSINT virtual machine and Michael’s preconfigured Firefox customization. If you open up a recent version of our custom OSINT virtual machine or you have used Michael’s Firefox configuration file you can view these in your browser. We cover using his configuration file in the browser lesson, which is also in this section of the Video Training. If you are new to the training, you do not likely have a Virtual Machine set up yet. Worry not, we will cover that in Section 12 and at that time you may wish to circle back to this lesson if you want to revisit bookmarklets. https://www.inteltechniques.net/courses/take/open-source-intelligence/lessons/14589775-building-your-custom-osint-vm-v-12-2021

If you have a recent version of our custom OSINT virtual machine handy, you can easily export a list of the included bookmarklets by:
1. Open Firefox in your custom OSINT virtual machine.
2. Right-click on the bookmarklet button and select “manage bookmarks”
3. Click on the Import and Backup tab
4. Select Export to HTML
5. Save the HTML document to your desktop, shared folder, or other logical location
6. You now have a list of the standard OSINT bookmarklets and if you hover or right-click on each one you can review what is included in each URL.

I have used the steps above to paste a set of bookmarklet links below. Each has its respective URL code included for convenience. (These are current as of April 2022 so as time passes you may wish to export your own version from your own virtual machine which may be more current.) Included are short explanations on what each bookmarklet accomplishes as laid out in the ninth edition of Open Source Intelligence Techniques.

Importing & Exporting Bookmarks

Bookmarklets
- FacebookID – Extract the FB ID # from a Facebook user page
- FacebookGroupID – While on any Facebook group page, this option displays the Facebook Group ID.
- FacebookExpand – Attempts to expand all comments on a profile. May be slow and could crash on large pages!
- FacebookScroll – Loads and scrolls a Facebook feed before capture of a page. Can be finicky and often breaks.
- TwitterScroll – Loads and scrolls a Twitter feed before capture of a page.
- InstagramScroll – Loads and scrolls an Instagram feed before capture of a page.
- PageScroll-Slow – Slowly scrolls through a static website for video capture.
- PageScroll-Fast – Faster scroll through a static website for video capture.
- PageScroll-Feed – Scrolls through a feed-style (social network) website for video capture.
- ModifiedDate – Displays the date and time of modification to a static web page.
- Cache-Google – Opens a Google Cache version of the current website.
- Cache-Archive – Opens the Archive.org version of the current website.
- Images – Opens a new tab with all images from the current website.
- Links – Opens a new tab with all URL links from the current website.
- WordFrequency – Displays all words on a page sorted by frequency to easily digest keywords.
- Paywall – Opens a blocked news article within a new tab through Outline.com.
- Right-Click – Enables right-click functionality on sites which block it.
- TextSelect – Enables copy-paste functionality on sites which block it.
- BugMeNot – Checks BugMeNot for public credentials to any website.
- Tools – Opens your offline search tools on your Linux Desktop (if you are using our custom OSINT virtual machine build).
- Notes – Opens a blank page which can be used to type or paste notes about the current website. This data is stored within your local storage and is persistent. If you open a new website and click this option, the notes page will be blank. If you return to the previous page which contained notes, clicking this button retrieves those notes pertinent to that URL. This allows you to keep custom notes throughout your entire investigation about each site independently. Rebuilding your VM or Firefox profile removes all note data.

Again, if you have not already been through the virtual machine lessons, do not fret, you can revisit the Notes functionality once you get your own VM set up in section 12. Please keep in mind that just like any other code that we find online and wish to run on our devices, we should always be critical of bookmarklets. We recommend using vetted bookmarklets from our list, or if you find a new bookmarklet that you wish to try, please test it in a safe environment. For example, you could use a virtual machine to run an isolated browser on a VPN internet connection. That is one reason we like having virtual machines on hand, for testing bits of code or various tactics prior to using them on real operations or investigations.

1.3 Resources & Articles

- https://support.mozilla.org/en-US/kb/bookmarklets-perform-common-web-page-tasks | Mozilla Bookmarklet Explanation
- https://hatless1der.com/4-simple-useful-osint-search-bookmarklets/ | Bookmarklets OSINT Article, Hatless1der
- https://www.secjuice.com/osint-bookmarklet-tools/ | Custom Bookmarklet Creation, Secjuice 2-part series, good write-up
- https://github.com/sinwindie/OSINT/blob/master/Bookmarklet%20Templates | Sample Bookmarklets, Sinwindie
- https://github.com/B0sintBlanc/Osint-Bookmarklets | OSINT Bookmarklet List
- https://www.discoveringdata.org/index.php/2021/07/11/sunday-quicky-5-a-handy-bookmarklet-for-archive-org-analysis/#more-499 | Bookmarklet Creation Article
- https://github.com/hemiola314/expand-all | Hemiola Expand-all GitHub
- https://nitroyeast.dev/bookmarklets/ | A sample collection of bookmarklets not specific to OSINT
- https://www.scrapersnbots.com/blog/general/how-to-create-bookmarklet-in-chrome.php | Creating Bookmarklets in Chrome
- https://www.thewindowsclub.com/add-a-bookmarklet-browsers | Adding Bookmarklets in Chrome or Firefox
- https://www.youtube.com/watch?v=dauK -jcqP8 | An example of using a bookmarklet to add sites to start.me pages
- https://www.freecodecamp.org/news/what-are-bookmarklets/ | Creating Bookmarklets

OSINT Essentials Browsers v.4.2022

Difficulty: Basic

Tuning & Getting to Know Our Browsers

We will be doing more work in our browsers than just about any other piece of software and yet most of us use them in their stock state and without making use of available efficiencies. We will benefit from starting to experiment with customizing our browsers and “getting under the hood” to gain a better understanding of lesser known functionalities.

1. Customizations

Below are some recommended changes to the default browser settings for Chrome and Firefox. These are not meant to be adopted all or nothing. They are meant to give you some ideas on things you might adjust depending on your use case. There is no perfect, one-size-fits-all browser for every use case. Therefore, we are going to lay out some options to consider with a use case of OSINT for our Chrome browser and privacy for our Firefox browser.

Chrome (OSINT Focused)

1. Go to settings via the Chrome menu or by typing chrome://settings/ into the address bar
2. Turn off syncing, autofill, and review each category under Privacy and security (use common sense)

Although not in the video lesson, another way you can get under the hood and tinker with your Chrome browser a little is to practice by setting up a default “last year” search: create a custom search engine with the “Last Year” operator http://google.com/search?q=%s&tbs=qdr:y (see the Operators Module for steps: https://www.inteltechniques.net/courses/take/open-source-intelligence/lessons/12912750-google-operators)

Another is to block those annoying GDPR popups about cookies. Tweak your notifications to prevent constant GDPR popups: chrome://settings/content/notifications
1. I prefer to do most popup and script blocking with uBlock Origin vs Chrome’s built in settings
2. uBlock Origin (our recommended script blocker) can also block the popups:
3. uBlock Origin icon > Open the dashboard > Import... > (paste the following link) > Apply changes https://raw.github.com/r4vi/block-the-eu-cookie-shit-list/master/filterlist.txt

Firefox (Privacy Focused)

Firefox Prebuilt Configuration - Michael created and shared out a pre-built Firefox configuration file that you are welcome to import and use if you are not interested in manually changing your settings. His build is very privacy focused so understand that it may be more “locked down” than you are used to. You can download the latest build on the book resource page https://inteltechniques.com/osintbook9/ and our shared member login for that page is available in the resources lesson https://www.inteltechniques.net/courses/take/open-source-intelligence/downloads/19553573-osint-course-materials. The steps for adding that profile to Firefox can be read here: https://support.mozilla.org/en-US/kb/back-and-restore-information-firefox-profiles

Basically, you will:
1. Open the Firefox menu on the top right of your browser
2. Select Help -> More Troubleshooting Information
3. That will display the link to your profile directory under “Profile Folder”
4. Open that directory and you will see a folder that is the current profile; it is the one with folders in it such as bookmark backups etc. Delete the contents of that folder IF you are okay losing all of your Firefox settings, bookmarks and extensions. THIS WILL COMPLETELY RESET YOUR FIREFOX.
5. Now extract the files from the custom profile that you downloaded from our osintbook9 page (linked above) and paste those files into your profile folder
6. Refer to the lesson video for a demonstration or again refer to https://support.mozilla.org/en-US/kb/back-and-restore-information-firefox-profiles

Security Settings

Review and adjust your privacy/security options: menu -> options -> privacy & security. Go through each portion, use common sense, or uncheck all except for:
1. Delete cookies and site data when Firefox is closed
2. Warn you when websites try to install add-ons

For History: Never remember history & then click on clear history

Advanced: For granular control type about:config into the address bar, hit enter, and show all. Mark all of the following as false: geo.enabled, browser.safebrowsing.phishing.enabled, browser.safebrowsing.malware.enabled, media.navigator.enabled, dom.battery.enabled, extensions.pocket.enabled, media.peerconnection.enabled, media.peerconnection.use_document_iceservers, media.peerconnection.video.enabled. Mark as true: media.peerconnection.turn.disable

Now install your extensions (see list below)

Once you have Firefox how you want it, back up your profile so that it can be imported to any new Firefox instances: Help -> Troubleshooting Information -> Open Folder. Copy this folder to a safe location and then anytime you set up a new instance of Firefox, find the config folder with the same steps and paste in your saved profile after deleting any existing files in that directory.

2. Shortcuts (on Mac replace Ctrl with ⌘)

Chrome
https://www.computerhope.com/shortcut/chrome.htm
https://www.yesware.com/blog/chrome-shortcuts/
Ctrl-F | Find
Ctrl-A | Select all
Ctrl-C | Copy
Ctrl-V | Paste
F11 | Full screen
CMD-Shift-R / CTRL F5 | Reload Page Assets (ignores browser cache)
Ctrl + Shift + N | Go Incognito Mode
Ctrl + Shift + T | Open Last Closed Tab
Ctrl + W | Close the Active Tab Right Away
Ctrl + Tab | Next open tab
Shift + Ctrl + PgUp | Previous open tab
Ctrl + M | Minimize the Active Window
Ctrl + J | Open Your Downloads Page
Ctrl + B | Open Bookmarks Manager
Ctrl + L | Snap Your Cursor to the Search Bar
Ctrl + Shift + Delete | Clear Browsing Data

Firefox Shortcuts
https://support.mozilla.org/en-US/kb/keyboard-shortcuts-perform-firefox-tasks-quickly
Ctrl-F | Find
Ctrl-A | Select all
Ctrl-C | Copy
Ctrl-V | Paste
CMD-Shift-R / CTRL-Shift-R | Reload Page Assets (ignores browser cache)
Ctrl+T and middle-click | Pressing Ctrl+T opens a blank new tab, or if you want to open any link in a new tab press your middle mouse button (often the scroll wheel) to open that link in a new tab.
Ctrl+Shift+T | Oops, closed a tab you didn't want closed? Press Ctrl+Shift+T to undo any tab close. Pressing this multiple times will undo multiple closes.
Ctrl+L or F6 | Quickly get to the URL address bar.
Ctrl+F or / | Pressing Ctrl+F opens the find feature. Using this shortcut, you can quickly find text on the same page. If you want to do a quick find and have Firefox scroll to the text location as you type, press forward slash (/) instead while in the browser.
Ctrl+W | Close the current tab.
Ctrl+Tab or Ctrl+Shift+Tab | Move between open tabs.
Ctrl+D | Open the bookmark window for the page currently being viewed.
Ctrl++ | Increase the font size
Ctrl+- | Decrease the font size
Ctrl+0 | Reset the font size
F11 | Make the screen full screen, removing all toolbars and status bars.
Ctrl+J | Open the Download Manager window.

3. Browser Extensions – Standard OSINT Extensions

Although everyone’s use case is going to vary to some degree there are some extensions which have become standard parts of our OSINT configurations. Let’s break them down by type and how they assist us in our research.

Chrome Extensions

Security/Privacy
- https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm?hl=en | uBlock Origin script blocker
- https://chrome.google.com/webstore/detail/https-everywhere/gcbommkclmclpchllfjekcdonpmejbdp?hl=en | HTTPS when available
- https://chrome.google.com/webstore/detail/location-guard/cfohepagpmnodfdmjliccbbigdkfcgia/ | Location Guard
- https://chrome.google.com/webstore/detail/user-agent-switcher/kchfmpdcejfkipopnolndinkeoipnoia/related?hl=en | User agent switcher

Search
- https://chrome.google.com/webstore/detail/onetab/chphlpgkkbolifaimnlloiipkdnihall?hl=en | OneTab
- https://chrome.google.com/webstore/detail/tabs-outliner/eggkanocgddhmamlbiijnphhppkpkmkl | Tabs Outliner
- https://chrome.google.com/webstore/detail/contextsearch-webext/ddippghibegbgpjcaaijbacfhjjeafjh | Context Search
- https://chrome.google.com/webstore/detail/json-viewer/gbmdgpbipfallnflgajpaliibnhdgobh | JSON Formatting
- https://chrome.google.com/webstore/detail/reveye-reverse-image-sear/keaaclcjhehbbapnphnmpiklalfhelgf/related?hl=en | Reverse image

Capture/Preservation/Analysis
- https://www.downthemall.org/ | Download all Images (Chrome)
- https://chrome.google.com/webstore/detail/take-webpage-screenshots/mcbpblocgmgfnpjjppndjkmgjaogfceg?hl=nl | Fireshot (Chrome)
- https://chrome.google.com/webstore/detail/nimbus-screenshot-screen/bpconcjcammlapcogcnnelfmaeghhagj?hl=en | Nimbus Screenshot (Chrome)
- https://www.onenote.com/clipper | OneNote Clipper
- https://chrome.google.com/webstore/detail/explain-and-send-screensh/mdddabjhelpilpnpgondfmehhcplpiin | Explain & Send Screenshots
- https://chrome.google.com/webstore/detail/exif-viewer/nafpfdcmppffipmhcpkbplhkoiekndck?hl=en | Exif viewer (Chrome)
- https://www.youtube.com/watch?v=jjnqQGpCLw0 | Video and Image Tools
- http://www.downloadhelper.net/ | Video DownloadHelper (Chrome)
- https://chrome.google.com/webstore/detail/downloader-for-instagram/olkpikmlhoaojbbmmpejnimiglejmboe?hl=en | Instagram Downloader (Chrome)
- https://chrome.google.com/webstore/detail/treeverse/aahmjdadniahaicebomlagekkcnlcila?hl=en | Treeverse
- https://chrome.google.com/webstore/detail/link-grabber/caodelkhipncidmoebgbbeemedohcdma/related?hl=en | Link Grabber
- https://chrome.google.com/webstore/detail/noobox/kidibbfcblfbbafhnlanccjjdehoahep?hl=en | NooBox (Chrome)
- https://chrome.google.com/webstore/detail/rightspeed-for-youtube/flibmeaimaamdoldglmbcooncgjedblo?hl=en | RightSpeed for YouTube (Chrome)
- https://chrome.google.com/webstore/detail/instant-data-scraper/ofaokhiedipichpaobibbnahnkdoiiah?hl=nl | Data Scraper (Chrome)
- https://chrome.google.com/webstore/detail/sputnik/manapjdamopgbpimgojkccikaabhmocd/related | Domain and IP Search
- https://chrome.google.com/webstore/detail/wappalyzer/gppongmhjkpfnbhagpmjfkannfbllamg | Detect page technology
- https://chrome.google.com/webstore/detail/webarchives/hkligngkgcpcolhcnkgccglchdafcnao?hl=en | Multi archives
- https://chrome.google.com/webstore/detail/archiveror/cpjdnekhgjdecpmjglkcegchhiijadpb?hl=en | Archiver
- https://chrome.google.com/webstore/detail/google-translate/aapbdbdomjkkjkaonfhkkikfgjllcleb | Google Translate (Chrome)
- https://le-tools.com/DumpItBlueExtension.html | Facebook Tools - Use with caution
- https://chrome.google.com/webstore/detail/ycs-youtube-comment-searc/pmfhcilikeembgbiadjiojgfgcfbcoaa?hl=en | YCS - YouTube Comment Search
- https://chrome.google.com/webstore/detail/instant-data-scraper/ofaokhiedipichpaobibbnahnkdoiiah/related?hl=en-US | Instant Data Scraper

Firefox Extensions

Security/Privacy
- https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/ | uBlock Origin
- https://addons.mozilla.org/en-US/firefox/addon/multi-account-containers/ | Firefox Containers
- https://addons.mozilla.org/en-US/firefox/addon/user-agent-switcher-revived/ | User-Agent Switcher
- https://addons.mozilla.org/en-US/firefox/addon/location-guard | Location spoofing
- https://addons.mozilla.org/en-US/firefox/addon/keepassxc-browser/ | KeePassXC Extension

Search
- https://github.com/ssborbis/ContextSearch-web-ext | Context Menu Search
- https://addons.mozilla.org/en-US/firefox/addon/resurrect-pages/ | Archive Search
- https://addons.mozilla.org/en-US/firefox/addon/behind/ | View Embedded Images
- https://addons.mozilla.org/en-US/firefox/addon/linkedin-guest-browser/?src=search | LinkedIn - Guest browser (FF)
- https://addons.mozilla.org/en-US/firefox/addon/pinterest-guest/?src=search | Pinterest - Guest browser (FF)

Capture/Preservation/Analysis
- https://addons.mozilla.org/nl/firefox/addon/fireshot/?src=search | Fireshot (FF)
- https://addons.mozilla.org/en-US/firefox/addon/nimbus-screenshot/?src=search | Nimbus Screenshot (FF)
- https://addons.mozilla.org/en-US/firefox/addon/exif-viewer/ | Exif viewer (FF)
- https://addons.mozilla.org/nl/firefox/addon/video-downloadhelper/?src=search | Video DownloadHelper (FF)
- https://addons.mozilla.org/en-US/firefox/addon/wayback-machine_new/ | Archive Wayback
- https://addons.mozilla.org/en-US/firefox/addon/link-gopher/ | Link Extractor

4. Developer Panel

Difficulty: Intermediate/Advanced

The developer panel or developer console is a browser interface which is hidden by default. We can open it using F12 or by right-clicking on your browser screen and selecting "Inspect". This will split the screen and you will now have a console for inspecting and interacting with files and code on the page. How is this different from right-clicking and selecting "View page source"? Choosing to view the page source can be useful, but it only shows the raw static HTML code of a specific page. The console has much more capability and not only shows page HTML, but also displays and filters files and scripts running on the page. It is a fantastic tool for locating and isolating pieces of content from the page. When you get to our videos on downloading videos you will find that the developer console is one way we can "dig" media out of pages where the page creators attempt to prevent us from doing so. Another common use is getting at images where the page prevents us from right-clicking on them. An example of this is Instagram profile images. Instagram does not want us to be able to download or interact with profile images easily, so they mask them to prevent this. We can easily circumvent this by using the developer console. We also benefit from greater access to metadata for objects loading on the page.

Most of us will either be using a Chromium based browser (Chrome, Brave, etc.) or Firefox. The console in each will look slightly different, but they have very similar functionality. There are two great ways to start learning to use the developer panel for OSINT work:

• Experimentation – There is a lot of value in just rolling up your sleeves and playing with the panel. Start off by replicating some of the techniques we use in our video capture and Instagram lessons. Going in and finding media files on pages is a very good place to get started in building comfort with the console.
• Basic Developer Training – A great way to become a much stronger researcher across the board is to gain a better understanding of how web pages work. We have many students who benefited from taking one of the many free short-form HTML or web development courses. Understanding how people build pages helps us figure out how best to dig into pages to get what we want. One course which students of this training have benefited from is https://www.codecademy.com/learn/learn-html.
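The Network tab of the developer panel can export everything a page loaded as a HAR (HTTP Archive) file, which is the same resource list and metadata the panel shows, in JSON. The Python below is an added example for this lesson, not code from the IntelTechniques notes or tools: it parses such an export offline and lists the image/video/audio objects and the hosts they came from, so the inventory can be filtered and attached to case notes. The HAR fragment, hosts and paths are constructed for the example, and the function names are my own.

```python
"""Inventory of media resources from a DevTools HAR export (added example)."""
import json
from urllib.parse import urlparse

# Constructed HAR fragment standing in for a real "Save all as HAR" export.
# Hosts and paths are made up; a real HAR carries many more fields per entry.
SAMPLE_HAR = json.dumps({
    "log": {
        "version": "1.2",
        "entries": [
            {"request": {"url": "https://example.test/profile"},
             "response": {"status": 200, "content": {"mimeType": "text/html", "size": 48211}}},
            {"request": {"url": "https://cdn.example.test/img/avatar_320x320.jpg?x=1"},
             "response": {"status": 200, "content": {"mimeType": "image/jpeg", "size": 28114}}},
            {"request": {"url": "https://cdn.example.test/static/app.js"},
             "response": {"status": 200, "content": {"mimeType": "application/javascript", "size": 391002}}},
            {"request": {"url": "https://media.example.test/clip/9f2a.mp4"},
             "response": {"status": 206, "content": {"mimeType": "video/mp4", "size": 1048576}}},
            {"request": {"url": "https://cdn.example.test/img/missing.png"},
             "response": {"status": 404, "content": {"mimeType": "text/html", "size": 0}}},
        ],
    }
})

MEDIA_PREFIXES = ("image/", "video/", "audio/")


def load_entries(har_text: str) -> list[dict]:
    """Flatten HAR entries into small records: url, host, mime, size, status."""
    data = json.loads(har_text)
    records = []
    for entry in data["log"]["entries"]:
        url = entry["request"]["url"]
        resp = entry.get("response", {})
        content = resp.get("content", {})
        records.append({
            "url": url,
            "host": urlparse(url).hostname or "",
            "mime": content.get("mimeType", ""),
            "size": int(content.get("size", 0) or 0),
            "status": int(resp.get("status", 0) or 0),
        })
    return records


def media_resources(har_text: str) -> list[dict]:
    """Return successfully loaded image/video/audio resources, largest first.

    2xx covers both full responses and the 206 partial responses that
    streamed video is usually delivered with.
    """
    found = [r for r in load_entries(har_text)
             if r["mime"].startswith(MEDIA_PREFIXES) and 200 <= r["status"] < 300]
    return sorted(found, key=lambda r: r["size"], reverse=True)


def hosts_seen(har_text: str) -> dict[str, int]:
    """Count requests per host; media often lives on a CDN host, not the page's own."""
    counts: dict[str, int] = {}
    for r in load_entries(har_text):
        counts[r["host"]] = counts.get(r["host"], 0) + 1
    return counts


if __name__ == "__main__":
    for r in media_resources(SAMPLE_HAR):
        print(f'{r["size"]:>9} {r["mime"]:<12} {r["url"]}')
    print(hosts_seen(SAMPLE_HAR))
```

Point the script at a real export by reading the .har file into `SAMPLE_HAR`'s place; the record fields are the same ones the Network tab displays in its columns.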

Resources

https://support.mozilla.org/en-US/kb/back-and-restore-information-firefox-profiles | Installing Firefox profiles
https://www.secjuice.com/osint-bookmarklet-tools/ | Creating custom bookmarklets
https://www.makeuseof.com/tag/create-custom-search-engines-google-chrome/ | Custom Search Engines
https://www.makeuseof.com/tag/chrome-power-tips/ | Chrome Tips
https://help.twitter.com/en/safety-and-security/tweet-location-settings | Hunchly
https://www.computerhope.com/shortcut/chrome.htm | Shortcuts Hotkeys
https://www.yesware.com/blog/chrome-shortcuts/ | Shortcuts Hotkeys
https://support.mozilla.org/en-US/kb/keyboard-shortcuts-perform-firefox-tasks-quickly | Shortcuts Hotkeys

OSINT Custom Toolset – 2022 Update v.7.2022

Difficulty: Basic

What has changed? Over the last few years there have been two versions of the IntelTechniques custom tools available. One set was for owners of Michael's books and was available behind a shared login found in each copy of his book. The other version was for online training members and continues to be available on our member resource page: https://inteltechniques.com/osintnet. So, what are the differences between the various versions of the custom OSINT tools?

Public Toolset
https://www.inteltechniques.com/tools/

• Several years ago, there was a public facing version of the OSINT tools which was eventually privatized due to some abuse by users and resulting legal threats from some online platforms.
• In July of 2022 we again made a version of the OSINT tools available on the above page, which does not require a login. Our hope is to continue to make this set of tools publicly available as long as it is not abused or misused.
• This set of tools is a very clean and efficient means of initiating online queries across various sites and services.
• Operational Security - All searches run from your browser, so these sites and services see your IP address and browser fingerprint.
• This is my preferred set to use anytime I just need to run quick queries without a likelihood of an involved or long-term investigation. This is the perfect set to share with colleagues who are not part of the training program.

Training Toolset
https://inteltechniques.com/osintnet/tools/

• An alternate version of the custom OSINT tools is available to training members only. This version is available on the resource page at https://inteltechniques.com/osintnet and as a reminder we use a shared group login for that page (you can find that login at the following page: https://www.inteltechniques.net/courses/take/open-sourceintelligence/downloads/19553573-osint-course-materials).
• This set of the tools includes queries identical to the public version, but also includes notes and additional resources for each tab of the tools.
• This set of the tools includes an offline version, a zipped set of the HTML files which you can unpack on your workstation and run locally. This offline set of the tools is also customizable, and you are encouraged to remove and add additional queries as you see fit. See our tools customization lessons at https://www.inteltechniques.net/courses/take/open-sourceintelligence/lessons/14929956-custom-tools-removing-broken-sites and https://www.inteltechniques.net/courses/take/open-sourceintelligence/lessons/14933312-custom-tools-replacing-a-site. These videos were recorded using an older version of the tools, but the process for editing the tools remains the same.
• Operational Security – Just as is the case with the public version, all searches run from your browser, so these sites and services see your IP address and browser fingerprint.
• This is my preferred set to use anytime I am conducting a more involved investigation or setting up a workspace for a long term

Virtual Machine Toolset
https://inteltechniques.com/osintbook9/

• An offline version of the public OSINT tools is built into the custom OSINT virtual machine. This set of the tools currently matches the 9th edition book and there are plans to adjust it so that you can pull up either the book version or the current public version.
• There is nothing stopping you from opening the public version of the tools in your VM browser OR dropping the offline training version into your virtual machine. You can customize your virtual machine however you see fit to suit your preferences.
• Our training group login (the same login you use for inteltechniques.com/osintnet) will gain you access to the osintbook9 page which hosts the resources provided with the latest book.

4OSINTSearchEngines.md

7/23/2021

OSINT Essentials - Search Engines

When Google Isn't Enough

Google is almost always our first stop when it comes to researching a target. That being said, there are times when you will want to dig deeper across other general and more specialized engines.

Big Five: Most of our time in search engines will be spent on those with the deepest data pools: Google, Bing, Yahoo, Yandex, and SearX (or another meta-crawler).

Specialized Engines: There are too many specialized search engines to list them all, but below is a collection of sites that have been useful on occasion. Depending on the type of investigation or intelligence mission, querying specialized data sets such as academic or business databases might be beneficial.

Privacy Options: All the major engines collect your data aggressively, but there are some privacy focused options for personal search or situations warranting tighter operational security. Most privacy focused search engines are "meta-engines", which means they pull results from the big search engines on your behalf.

1.1 Best Search Engines for Low Hanging Fruit

Google is the primary focus of our discussions in the Search Operators Module as they simply have the best data sets for offensive research. Bing and Yahoo would be my next stop, while Yandex and Baidu are useful for international or cross-cultural perspectives. Meta-crawlers leverage data from multiple engines and give you a combined or filtered result. Often, we fire our requests to these platforms by default, yielding a comprehensive set of initial data to work with. This is your shotgun approach to basic search using five complementary engines.

• Google
• Bing
• Yahoo – Uses Bing results but in a different order
• Yandex (Russia)
• Searx.me
• Baidu (China) ** I have recently stopped including Baidu in default searches due to inaccuracies caused by English requests

1.2 Specialty Search Engines

| Engine | Description |
| --- | --- |
| Bing vs Google | Side by side Google and Bing results |
| WolframAlpha | Academic focused search engine, math and computational tools |
| boardreader | Search engine for forums |
| million short | Skip to more obscure results |
| I Search From | Custom location, language, device & personalization Google Search tool to preview ads & results |
| Search Engine Colossus | Search Engines directory |
| NerdyData | Search The Web's Source Code for Technologies |
| Advangle | Advanced Filters |

1.3 Cache Search

| Site | Description |
| --- | --- |
| start.me | OSINT |
| Internet Archive | Digital Library of Free & Borrowable Books, Movies, Music & Wayback Machine |
| Archive.today | Webpage archive |
| CachedView | Google Cached Pages of Any Website |
| Cached Pages | Get the cached page of any URL |
| GitHub - wayback-machine-downloader (hartator) | Download an entire website from the Wayback Machine |

1.4 Privacy Search Engines

Whether you utilize these sites manually or add them to your custom OSINT tools build, this is the collection that will give you the best bang for buck on a quick username dive.

| Engine | Description |
| --- | --- |
| DuckDuckGo | Privacy, supports bangs (!) |
| Mojeek | Independent crawler (not a meta-engine) |
| Startpage | Less private (recently bought by ad company) |
| Disconnect Search | Proxied meta search |
| etools.ch | Privacy focused metasearch with filters |
| Searx | Searx instances |
| GitHub searx | |
| YaCy | |
| Metager | German meta search engine |
| SwissCows | Swiss meta search engine, primarily Bing results |
| Qwant | Meta engine primarily pulling Bing results |

1.5 Translators & International Engines

Translators
• Google Translate
• Bing Microsoft Translator
• DeepL Translate
• 2lingual Google Search

Non-US Search Engines

| Engine | Description |
| --- | --- |
| Search Engine Colossus | Search by Country |
| SearchEnginesIndex.com | Search by Country |
| Baidu | A Chinese search engine, Mandarin language, heavily censored |
| Baidu in English | Auto-Google Translate Baidu Requests |
| Daum | South Korean Search Engine |
| Parseek | Persian Search Engine |
| Goo | Japanese search site powered by Google |
| Seznam | Czech Search Engine |
| I Search From | Custom location, language, device or country |

1.6 One Tab Bookmarks

https://www.google.com/ | Google Search
https://www.google.com/advanced_search | Google Advanced Search
https://www.bing.com/ | Bing
https://searx.space/ | SearX Decentralized Search Engine
https://yandex.com/search/?text=osint&lr=11514 | osint --- Yandex: 6 thousand results found
https://www.baidu.com/
https://web.archive.org/web/*/michael%20bazzell | Wayback Machine
https://web.archive.org/web/*/seattle.gov | Wayback Machine
https://archive.md/ | Webpage archive
https://search.yahoo.com/web/advanced?guc_consent_skip=1574218170 | Yahoo Advanced Web Search
https://advangle.com/ | Advangle: advanced web-search in Google and Bing
https://keywordtool.io/search/keywords/google/12421450?category=web&keyword=proud%20boys&country=US&language=en#suggestions | Search for "proud boys" found 39 unique keywords
https://ahmia.fi/search/?q=heroin | Search results for heroin --- Ahmia
https://darksearch.io/
https://www.onionlink.xyz
https://www.tor2web.org/
https://search.goo.ne.jp/ | goo Search
https://translate.google.com/ | Google Translate
https://www.bing.com/translator | Bing Microsoft Translator
https://www.deepl.com/translator | DeepL Translator
https://www.2lingual.com/ | 2lingual Google Search
https://www.daum.net/?t__nil_top=refresh | Daum
http://www.parseek.com/ | Latest news from news sites - Parseek
http://isearchfrom.com/ | I Search From: custom location, language, device & personalization Google Search tool to preview ads & results
https://searchenginecolossus.com/ | Search Engines directory
https://duckduckgo.com/ | DuckDuckGo --- Privacy, simplified.
https://www.startpage.com/ | Startpage.com - The world's most private search engine
https://nerdydata.com/ | NerdyData.com Search The Web's Source Code for Technologies
https://cse.google.com/cse/ | Custom Search Engine

4OSINTSearchOperators.md

7/23/2021

OSINT Essentials - Search Operators v041121

Conducting Precise Queries

Our goal is to collect a small amount of pertinent intelligence versus amassing a pile of broad information. Operators are commands that we can add to our search engine queries to filter the results to suit our mission.

Must Know Operators: Make site: and the use of quotes part of your daily workflow. These are by far the most useful operators and essential to OSINT work. They also work on most major search engines. Example: site:twitter.com "James Mcguillicutty"

Tools/Advanced Search: Most search engines and platforms offer a built-in quick filter and some form of "advanced search". These simply structure the URL requests for you, but they are useful if you are struggling to remember an operator for a more obscure search provider. Try not to lean on these too much early on, as the repetition of adding operators by hand will reinforce them in your memory. Soon it will be second nature.

Deprecation: Over time Google and other platforms have removed functionality from certain operators and tools. While some were entirely removed, others simply became less predictable. These are noted where appropriate.

Other Engines: Operators for other popular engines are included at the bottom of this document. We will be using Google 99% of the time for offensive OSINT search, so this document will largely focus on that platform. Many of the operators and techniques carry over to other search providers, although some may vary slightly.

1.1 Google Tweaks

Update: In some of the documentation and explanations I have the now deprecated "AND" operator. Google has retired "AND" so we do not use it in our queries any longer. Google assumes a soft AND now and we can add quotes to force inclusion of a specific keyword/phrase. Materials are being updated to reflect this, but I wanted to point it out for anyone diving into this lesson prior to the revisions. (Sept. 3, 2020)

Customization: I prefer to have Google default to a date range of the prior year, which I can then change to anytime as needed. I find that most often this cuts through noise and outdated details. We can use Chrome's Search settings to set some customized search options.

1. Chrome Menu -> Settings -> Search Engine -> click on the drop-down box and choose Manage search engines.
2. Select Add and name it Google Last Year.
3. For keyword enter > or a character of your choosing (this functions like an operator in that in the search field you can hit > followed by Tab to activate the custom search option).
4. For URL paste in http://www.google.com/search?tbs=qdr:y&q=%s and select Add.
5. Find the new search engine in the list on the same page, click on the three dots, and mark it as default.
6. Now click on the top address bar of Chrome and type > (or your chosen character) followed by Tab. That will activate your custom search.
7. You can repeat these steps to add any number of custom operator combinations. It works well for operators and filters that you use often.
8. Another handy string to use is &tbs=cdr:1,cd_min:1/1/0,sbd:1 which will put the results in reverse chronological order. You can also add this to any search by hand; just paste it to the end of your query in the search field.
9. For image search: https://www.google.com/search?q=%s&tbm=isch

1.2 Operators

Presented in order of usefulness; add these to requests to narrow or expand results. Remember we can string multiple operators together.

| Google Operators | Explanation |
| --- | --- |
| site: | Limit results to those from a specific domain: site:apple.com |
| " " | Quotes indicate search for an exact term: "red rider BB gun" |
| AND | The AND operator has been deprecated; the AND is now assumed |
| OR | Search for term A, term B, or both. A pipe symbol is the same as OR: gun OR rifle is the same as gun \| rifle |
| * | Wildcard for words in a phrase that you don't know: wish * a star |
| () | Group a set of words/operators separately: (gun \| pistol) ammo |
| - | Exclude results including this word: chicago baseball -cubs |
| $ | Search for a certain price: "apple watch" $299 |
| cache: | Most recent cached version of a domain: cache:boston.gov |
| filetype: | Only search for a specific filetype; ext: works the same: filetype:pdf "confidential" or ext:pdf "confidential" |
| related: | Search for sites related to a domain: related:sony.com |
| intitle: | Find pages with a term in the page title: intitle:sabotage |
| inurl: | Find pages with a term in the URL: inurl:private |
| AROUND(x) | Find pages with terms within x words proximity of each other: microsoft AROUND(7) surface |
| info: | Sometimes shows related pages, cache date, etc.: info:chicago.gov |
| Adv. Search | https://www.google.com/advanced_search |

Notes: You can string as many operators together as suits your goal. For example, the following will search most of the current "chan" sites (warning, the posts on chan sites are notoriously vulgar and awful):

site:4chan.org OR site:endchan.net OR site:16chan.xyz OR site:8kun.top OR site:onee.ch OR site:acechan.xyz OR site:mlpol.net OR site:julay.world OR site:vch.moe OR site:3chan.co OR site:bunkerchan.xyz OR site:finalchan.net OR site:balkanchan.ga OR site:bienvenidoainternet.org OR site:diochan.com OR site:dreamch.net OR site:plus4chan.org
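The custom search engine steps in 1.1 and the operator table above are really two halves of the same thing: a query string assembled from operators, then dropped into a Google URL whose other parameters (tbs=qdr:y, tbs=cdr:1,cd_min:1/1/0,sbd:1, tbm=isch) do the date and image filtering. The Python below is an added example for this lesson, not part of the IntelTechniques tools; it uses only the standard library, and the function names `build_query`, `any_site` and `google_url` are my own. It shows how quoting, OR grouping and exclusion compose into one query and how that query is percent-encoded into the same URL template the Chrome steps use.

```python
"""Compose Google operator queries and the URL templates from this lesson (added example)."""
from urllib.parse import urlencode


def quote_phrase(text: str) -> str:
    """Wrap an exact phrase in double quotes, stripping any embedded quotes first."""
    return '"' + text.replace('"', "") + '"'


def any_site(domains) -> str:
    """OR a list of site: operators and group them so they bind as one condition."""
    parts = [f"site:{d.strip()}" for d in domains if d.strip()]
    if not parts:
        return ""
    return parts[0] if len(parts) == 1 else "(" + " OR ".join(parts) + ")"


def build_query(terms=(), phrases=(), sites=(), exclude=(), filetype=None,
                around=None) -> str:
    """Assemble a query string from the operators in the table.

    around is an optional (term_a, term_b, distance) tuple for AROUND(x).
    Plain terms are left unquoted because Google applies a soft AND to them.
    """
    pieces = []
    if sites:
        pieces.append(any_site(sites))
    pieces.extend(quote_phrase(p) for p in phrases)
    pieces.extend(terms)
    if around:
        a, b, n = around
        pieces.append(f"{a} AROUND({int(n)}) {b}")
    if filetype:
        pieces.append(f"filetype:{filetype.lstrip('.')}")
    pieces.extend(f"-{w}" for w in exclude)
    return " ".join(p for p in pieces if p)


def google_url(query: str, last_year=False, newest_first=False, images=False) -> str:
    """Fill the %s of the Chrome custom-search template with a real query.

    Parameter values are the ones used in the steps of section 1.1; the
    query itself is percent-encoded, while ':' ',' and '/' inside the tbs
    value are left readable because Google expects them literally.
    """
    params = {"q": query}
    if images:
        params["tbm"] = "isch"
    if newest_first:
        params["tbs"] = "cdr:1,cd_min:1/1/0,sbd:1"   # reverse chronological
    elif last_year:
        params["tbs"] = "qdr:y"                      # results from the past year
    return "https://www.google.com/search?" + urlencode(params, safe=":,/")


if __name__ == "__main__":
    q = build_query(sites=["twitter.com"], phrases=["James Mcguillicutty"])
    print(q)
    print(google_url(q, last_year=True))
    print(build_query(sites=["4chan.org", "endchan.net"], terms=["ACAB"]))
    print(build_query(terms=["chicago", "baseball"], exclude=["cubs"]))
```

Because `any_site` wraps the OR chain in parentheses, adding plain terms after it (as the chan query in 1.9 does) keeps the site restriction binding to all of them rather than only to the last OR branch.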

1.3 Google Custom Search Engines (CSEs)

Similar to our custom search engines in Chrome, Google offers a more robust option for creating a Google search page that is preset to query across a specific set of sites and using predefined operators.

1. Log in to a burner Google account.
2. Navigate to https://programmablesearchengine.google.com/cse/create/new
3. Click on Add and add any site you want to search to the site field; after adding one, more boxes will appear. You can add as many as you like.
4. Give your search a logical name and hit Create.
5. Select Edit Search Engines from the left menu, choose your engine, Search Features, and the Refinements tab.
6. Add a refinement entry for each of the sites you added to the engine. These will be tabs on your search page to filter results by site.
7. Tinker with the different settings and test the results; the main panel will have a public link that you can share out with your team.
8. Here is an example: https://cse.google.com/cse?cx=014118686029493401129:a6k_lrxesfa

1.4 Bing

Bing has removed their advanced search page. Bing Search Operators Cheat Sheet: The Ultimate Guide, (Sidegains), 2021. Most of the Google operators work in Bing. Here are some additions. Just like Google, terms or operators grouped in parentheses are processed together and separate from other conditions.

| Bing Operators | Explanation |
| --- | --- |
| OR | All Bing searches are treated as AND searches unless you specify OR between terms: goat OR pig OR cow |
| NOT | Exclude results with a specific term(s); the - symbol also works: boat NOT (raft OR ship) |
| loc: | Return pages from a specific region(s): dogs (loc:GB OR loc:FR) |
| prefer: | Weight results in favor of a term: prefer:tomato plum apple |
| near:x | Words within x proximity of each other: red near:4 blue |
| ip: | Finds sites hosted on an IP address: ip:208.43.115.82 |
| site: / domain: | Filter for a specific domain type: site:.gov confidential |
| feed: | Finds RSS feeds based on search terms: feed:osint |
| Bing Adv. | MS retired Bing's advanced search page |

1.5 Yandex (Russia)

Yandex is useful if you are working investigations involving Eastern European or Asian communities. It is also useful for bypassing US censorship and finding results with a less US slant or perspective. Yandex Support - Symbols and Operators. Most of the Google operators work in Yandex as well. Here are some additions.

| Yandex Operators | Explanation |
| --- | --- |
| Adv. Search | Click the icon in the search bar |
| lang: | Language filter: lang:fr |
| mime: | Similar to filetype: mime:docx gdpr |
| date: | Page modified date: bombing date:20180416 |
| url: | Like site:, but adding a * to the end of the URL pulls up any docs sharing that URL: Alice url:en.wikiquote.org/wiki/* |

1.6 Baidu (China)

Most standard Google operators work on Baidu. If you search on Baidu it is best to do so in Chinese, not English. Best case scenario, work with a translator to prepare queries; otherwise use Google Translate to prepare Chinese versions of your search terms. Understand that these may not be completely accurate. Baidu Advanced Search Capabilities (Seqe)

1.7 Scripts & Special Tools

Most of these tools require a Unix operating system such as Linux. Refer to the Linux and Virtualization modules for detailed instructions on implementing these tools into your workflow.

1. GitHub Sherlock Username Search
2. GitHub Python Tutorial || Hunt Down Social Media Accounts by Usernames for Open Source Intelligence || Looking-Glass v1.0 (ncorbuk) YouTube video
3. GitHub - WhatsMyName (WebBreacher)
4. GitHub linkedin2username (initstring)

1.8 Guides and Resources

https://moz.com/blog/mastering-google-search-operators-in-67-steps | Moz Guide
https://null-byte.wonderhowto.com/how-to/use-google-search-operators-find-elusive-information-0198558/ | NullByte Operator Guide
https://www.sourcecon.com/googles-aroundx-search-operator-doesnt-work-or-does-it/ | SC
https://www.startpage.com/en/advanced-search.html | Startpage Advanced Search
https://support.startpage.com/index.php?/Knowledgebase/List/Index/1 | Startpage Syntax
https://help.duckduckgo.com/results/syntax/ | DuckDuckGo Syntax
https://duckduckgo.com/bang | Bangs
https://geekwire.eu/ghdb/ | Google Hacking Database (GHDB) - Google Dorks - OSINT - Recon - GeekWire
https://www.exploit-db.com/google-hacking-database | Google Hacking Database (GHDB) Google Dorks, OSINT, Recon
https://www.osintguru.com/blog/osint-google-hacking | OSINT Google Hacking - OSINTGURU
https://medium.com/@polihenko.o/google-dorks-3cbc0e2de2dc | Google Dorks (OSINT) | Medium
https://blog.glugmvit.com/Google-Dorks-for-Recon/ | Google Dorks, Recon & OSINT | GLUG MVIT
https://www.compass-security.com/fileadmin/Research/White_Papers/201701_osint_cheat_sheet.pdf | Compass Security OSINT Cheat Sheet 2017 (201701_osint_cheat_sheet.pdf)
https://github.com/BushidoUK/OSINT-SearchOperators/blob/main/GoogleDorks.csv | OSINT-SearchOperators/GoogleDorks.csv at main · BushidoUK/OSINT-SearchOperators
https://matrix-client.matrix.org/_matrix/media/r0/download/matrix.org/yBodxUdSjDImudEVqOvStlgj | DuckDuckGo-Cheat-Sheet.jpg (JPEG Image, 1120 × 805 pixels)
https://eraser.heidi.ie/duckduckgo-tips-tricks/ | DuckDuckGo Tips & Tricks - Eraser
https://seosly.com/yandex-search-operators/ | Yandex Search Operators: A List Of 25+ Operators [2021]
https://www.makeuseof.com/tag/cool-duckduckgo-bangs/ | 25 Cool DuckDuckGo Bangs That Make Google Search Look Slow
https://synapsint.com/ | SynapsInt - The unified OSINT research tool
https://www.sans.org/security-resources/GoogleCheatSheet.pdf | TCP/IP handbook GoogleCheatSheet.pdf
https://docs.google.com/spreadsheets/d/18rtqh8EG2q1xBo2cLNyhIDuK9jrPGwYr9DI2UncoqJQ/edit#gid=930747607 | Bellingcat's Online Investigation Toolkit [bit.ly/bcattools] - Google Sheets
https://www.google.com/search?q=osint+google+dorks&newwindow=1&client=firefox-b-1d&source=lnt&tbs=qdr:m&sa=X&ved=2ahUKEwjKo_DsxfbvAhWVr54KHXKwDHUQpwV6BAgBECM&biw=1715&bih=1229 | osint google dorks Google Search
https://www.google.com/inputtools/ | Google Input Tools
https://moz.com/learn/seo/search-operators | Google Search Operators [2020 SEO] - Moz
http://www.googleguide.com/advanced_operators_reference.html | Google Search Operators - Google Guide
https://ahrefs.com/blog/google-advanced-search-operators/ | Google Search Operators: The Complete List (42 Advanced Operators)
https://www.searchenginejournal.com/google-search-operators-commands/215331/ | An SEO Guide to Advanced Google Search Operators
https://www.sidegains.com/search-engines/bing-search-operators-cheat-sheet/

1.9 Chan Google Operator Example

Google chan query example:

"site:4chan.org OR site:endchan.net OR site:16chan.xyz OR site:8kun.top OR site:onee.ch OR site:acechan.xyz OR site:mlpol.net OR site:julay.world OR site:vch.moe OR site:3chan.co OR site:bunkerchan.xyz OR site:finalchan.net OR site:balkanchan.ga OR site:bienvenidoainternet.org OR site:diochan.com OR site:dreamch.net OR site:plus4chan.org" ACAB Doxx


5OSINTEmails.md

7/23/2021

OSINT Essentials - Email Addresses

Researching Email Addresses

Email addresses are one of the best sources of information on a target, as they are required to make just about any type of account and can potentially tell us a great deal about a person. They often lead to social media accounts, dating profiles, employers, and detailed listings on various people search sites. Most people have multiple email addresses for personal, business and work use, each likely cross-contaminating one another due to a lack of operational security. It is a potential gold mine and often the best piece of information to start off a successful OSINT investigation. We most often start an email investigation with either just the email address or sometimes an actual email message. We will look at techniques for tackling both scenarios. If we can get our hands on a full email message as a file, that is the best case scenario, as we will be able to research the email headers, message content, and the email address itself.

1.1 Triage

Take a few minutes to ask some questions prior to diving in on the investigation. Some questions to ask the victim or person requesting assistance:

1. What is the source of the email address? Do you have an actual email, or was it associated with another form of online posting or communication?
2. If an email was received, can you forward a copy of the email as an attachment? We need it as an attachment to see the header data. How to Forward an Email as an Attachment in Outlook (Lifewire), 2020
3. If they are unable to forward the full email, request the text portion of the email so that you can evaluate it for context.
4. Have you received these before, or do you have any idea who this could be?
5. Can you provide an IT contact for whoever manages your email server (if it is managed on site vs an online provider such as Gmail)?
6. Please list any other identifiers included in phone conversations or emails (numbers, names, addresses, IPs, etc.).

1.2 General Search

Google the email address in quotes: "[email protected]" and consider an AND operator joined with any additional unique context such as location, subculture, or profession.

1. If you have the contents of the email, versus just an address, Google portions of the email body text that seem unique to see if they are posted anywhere online, such as a blog: "Crazy person monologue text blah blah"


2. Search the email address through any government or agency provided databases: LexisNexis, Clear, agency RMS/CAD, Dept. of Corrections, etc.
3. Search any premium "people search" services such as Spokeo, Intelius, BeenVerified, etc. If you do not have any paid service subscriptions, move on to the next section.

1.3 Tier One Tools The following are tools that we tend to get good results with when searching email addresses. They can be used individually, imported into One-Tab, or added to your custom offline OSINT toolset (covered in the Custom OSINT Tools module). The format below is intended for One-Tab use:

https://haveibeenpwned.com/unifiedsearch/ | Breach Search
https://portal.spycloud.com/endpoint/enriched-stats/ | SpyCloud
https://dehashed.com/ | DeHashed
https://www.ussearch.com/search/reverseemail/ | US Search
https://psbdmp.ws/api/search/ | Dump Search
https://emailrep.io/query/ | https://emailrep.io/query/
https://api.trumail.io/v2/lookups/json?email= | Trumail
https://intelx.io/?s= | Intelligence X
https://hunter.io/email-verifier | Email Verifier
https://www.google.com/webhp | Google
https://www.bing.com/?scope=web&mkt=en-US | Bing
https://www.linkedin.com/sales/gmail/profile/viewByEmail/ | LinkedIn
https://www.searchmy.bio/search?q= | searchmy.bio
https://thatsthem.com/email/ | ThatsThem
https://www.spytox.com/people/search?email= | Spytox
https://aleph.occrp.org/search?q= | occrp
https://groups.google.com/forum/?fromgroups#!overview | Google Groups
https://www.google.com/search?q=inurl:ftp+-inurl:(http%7Chttps)+&cad=h | ftp Google Search
https://domainbigdata.com/ | Domainbigdata
https://securitytrails.com/list/by-email/ | SecurityTrails
http://analyzeid.com/ | Analyze ID
https://en.gravatar.com/site/check/ | Gravatar - Globally Recognized Avatars
https://viewdns.info/reversewhois/ | whois reverse email search

1.4 Tier Two Tools & Scripts

• GitHub - Amass (OWASP) – Amass Email Enumeration Script (Linux)
• GitHub - theHarvester (laramies) – Email Search Script (not great results lately) (Linux)
• Spiderfoot – Automated API Execution for Email Search
• GitHub - recon-ng (lanmaster53) – Advanced OSINT Command Line Tool (Linux)
• GitHub - datasploit (DataSploit) – OSINT Script for Email, phone numbers, etc. (Linux)
• GitHub - WhatBreach (Ekultek) – Identifies Breach Data Containing Target Email (Linux)
• GitHub - buster (sham00n) – Searches For SocMed Accounts, Breach Data, etc. (Linux)
• Email to Twitter Account (Aware Online) – Guide on Trusted Provider Method

1.5 Email Assumptions

Email enumeration is the strategy of guessing accounts by taking a known username choice and testing it against the most common email domains. Users will often use the same username across multiple email providers. Here is a Google search string for the most common freemail carriers (replace "username" with your target's username):

"[email protected]"OR"[email protected]"OR"[email protected]"OR"[email protected]"OR"[email protected]"OR"[email protected]"OR"[email protected]"OR"[email protected]"OR"[email protected]"OR"[email protected]"OR"[email protected]

Breach query sites are useful for checking the existence of emails using the target username. (Note: for Dehashed.com make sure you are logged in in another tab before firing off your queries.) Example: target username "hacker". URL for manual Dehashed query: https://dehashed.com/search?query=%[email protected]%22 We can then replace gmail.com with any freemail domain and get similar results. Reminder: queries on Dehashed need quotes around them if you do not want to return every entry that contains the text string, in this case gmail.com, which will return millions of hits.

Breach search sites are constantly closing or being taken down, but haveibeenpwned.com and dehashed.com have weathered the storm so far. You can do a manual search on either quite easily, but you want to also include them in your custom tools. See the sample HTML file attached to this lesson for an example of how we can fire off multiple searches at once, or refer to the lesson Building Your Own Custom Tools. I highly recommend signing into your free or paid Dehashed account prior to running multiple queries to avoid display issues. These are examples of the URLs you will end up with after correctly querying "username" through your tools. Any of these can be entered manually and are also formatted so that they can be copied, pasted, and imported into OneTab.

1.6 Email Headers

If your case involves the receipt of an email rather than just knowing the email address, you will likely want to review the header to gain more intel on the source. This can help identify spoofed emails and other obfuscation of the sender's identity.

1. View a message header in an email client, for example Microsoft Outlook. Double click the message in Outlook to open it in its own window. With the message open, click on "File" in the upper left-hand corner, then select "Properties" towards the bottom middle of the window. The bottom of the screen will have a box titled "Internet headers." Click anywhere in the box and hit Ctrl+A to select all of the header text, then Ctrl+C to copy it. Paste that text into your notes in OneNote or wherever you are collecting key details.
2. How to read message headers in Outlook (How-To Geek), 2019: a more detailed set of instructions for viewing headers in Outlook.
3. Analyze the header. Go to one of the various online header analyzers: Email Header Analyzer (good overall email toolset), a check to see if the email has a traceable IP, or DNS Checker. Note: none of these analysis services are perfect, so they do not necessarily rule anything out.

Further reading to help you understand email headers: How to Read and Analyze the Email Header Fields and Information about SPF, DKIM, SpamAssassin Header Guide; How to Get Email Headers; How to get headers from popular providers.

1.7 Emergency Legal Requests

1. Look up law-enforcement legal request contact details for the email provider: https://www.search.org/resources/isp-list/
2. Whenever possible try to get a real person on the phone so that you can sweet talk some basic information. Hopefully, they will at least tell you if there is any subscriber information to be had via an emergency order or a legal request such as a warrant.
3. If it is a US company, submit either an emergency request (for imminent public safety threats) or a warrant/subpoena (for criminal cases).
4. Screen emergency and/or legal requests with a prosecutor.

1.8 Trackers

In serious cases, you may be able to get a court order to send the target email a tracker. Always consult a prosecutor prior to utilizing this technique to ensure you are on solid legal ground. Also make certain that it is within agency policy.

Canary Tokens
Low Level Canary Tokens
Track a Target Using Canary Token Tracking Links (Null Byte), 2019: good how-to article


5OSINTGoogleDrivetoEmailAddress.md

7/23/2021

OSINT Essentials - Google Drive to Email Address v.5.2021

This is a short demonstration walking through a Google Drive page of a live target who is distributing pirated content. We take that lead, talk through the approach, and extract a vanity name, email, Google ID, and domain from the page. This is not a long write-up, just some short, concise steps:

1. Op-sec: consider using a VPN, a virtual machine, and a burner browser.
2. Open the target page and take a quick look at what type of content is there. Consider taking a screen capture and starting a scratch sheet for notes. Leave content analysis (docs, folders, images, videos, etc.) for later.
3. Hit the "i" symbol on the top right, which is the page information button, to open up potential data on the author. If there is a name listed, know that it may not be the target's real name, but it is still a possible good lead or "pivot point".
4. Hover over the name with your mouse and you will likely see an email address; write it down or screenshot it if you choose.
5. Hit F12 to open the developer panel and select the "Network" tab. Type "emailAddress" or "permissions" in the filter field.
6. Click on various documents/files on the Google Drive page. In the developer panel you will see some requests listed, which means their responses contain the word you filtered for. Click on one of them and a panel opens to the right of it; select the "Response" tab. If the first one doesn't show anything useful in the Response tab, click on another until you find something useful.
7. Note down and/or screen capture any located identifiers such as email addresses, domains, Google IDs, or names.
8. "Pivot" off of any good leads by running them through Google or your custom OSINT tools. If this is being done for an operation or investigation, make sure to capture as you go and take good notes.

NOTE: Any time you are looking at files which belong to an adversary we want to be extra cautious and use good operational security. Consider only opening or examining the files in a virtual machine and while on a protected connection such as a VPN. The virtual machine should provide some isolation and protection should a file have malware or something else nasty inside.


5OSINTGoogleHangoutsQuery.md

7/23/2021

Locating Google Map Contributions & Albums via Google Hangouts v.8.2020

This is one way to use Google Hangouts to locate the Google ID of a Gmail account and then plug that into URL structures to view public map and gallery information. This was first seen on a Reddit post, so credit to "Iaqvdm" over on Reddit: How to find user's reviews on Google Maps by Gmail address? (https://www.reddit.com/r/OSINT/comments/iaqvdm/how_to_find_users_reviews_on_google_maps_by_gmail/)

1. Open Google Hangouts with a burner account.
2. Click on contacts (upper left corner).
3. Click on create a chat and enter the Gmail address you want in the search.
4. If an account exists the profile will show up, and you will see a profile image if they have one.
5. (Optional) Reverse image search: right click the profile image and open it in a new tab, then right-click and reverse image search it. This is a separate search and is not part of the album/map steps.
6. Right click on the profile and choose Inspect Element to bring up the developer panel.
7. Hover over the profile and on the Elements screen you will see the Gmail address in the code; near there will be their 21-digit Google ID (it follows "hovercard-oid").
8. Double click on the ID to highlight it and copy it (right-click and copy, or Ctrl+C).
9. In your text editor or notepad, add the ID number onto these two URLs: https://get.google.com/albumarchive/ and https://www.google.com/maps/contrib/
10. With the URLs constructed, paste them each into a browser tab and hit enter.
11. For the maps results, it should show Google Maps with their same profile photo top left. If they have any public map data it will be noted under their photo, i.e., "1 contribution". If you click on the contributions you can see which type of data they shared; if it is a review, click on the review tab below the profile. You may have to zoom out the map to see any map markers. Make sure that you have no map data saved on your burner account, or that may be confusing when looking at the map data.
12. For albums, if they have a shared gallery you will see a picture title and the name of the gallery. Clicking on that picture will open the set of images.
13. For preservation you may wish to screen capture pages with any pertinent results and save any images by right-clicking and "Save image as", or use a media downloader extension such as DownThemAll or Download Star.


14. If you are using the data as evidence or to substantiate findings, you may also want to screen capture the Google Hangouts page with the developer panel open and the Google ID highlighted, as this shows your process and the link between the Gmail address and the numerical ID.

Format:
https://get.google.com/albumarchive/GoogleID
https://www.google.com/maps/contrib/GoogleID

To find accounts to test against, use your operators: "my google maps" AND @gmail.com

Examples:
https://get.google.com/albumarchive/115369109636919639957
https://get.google.com/albumarchive/100631518012057473992
https://www.google.com/maps/contrib/100631518012057473992

Note: As seen in these examples, some accounts will have little or no data.


5OSINTPhoneNumbers.md

7/23/2021

OSINT Essentials - Phone Numbers

Intro and Use Case

Phone numbers have become one of the most prolific identifiers due to most platforms wanting phone numbers as a primary contact medium. Although most platforms have a phone number associated with a user, OSINT traditionally struggles with phone numbers. This is largely due to:

1. Variations in numbering formats
2. Transient number use (VOIP, number porting, etc.)
3. Most platforms do not support search by phone number
4. Mobile-only applications and platforms

1.1 Carrier Identification

Free Carrier Lookup: unlimited searches, best details about VOIP
Carrier Lookup: one free lookup per day
NANPA: select Central Office Code Utilized Report

1.2 Caller ID Databases

Twilio: identify incoming calls through caller ID
Neustar: Telo customers
For existing OpenCNAM customers
For existing EveryoneAPI customers
Caller ID Service: bulk solutions
Service Objects
Caller ID Test

1.3 Telephone Search Websites

People search websites which allow phone number queries. Replace the demo number () with the target number:

411: https://www.411.com/phone/US
800 Notes: https://800notes.com/phone.aspx/
Advanced Background Checks: https://www.advancedbackgroundchecks.com/
America Phonebook: https://www.americaphonebook.com/reverse.php?number=
Caller Smart: https://www.callersmart.com/phone-number/
Dehashed: https://dehashed.com/search?query=
Fast People Search: https://www.fastpeoplesearch.com/
Info Tracer: https://infotracer.com/phone-lookup/results/?phone=
John Doe: https://johndoe.com/phones/
Numpi: https://numpi.com/phone-info/
Nuwber: https://nuwber.com/search/phone?phone=
OK Caller: https://www.okcaller.com/
People Search Now: https://www.peoplesearchnow.com/phone/
Phone Owner: https://phoneowner.com/phone/
Reverse Lookup: https://www.reverse-lookup.co/
Search Bug: https://searchbug.com/tools/reverse-phone-lookup.aspx?TYPE=phonerev&FULLPHONE=
Search People Free: https://www.searchpeoplefree.com/phone-lookup/
Spytox: https://www.spytox.com/reverse-phone-lookup/
Sync.me: https://sync.me/search/?number=
That's Them: https://thatsthem.com/phone/
True People Search: https://truepeoplesearch.com/search?phoneno=
US Phonebook: https://www.usphonebook.com/
White Pages: https://www.whitepages.com/phone/
WhoCalled.org: http://whocalled.org
Yellow Pages: https://people.yellowpages.com/whitepages/phone-lookup?phone=
Zabasearch: https://www.zabasearch.com/
Google: https://www.google.com/search?q=
Bing: https://www.bing.com/search?q=
Yandex: https://yandex.com/search/?text=

1.4 Historical Search Websites

Searching for historical landline information:
Old Phone Book: https://oldphonebook.com
To search caller ID for a number in the year 1998: http://www.oldphonebook.com/searchphone2.php?syear=1998&sphone=

1.5 Search Engines

Examples of phone number formatting to use in Google, Bing, or other search engines:

"(618) 4620000"
"(618) 462-0000"
"(618)462.0000"
"618.462.0000"
"(618) 462.0000"
"618 462 0000"
"(618)4620000"
"six one eight four six two zero zero zero zero"
"618 four six two zero zero zero zero"
"six one eight four six two 0000"
"618 462 zero zero zero zero"
"six one eight 462 zero zero zero zero"
"618 four six two 0000"
"six one eight 462 0000"

Examples of searching on multiple formats at once:

"618.462.0000"OR"(618) 4620000"OR"(618)4620000"
"six one eight four six two zero zero zero zero"OR"618 four six two zero zero zero zero"OR"six one eight 462 0000"OR"six one eight 462 zero zero zero zero"

True Caller: https://truecaller.com
Craigslist: https://craigslist.org
Escort Index: https://escortindex.com
Spy Dialer: https://spydialer.com
CellularLD: https://celluarld.com
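Typing those fourteen variants by hand for every number gets old, and the spelled-out forms are easy to get wrong. The script below is an added example (not part of the lesson or the IntelTechniques tools) that normalizes whatever format the number arrives in, generates the punctuation layouts from the list above plus every digits-or-words mix of the three groups, and joins them into OR queries. The chunk size is my assumption: Google only honors the first 32 words of a query, and each spelled-out variant alone is ten words, so a single OR string of everything would silently lose terms.

```python
"""Search-string variants of a NANP phone number in the formats the lesson
lists, plus the remaining digit/word mixes, chunked into OR queries.
Added example; the 618-462-0000 sample number is the lesson's own."""
import re

DIGIT_WORDS = {"0": "zero", "1": "one", "2": "two", "3": "three", "4": "four",
               "5": "five", "6": "six", "7": "seven", "8": "eight", "9": "nine"}


def normalize(number):
    """Keep digits only and drop a leading US country code."""
    digits = re.sub(r"\D", "", number)
    if len(digits) == 11 and digits[0] == "1":
        digits = digits[1:]
    if len(digits) != 10:
        raise ValueError(f"expected a 10-digit NANP number, got {number!r}")
    return digits


def spelled(digits):
    return " ".join(DIGIT_WORDS[d] for d in digits)


def variants(number):
    """Quoted exact-match strings: the lesson's punctuation layouts first,
    then every mix where each group (area code, prefix, line) is either
    all digits or all words, which is how people write numbers on forums."""
    d = normalize(number)
    a, p, l = d[:3], d[3:6], d[6:]
    forms = [
        f"({a}) {p}{l}", f"({a}) {p}-{l}", f"({a}){p}.{l}", f"{a}.{p}.{l}",
        f"({a}) {p}.{l}", f"{a} {p} {l}", f"({a}){p}{l}", f"{a}-{p}-{l}",
        f"{a}{p}{l}",
    ]
    groups = [(a, spelled(a)), (p, spelled(p)), (l, spelled(l))]
    # bit i of mask selects words (1) or digits (0) for group i; mask 0 is
    # the all-digit "618 462 0000" already listed above
    for mask in range(1, 8):
        forms.append(" ".join(g[(mask >> i) & 1] for i, g in enumerate(groups)))
    out = []
    for f in forms:
        q = f'"{f}"'
        if q not in out:          # a number like 000-000-0000 repeats forms
            out.append(q)
    return out


def or_queries(number, per_query=4):
    """Variants joined with OR (no spaces, as in the lesson), in chunks
    small enough to stay under Google's 32-word query limit."""
    v = variants(number)
    return ["OR".join(v[i:i + per_query]) for i in range(0, len(v), per_query)]


if __name__ == "__main__":
    for q in or_queries("+1 (618) 462-0000"):
        print(q)
```

Each printed line is one search; paste them into Google or Bing one at a time, or drop the list into your custom tools the same way the username and email URL lists are handled.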

1.6 Loyalty Cards

If all other techniques have failed: enter the target telephone number as the reward/loyalty program phone number when making a purchase at a local grocery store. You can also use this technique at a gas pump. In both instances you will most likely receive a receipt listing the target's name.

1.7 One-tab Bookmarks

https://freecarrierlookup.com | unlimited search, best details about VOIP
https://carrierlookup.com | one free lookup per day
https://twilio.com/lookup | Twilio
https://www.opencnam.com/login | Login - OpenCNAM
https://www.everyoneapi.com/login | Login to Your Account | EveryoneAPI
https://calleridservice.com | Bulk Solutions
https://bulkcnam.com | Everyone API
https://serviceobjects.com/products/phone/reverse-phone-lookup-service | Caller ID Test
https://calleridtest.com
https://www.411.com | 411
https://800notes.com | 800 Notes
https://www.advancedbackgroundchecks.com | Advanced Background Checks
https://www.americaphonebook.com | America Phonebook
https://www.callersmart.com | Caller Smart
https://dehashed.com | Dehashed
https://www.fastpeoplesearch.com | Fast People Search
https://infotracer.com | Info Tracer
https://johndoe.com | John Doe
https://numpi.com | Numpi
https://nuwber.com | Nuwber
https://www.okcaller.com | OK Caller
https://www.peoplesearchnow.com | People Search Now
https://phoneowner.com | Phone Owner
https://www.reverse-lookup.com | Reverse Lookup
https://searchbug.com | Search Bug
https://www.searchpeoplefree.com | Search People Free
https://www.spytox.com | Spytox
https://sync.me | Sync.me
https://thatsthem.com | That's Them
https://truepeoplesearch.com | True People Search
https://www.usphonebook.com | US Phonebook
https://www.whitepages.com | White Pages
http://whocalled.org | WhoCalled.org
https://people.yellowpages.com | Yellow Pages
https://www.zabasearch.com | Zabasearch


5OSINTRealNames.md

7/23/2021

OSINT Essentials - Real Names

Investigating Real Names

This is one of the most common searches that we will do across all mission types. The uniqueness of the name and the presence or absence of additional identifiers and context can make this a very quick search or an extremely arduous one: Elaine Sklar from Vermont versus Bill Smith from somewhere.

1.1 Google Operators

Examples of using Google to search real names:

"John Doe" "Chicago"
"John Doe" "Microsoft"
site:instagram.com "John Doe"
site:twitter.com "John Doe" AND "city" OR "sports team" (see the next specific example)
site:twitter.com "James Davidson" AND broncos

Unique names will require fewer operators to filter out false positives.

1.2 People Search Engines

True People Search
Fast People Search
Nuwber
XLEK
Family Tree Now
Intelius
Radaris
UFind
Spytox
Search People Free
John Doe
That's Them
Spokeo
Advanced Background Checks
Yasni
Zaba Search
People Search Now
WebMii
Social Searcher
Truth Finder
People By Name
White Pages
Find People Search
Public Records
Public Mail Records
How Many Of Me
Classmates

1.3 Resumes

Examples of Google searches for resumes:

"John Doe" "resume" filetype:doc OR filetype:docx OR filetype:pdf
"John Doe" "Resume"
"John Doe" "Curriculum Vitae"
"John Doe" "CV"
"John Doe" "Resume" filetype:doc
"John Doe" "Curriculum Vitae" filetype:doc
"John Doe" "CV" filetype:doc
"John Doe" "Resume" filetype:pdf
"John Doe" "Curriculum Vitae" filetype:pdf
"John Doe" "CV" filetype:pdf
"John Doe" "Resume" site:docs.google.com
"John Doe" "Curriculum Vitae" site:docs.google.com
"John Doe" "CV" site:docs.google.com

CV Maker
Indeed

1.4 Gift Registries

The Knot
The Bump
Amazon Baby
Amazon Wedding
Target Wedding
Target Baby
Kohl's Wedding
Registry Finder
My Registry

1.5 Search by Address Sites

Fast People Search
White Pages
People Finder
People Search Now
True People Search
Radaris
Intelius
Advanced Background Checks
Spokeo
That's Them
Homemetry

1.6 Non-US People

Peoplesearch - Australia
Canadapages - Canada
Infobel - Canada
Infobel - France
Infobel - Germany
Infobel - Spain
192 - UK
People Trace UK
GOV.UK

1.7 Additional Resources

Howmanyofme: how common is your target's name
FamilySearch: common surnames by country
Netcredit: common surnames by country

1.8 One-tab Bookmarks

https://searchmy.bio | Search my bio
https://truepeoplesearch.com | True People Search
https://fastpeoplesearch.com | Fast People Search
https://nuwber.com | Nuwber
https://xlek.com | XLEK
https://familytreenow.com | Family Tree Now
https://intelius.com | Intelius
https://radaris.com | Radaris
https://ufind.name | UFind
https://spytox.com | Spytox
https://searchpeoplefree.com | Search People Free
https://johndoe.com | John Doe
https://thatsthem.com | That's Them
https://spokeo.com | Spokeo
https://advancedbackgroundchecks.com | Advanced Background Checks
https://yasni.com | Yasni
https://zabasearch.com | Zaba Search
https://peoplesearchnow.com | People Search Now
https://webmii.com | WebMii
https://social-searcher.com | Social Searcher
https://truthfinder.com | Truth Finder
https://peoplebyname.com | People By Name
https://whitepages.com | White Pages
https://findpeoplesearch.com | Find People Search
https://publicrecords.com | Public Records
https://publicemailrecords.com/name search | Public Mail Records
https://howmanyofme.com | How Many Of Me
https://classmates.com | Classmates
https://cvmaker.com | CV Maker
https://indeed.com | Indeed
https://www.theknot.com/registry/couplesearch | The Knot
https://registry.thebump.com/babyregistrysearch | The Bump
https://www.amazon.com/baby-reg/homepage/ | Amazon Baby
https://www.amazon.com/wedding | Amazon Wedding
https://www.target.com/gift-registry/ | Target Wedding
https://www.target.com/gift-registry/baby-registry | Target Baby
https://www.myregistry.com/kohls-wedding-registry.aspx | Kohl's Wedding
https://www.registryfinder.com | Registry Finder
https://www.myregistry.com | My Registry
https://www.fastpeoplesearch.com/ | Fast People Search
https://www.whitepages.com | White Pages
https://www.peoplefinder.com | People Finder
https://www.peoplesearchnow.com/ | People Search Now
https://www.truepeoplesearch.com/ | True People Search
https://radaris.com | Radaris
https://www.intelius.com | Intelius
https://www.advancedbackgroundchecks.com/address | Advanced Background Checks
https://www.spokeo.com/reverse-address-search | Spokeo
https://thatsthem.com/reverse-address-lookup | That's Them
https://homemetry.com | Homemetry
https://www.peoplesearch.com.au/People_Search_by_Location/ | Australia
https://www.canadapages.com | Canada
https://www.infobel.com/en/Canada | Canada
https://www.infobel.com/en/France | France
https://www.infobel.com/en/Germany | Germany
https://www.infobel.com/en/Spain | Spain
https://www.192.com/ | UK
https://www.peopletraceuk.com/ | UK
https://www.gov.uk/government/organisations/land-registry | UK


5OSINTUsernames.md

7/23/2021

OSINT Essentials - Usernames

Usernames Investigations

Usernames are vanity names assigned by sites and platforms. They are sometimes used as the user ID for the platform, but more often they are in addition to a numerical or alphanumerical control number for the corresponding account. We are not often dealing with ID numbers, but very often work from a username or pivot into them from other online assets associated with a target.

Usernames as Leads: The most common username scenario we see is when investigating posts made by a user which contain threats, trafficking in illicit goods, crimes against children, or other content of interest to law enforcement or the intelligence community. The simplest example of this would be a user in a gaming forum threatening to shoot up a school.

Target Profiles: Usernames may also be uncovered on investigations that begin with some other initial lead data. Any target with a robust online presence will likely have usernames either on popular social media platforms or in online communities such as hobby groups. A common example of this is searching for cybercrime suspects in gaming forums. There are also many hacker forums where criminals openly engage in transactions and discuss tradecraft. Cyber-criminals love their monikers and avatars. Usernames and other aliases are an important part of any comprehensive target profile (see the sample target profile report).

Email Enumeration: Most humans are predictable in that we like what we like and tend not to deviate far from that. When we make a choice of username for a site or service, it will often be similar to choices that we have made when signing up for email services at places like Gmail. Therefore, a part of enumeration (developing a list of data connected to a target) usually includes interpolating possible email addresses based on username choices.

1.1 Assess the Context and Uniqueness of a Username

"Charlie12345" does not tell us very much about the target, but "Sniper69" certainly does. The very first assessment I do is a contextual evaluation of the username. Does the choice say anything about the age, gender, or culture of the target? In the first case we can really only infer that it is more likely than not a male, and someone who is not terribly creative. Super generic username or email choices can also be indications of accounts made in bulk via automation, or for a single purpose. When someone makes an account to use long term they usually care about what it says about them, and so they tend to use a name that is part of theirs with numbers tacked on, or a cultural reference they are fond of. I even catch myself doing this when making burner accounts; again, it's human nature. Don't move too quickly past using your intuition and making some guesses about what that username choice indicates about your target. That is one of the biggest differences between purely academic research and investigation; the latter involves applying some psychology and following hunches.

1.2 Search Engines

If the username is unique you may hit paydirt with a simple Google query using your operators:

username AND site:twitter.com OR site:facebook.com OR site:reddit.com OR site:twitch.tv

1.3 OSINT Tools Loadout

../tools/Username.html

Whether you utilize these sites manually or add them to your custom OSINT tools build, this is the collection that will give you the best bang for the buck on a quick username dive.

IntelTechniques Username Tool (yours may be in a different directory): file:///C:/Users/YourWindowsUsername/Desktop/tools/Username.html
haveibeenpwned.com: https://haveibeenpwned.com/unifiedsearch/username
Dehashed: https://dehashed.com/search?query=%22username
psbdmp.ws: https://psbdmp.ws/api/search/username
KnowEm: https://knowem.com/checksocialnames.php?u=username
Username Search: https://usersearch.org/results_advanced.php?URL_username=username
Namevine: https://namevine.com/#/username
Peekyou: https://www.peekyou.com/username=username
Social Searcher: https://www.social-searcher.com/search-users/?q6=username
Skype API: https://api.skype.com/users/username/
Gravatar: https://en.gravatar.com/username (Gravatar profile, view in JSON)
Searchmy.bio: https://www.searchmy.bio/search?q=username (Instagram username)
Snapdex: https://www.snapdex.com/list?search=username (popular Snapchat names)
Twitter: https://twitter.com/username
Facebook: https://www.facebook.com/username (note: you can't actually use "username")
Instagram: https://www.instagram.com/username/
TikTok: https://www.tiktok.com/@username
Telegram: https://t.me/username
YouTube: https://www.youtube.com/username
Vimeo: https://vimeo.com/username
Tinder: https://www.gotinder.com/@username
Tumblr: https://username.tumblr.com/
Medium: https://medium.com/@username
Flickr: https://www.flickr.com/photos/username
GitHub: https://github.com/username
Ebay: https://www.ebay.com/usr/username
Venmo: https://api.venmo.com/v1/users/username
Pinterest: https://www.pinterest.com/username
Pastebin: https://pastebin.com/u/username
"username" - Google Search: https://www.google.com/search?q=%22username%22
"username" - Bing: https://www.bing.com/search?q=%22username%22
"username" - Yandex: https://yandex.com/search/?text=%22username%22&lr=91

1.3 Additional sites

These may not work with your tools but are available for a manual search.

Namechk: username search
Namecheckr: username search
Instant Username: check the username as you type
Searchpof: this just does a Google CSE search on Plentyoffish.com
Usersearch: people search engine
WhatsMyName (Osintcombine)

1.4 Gaming Communities

Gaming sites are great to check for usernames, especially if your target is a younger demographic or involved in any type of cyber-crime. Refer to the module Gaming Platforms for more in-depth tactics for working with video gaming communities and for additional resources.

Steam: https://steamcommunity.com/id/username
Discord: https://discordhub.com/user/search
YouTube: https://www.youtube.com/results?search_query=username
Twitch: https://www.twitch.tv/username
Mixer: https://mixer.com/api/v1/channels/username (Mixer shut down in July 2020; kept for historical reference)
Reddit: https://www.reddit.com/user/username
Xbox: https://www.xboxgamertag.com/search/username
PSN: https://psnprofiles.com/username
Nintendo: still looking for a reliable search outside the platform
Minecraft: https://namemc.com/name/username
Deviant Art: https://www.deviantart.com/username

1.5 Email Enumeration

Email enumeration is the strategy of guessing accounts by taking a known username choice and testing it against the most common email domains. Here is a Google search string for the most common freemail providers (replace "username" with your target's username):

"[email protected]"OR"[email protected]"OR"[email protected]"OR"[email protected]"OR"[email protected]"OR"[email protected]"OR"[email protected]"OR"[email protected]"OR"[email protected]"OR"[email protected]"OR"[email protected]

Breach query sites are useful for checking the existence of emails built from the target username. (Note: for Dehashed.com make sure you are logged in on another tab before firing off your queries.)

Example: target username "hacker". URL for a manual Dehashed query: https://dehashed.com/search?query=%[email protected]%22

We can then replace gmail.com with any freemail domain and get similar results. Reminder: queries on Dehashed need quotes around them if you do not want to return every entry that contains the text string; in this case gmail.com on its own would return millions of hits. Breach search sites are constantly closing or being taken down, but haveibeenpwned.com and dehashed.com have weathered the storm so far. You can do a manual search on either quite easily, but you will also want to include them in your custom tools. See the sample HTML file attached to this lesson for an example of how we can fire off multiple searches at once, or refer to the lesson Building Your Own Custom Tools. I highly recommend signing into your free or paid Dehashed account prior to running multiple queries to avoid display issues. These are examples of the URLs you will end up with after correctly querying "username" through your tools. Any of these can be entered manually and are also formatted so that they can be copied, pasted, and imported into OneTab.

IntelTechniques Username Tool
file:///C:/Users/WindowsUser/Downloads/tools/Username.html

Haveibeenpwned
https://haveibeenpwned.com/unifiedsearch/[email protected]?truncateResponse=true
https://haveibeenpwned.com/unifiedsearch/[email protected]?truncateResponse=true
https://haveibeenpwned.com/unifiedsearch/[email protected]?truncateResponse=true
https://haveibeenpwned.com/unifiedsearch/[email protected]?truncateResponse=true
https://haveibeenpwned.com/unifiedsearch/[email protected]?truncateResponse=true
https://haveibeenpwned.com/unifiedsearch/[email protected]?truncateResponse=true
https://haveibeenpwned.com/unifiedsearch/[email protected]?truncateResponse=true
https://haveibeenpwned.com/unifiedsearch/[email protected]?truncateResponse=true
https://haveibeenpwned.com/unifiedsearch/[email protected]?truncateResponse=true
https://haveibeenpwned.com/unifiedsearch/[email protected]?truncateResponse=true
https://haveibeenpwned.com/unifiedsearch/[email protected]?truncateResponse=true
https://haveibeenpwned.com/unifiedsearch/[email protected]?truncateResponse=true

Dehashed
https://dehashed.com/search?query=%[email protected]%22
https://dehashed.com/search?query=%[email protected]%22
https://dehashed.com/search?query=%[email protected]%22
https://dehashed.com/search?query=%[email protected]%22
https://dehashed.com/search?query=%[email protected]%22
https://dehashed.com/search?query=%[email protected]%22
https://dehashed.com/search?query=%[email protected]%22
https://dehashed.com/search?query=%[email protected]%22
https://dehashed.com/search?query=%[email protected]%22
https://dehashed.com/search?query=%[email protected]%22
https://dehashed.com/search?query=%[email protected]%22
https://dehashed.com/search?query=%[email protected]%22

1.6 Scripts & Special Tools

Most of these tools require a Unix-like operating system such as Linux. Refer to the Linux and Virtualization modules for detailed instructions on implementing these tools into your workflow.

GitHub - Sherlock (sherlock-project)
GitHub - Python-Tutorial---Hunt-Down-Social-Media-Accounts-by-Usernames-for-Open-Source-Intelligence (ncorbuk)
YouTube - video
GitHub - whatsmyname (WebBreacher)
GitHub - linkedin2username (initstring)

1.7 One-tab Bookmarks

Username Search Sites

https://haveibeenpwned.com/unifiedsearch/username | haveibeenpwned.com username
https://dehashed.com/search?query=%22username | "username --- DeHashed
https://psbdmp.ws/api/search/username | psbdmp.ws username
https://knowem.com/checksocialnames.php?u=username | KnowEm UserName Check
https://usersearch.org/results_advanced.php?URL_username=username | Username Search
https://namevine.com/#/username | Namevine
https://www.peekyou.com/username=username | Peekyou
https://www.social-searcher.com/search-users/?q6=username | Social Searcher
https://api.skype.com/users/username/ | https://api.skype.com/users/username/
https://en.gravatar.com/username | username - Gravatar Profile (view in json)
https://www.searchmy.bio/search?q=username | username Instagram searchmy.bio
https://www.snapdex.com/list?search=username | Popular Snapchat Names - Snapdex
https://twitter.com/username | Profile / Twitter
https://www.facebook.com/username | Facebook (note: you can't actually use "username")
https://www.instagram.com/username/ | Instagram (@username)
https://www.tiktok.com/@username | TikTok
https://t.me/username | Telegram
https://www.youtube.com/username | YouTube Search
https://vimeo.com/username | Vimeo Search
https://www.gotinder.com/@username | Tinder
https://username.tumblr.com/ | Tumblr
https://medium.com/@username | Medium
https://www.flickr.com/photos/username/ | Flickr
https://github.com/username | Github
https://www.ebay.com/usr/username | Ebay
https://api.venmo.com/v1/users/username | Venmo
https://www.pinterest.com/username | Pinterest
https://pastebin.com/u/username | Pastebin
https://www.google.com/search?q=%22username%22 | "username" - Google Search
https://www.bing.com/search?q=%22username%22 | "username" - Bing
https://yandex.com/search/?text=%22username%22&lr=91 | "username" --- Yandex
https://www.namechk.com/ | Namechk Username Search
https://www.namecheckr.com/ | Namecheckr Username Search
https://instantusername.com/#/ | Check username as you type
https://searchpof.com/ | This just does a Google CSE search on Plentyoffish.com
https://usersearch.org/index.php | People Search Engine
https://whatsmyname.app/ | Whatsmyname (Osintcombine)

Usernames - Gaming

https://steamcommunity.com/id/username | Steam
https://discordhub.com/user/search | Discord 3rd party user search
https://www.youtube.com/results?search_query=username | YouTube
https://www.twitch.tv/username | Twitch
https://mixer.com/api/v1/channels/username | Mixer
https://www.reddit.com/user/username | Reddit
https://www.xboxgamertag.com/search/username | Xbox
https://psnprofiles.com/username | PSN
https://namemc.com/name/username | Minecraft
https://www.deviantart.com/username | Deviant Art

Usernames - Scripts

https://github.com/sherlock-project/sherlock | Sherlock Username Search
https://github.com/ncorbuk/Python Tutorial Hunt Down Social Media Accounts by Usernames-for-Open-Source-Intelligence-/blob/master/README.md | ncorbuk
https://www.youtube.com/watch?v=ApVoG1NE4lk
https://github.com/webbreacher/whatsmyname | What's my name (Webbreacher)
https://github.com/initstring/linkedin2username | LinkedIn Username Scraper


2. You can copy the URL for the image and manually paste that URL into images.google.com (click on the camera icon and paste in the URL).

3. The account name is in the URL after pinterest.com, so in my example it is OSINT981. I should consider adding this to my notes and also conducting a reverse username search by pasting it into a Google search between quotes, such as: "OSINT981". The URL format for accounts is pinterest.com/accountname.

4. The vanity username (below the profile image) can also be reverse searched using the same technique, so in my example: "OSINT ANALYST", which will no doubt bring back false positives as well, as vanity names and common usernames tend to do. One reason I tend to enter these in Google manually versus using the right-click context menu search is that, depending on your browser, the context menu (the menu you get when you right click in a browser) may or may not allow you to select and search text easily. I have found that with Pinterest it's easiest to just do the Google searches manually rather than using the context menu.

5. The usefulness of the bio data will depend on what they include. As with the vanity name, the user can put whatever they want, so don't assume that it is all necessarily true. In my example the bio lists a private domain and a username (I've already searched this username in step 3). The private domain will likely be a very good lead, so I will probably start an investigation into that in a new window or possibly even spin up a virtual machine and get on a protected connection prior to doing reconnaissance on that site. Remember that going to personal domains often warrants better operational security. See our lessons on domain investigations for more tips on that piece, but know that osintanalyst.com is one of the strongest leads in my sample scenario.

6. Followers and Following: At a very basic level this will give us an idea of the popularity of the account. Most "normal" people follow more than they get followed, so our example above definitely reflects a target that is not very prolific. Depending on the target's privacy settings you may be able to click on the followers or following to see a list of accounts. You may need to log into a burner account in order to see the list of followers and following. For most targets, if they are not celebrities or "influencer" types, the people following them are more interesting than who they are following.

7. Prior to capturing individual pages or "boards" you may want to hold down the space bar or use a scrolling extension to scroll down the page and get all of the pins to load. Typically, we will capture the board as a whole and then open individual posts or "pins" if they are especially pertinent to our investigation. You should note at the top of each board the number of pins, and often it will also state how old the board is. In our example there are 22 pins on the user's OSINT board and it is 8 years old:

Note that if you scroll down past the 22 pins you will then enter a "more like this" section which really is not your targets posts and rather it is just Pinterest suggested posts. That is less pertinent to our investigation and I typically do not capture these posts. You can conduct your page captures with Fireshot, Hunchly, SingleFile, or your capture tool of choice. I find Fireshot to be the quickest and Hunchly to be the best for large accounts or involved investigations.

Removing Nag Screens & Overlays
Pinterest will constantly try to force you to create or log in to an account, but we have some additional options for removing those nags and obstructions if you don't wish to use a burner account.

Option 1: Temporarily remove the nag by deleting the end of the URL and reloading the page. For example, I go to: https://www.pinterest.com/flrinvestigations/osint/ and then click on one of the images and we'll get a nag popup. At some point Pinterest will cover the page with a popup nagging me to create or log in to an account. If I look at the URL, ?mt=login has been added to the end. If I remove ?mt=login and reload, the nag goes away temporarily.

Option 2: Use an extension such as https://addons.mozilla.org/en-US/firefox/addon/pinterest-guest/ or https://chrome.google.com/webstore/detail/behind-the-overlay/ljipkdpcjbmhkdjjmbbaggebcednbbme?hl=en to block the nag popup.

Option 3: Use the developer panel to remove the nag. You can use the developer panel to locate and temporarily disable nags and overlays, but this method is not recommended because it is more complicated and also only temporary, which makes it more trouble than it is worth.

Option 4: Use the uBlock Origin element zapper to remove the popups/nag overlays.

Using the zapper will block the nag temporarily or you can go into the "picker" to set up a more permanent filter. To do so select the picker and then a script window will show up on the lower right and you can select different lines and "preview" the results. Once the preview represents the results you want, select create.

Remember you can delete your filters and start over from scratch at any time. We encourage experimenting and tinkering with your own variations. There are multiple methods of achieving the same goal.

Resources & Articles
https://help.pinterest.com/en | Official Help Docs
https://www.aware-online.com/en/osint-investigation-on-pinterest/
https://github.com/sinwindie/OSINT/blob/master/Pinterest/Pinterest OSINT Attack Surface.pdf
https://addons.mozilla.org/en-US/firefox/addon/pinterest-guest/ | Remove Nag Extension
https://chrome.google.com/webstore/detail/behind-the-overlay/ljipkdpcjbmhkdjjmbbaggebcednbbme?hl=en | Alternative Overlay Removal Extension
https://www.youtube.com/watch?v=2xstVuTCCvg | Video on Pinterest & IG nag removal
https://offeo.com/download/pinterest-video-downloader/ | Pinterest Video Downloader
https://chrome.google.com/webstore/detail/imageassistant-batchimag/dbjbempljhcmhlfpfacalomonjpalpko?hl=en | Alternative Batch Image Downloader
https://www.bestproxyreviews.com/pinterest-scraper/ | Advanced Pinterest Scraping Article
https://chrome.google.com/webstore/detail/web-scraper-free-webscra/jnhgnonknehpejjnehehllkliplmbmhn?hl=en | Scraper Extension
https://imgdownloader.com/ | Bulk Image Download Site
https://www.pinterest.com/rockandice/ | Innocuous target to practice on
https://greasyfork.org/en/scripts/by-site/pinterest.com | Pinterest Scripts
https://thrivemyway.com/pinterest-hashtags/ | Hashtag Overview
https://www.google.com/webhp?hl=en&sa=X&ved=0ahUKEwi8042Bk4X4AhWkmo4IHYqnCfYQPAgI | Google
https://nerdschalk.com/pinterest-search-without-login-in-5-ways-step-by-step-guide/ | Pinterest: Search Without Login in 5 Ways [Step-by-step Guide]
https://in.pinterest.com/ideas/ | Explore the best of Pinterest
https://www.tampermonkey.net/ | Tampermonkey • Home
https://chrome.google.com/webstore/detail/pinterest-save-button/gpdjojdkbbmdfjfahjcgigfpmkopogic?hl=en | Pinterest Save Button - Chrome Web Store
https://www.ghacks.net/2021/09/25/best-pinterest-plugin-for-chrome-here-is-my-best-choice/ | Top 7 Different Pinterest Plugins for Chrome - gHacks Tech News
https://bloggingtips.com/pinterest-extensions-for-chrome/ | 5 Useful Pinterest Extensions for Chrome to Extend its Features | Bloggingtips.com

6OSINTFacebook.md

7/23/2021

OSINT Essentials - Facebook (Basics)

Intro and Use Case
Facebook has become incredibly challenging for OSINT practitioners due to their aggressive anti-fraud tactics, which make maintaining covert accounts on the platform a huge pain. Also, they killed Graph Search in 2020 and prior to that cut off integration with most third-party services. In short, it is a mess, but we still have targets on the platform so we will need to do much of the work manually.

1.1 Create Covert Account

Email
Fastmail: Does not require an established email address to obtain a new address. Not as heavily scrutinized for malicious activity as other more popular email providers.
Protonmail: Does not require an established email address to obtain a new address.
GMX: Better than using a Gmail or Yahoo, but does now require an existing email address or phone number as reference when creating an account.

Phone
Best Case Scenario: pick up a Mint 7-day SIM kit for about $1-$5 via Amazon (cheapest) or BestBuy (brick & mortar option for privacy). Search example: https://www.google.com/search?tbs=qdr:y&q=mint+sim+kit

Mobile account creation: VOIP services such as Google Voice no longer work, so circumventing the phone number requirement by using the Facebook mobile site is the best option: https://m.facebook.com
Turn off any VPN, Tor browser, or other IP masking services
Clear out internet cache
Log out of any accounts
If a phone number is still required for account creation, consider using local public library Wi-Fi

Account creation is a bit of a roulette situation and sometimes you just have to start from scratch. There is a section below containing articles related to lockouts and policy at FB.

1.2 Basic Facebook Search Options

Traditional Filters
Example: search filters for “OSINT”
All: https://www.facebook.com/search/top/?q=osint
Posts: https://www.facebook.com/search/posts/?q=osint
People: https://www.facebook.com/search/people/?q=osint
Photos: https://www.facebook.com/search/photos/?q=osint


Videos: https://www.facebook.com/search/videos/?q=osint
Marketplace: https://www.facebook.com/search/marketplace/?q=osint
Pages: https://www.facebook.com/search/pages/?q=osint
Groups: https://www.facebook.com/search/groups/?q=osint
Apps: https://www.facebook.com/search/apps/?q=osint
Events: https://www.facebook.com/search/events/?q=osint
Links: https://www.facebook.com/search/links/?q=osint

Target Profile Search
Example: Search target “zuck” via direct query:
Timeline: https://www.facebook.com/zuck
About: https://www.facebook.com/zuck/about
Employment: https://www.facebook.com/zuck/about?section=work
Education: https://www.facebook.com/zuck/about?section=education
Locations: https://www.facebook.com/zuck/about?section=living
Contact Info: https://www.facebook.com/zuck/about?section=contact-info
Basic Info: https://www.facebook.com/zuck/about?section=basic-info
Relationships: https://www.facebook.com/zuck/about?section=relationship
Family Members: https://www.facebook.com/zuck/about?section=family
Bio: https://www.facebook.com/zuck/about?section=bio
Life Events: https://www.facebook.com/zuck/about?section=year-overviews
Friends: https://www.facebook.com/zuck/about?section=friends
Profile Photos: https://www.facebook.com/zuck/about?section=photos
Photo Albums: https://www.facebook.com/zuck/about?section=photos_albums
Videos: https://www.facebook.com/zuck/about?section=videos
Check-Ins: https://www.facebook.com/zuck/about?section=places_recent
Sports: https://www.facebook.com/zuck/about?section=sports
Music: https://www.facebook.com/zuck/about?section=music
Movies: https://www.facebook.com/zuck/about?section=movies
TV Shows: https://www.facebook.com/zuck/about?section=tv
Books: https://www.facebook.com/zuck/about?section=books
Likes: https://www.facebook.com/zuck/about?section=likes
Events: https://www.facebook.com/zuck/about?section=events
Facts: https://www.facebook.com/zuck/about?section=facts
Reviews: https://www.facebook.com/zuck/about?section=reviews
Notes: https://www.facebook.com/zuck/about?section=notes

1.3 User Number
User number recovery has become really unpredictable. The old way, which is broken currently: finding a target's user number in Firefox and Chrome
Right click on a Facebook profile page and select “View Page Source”
Search the page for entity_id


On some profiles you can dig a user number out using queries on “fbid=” but it is inconsistent so standby and we will be researching this more.

1.4 Downloading Videos
Third party: https://FBdown.net
Manual: Replace www with mbasic in the URL, open the video, right click, save video as

1.5 Reliable Resources
Expand Comments
Auto Scroll
Scroll it!

1.6 Articles Regarding FB Rules/Enforcement
What types of ID does Facebook Accept?
Facebook has already removed 583 million fake accounts this year, 2018
Facebook publishes its community standards playbook, 2018
Facebook's Secret Censorship Rules Protect White Men From Hate Speech but not Black Children, 2017
Facebook's New Captcha Test: 'Upload A Clear Photo of Your Face', 2017
https://www.facebook.com/help/community/question/?id=1321872044593566
Facebook asking locked out users to provide Government ID, 2018
What other names are allowed on Facebook?
I signed up on Facebook with my mobile number and now I can't log in
How to Unblock Facebook Account that are Blocked/Disabled, 2019
https://www.facebook.com/communitystandards/integrity_authenticity/misrepresentation/
Account Integrity and Authentic Identity
Community Standards Enforcement Report, First Quarter 2021

1.7 Other Resources
Most of these are broken…mostly, but they are worth keeping an eye on. Pay attention to the date - the summer of 2019 is when FB tightened things up.
Sowdust Search Tool (Mostly Deprecated)
Tools - Intelligence X
DumpItBlue+ Chrome Extension
Net Bootcamp - Facebook Search
Who posted what?
Osint Support - Chrome Extensions
UK OSINT - Useful Facebook Links
Aware Online - Save a Facebook Video


6OSINTInstagram.md

7/23/2021

OSINT Essentials - Instagram v.6.2021

Investigating Instagram Profiles
There are two common tasks that take us to Instagram. Typically, we are either searching for a target's profile or we are collecting and analyzing a known profile. The third body of work on Instagram would be using it as a pivot point and gleaning intelligence from persons related to or associated with our target.

1.1 IG Basic Tasks

Locate User Number
Right-click on the profile page and select view page source. Hit ctrl-f and search for: "owner":{"id" to locate the user ID

Time of post
Search the post source for "taken_at_timestamp"
The date is in Unix time, so use epochconverter.com to convert it

URL Structuring
Channels: https://www.instagram.com/username/channel/
Hashtags (URL Manipulation): https://www.instagram.com/explore/tags/keyword/
Note: Only works if they put # on their hashtags
Tagged: https://www.instagram.com/username/tagged/
Expand in JSON Format: https://www.instagram.com/username/?__a=1

1.2 Search & Operators
Example of using Google to search Instagram:
Site:instagram.com target name
Site:instagram.com “@username”
Site:instagram.com "username" "keyword"
Posts with comments or mentioning 2 users: Site:instagram.com "username1" "username2"
Example of search for IG photos on Twitter: Site:twitter.com username Instagram.com/p

1.3 Third Party Search & Analysis Sites
This section lists sites that can be used to search or analyze the type of data or platform.


Search my bio (Twitter and IG bio search)
Follower analysis (see also follower section below)

1.4 Profile Images
Instagram does not want us to be able to isolate the profile image; here are steps to solve that.

Method 1
1. Right click on the page and choose “view page source”
2. Ctrl-F and search for og:image
3. The long link in the code is a very small resolution profile image
4. Copy the number before .jpg
5. Ctrl-F again and search for that number (something like 183746353)
6. The third instance of that number is a link to a higher resolution profile image

Method 2
1. In Chrome right-click to the side of the profile photo (not on it) and select Inspect to open the developer panel
2. In the dev panel select the Sources tab to open a file tree for the page
3. Expand any entries starting with scontent
4. Image folders are nested here and grouped by resolution and typically ordered with higher resolution files at the top of the list
5. Clicking on the file will open a preview in the Sources panel
6. Right clicking the file name will allow you to open it in a new tab or in the network tab of the developer panel

Third party profile image sites/tools (these break all the time so get good at the manual methods):
Full size IG profile photo viewer
Downloadgram
Instagram downloader
Gramsave
Instadownloader.co
Instaoffline.net

1.5 Followers
You must be logged in to view the followers of a specific account.
Manual capture of followers and following:
While logged in, click on the following or followers link
Scroll to the bottom and then hit Ctrl-A, which will select all entries
Right click and select Copy selected links (this works best in Firefox)
Paste into your OneNote or a spreadsheet
Third party follower tool of choice: Follower analysis

1.6 Complete Post Analysis


1. First screen capture the page using Fireshot or your screen capture of choice
2. Next save the image: Right click on the photo and choose “inspect”, which will open the developer panel
Method 1: Select the Network tab, click on the Img filter, and then you may need to refresh the page (F5 key). A list of images will appear; right-click on each and open it in a new tab to view, then right click on the image and choose save as
Method 2: Select the Sources tab. Expand the entry that starts with scontent; this will reveal nested folders containing the images from the page. Once you find the one you want, right click on it and either open it in a new tab or hit save. Paste the URL into a browser and download the full version of the suspect image.
3. Scroll through the comments, and expand any if necessary, by clicking "+".
4. Click the summary of likes below the heart icon.
5. Scroll through them until all are loaded, select all with ctrl-a (command-a on Mac)
6. Paste these into a spreadsheet or your OneNote using ctrl-v
7. Repeat with any other posts that you need in full
8. Remember that you can use a script such as Instaloader to download all the photos, but it will only get the photos, not the comments…thus instructions for manual capture

1.7 Download IG Videos & Stories
Instagram stories are short videos that only stay up for 24 hours. Stories can sometimes be downloaded using the same 3rd party tools and tactics as posted videos, but your mileage may vary.
Open the video
Right click next to the video (not on it) and select inspect
Click on the network tab
In the filter field type in MP4; make sure the “All” filter is also selected
Refresh the video by playing it again or hitting F5
In the dev panel the links to the video will show up; right-click and open in a new tab
The video will load in a new tab; right-click and select save video as

3rd Party Downloaders
IG Story Viewer
Ingramer General Video
Ingrammer Stories Tool
IG Downloader Chrome Extension (warning: the bulk download feature can get your account locked out)

1.8 Scripts & Advanced Tools
Scripts and/or programs for more advanced search and analysis. This address will be slightly different for you:

G:/Tools/Tools main/IT NET Tools v3/Instagram.html


IG Photo Downloader
NOTE: Instaloader results seem to be throttled after about 12 images lately.
To install and run on Linux (or via WSL):

sudo pip3 install instaloader
instaloader username
(where username is the target account; Instaloader takes the profile name directly as its target)

Instalooter was the previous favorite but often fails lately

1.9 One-Tab Bookmarks
Links from the lesson:

https://downloadgram.com | Downloadgram
https://instadp.org/instagram-downloader | Instagram downloader
https://gramsave.com | Gramsave
https://downloadgram.com/ | DownloadGram - Instagram photo, video, IGTV, and Reels downloader online
https://instadp.org/#r | Instadp Full size Insta dp Updated
https://instadownloader.co/ | Instagram Video Downloader - InstaDownloader
https://instaoffline.net/ | Download Instagram Photos online free
https://followerwonk.com | Follower analysis
https://searchmy.bio | Search my bio
https://ingramer.com/downloader/instagram/video/ | Ingramer Video Downloader
https://ingramer.com/tools/stories-viewer/ | Instagram Story Viewer: Get Access To Content Anonymously
https://www.instafollowers.co/download-instagram-stories | Download Instagram Stories and Highlights - Online, Free Views
https://chrome.google.com/webstore/detail/instagram-downloader/cpgaheeihidjmolbakklolchdplenjai?hl=en | Instagram Downloader - Chrome Web Store


6OSINTTikTok.md

7/23/2021

OSINT Essentials - TikTok

TikTok Investigations
TikTok is a wildly popular mobile video platform which grew out of musical.ly, essentially a rebranding by Bytedance, the Chinese parent company. It is similar to apps like Vine or Periscope; what sets TikTok apart is the focus on short videos paired with popular background music. The platform has also become a favorite of criminals and pedophiles due to its popularity amongst kids and teens.

1.1 TikTok Investigations via Browser
Take a few minutes to ask some questions prior to diving in on the investigation. Some questions to ask the victim or person requesting assistance.

The account format in a URL is: https://tiktok.com/@username

There are three identifiers for each account, similar to other social-media platforms. Right click on the profile page -> select “View Page Source” -> ctrl-f to conduct a keyword search -> search for uniqueid
uniqueid
userid
nickname (nicknames are not unique; they are vanity names)
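The ctrl-f lookups in the page source described here, and in the Instagram "Locate User Number" and "Time of post" tasks in section 1.1 above, are the same pattern: find a JSON key in minified page source and read the value next to it, then convert any Unix timestamp to a readable date. The Python below is an added example (not part of the notes, Instagram, or TikTok) that does those lookups with regular expressions on the raw source text, so it keeps working when the embedded JSON is too broken to load whole. The IG_SOURCE and TT_SOURCE fragments are constructed to imitate the strings the notes say to search for; the camel-cased key names in TT_SOURCE are an assumption, which is why matching is case-insensitive.

```python
import re
from datetime import datetime, timezone

# Constructed page-source fragments (not real captures) shaped like the
# strings the notes say to search for with ctrl-f.
IG_SOURCE = (
    '{"graphql":{"shortcode_media":{"owner":{"id":"1234567890",'
    '"username":"example_user"},"taken_at_timestamp":1626000000}}}'
)
TT_SOURCE = (
    '{"userInfo":{"user":{"uniqueId":"example_user","userId":"6812345678901234567",'
    '"nickname":"Example Nick"}}}'
)


def find_json_value(source: str, key: str):
    """Return the first value paired with "key" in raw page source, or None.

    Works on the raw text rather than json.loads(), so it copes with JSON
    that is embedded in HTML or truncated. Keys match case-insensitively
    because the notes write uniqueid/userid while a page may camel-case them.
    """
    pattern = r'"%s"\s*:\s*"?([^",}\]]+)"?' % re.escape(key)
    m = re.search(pattern, source, re.IGNORECASE)
    return m.group(1) if m else None


def ig_owner_id(source: str):
    """The "owner":{"id" lookup from the Instagram notes, as a regex."""
    m = re.search(r'"owner"\s*:\s*\{\s*"id"\s*:\s*"?(\d+)', source)
    return m.group(1) if m else None


def unix_to_utc(ts) -> str:
    """Convert a Unix timestamp in seconds to a readable UTC string
    (what epochconverter.com does for you)."""
    return datetime.fromtimestamp(int(ts), tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def ig_post_time(source: str):
    """Time of post from "taken_at_timestamp", converted from Unix time."""
    ts = find_json_value(source, "taken_at_timestamp")
    return unix_to_utc(ts) if ts and ts.isdigit() else None


def tiktok_identifiers(source: str) -> dict:
    """The three TikTok account identifiers named in the notes."""
    return {k: find_json_value(source, k) for k in ("uniqueid", "userid", "nickname")}


if __name__ == "__main__":
    print("IG owner id:", ig_owner_id(IG_SOURCE))
    print("IG post time:", ig_post_time(IG_SOURCE))
    print("TikTok:", tiktok_identifiers(TT_SOURCE))
```

To use it on a real capture, save "View Page Source" to a file and pass its contents as the source string; a None result means the key was not present in that copy of the page, which is the usual sign that the platform has changed its markup and the manual ctrl-f method needs re-checking.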

The hashtag format in a URL is: https://tiktok.com/tag/keyword


Individual videos have a format similar to: https://www.tiktok.com/@lightvisa/video/6809871476372606214

Screen capture the profile page using Fireshot or other capture extension

Steps to save the profile pic
1. Right-click on the profile pic and choose save as to get a low resolution version
2. For a higher resolution image, right click on the pic and select inspect element. The link to a higher resolution image will likely be highlighted, and if not, look for the link following img src=. Double click the link to select it, then copy and paste into a new tab. Right-click to save as.
3. The resolution will be shown in the URL and for some profiles you may be able to replace it with a higher numerical value to get a higher resolution image, but this does not work on all profiles.

Steps to download videos
1. Right click on the video and select “Inspect Element”


2. The developer panel will open; look for a video link containing tiktokcdn.com. It will look similar to:

3. Right click on the link and select open in new tab
4. The video will be isolated in a new tab; right click on it and select save as
5. You will now be able to save it as an mp4 file
6. Consider using Fireshot or other screen capture on the video page to preserve any text captions that the user added when uploading the video
7. Exporting comments: Paste the page link into https://exportcomments.com/ and you will get some, but not all, comments as an xls file
Note: to browse comments manually via a browser, you must be logged in to a TikTok account

Search
Search for TikTok links shared on other platforms using the keywords m.tiktok.com or vm.tiktok.com
On Twitter a hashtag search of #tiktok paired with your keywords works well

Google operators
This will look for any tags containing the keyword vs an exact match: site:tiktok.com/tag keyword
This will search inside the post text: site:tiktok.com intext:keyword
Find all usernames containing the keyword: inurl:https://m.tiktok.com/h5/share/usr filetype:html keyword

Deleted Content
Some TikTok accounts are captured by archive.org; just search the user account URL in the Wayback Machine: https://web.archive.org/web/*/https://www.tiktok.com/@marshmellomusic

1.2 TikTok via an Android Emulator
We are not going to get much just using a browser, and you may choose to create an investigative account on TikTok for more capability or possibly for conducting infiltration. You will need a physical burner phone or an emulator to run the application. Most people choose the emulator route as it is a zero-cost option to create multiple disposable virtual phones (with some limitations).
TikTok on Nox
TikTok APK File
Alternatively, you can get it from the Google Play store if your emulator is set up to provide Google Play access.
Creating your account: You will need to provide TikTok with a burner phone number, email address, or social media account.
Note: some features such as in-app messaging and password resets require a phone number vs just an email address
Additional emulator options are listed in section Guides and Resources

1.3 Account Verification If you attempt to create an account with a phone number, email address, or social media account that is already associated with a TikTok account, you will get an error that the information is already associated with an account. Keep in mind that this indicates that there was an account using that phone number or address at one time so it may not be a current active account. There have been cases where the account was setup by the previous owner of that phone number or email address. Another method for searching against known accounts is to use the contacts tactic. In a burner phone or emulator, you may populate the contact list with your target information and give the TikTok application access to your contacts.

1.4 Tools & Scripts
OSINT Combine Tik Tok Quick Search: Username, Hashtag, Keyword Search
GitHub TikTok OSINT Script (Linux)
GitHub - Bookmarklets by Sinwindie
TTDown: TikTok Video Downloader
Cloutlog: User analytics
Export Comments
VidNice: Tag and User Search
VidNice - Video Downloader
TikTok Hashtags.com: Hashtag Analysis
Byte Sights: Analyze TikTok influencers
Influence Grid: Identify TikTok influencers
GitHub scrcpy: Android Tether Display
GitHub BerserkParser: JSON Parser

1.5 Guides & Resources
Investigate TikTok Like a Pro!, 2020: This is a very good TikTok investigations article
Beginner's Guide to TikTok, 2019: Intro to TikTok, links to iOS and Android
How to Use TikTok on PC or Mac, 2021: Emulating TikTok on Bluestacks
Download and use TikTok on PC: Emulating TikTok on Memuplay
Download TikTok on PC with NoxPlayer: Emulating TikTok on Nox
How to make a new account on TikTok in 3 different ways, 2020: Account Signup Overview
TikTok Official Support Page
Sinwindie TikTok Guide
TikTok OSINT: targeted user investigation (Part 1/3: User), 2020: 3-Part Guide on Advanced JSON Interception on TikTok

1.6 Legal Requests
Law Enforcement & Legal Request Guidelines

1.7 One-Tab Bookmarks

Search

https://www.tiktok.com/foryou?lang=en | Trending Videos on TikTok
https://www.tiktok.com/@jiffpom?lang=en | jiffpom💗 (@jiffpom) Official | TikTok
https://www.tiktok.com/tag/cvv | #cvv videos on TikTok
https://www.tiktok.com/@lightvisa/video/6809871476372606214 | Serious business only [Snap-litevisa] Methods, CCVs, Bins, Dumps 📲 #cc #cvv #bins #freebins #scammer #methods #freemethods #teejayx6 #fraudbible
https://exportcomments.com/ | Export Facebook, Instagram, Twitter, YouTube, VK, TikTok, Vimeo Comments to CSV / Excel - EXPORTCOMMENTS.COM
https://www.google.com/search?q=m.tiktok.com+AND+cvv&rlz=1C1CHBF_enUS860US860&oq=m.tiktok.com+AND+cvv&aqs=chrome..69i57j33.12317j0j8&sourceid=chrome&ie=UTF-8 | m.tiktok.com AND cvv - Google Search
https://www.google.com/search?q=site%3Atwitter.com+%23tiktok+AND+cvv&rlz=1C1CHBF_enUS860US860&oq=site%3Atwitter.com+%23tiktok+AND+cvv&aqs=chrome..69i57j69i58.16255j0j8&sourceid=chrome&ie=UTF-8 | site:twitter.com #tiktok AND cvv - Google Search
https://www.google.com/search?rlz=1C1CHBF_enUS860US860&sxsrf=ALeKk01vO_Wp2TNZfoS03SYQXfolhAJOMQ%3A1592439179474&ei=i7HqXqa8HMj4wSdwIHwAg&q=site%3Atiktok.com%2Ftag+militia&oq=site%3Atiktok.com%2Ftag+militia&gs_lcp=CgZwc3ktYWIQA1COoQFYLUBYMS4AWgBcAB4AIABJogBvwKSAQE5mAEAoAEBqgEHZ3dzLXdpeg&sclient=psy-ab&ved=0ahUKEwjmrfmciorqAhVI_J4KHR1gAC4Q4dUDCAw&uact=5 | site:tiktok.com/tag militia - Google Search
https://www.google.com/search?q=site%3Atiktok.com+intext%3Acvv&rlz=1C1CHBF_enUS860US860&oq=site%3Atiktok.com+intext%3Acvv&aqs=chrome..69i57j69i58.27206j0j8&sourceid=chrome&ie=UTF-8 | site:tiktok.com intext:cvv - Google Search
https://www.google.com/search?rlz=1C1CHBF_enUS860US860&sxsrf=ALeKk02a0uyRGz6Bktb7UNJ0DomjDc_fsw%3A1592439304445&ei=CLLqXqzeGozMgT636mIBg&q=iii.+inurl%3Ahttps%3A%2F%2Fm.tiktok.com%2Fh5%2Fshare%2Fusr+filetype%3Ahtml+fullz&oq=iii.+inurl%3Ahttps%3A%2F%2Fm.tiktok.com%2Fh5%2Fshare%2Fusr+filetype%3Ahtml+fullz&gs_lcp=CgZwc3ktYWIQA1CWfljFgwFggoUBaABwAHgAgAEniAG0AZIBATWYAQCgAQGqAQdnd3Mtd2l6&sclient=psy-ab&ved=0ahUKEwisgsXYiorqAhUMpp4KHfpvCmEQ4dUDCAw&uact=5 | iii. inurl:https://m.tiktok.com/h5/share/usr filetype:html fullz - Google Search
https://web.archive.org/web/*/https://www.tiktok.com/@marshmellomusic | Wayback Machine

Analytics

https://ttdown.org/ | download tiktok video. tiktok to mp3. tiktok downloader. ttdown.org
https://exportcomments.com/ | Export Facebook, Instagram, Twitter, YouTube, VK, TikTok, Vimeo Comments to CSV / Excel - EXPORTCOMMENTS.COM
https://vidnice.com/ | TikTok Web Viewer Online and Analytics | VidNice
https://vidnice.com/download/ | TikTok Video Downloader VidNice
https://www.osintcombine.com/tiktok-quick-search | TikTok Quick Search | OSINT Combine
https://tiktokhashtags.com/ | TikTok hashtag generator - tiktokhashtags.com
https://www.slinkyproductions.co.uk/guide-to-tiktok/ | Beginner's Guide to TikTok | How to use TikTok
https://bytesights.com/ | Fanbytes Search - Search & Analyse Tiktok influencers
https://www.influencegrid.com/ | Find TikTok Influencers Now - Influence Grid
https://github.com/sinwindie/OSINT/blob/master/TikTok/Bookmarklet%20Tools | OSINT/Bookmarklet Tools at master · sinwindie/OSINT · GitHub
https://www.cloutlog.com/ | Real-Time TickTock Follower Count (Live Follower Count) - RealTime TickTock

Emulator

https://www.tiktok.com/ | TikTok - Make Your Day
https://www.bignox.com/blog/tiktok-pc-noxplayer/ | Download Tik Tok on PC with NoxPlayer NoxPlayer
https://tik-tok.en.uptodown.com/android | TikTok 16.3.5 for Android - Download
https://apkpure.com/search?q=tiktok | tiktok search results | APKPure.com
https://apkpure.com/tiktok-musically/com.zhiliaoapp.musically | TikTok Musical.ly APK Download Free Media and Video app for Android | APKPure
https://github.com/sc1341/TikTok-OSINT | GitHub - sc1341/TikTok-OSINT: TikTok Open Source Intelligence Tool


6OSINTTinder.md

7/23/2021

OSINT Essentials - Tinder & Spoofing

One-Tab Bookmarks
https://tinder.com/ | Tinder | Dating, Make Friends & Meet New People
https://addons.mozilla.org/en-US/firefox/addon/location-guard/ | Location Guard – Get this Extension for 🦊 Firefox (en-US)
https://www.thispersondoesnotexist.com/ | This Person Does Not Exist


6OSINTTwitter.md

7/23/2021

OSINT Essentials - Twitter

Update: Adding the old "forgotten password" trick. Just keep in mind that it will give you a partial identifier and might notify the account owner, as with Facebook or any of the other platforms that support this tactic.

Investigating Twitter Accounts
Twitter remains a staple of OSINT due to its consistent popularity and the fact that people rarely privatize their content. One significant change over the last decade has been the shift away from sharing geolocation information, so know that less than 3% of Twitter users share their geolocation data. We use Twitter in three primary fashions:
1. We have a known target and are attempting to find their Twitter account to gain additional intelligence
2. We are given a Twitter account of interest and need to track it back to a real person
3. We are gathering intelligence regarding a past, current, or future event

1.1 Search & Operators

Example of using Google to search Twitter: site:twitter.com "target name" (as always, common names will be more difficult to sort through than unique ones)

- Twitter standard search page
- Twitter Advanced Search
- Twitter Directory

Twitter Search Operators:

- "to" and "from": from:empty_regrets
- Location search (as list): geocode:37.763946,-122.470816,1km "riot"
- Mandatory search uses quotes around the exact term: "bash the fash"
- OR operator: portland pd molitov OR gun OR bomb
- Date range: since:2019-10-01 until:2020-11-01 "bomb threat"
- From, with a date range: from:keeper_of_inns since:2021-03-01 until:2021-03-31
- Containing links: url:inteltechniques.com
- Mentioning: @keeper_of_inns
- Media and Likes: https://twitter.com/keeper_of_inns/media (adjust the profile URL by adding /media); https://twitter.com/keeper_of_inns/likes (adjust the profile URL by adding /likes)
- Cached: https://web.archive.org/web/*/twitter.com/apple
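As an added example (not from the lesson), a small Python helper that composes the operators above into one query string and rejects malformed dates, coordinates and radii before they are pasted into Twitter; the geocode form lat,long,radius with a km or mi suffix is Twitter's documented one, while the parenthesised OR group is an assumption matching what the Advanced Search form generates.

```python
"""Compose a Twitter search query from the operators in this lesson (added example)."""
import re
from datetime import date

# Radius for geocode: a number followed by km or mi, no spaces.
_RADIUS_RE = re.compile(r"^\d+(\.\d+)?(km|mi)$")


def _term(t):
    """Exact phrases are quoted so every word is mandatory; single words stay bare."""
    return f'"{t}"' if " " in t else t


def _iso_date(label, value):
    """since:/until: take YYYY-MM-DD; reject anything else before it reaches Twitter."""
    try:
        return date.fromisoformat(value)
    except ValueError as exc:
        raise ValueError(f"{label} must be YYYY-MM-DD, got {value!r}") from exc


def build_twitter_query(terms=(), any_of=(), from_user=None, to_user=None,
                        mentions=None, since=None, until=None,
                        geocode=None, link_domain=None):
    """Return the query string; every keyword argument maps to one operator above."""
    parts = [_term(t) for t in terms]
    if any_of:
        group = " OR ".join(_term(t) for t in any_of)
        # Parenthesise the OR group when it is combined with mandatory terms
        parts.append(f"({group})" if parts else group)
    if from_user:
        parts.append(f"from:{from_user.lstrip('@')}")
    if to_user:
        parts.append(f"to:{to_user.lstrip('@')}")
    if mentions:
        parts.append("@" + mentions.lstrip("@"))
    if since or until:
        d_since = _iso_date("since", since) if since else None
        d_until = _iso_date("until", until) if until else None
        if d_since and d_until and d_since > d_until:
            raise ValueError("since date is after until date")
        if d_since:
            parts.append(f"since:{d_since.isoformat()}")
        if d_until:
            parts.append(f"until:{d_until.isoformat()}")
    if geocode:
        lat, lon, radius = geocode
        if not (-90 <= lat <= 90 and -180 <= lon <= 180):
            raise ValueError("latitude/longitude out of range")
        if not _RADIUS_RE.match(radius):
            raise ValueError("radius must look like 1km or 5mi")
        # No spaces inside the operator value: geocode:lat,long,radius
        parts.append(f"geocode:{lat},{lon},{radius}")
    if link_domain:
        parts.append(f"url:{link_domain}")
    if not parts:
        raise ValueError("query needs at least one term or operator")
    return " ".join(parts)


if __name__ == "__main__":
    print(build_twitter_query(terms=["bomb threat"], from_user="keeper_of_inns",
                              since="2021-03-01", until="2021-03-31"))
    print(build_twitter_query(terms=["riot"], geocode=(37.763946, -122.470816, "1km")))
```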

1.2 Downloading Videos

Option 1: Use a third-party tool such as TWDown.net

Option 2: Dev Panel
1. Right-click next to the video (not on it) and select "Inspect"
2. Select Network
3. Type .m3u8 into the filter
4. Copy the .m3u8 link, open VLC, File -> Open Network Stream -> paste in the .m3u8 link and hit Play
5. Now hit Save/Convert at the bottom to save the video as an mp4

Option 3: Use youtube-dl (this is the preferred method and has its own module)
1. Open a command prompt in your youtube-dl directory (Desktop for some)
2. Type `youtube-dl URL` and hit Enter, where URL is your video address as copied from Twitter (right-click on the video and it will offer to copy the URL)
3. youtube-dl will download the video to the directory that you ran it from

1.3 Third Party Search & Analysis Sites

This section lists sites that can be used to search or analyze this type of data or platform.

- TweetBeaver - Twitter reporting tool
- Spoonbill - Twitter bio changes
- One Million Tweetmap - Some of the most recent one million tweets mapped
- Twitter map - Very few results
- Trendsmap - Mapping limited data
- All My Tweets - Clean display of all the user's posts on one screen
- Sleeping Time - Average time user sleeps
- FollowerWonk - Keyword search when name is common or unknown
- Twiangulate - Use if TweetBeaver is unavailable. Filters friend and follower data.
- Twitonomy - Comprehensive profile analytics
- Tinfoleak - Analytics and reporting tool
- Foller - Posting patterns
- Tweet Topic Explorer - Grabs recent tweets and creates a word cloud
- Aware online - Twitter search tool on Aware-online.com
- Thread reader - Display by thread
- Social Bearing - Pretty graphical and CSV reporting
- Mention Map - Analytics
- Best Hashtags - Hashtag associations
- Fake Followers detection - Spark Toro, Twitter Audit

1.4 Scripts & Advanced Tools

Scripts and/or programs for more advanced search and analysis. This address will be slightly different for you:

G:\Tools\yourcustomofflinetools\twitter.html

- GitHub - Twint - Twitter collection script
- Google CSE Example

1.5 Deleted Tweets

Option 1: check search engine (Google, Yandex) caches for the tweet
Option 2: check archive.org with a URL structure of: https://web.archive.org/web/*/twitter.com/accountname

1.6 Tweetdeck

Tweetdeck is covered thoroughly in the Events Module, as the streaming nature of the data makes it most useful for tracking live or upcoming events. Because it is owned by Twitter, it has longevity and deep data access as a tool; most third-party Twitter "intel" tools were cut off from the data firehose years ago.

- TweetDeck - Rolling column-based dashboard, owned by Twitter and useful for monitoring events

1.7 Additional Resources

Sites, write-ups, and walkthroughs. These are not specific tools, but rather collections of tools or articles.

- GitHub - Twitter Search Operators
- The Best Twitter Search Tricks, 2020 - Collection of Twitter search tactics
- Mine Twitter for Targeted Info with Twint Example, 2019 - Twint example
- Twint an OSINT Tool for Collection on Twitter at Wholesale, 2019 - Another Twint walkthrough
- How to Search for Twitter List on Google, 2020 (video) - Searching for lists on Google by FirstDraft
- Trufan.io (Social Rank) - Twitter analytics

1.8 One-tab Bookmarks

- https://twitter.com/search-advanced
- https://twitter.com/i/directory/profiles | cumbersome tool, but allows you to browse through profiles alphabetically
- https://twitter.com/[username]/media
- https://twitter.com/[username]/likes
- https://twdown.net/ | video downloader
- https://spoonbill.io | twitter bio changes
- https://tweetbeaver.com | twitter reporting tool
- https://onemilliontweetmap.com | most recent one million tweets on an international map
- https://allmytweets.net | clean display of all the users' posts on one screen
- https://sleepingtime.org | average time user sleeps
- https://followerwonk.com | keyword search when name is common or unknown
- https://twiangulate.com | use if TweetBeaver is unavailable. Filters friend and follower data
- http://best-hashtags.com | hashtag associations
- Fake Followers: distinguish authentic profiles from fake
  - https://sparktoro.com
  - https://twitteraudit.com
- https://twitonomy.com | comprehensive profile analytics
- https://trendsmap.com | top keywords posted as well as heat map for peak usage
- https://tinfoleak.com | analytics and reporting tool
- https://foller.me | posting patterns
- https://tweettopicexplorer.neoformix.com | grabs recent tweets and creates a word cloud
- https://socialbearing.com | comprehensive graphical and csv reporting
- https://analytics.mentionmapp.com/modules/free/ | analytics
- https://tweetdeck.twitter.com | rolling column-based dashboard, owned by Twitter and useful for monitoring events
- https://www.aware-online.com/en/osint-tools/twitter-search-tool/ | Twitter search tool on Aware-online
- https://twitter.com/explore
- https://threadreaderapp.com/ | display by thread
- https://github.com/twintproject/twint | Twitter collection script
- https://github.com/igorbrigadir/twitter-advanced-search | Twitter search operators
- https://www.labnol.org/internet/twitter-search-tricks/13693/ | collection of Twitter search tactics
- https://web.archive.org/web/*/twitter.com/accountname | deleted tweets
- https://twitter.com/atmdtrack | example target account


7OSINTImages.md

7/23/2021

OSINT Essentials - Images

Utilizing Images During Investigations

Here are a few typical use cases for image analysis during an OSINT investigation:

1. Image Search - search using keywords to quickly scan pages of images that may indicate pertinent sites
2. Reverse Image - locating other instances of that image on the internet in order to locate other accounts and pages associated with your target
3. Image Metadata - recover EXIF data from images that may indicate the source or contain other clues as to the person or device that captured/generated the image
4. Identify Fakes - detect and identify modified/altered images that may have been used to commit fraud or obscure the identity of a target
5. Undercover Accounts - defensive analysis for our own accounts and communications

1.1 Primary Search Engines

With the exception of TinEye, the major search engines support both keyword image search and reverse image search. If you have trouble isolating images, utilize the "Inspect" function in your browser context menu.

- Google Images
- Bing Images
- Google Reverse Image Search
- Bing Reverse Image Search
- TinEye Reverse Image Search
- Yandex Images
- Baidu Images

The below are examples of direct links for the image at https://inteltechniques.com/img/EP3D.png

- Google Direct URL: https://www.google.com/searchbyimage?site=search&sa=X&image_url=https://inteltechniques.com/img/EP3D.png
- Bing Direct URL: https://www.bing.com/images/search?view=detailv2&iss=sbi&q=imgurl:https://inteltechniques.com/img/EP3D.png
- TinEye Direct URL: https://www.tineye.com/search/?url=https://inteltechniques.com/img/EP3D.png
- Yandex Direct URL: https://www.yandex.com/images/search?rpt=imageview&url=https://inteltechniques.com/img/EP3D.png&rpt=imageview
- Baidu Direct URL: https://graph.baidu.com/upload?image=https%3A%2F%2Finteltechniques.com%2Fimg%2FEP3D.png
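The direct-link templates above can be generated for any image with a few lines of Python; this is an added example for your own custom offline tool, not code from the lesson. It percent-encodes the whole image URL (so a query string in the image address cannot be read as the engine's own parameters) and refuses local paths and private hosts, since every engine fetches the image itself; the example.invalid host is constructed.

```python
"""Build direct reverse-image-search URLs for a public image (added example)."""
from urllib.parse import quote, urlparse


def reverse_image_urls(image_url):
    """Return {engine: direct search URL} for the five engines in the lesson.

    Every engine downloads the image from the URL you give it, so the URL
    must be a public http(s) address: a local file path or a host on your
    own network will simply fail at the engine. The address is encoded in
    full so that ?w=800&v=2 inside it stays part of the image URL.
    """
    parsed = urlparse(image_url)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        raise ValueError(f"need a public http(s) image URL, got {image_url!r}")
    host = parsed.hostname or ""
    if host in ("localhost", "127.0.0.1") or host.endswith(".local"):
        raise ValueError("search engines cannot fetch an image from a private host")
    encoded = quote(image_url, safe="")  # ':' '/' '?' '=' '&' all become %XX
    return {
        "google": f"https://www.google.com/searchbyimage?site=search&sa=X&image_url={encoded}",
        "bing": f"https://www.bing.com/images/search?view=detailv2&iss=sbi&q=imgurl:{encoded}",
        "tineye": f"https://www.tineye.com/search/?url={encoded}",
        "yandex": f"https://www.yandex.com/images/search?rpt=imageview&url={encoded}",
        "baidu": f"https://graph.baidu.com/upload?image={encoded}",
    }


def onetab_export(image_url):
    """Format the links as 'url | title' lines, the one-tab style used in these notes."""
    links = reverse_image_urls(image_url)
    return "\n".join(f"{url} | {engine} reverse search" for engine, url in links.items())


if __name__ == "__main__":
    print(onetab_export("https://inteltechniques.com/img/EP3D.png"))
```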

1.2 Secondary Image Search Sites


- Karma Decay
- Root About
- Wolfram Image Identification Project
- Pictriev
- Flickr
- Flickr Map
- Flickr API Key

1.3 Exif Data & Forensics

- Jeffrey's Exif Viewer
- Camera Trace
- Online Barcode Reader
- Foto Forensics
- Forensically

1.4 Resources

Sites and Software

I'll complete the rest of the doc. A lot of these tools break often because a lot of effort goes into building and maintaining them.

- OSINT Combine 3rd party Tool
- Search by Image - Google Chrome Store
- YouTube Video: Search Google Images by face tutorial #osint
- RevEye Reverse Image Search - Google Chrome Store
- GitHub: Filename Fingerprinting
- Exif Tool
- Email to Flickr Account Tutorial

1.5 One-Tab Bookmarks

Lesson Examples

- https://smallseotools.com/reverse-image-search/ | Reverse Image Search - Find Similar Photos Online
- https://www.pic2map.com/ | Photo Location & Online EXIF Data Viewer - Pic 2 Map
- https://twipho.net/ | twipho - Twitter photo search
- https://twicsy.com/ | Top Twitter Pic Trends and Users | Twicsy - Twitter Picture Discovery
- http://www.errorlevelanalysis.com/ | Image Forensics : Error Level Analysis
- http://fotoforensics.com/ | FotoForensics
- http://suncalc.net/#/39.739,-104.984,12/2018.09.03/06:17 | SunCalc - sun position, sunlight phases, sunrise, sunset, dusk and dawn times calculator
- https://my.pixsy.com/ | https://my.pixsy.com/
- http://youtube.github.io/geo-search-tool/search.html | Geo Search Tool
- https://www.newocr.com/ | Free Online OCR - Convert JPEG, PNG, GIF, BMP, TIFF, PDF, DjVu to Text
- https://newsinitiative.withgoogle.com/training/course/verification | Google News Initiative Training Center


- https://www.bellingcat.com/resources/how-tos/2017/10/17/conduct-comprehensive-video-collection/ | bellingcat - How to Conduct Comprehensive Video Collection bellingcat
- https://firstdraftnews.org/en/education/curriculum-resource/2-google-reverseimage/ | First Draft News
- https://archiving.witness.org/archive-guide/ | WITNESS Archiving | The Activists' Guide to Archiving Video
- https://citizenevidence.amnestyusa.org/ | Extract Meta Data


7OSINTInstallYoutubeDlffmpeg.md

7/23/2021

OSINT Essentials - Youtube-DL Installation

Update 08/28/2020: Reminder to run your terminal as admin (right-click and Run as administrator). Python users: check your selections during installation; I've added images to the bottom of this document to reflect recommended choices during Python installation.

Updated Installation on Mac, Windows, & Linux

Youtube-DL and FFmpeg are the power duo that let you download just about any video and play it, convert it, etc.

Youtube-DL: Youtube-DL has installation packages for Windows and Mac that include any file dependencies, so installation in those environments could not be easier. If you are a Linux user, we will address installation and use of Youtube-DL in detail during our Linux and VM modules.

FFmpeg: You will also want FFmpeg, which is an open source set of video codecs that will not only improve the functionality of Youtube-DL, but will also dramatically increase the likelihood that you can play various odd video formats on your workstation using VLC or another player.

1.1 Mac – Using Homebrew

The easiest install method will be using Homebrew (https://brew.sh/).

1. Open a terminal: cmd+space and type terminal.app. Optional: add Terminal to your Dock by right-clicking the Terminal icon on your Dock and selecting Options > Keep in Dock
2. Paste into your open terminal: `/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh)"`
3. Hit Enter and follow the prompts; it will ask for your password, and when it asks you to hit Enter again, do so. Homebrew is now installed.
4. Type into the terminal: `brew install youtube-dl`
5. Install FFmpeg: `brew install ffmpeg`
6. Command format for youtube-dl: `youtube-dl 'URL'`. Example: `youtube-dl 'https://www.youtube.com/watch?v=NhOkYXB2_QQ'`
7. Alternate format: `youtube-dl [URL] -f 'bestvideo[height=720]+bestaudio'`
8. Downloading an entire playlist: `youtube-dl -cit 'youtube-playlist-url'`. Options: -c continue the download, -i ignore errors, -t with titles. Example: `youtube-dl -cit 'https://www.youtube.com/watch?v=YTJr5bMWVyo&list=FL3yZCVcmtU79KR5gXOp6rhQ'`
9. Default download folder: to bring up the home folder simply go to Finder > Go > Home or press the keyboard shortcut CMD + Shift + H
10. Troubleshooting: If you get a permission error, try: `sudo install -d -o $(whoami) -g admin /usr/local/Frameworks`. If you get a permissions error, a second possible fix: `sudo chmod a+rx /usr/local/bin/youtube-dl`

- Youtube-dl, download Youtube videos on the Mac, 2019 (Installation Guide #1)
- How to Install YouTube-dl on Mac, 2018 (Installation Guide #2)
- youtube-dl cheatsheet, 2020
- How to Open the Terminal on a Mac, 2020

1.2 Windows – Python Method

The advantage of using Python to drive Youtube-dl is that it will run from any location on your workstation without editing environment variables (see section 1.3). It is also independent of your C++ distribution, so one less thing to update.

1. Install Python from https://www.python.org/downloads/windows/ (currently 3.8.5) if you don't already have a different version. Download and install the Windows x86-64 executable installer at the bottom of the page.
2. Install youtube-dl: `pip install --upgrade youtube-dl`
3. Upgrade (patch) pip: `python -m pip install --upgrade pip`
4. Install FFmpeg: `pip install --upgrade ffmpeg`
5. To update youtube-dl and ffmpeg in the future just type and run in the terminal: `pip install --upgrade youtube-dl && pip install --upgrade ffmpeg`

1.3 Windows – C++ Executable Package Method


1. Standard Installation: Download youtube-dl.exe from the link provided above and place it on your Desktop or in another logical directory. Right-click on the exe file and select Run as administrator. If you get a warning window, select "More" and "Run anyway".
2. To Run the Script: Click on the location bar in Windows Explorer, type "cmd" and hit Enter. This will open a command prompt in that same directory. Another option is to hold down Shift while right-clicking in the Windows Explorer window and then choosing Open command prompt here or Open PowerShell here.
3. Use the following command with your full video URL and hit Enter to download your target video: `youtube-dl https://www.youtube.com/watch?v=yOhGkZ4U4lI`

4. When using the C++ version of youtube-dl, the executable must be run from the current working directory in the terminal unless you set environment variables, which you can do with these steps:
   1. Create a folder called "path" on your C: drive
   2. In your locator bar search for "edit environment variables"
   3. Open the Environment Variables panel, click on Path in the bottom window and hit "Edit"
   4. Click on "New" and type C:\path into the line
   5. Click OK three times to exit the open windows
5. Now use the C:\path folder to install any scripts that you want to be able to run system-wide from the terminal. Paste youtube-dl.exe and the contents of your FFmpeg bin directory into your path folder.


Note: you can use other directory locations, such as on your investigative drive; just add the paths in the same manner, substituting your preferred directory location such as G:\tools. For FFmpeg you could repeat the steps above and add the location of your bin folder as a path, or just paste the contents of your FFmpeg bin folder into C:\path\

1.4 Linux

Linux is the easiest and best way to run youtube-dl and/or FFmpeg. These are the Ubuntu 20.04 instructions, but you can find steps for other versions here:

1. Update your package list: `sudo apt update`
2. Install using pip. Install python3-pip if you do not already have it: `sudo apt-get -y install python3-pip`. Install youtube-dl: `sudo pip3 install --upgrade youtube-dl`
3. Alternatively, you can install using apt-get: `sudo apt-get install youtube-dl`
4. Update youtube-dl: `sudo youtube-dl -U` (if you used apt-get) or `sudo pip3 install --upgrade youtube-dl` (if you used pip3)
5. Install FFmpeg: `sudo apt install ffmpeg`

Note: Excellent tutorial on Linux for beginners: Ryan's Tutorials - Linux Tutorial

Youtube-DL most used commands:

- Download in best quality: `$ youtube-dl -f best URL`
- Resume unfinished download: `$ youtube-dl -c URL`
- List available video files and formats: `$ youtube-dl -F URL`
- Ignore failed downloads and move on to the next file: `$ youtube-dl -i URL`
- Download with subtitles: `$ youtube-dl --all-subs URL`
- Pull the link to the stream, usually with an m3u8 file extension: `$ youtube-dl -g URL`
- Download .mp3 audio: `$ youtube-dl -x --audio-format mp3 URL`
- Download videos from all pages listed in the referenced text file: `$ youtube-dl -a url.txt`
- Download video with description, metadata, annotations, subtitles and thumbnail: `$ youtube-dl --write-description --write-info-json --write-annotations --write-sub --write-thumbnail URL`

YouTube DL and FFMpeg Additional Tools & Resources One Tab Links

- https://ryanstutorials.net/linuxtutorial/ | Linux Tutorial for Beginners - Learn Linux and the Bash Command Line
- http://blog.gregzaal.com/how-to-install-ffmpeg-on-windows/ | FFMpeg install windows 10
- https://github.com/TheFrenchGhosty/TheFrenchGhostys-YouTube-DL-Archivist-Scripts | Youtube-DL Archive Scripts
- https://windowsreport.com/download-install-ffmpeg-pc/ | How to download and install FFmpeg on Windows 10
- https://www.reddit.com/r/youtubedl/comments/dzj0mr/youtubedl_the_complete_installation_guide_for/ | youtube-dl : The complete installation guide for Windows : youtubedl
- https://ytdl-org.github.io/youtube-dl/download.html | youtube-dl: Download Page
- https://jeangalea.com/how-to-download-youtube-videos-on-mac-via-keyboard-shortcut-with-youtube-dl/ | How to Download YouTube Videos on Mac
- https://techwiser.com/how-to-install-youtube-dl-on-mac/ | How to Install YouTube-dl on Mac | TechWiser
- https://www.applevis.com/guides/youtube-dl-download-youtube-videos-mac | Youtube-dl, download Youtube videos on the Mac | AppleVis
- https://medium.com/better-programming/12-terminal-tips-and-tricks-using-macos-and-homebrew-4e89c2ccb2fb | 12 Terminal Tips and Tricks Using macOS and HomeBrew
- https://www.thewindowsclub.com/how-to-install-ffmpeg-on-windows-10 | How to install and use FFmpeg on Windows 10
- https://github.com/adaptlearning/adapt_authoring/wiki/Installing-FFmpeg | Installing FFmpeg · adaptlearning/adapt_authoring Wiki · GitHub
- https://www.idiotinside.com/2016/05/01/ffmpeg-mac-os-x/ | Installing ffmpeg on Mac OS X - IdiotInside.com
- http://macappstore.org/ffmpeg/ | Install ffmpeg on Mac OSX Mac App Store
- https://www.wikihow.com/Install-FFmpeg-on-Windows | How to Install FFmpeg on Windows (with Pictures) – wikiHow
- https://linuxconfig.org/ubuntu-20-04-ffmpeg-installation | Ubuntu 20.04 FFmpeg installation LinuxConfig.org
- https://linoxide.com/linux-how-to/install-use-youtube-dl-ubuntu/ | How to Install and Use YouTube-DL on Ubuntu 18.04


- https://snapcraft.io/youtube-dl | Install youtube-dl for Linux using the Snap Store | Snapcraft


7OSINTStreamCapture.md

7/23/2021

OSINT Essentials - Streaming Video Capture

Intro and Use Case

Capturing streaming video is an essential capability when monitoring live events or collecting data/evidence on a target that utilizes some of the newly popular online video platforms. Some of our existing tools/techniques are capable of downloading the video once the stream has ended, but capturing the video in real time requires a slightly different approach. Here are three solid methods of capturing live stream video.

1.1 Isolating the Stream URL

Locate the stream (one of the most common formats is HLS, file extension .m3u8).

Method One: open the browser dev panel (CTRL + SHIFT + i or F12) -> Network tab -> type .m3u8 into the filter field -> reload the page (F5) -> copy the link. Tip: on the timeline in the dev panel, look for a long blue line and isolate it; this will narrow down the results to your stream.

Method Two: Firefox Stream Detector, Chrome HLS Downloader

Method Three: StreamLink

Examples to test on:

- NASA Live: Official Stream of NASA
- LiveBitcoinPrice - Twitch
- Crittervision
- Explore.org multiple live cams
- Facebook - Live video page

1.2 VLC

VLC is our preferred open source video player.

- Enabling the record button: View > Advanced Controls
- Adding a stream: Media > Open Network Stream > paste in the URL > click Play or Convert

1.3 YouTube-dl

Youtube-DL recording: use the following command and then hit CTRL+C to stop.

Command:

`G:\>youtube-dl URL`

Example:

`G:\>youtube-dl https://www.twitch.tv/crittervision`

- Google Search: youtube-dl m3u8
- Stack Overflow: How do you use youtube-dl to download live streams (that are live)?

1.4 FFMPEG

FFMPEG VideoHelp Forum: How to use ffmpeg to simultaneously download and play with VLC

Command:

`ffmpeg -protocol_whitelist "concat,file,subfile,http,https,tls,rtp,tcp,udp,crypto" -allowed_extensions ALL -i sourceurl.m3u8 -c copy savedfilename.mp4`

or

`ffmpeg -i "http://example.com/video_url.m3u8" -c copy -bsf:a aac_adtstoasc "output.mp4"`

Note: Remember that FFMPEG is powering most of the other scripts used here.

1.5 StreamLink

Streamlink is a script that isolates the HLS stream and feeds it to VLC (assuming that is your default media player).

1. Install StreamLink for your platform; my example is Windows. https://streamlink.github.io/cli.html
2. Locate your StreamLink installation directory and then open the bin folder. For me that was: C:\Program Files (x86)\Streamlink\bin
3. Hold down Shift and right-click in the bin folder to bring up the context menu. Open a CMD or PowerShell terminal to that folder. Alternatively, you can just open a terminal and then navigate to the bin folder using terminal commands. In my example this command would be:

`cd C:\Program Files (x86)\Streamlink\bin`

Now just type streamlink, a space, the URL, and the quality:

`C:\Program Files (x86)\Streamlink\bin> streamlink twitch.tv/channel quality`

This will make the script search that video page for a stream link, and if it finds one it will feed it to your default media player, in my case VLC. My exact example command:

`C:\Program Files (x86)\Streamlink\bin> streamlink https://www.twitch.tv/crittervision best`

If streamlink does not detect VLC as your default media player you can change it in your Windows settings (Windows Start menu -> Default apps -> change video player to VLC), or the following additional option will force it to use VLC as long as it is installed:

`C:\Program Files (x86)\Streamlink\bin> streamlink -p VLC https://www.twitch.tv/crittervision best`

The downloaded files will end up in your bin folder, which you should already have open. There are additional features and commands; read through the developer docs to get more power and control. There is also a config file where you can tweak things such as the output format and location. The example in the video is just the bare basics. The Twitch GUI application uses StreamLink as its engine and has an install wizard, so just follow those steps and the video instructions.

StreamLink Resources:

- Command-Line Interface — Streamlink 1.5.0 documentation
- Installation — Streamlink 1.5.0 documentation
- Release Streamlink 1.5.0 · streamlink/streamlink · GitHub
- Streamlink-twitch-gui

1.6 Screen Capture

- ShareX - Open source Windows capture
- How to record the screen on your Mac - Capture with QuickTime on Mac
- OBS Studio - Cross-platform screen recording
- 5 Best Ubuntu Screen Recorders for Every User - Linux recording options

Installing OBS on Ubuntu:

```
$ sudo add-apt-repository ppa:obsproject/obs-studio
$ sudo apt-get update
$ sudo apt-get install obs-studio
```

Installing Kazam on Ubuntu:

```
$ sudo apt-add-repository ppa:sylvain-pineau/kazam
$ sudo apt-get update
$ sudo apt-get install kazam
$ sudo apt-get upgrade
```

1.7 One Tab Bookmarks Remember: Capturing raw stream data is always better than doing a screen capture using ShareX, QuickTime, or other software, but we want to have screen recording tools ready as a backup option.


7OSINTVideoCaptureMatrix.md

7/23/2021

OSINT Essentials - Fast Video Capture

Update from the trenches (11/2/2020): So as I work the elections I am noticing that FB is doing some funkiness on the back end of certain videos. YTDL and all other tools are erroring out on some but not all static videos. It has happened to me three times today. A quick workaround if you run into this: replace www. with m. to force the URL into mobile view. Then click on the Video Download Helper extension and it will now let you download it. If you want the URL to pull another way, click on the three dots in the VDH extension next to the video and then choose "Details" and the URL will be in the list. Kind of a messy fix, but it is a working duct-tape solution if anyone is in a pinch to get a video.

Keeping it simple

We have a few different "go-bys" for preserving online video, and this one is for people who want a very simple, no-frills chart. It is intended for use with a dedicated capture directory, and a sample folder is provided at the bottom of the lesson.

1.1 Tactics by Platform

| Platform | Static (Not Live) | Live Streams |
| --- | --- | --- |
| Youtube | Bat File: ytdl.bat; Extension: VDH (FF) | Bat File: ytdl.bat; Note: ctrl-c to stop the capture |
| Twitch | Bat File: ytdl.bat; Extension: VDH (FF, Chrome) | Bat File: ytdl.bat; Note: ctrl-c to stop the capture |
| Facebook | Bat File: ytdl.bat; Extension: VDH (FF, Chrome) | VLC: Media > Open Network Stream; SLB: Use SD to find SLB stream URL; Note: .mpd |
| Instagram | Bat File: ytdl.bat; Extension: VDH (FF), IGD (Chrome) | VLC: Media > Open Network Stream; SLB: Use SD to find SLB stream URL; Note: .mpd |
| Twitter & Periscope | Bat File: ytdl.bat; Extension: VDH (FF, Chrome) | Bat File: ytdl.bat; Note: ctrl-c to stop the capture |
| Vimeo | Bat File: ytdl.bat; Extension: VDH (FF, Chrome) | Bat File: ytdl.bat; Note: ctrl-c to stop the capture |
| TikTok | Bat File: ytdl.bat; Extension: VDH (FF, Chrome) | Use an Emulator or Burner; Capture: emulator or burner screen recording |
| ALL Platforms | | |

Legend:

- FF = Firefox
- SD = hls-stream-detector
- VDH = Video Download Helper
- VLC = VLC Media Player
- IGD = Instagram Downloader
- SLB = Streamlink .bat file

1.2 Recommended Tools

Recommended video preservation tools for Windows users are listed here, but before you download them individually and slog through the manual install process, please read section 1.3 for a better way to install most of them very quickly.

- Batch Files - The provided "capture" directory contains .bat files which are titled to match the chart in section 1.1. Feel free to further customize the scripts.
- Stream Detector - Also known as hls-stream-detector, this is an extension for Firefox which attempts to identify live video URLs. https://github.com/rowrawer/stream-detector/ https://addons.mozilla.org/en-US/firefox/addon/hls-stream-detector/
- Youtube-DL - You will need Youtube-DL, which is included in the capture folder attached to this lesson. Use the exe version if you are on Windows and place it in the same directory where you plan to download videos. Windows Youtube-DL, Linux/Mac Youtube-DL
- FFmpeg - You will need FFmpeg, which is included in this folder or downloadable at the link below (extract and copy the contents of the bin folder into your chosen directory). Windows FFmpeg
- VLC - Great media player that uses FFmpeg codecs and supports stream capture via the network stream and record functions. Toggle on View > Advanced Controls for the record button. Windows VLC
- Streamlink - Livestream capture only; remember to hit ctrl-c to kill it and stop the download. With Streamlink we have the Streamdetector extension generate the full command (not just the URL) via the menu on the top right of the Streamdetector interface. Windows Streamlink. Command example:

`F:\>streamlink -o filename.mp4 URL best`

- ShareX - ShareX is our preferred screen capture for Windows. Screen capture and recording is not as good as ripping the data stream but is better than nothing. Full version of ShareX, Portable version of ShareX

Browser Extensions

- Stream Detector (FF Only)
- DownLoadHelper (FF or Chrome)
- Downloader for Instagram (Chrome)
- Twitter Media Downloader (Chrome)

Note: Some of these scripts and programs work best if you place them together in the directory where you intend to run them. On Windows specifically you need to do one of three things to ensure these items work properly:

1. Youtube-dl and all files from the FFmpeg/bin folder must be placed in the directory where you intend to use them (as they are in the provided capture directory).
2. Install Youtube-dl and FFmpeg using Chocolatey (see below)
3. Set environment paths: https://danclowry.com/blog/youtube-dl-windows-install/

1.3 Installing Tools in Terminal (Recommended)

The best way to install these scripts on Windows is to use Chocolatey. Chocolatey is a package manager for Windows that makes it quite easy to install some of our favorite scripts from the command line. Start by opening a command prompt as administrator: type cmd into the locator bar, right-click on Command Prompt and select Run as administrator.

Paste in the following command and hit Enter:

`@"%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))" && SET "PATH=%PATH%;%ALLUSERSPROFILE%\chocolatey\bin"`

Note: You will want to restart your terminal (again as admin) prior to installing any of the following additional programs. You can also install from PowerShell directly but the command is slightly different. That command is listed in the ChocolateyAndBrewInstallCommands-11.2020.txt file at the bottom of this lesson. Python - Is a prerequisite for some of the other scripts:

F:\>choco install python

FFmpeg - Install ffmpeg with Chocolatey:

F:\>choco install ffmpeg

Youtube-dl - Install youtube-dl with Chocolatey:

F:\>choco install youtube-dl

VLC - Install VLC with Chocolatey:

F:\>choco install vlc

Streamlink - Install Streamlink as a backup livestream downloader:

F:\>choco install streamlink

ShareX - Screen capture and recording software:

F:\>choco install sharex

All Video Tools - Install Python, Youtube-dl, ffmpeg, VLC, Streamlink and ShareX with one command:

F:\>choco install python youtube-dl ffmpeg vlc streamlink sharex

Consider adding a cmd shortcut setup to run as administrator. This site shows how to do it.


1.4 Mac Steps

Mac is a Unix-based operating system, so it handles scripts well and with fewer steps. Similar to Chocolatey on Windows, we can use Brew to set up all of our tools.

1. Installing Brew (Open Terminal - Control + Option + Shift + T):

ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

2. Close and reopen your terminal and then use this command to install your tools:

brew install python youtube-dl ffmpeg vlc streamlink

Screen capture: QuickTime is the best native screen recording for Mac. Hotkey: Shift + Command (⌘) + 5

1.5 Livestreams

There are some challenges unique to capturing livestreams. Most platforms break the streams up into several files, and if you do not grab the correct master file (and in some cases a header) you may only get a tiny unusable file instead of a flowing stream of video files.

- Filetypes: DASH and HLS are the most common streaming protocols. You will typically be looking for a .m3u8, .mpd, or possibly a .ts
- URLs: Isolating the correct .m3u8, .mpd, or .ts URL can be challenging. It can be done via the developer panel, but the easiest way is using the HLS Stream Detector extension on Firefox as listed in earlier sections.
- Stopping the Capture: Once a live stream is being successfully captured you will see the terminal constantly load more text. To stop the capture, click in the terminal window and hit ctrl-c, which will end the capture; your file will be waiting for you in the capture folder.
- VLC: If all else fails, attempt to feed the URL to VLC via the Open Network Stream option under the Media tab. If it works you can use the recording feature to capture the stream in VLC as an mp4.
- Facebook and Instagram: Youtube-DL actually handles most livestreams well, but Facebook and Instagram streams in particular are captured most successfully using Streamlink. As mentioned above, use the Streamdetector extension to generate a Streamlink command for the file URL. See the video for reference.
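Both the "Isolating the Stream URL" steps in the stream capture lesson and the master-file warning above come down to telling an HLS master playlist (which lists variant streams) from a media playlist (which lists segments) and picking the right variant with its full URL. The Python below is an added example, not part of the lesson or of any tool it names; the playlist text and the cdn.example.invalid host are constructed sample data.

```python
"""Tell an HLS master playlist from a media playlist and pick the best variant (added example)."""
import re
from urllib.parse import urljoin

# Constructed sample of what a master .m3u8 looks like once fetched from the
# URL isolated in the dev panel or by the stream-detector extension.
SAMPLE_MASTER = """#EXTM3U
#EXT-X-VERSION:3
#EXT-X-STREAM-INF:BANDWIDTH=800000,RESOLUTION=640x360,CODECS="avc1.4d401e,mp4a.40.2"
360p/index.m3u8
#EXT-X-STREAM-INF:BANDWIDTH=2800000,RESOLUTION=1280x720,CODECS="avc1.4d401f,mp4a.40.2"
720p/index.m3u8
#EXT-X-STREAM-INF:BANDWIDTH=5000000,RESOLUTION=1920x1080
https://cdn.example.invalid/live/1080p/index.m3u8
"""

# Constructed sample of a live media playlist: segments, no EXT-X-ENDLIST.
SAMPLE_MEDIA = """#EXTM3U
#EXT-X-TARGETDURATION:6
#EXT-X-MEDIA-SEQUENCE:1042
#EXTINF:6.0,
seg1042.ts
#EXTINF:6.0,
seg1043.ts
"""

# Attribute list parser: values may be quoted and contain commas (CODECS).
_ATTR_RE = re.compile(r'([A-Z0-9-]+)=("[^"]*"|[^,]*)')


def parse_attributes(attr_text):
    """Turn 'BANDWIDTH=800000,CODECS="a,b"' into a dict with quotes stripped."""
    return {key: value.strip('"') for key, value in _ATTR_RE.findall(attr_text)}


def classify_playlist(text):
    """master: lists variant streams; live/vod: lists segments (vod ends with EXT-X-ENDLIST)."""
    if "#EXT-X-STREAM-INF" in text:
        return "master"
    if "#EXTINF" in text:
        return "vod" if "#EXT-X-ENDLIST" in text else "live"
    return "unknown"


def parse_master(text, base_url):
    """Return one dict per variant, with its URI resolved against the master's URL.

    Copying a bare relative URI such as 360p/index.m3u8 is a common cause of
    the 'tiny unusable file': it has to be joined to the master playlist's base.
    """
    variants = []
    pending = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#EXT-X-STREAM-INF:"):
            pending = parse_attributes(line.split(":", 1)[1])
        elif line and not line.startswith("#") and pending is not None:
            pending["URI"] = urljoin(base_url, line)
            variants.append(pending)
            pending = None
    return variants


def best_variant(variants):
    """Highest BANDWIDTH wins; this is the URI to hand to VLC, ffmpeg or streamlink."""
    return max(variants, key=lambda v: int(v.get("BANDWIDTH", 0)))


if __name__ == "__main__":
    master_url = "https://cdn.example.invalid/live/master.m3u8"  # constructed
    print(classify_playlist(SAMPLE_MASTER), classify_playlist(SAMPLE_MEDIA))
    for v in parse_master(SAMPLE_MASTER, master_url):
        print(v.get("RESOLUTION"), v["URI"])
    print("best:", best_variant(parse_master(SAMPLE_MASTER, master_url))["URI"])
```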

1.6 Additional Resources

If you have any trouble, consider going through my other videos covering video capture. The goal is to give you several approaches and build some depth of understanding so that it is easier to problem solve. These platforms change how they embed the files often, so it is not unusual to have to tinker when things don't work quite how they should. The other related course videos are in the Photos and Videos section.


7OSINTYouTube.md

7/23/2021

OSINT Essentials – YouTube

YouTube Investigation & Collection - https://YouTube.com/

YouTube is one of the most common platforms that we deal with during investigations, and at times it is where the case begins. Previous lessons provided tactics for video capture in general; this module covers YouTube specifically. If you need to turn a YouTube channel upside down to see what falls out, the resources and steps detailed here will allow you to do exactly that.

Capture for Preservation: One of the most common requests I receive specific to YouTube is a capture request. If there is evidence of a crime or critical intelligence on a YouTube page, the investigator may intend to serve Google with a preservation request. This usually precedes a subpoena or warrant and asks that Google retain any data related to that channel or user. This is to prevent loss of evidence should the user or Google decide to delete the channel or any content. This process is not immediate and is not always an option, so we need to be able to conduct an immediate capture of the YouTube channel and all videos on our own. This is our insurance should something get deleted prior to obtaining it through legal service; in cases where legal requests are not possible, this may be our evidence or intelligence end product. Note: If you are just doing a quick capture across many platforms, also see the [general media capture] module.

Target Profiles: Many people have YouTube channels, and we can see a person's interests and personality, which gives us insight and context into who they are and helps us be more efficient and successful in our research. Many times users will link other social media accounts or push e-commerce affiliate promotions on their YouTube pages. We can run reverse searches on their images and videos and search through the videos themselves for content and leads that the user unintentionally includes, maybe in the background of the shot. I once had a threat suspect who monologued his manifesto on his bus ride home from work, and the combination of visual and audio clues in the background not only led us to his home address, but provided great evidence for inclusion in the search warrant affidavit.

Event Livestreams: Although there are many other popular livestreaming platforms, some groups of interest continue to host their streams and events on YouTube. This can be a source of event intelligence in the days preceding and real-time intel during the event. I have found the cultural and age demographics for livestreaming on YouTube to be a wide spectrum, although younger people are more often on Twitch, Mixer, TikTok, and Instagram. The people who use YouTube to livestream generally do not care about anonymity, do not want to pay to stream, seek a large widespread audience, and/or have a reasonably low level of comfort with technology. These are only very general trends, so learning the culture and habits of your target group may show a deviation from the overall demographics.

1.1 YouTube.com – Investigative Approach

YouTube is owned by Google, which is important to keep in mind as we go about using it to gather intelligence and/or evidence. These are steps that can be used for most YouTube investigations. Skip any that do not apply to your mission or agency.

1. Preservation - If you are Law Enforcement/Gov, consider a preservation letter to Google requesting that they retain all channel and user account data. If you have not submitted legal requests to Google previously, you will need to sign up with your agency credentials at https://lers.google.com/signup_v2/landing. (Remember to conduct overt agency business and legal requests on a workstation that is air-gapped from your undercover workstation - see Module – Operational Security). If you require other contact information or sample templates for legal requests, two good resources are: https://www.search.org/resources/isp-list/ & https://www.nw3c.org/investigative-resources. The official LE contact address is [email protected].

2. Capture - We want to capture the YouTube channel data and videos in time. See the Locating Videos section for detailed steps, but at its core we are going to save every page as a pdf and rip all videos at the highest resolution possible. We are going to do this all very quickly and then down-shift to review the channel for content once everything is safely recorded.

3. Analysis - Once everything is captured to insure against deletion, we can pick through the channel and user profile without concern of losing evidence. The order of review may vary based on your mission and the volume of data on the channel.

Notes - Add the channel URL, username of the channel owner, avatar/profile image, and any additional accounts or profile data from the about page. If you have not done so already, screen capture these items and place those images either in your digital notebook or case directory.

Videos - Go to the Videos tab and scan the list of uploaded videos sorted newest to oldest. We have already downloaded these in the capture step, so now we are looking for low hanging fruit related to our mission. Key intel to look for is any thumbnails or descriptions that indicate a monologue or footage taken by the channel owner (vs reposts of other users' videos). Narrated clips tend to give a lot away about the target while also giving us a voice sample. Footage taken inside homes, businesses, or even in the community can unintentionally disclose location and identity.

4. Documentation - Significant videos and their respective pages will be included by URL in our report along with select screen captures which give a quick understanding of their significance to the case or mission. Remember, reports need to tell a story or support a finding. The frames of the video that are most pertinent to your investigation are unlikely to be the default keyframes, so you may need to run through the video and capture your own working images for inclusion in the main report. Additional still captures and pdfs of full pages will be organized into the appendix of your report. Media files, both video and still, will be saved to optical disk or other storage media for submission to evidence or transfer to the requesting party. If your agency supports online or network based submission of digital evidence, ensure that you use the original and highest quality captures. (See the Documentation Module for more detail.)

1.2 Locating Videos

There are times when you will want to direct a query at YouTube, and there are a few similar ways to do that. Keep in mind that Google is the parent company, so out of the box YouTube is using Google's powerful search capability.


1. Use your Google operators: `site:youtube.com “keyword”`
2. Use YouTube's built-in search bar and filters
3. Add your search term to the following URL: https://www.youtube.com/results?search_query=

Google reverse image search the default thumbnail images associated with the video. This will help to locate other sites where the same video is posted. The code to reverse image search all thumbnails for a specific video is in the sample Tools files attached to this lesson.

1. The format for this is http://i.ytimg.com/vi/videoID/1.jpg to pull the first thumbnail. There are typically four thumbnails (i.e. 2.jpg, 3.jpg, etc.)
2. Paste each of the jpg links into the URL image search on Google (https://images.google.com/) and hit Enter
3. Similar reverse image searches can be performed on https://tineye.com/, https://yandex.com/images/, and https://www.bing.com/visualsearch

The YouTube Channel Crawler

1.3 Basic Capture Using Firefox Addons

If you plan to use Chrome extensions to collect YouTube videos, be prepared for headaches. Google owns Chrome, so extensions that scrape YouTube content do not last long. A better option is to switch over to Firefox and use one of the many YouTube downloader add-ons. Keep in mind that extensions and addons can potentially contain security vulnerabilities. Only install what you need for the mission and consider doing some research for publicized complaints of malicious behavior.

1. Video Download Helper
   1. Once you have installed the addon, right click on the addon icon (three overlapping spheres) and select Settings.
   2. Select the “Behavior” tab and change the following settings:
      - Download process -> Browser
      - Hide ADP variants -> Check this box
2. EasyYoutubeDownloader - this addon adds a download button below the video

Note: There are dozens of addons, and you are welcome to research more on your own, but you really should consider using the open-source youtube-dl script that is described in section 1.5. It has better functionality with less impact on your security/privacy. It is worth one extra click and copy-paste for the higher quality video with no tradeoffs.

1.4 View/Capture Using Third Party Services

Third party services may be less invasive than installing an addon or desktop application, but they will push ads, and most are chock full of buttons and links that appear to link to your processed video but instead take you to a sales site, so be careful what you click on. (In the URLs below, videoID is replaced with the target video's ID.)

- YouTube - Full Screen, Age & Commercial Bypass: https://www.youtube.com/embed/videoID
- Download Video - Clipmega: https://clipmega.com/watch?v=videoID
- Download via yout.com: https://yout.com/video/videoID
- Location Bypass: http://polsy.org.uk/stuff/ytrestrict.cgi?ytid=videoID
- Hooktube - Bypass & Download Alternative: https://hooktube.com/watch?v=videoID
- ytimg - Default Keyframe/Thumbnail: https://i.ytimg.com/vi/videoID/hqdefault.jpg
- Download Subtitles: https://downsub.com/
- Archive on the Wayback Machine: https://web.archive.org/web/2oe_/http://waybackfakeurl.archive.org/yt/videoID
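To tie the thumbnail steps in 1.2 and the URL templates in 1.4 together, here is an added example (written for these notes, not the lesson's own Tools file) that takes any common YouTube URL shape, extracts the video ID, and builds the thumbnail, reverse-search and alternate-view URLs listed above. The reverse-image-search query formats, the inclusion of 0.jpg as the fourth numbered frame, and the sample video ID are my assumptions, not from the lesson.

```python
import re
from urllib.parse import urlparse, parse_qs, quote

VIDEO_ID_RE = re.compile(r"^[A-Za-z0-9_-]{11}$")  # YouTube ids are 11 url-safe chars


def extract_video_id(url):
    """Return the video id from the common YouTube URL shapes, or None.

    Handles youtube.com/watch?v=ID (with extra parameters), youtu.be/ID,
    /embed/ID, /shorts/ID and /live/ID on www., m. or bare hosts. Anything
    else, including channel or playlist URLs, returns None.
    """
    parsed = urlparse(url if "://" in url else "https://" + url)
    host = parsed.netloc.lower()
    for prefix in ("www.", "m."):
        if host.startswith(prefix):
            host = host[len(prefix):]
    parts = [p for p in parsed.path.split("/") if p]
    candidate = None
    if host == "youtu.be" and parts:
        candidate = parts[0]
    elif host in ("youtube.com", "youtube-nocookie.com"):
        if parsed.path == "/watch":
            candidate = parse_qs(parsed.query).get("v", [None])[0]
        elif len(parts) >= 2 and parts[0] in ("embed", "v", "shorts", "live"):
            candidate = parts[1]
    return candidate if candidate and VIDEO_ID_RE.match(candidate) else None


def thumbnail_urls(video_id):
    """The numbered keyframes from section 1.2 plus the default keyframe from 1.4.

    1.jpg, 2.jpg, 3.jpg and hqdefault.jpg are named in the notes; 0.jpg is
    the fourth numbered frame (author's assumption, not from the lesson)."""
    names = ["0.jpg", "1.jpg", "2.jpg", "3.jpg", "hqdefault.jpg"]
    return ["https://i.ytimg.com/vi/%s/%s" % (video_id, n) for n in names]


# URL templates exactly as listed in section 1.4 of the notes.
LESSON_TEMPLATES = {
    "embed": "https://www.youtube.com/embed/{id}",
    "clipmega": "https://clipmega.com/watch?v={id}",
    "yout": "https://yout.com/video/{id}",
    "region_check": "http://polsy.org.uk/stuff/ytrestrict.cgi?ytid={id}",
    "hooktube": "https://hooktube.com/watch?v={id}",
    "thumbnail": "https://i.ytimg.com/vi/{id}/hqdefault.jpg",
    "wayback": "https://web.archive.org/web/2oe_/http://waybackfakeurl.archive.org/yt/{id}",
}

# Reverse-image-search endpoints that accept an image URL. These query formats
# are the author's assumption, not from the notes, and the engines change them.
REVERSE_SEARCH = {
    "google": "https://www.google.com/searchbyimage?image_url={img}",
    "tineye": "https://tineye.com/search?url={img}",
    "yandex": "https://yandex.com/images/search?rpt=imageview&url={img}",
}


def lesson_urls(video_id):
    """Fill every section 1.4 template for one video id."""
    return {name: t.format(id=video_id) for name, t in LESSON_TEMPLATES.items()}


def reverse_search_urls(video_id):
    """One reverse-image-search link per engine per thumbnail, URL-encoded."""
    out = []
    for img in thumbnail_urls(video_id):
        for engine, t in REVERSE_SEARCH.items():
            out.append((engine, t.format(img=quote(img, safe=""))))
    return out


def build_worksheet(url):
    """Everything the notes say to open for one video, from any URL shape."""
    video_id = extract_video_id(url)
    if video_id is None:
        raise ValueError("not a recognised YouTube video URL: %r" % url)
    return {"video_id": video_id, "thumbnails": thumbnail_urls(video_id),
            "lesson": lesson_urls(video_id), "reverse": reverse_search_urls(video_id)}


if __name__ == "__main__":
    # "aBcDeFgHiJk" is a constructed sample id; any 11-character id works.
    for line in build_worksheet("https://youtu.be/aBcDeFgHiJk?t=30")["thumbnails"]:
        print(line)
```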

1.5 Youtube-DL

Youtube-DL is a widely used open source script for downloading YouTube and other online videos. It is available for Windows, Mac, and Linux, although the Linux version is better maintained and easier to use.

Youtube-DL - Youtube-DL has installation packages for Windows and Mac that include any file dependencies, so installation in those environments could not be easier. If you are a Linux user, we will address installation and use of Youtube-DL in detail during our Linux and VM modules.

FFMpeg - You will also want FFMpeg, which is an open-source set of video codecs that will not only improve the functionality of Youtube-DL, but will also dramatically increase the likelihood that you can play various odd video formats on your workstation using VLC or another player.

Getting Started Tips for Windows Users: Windows users seem to struggle the most with running scripts, so here are some quick steps for your first time through.

1. Installation: Download youtube-dl.exe from the link provided above and place it on your Desktop or in another logical directory. Right-click on the exe file and select “Run as administrator”. If you get a warning window, select “More” and “Run anyway”.
2. To Run the Script: Click on the location bar in Windows Explorer, type cmd and hit Enter. This will open a command prompt in that same directory. Another option is to hold down Shift while right clicking in the Windows Explorer window and then choosing Open cmd prompt or Open PowerShell.
3. Use the following command with your full video URL and hit Enter to download your target video: youtube-dl https://www.youtube.com/watch?v=yOhGkZ4U4lI

Linux & OSX Users: Step by step installation commands are on the youtube-dl GitHub. We will be installing Youtube-dl on Linux in the Linux VM module.

1.6 YouTube Additional Tools & Resources

Specialized tools and scripts:
- Video Metadata
- OSINT Toolkit - Youtube Search/Analysis
- YTTool - Metadata Downloader
- Reddit post with a good overview of youtube-dl on Windows 10
- IntelTechniques Custom Tools
- Yt comment search

1.7 One-Tab Bookmarks One-Tab URL Import: YouTube | Select and copy the list below -> go to the OneTab addon/extension in your browser -> select import/export -> Import URLs -> paste in the list -> select import

https://www.youtube.com/ | YouTube
https://lers.google.com/signup_v2/landing | Google | Law Enforcement Request System
https://www.search.org/resources/isp-list/#participants-list-1 | SEARCH | ISP List
https://www.nw3c.org/investigative-resources | Investigative Resources
https://www.google.com/search?q=site:youtube.com+keyword&tbs=qdr:y | site:youtube.com keyword - Google Search
https://www.youtube.com/results?search_query=keyword | keyword - YouTube
https://channelcrawler.com/ | The YouTube Channel Crawler
https://addons.mozilla.org/en-US/firefox/addon/video-downloadhelper/ | Video DownloadHelper – Get this Extension for 🦊 Firefox (en-US)
https://addons.mozilla.org/en-US/firefox/addon/easy-youtube-video-download/ | Easy Youtube Video Downloader Express – Get this Extension for 🦊 Firefox (en-US)
https://www.youtube.com/embed/ | YouTube
https://yout.com/ | Yout.com
http://polsy.org.uk/stuff/ytrestrict.cgi?ytid= | YouTube region restriction checker
https://hooktube.com/ | HookTube
https://i.ytimg.com/vi/rDdA4ggyc8E/hqdefault.jpg | hqdefault.jpg (480×360)
https://downsub.com/ | Download subtitles from Youtube, Viki, Viu, Vlive and more! - DownSub
https://web.archive.org/web/ | Archive.org search
https://ytdl-org.github.io/youtube-dl/index.html | youtube-dl
https://ytdl-org.github.io/youtube-dl/download.html | youtube-dl: Download Page
https://www.ffmpeg.org/ | FFmpeg
https://mattw.io/youtube-metadata/ | YouTube Metadata
https://one-plus.github.io/Youtube | OSINT Toolkit
https://github.com/nlitsme/youtube_tool | GitHub - nlitsme/youtube_tool: Tool for extracting comments or subtitles from youtube video's
https://github.com/ytdl-org/youtube-dl/blob/master/README.md | youtube-dl/README.md at master · ytdl-org/youtube-dl · GitHub
https://www.reddit.com/r/learnprogramming/comments/44nhzp/how_to_use_youtubedl_and_ffmpeg_to_download/ | How to use youtube-dl and ffmpeg to download YouTube videos (individual or whole playlists!) and convert them to MP3s for portable listening/learning. : learnprogramming
https://inteltechniques.com/osintbook/ | IntelTechniques.com | OSINT & Privacy Services by Michael Bazzell | Open Source Intelligence
https://ytcomment.kmcat.uk/ | Yt comment search

8OSINTBusinessesLinkedin.md

7/23/2021

OSINT Essentials - Employers & LinkedIn

Researching Businesses and Organizations

Businesses and organizations can be a great source of information, both when they are the focus of the investigation and when our target is one of their employees. Often by pivoting through the employer, we can collect information that we would not otherwise be privy to.

1.1 Google Operators

These are some examples of strategies for using your Google operators to query details about employees of a certain organization.

site:company.com filetype:pdf
filetype:docx site:company.com “phone list”
site:company.com intitle:“contact us” OR “our staff” OR “team” OR “board” OR “about us”
site:company.com “commendation” OR “employee of the month” OR “congratulations to”

1.2 Third Party Sites

- Indeed
- RocketReach
- Ceomail
- OCCRP
- Enigma
- Angel
- Open sanctions
- Corporation Wiki (US business search)
- Funding Universe Company Profiles
- OpenCorporates
- ICIJ Offshore Leaks Database
- String
- Lowtax - Incorporation Guide
- Legal Entity Types by Country
- FinCEN - MSB Registrant Search
- NAICS Code Search
- Fortune Global 500
- Ripoff Report

1.3 International

- List-Org (Russian Companies)
- Qichacha (Chinese Companies)
- Companies House (UK Companies)
- EU National Registries
- BBC Country Profiles

1.4 LinkedIn

You will need to be logged into a burner account to do most searches; create one in the same region and field as your target.

Search full name with format: https://linkedin.com/in/name

You can search by company and then add your target name via the built-in search, or by structuring a URL with the following parameters: https://www.linkedin.com/company/microsoft/people/?keywords=jason%20jones

Alternatively you could use Google: site:linkedin.com microsoft jason jones

Google operator example using your target's title: site:linkedin.com “Assistant General Counsel at Maxjet”

To find profiles related to your target, from the target's LinkedIn page select “people also viewed”. Alternatively, if you find someone else at your target's organization, this tactic may reveal your target's profile if you are having trouble locating it.

Locating an account using an email address:
1. Create a .csv file with the only contents being the target email
2. Log into a burner LinkedIn account and upload the csv to https://www.linkedin.com/mynetwork/import-contacts/
3. With all work done directly on LinkedIn, expect the account holder to get a notification

Once you locate your target's profile (reminder: they will likely get notified that you viewed it):
1. Right click on their photo and open it in a new tab, then right click on it and reverse image search it via a context menu extension or Google reverse image search
2. Click on More and download a pdf of their profile
3. Copy their title to your notes
4. Click on the Contact info to see if there is more than a LinkedIn URL
5. Copy their job history to your notes; former employers are pivot points
6. Note universities as possible pivot points
7. Note references and colleagues as pivot points
8. Review any interests or published articles

1.5 – Resources

Business research links
- Discoverly - Google Chrome Store
- GitLab - linkedin2username LinkedIn script
- GitHub - the Endorser LinkedIn script
- GitHub - raven LinkedIn script
- GitHub - arlandria LinkedIn script
- Gathering Company Intel — The Agile Way!, 2018 Guide by sector035
- A guide to searching LinkedIn by email address, 2020
- Another way to search LinkedIn by email address

1.6 One-Tab Bookmarks (additional bookmarks from the lesson)

https://chrome.google.com/webstore/detail/discoverly-for-gmaillink/dijhcpbkalfgkcebgoncjmfpbamihgaf | Discoverly for Gmail, LinkedIn, Facebook... - Chrome Web Store
https://gitlab.com/initstring/linkedin2username | InitString / linkedin2username · GitLab
https://github.com/eth0izzle/the-endorser | GitHub - eth0izzle/the-endorser: An OSINT tool that allows you to draw out relationships between people on LinkedIn via endorsements/skills.
https://github.com/0x09AL/raven | GitHub - 0x09AL/raven: raven is a Linkedin information gathering tool that can be used by pentesters to gather information about an organization employees using Linkedin.
https://github.com/midnitesnake/arlandria | GitHub - midnitesnake/arlandria: Simple LinkedIn scrapper for OSINT
https://www.google.com/search?q=site%3Acompany.com+filetype%3Apdf | site:company.com filetype:pdf - Google Search
https://www.indeed.com/ | Job Search | Indeed
https://www.ceoemail.com/us-companies.php | CEO email addresses - E-mail address database to find contact details of Chief Executive Officers (CEOs) and Managing Directors - free lists - UK - US - Asia - customer services - customer care - boss top man top woman complaints resolver
https://public.enigma.com/browse/collection/corp-watch-company-subsidiaries/ | Enigma Public
https://angel.co/ | AngelList - Where the world meets startups
https://www.opensanctions.org/ | Open source data for due diligence - OpenSanctions.org
https://medium.com/@sector035/gathering-company-intel-the-agile-way-6db12ca031c9 | Gathering Company Intel — The Agile Way! – Sector035 – Medium
https://www.elliott.org/ | Elliott Advocacy - Here to help
https://littlesis.org/ | LittleSis - Profiling the powers that be

8OSINTdocuments.md

7/23/2021

OSINT Essentials - Documents Searching for Documents We typically search for documents when researching businesses and organizations as part of white-collar investigations. We also use document search techniques when profiling individuals and digging through their employers, universities, etc.

1.1 Google Operators

The following are some examples of using Google operators to locate various types of documents. Many of these also work on Bing, Yandex, etc. See a complete list of file types below.

Examples:

filetype:pdf
filetype:doc
filetype:xlsx
filetype:ppt
site:irongeek.com filetype:pdf
site:irongeek.com filetype:ppt
site:irongeek.com filetype:pptx
inurl:ftp -inurl:(http|https) “confidential”
inurl:ftp -inurl:(http|https) “cisco” filetype:pdf

Academic/resume examples (what to enter into the search engine):

“John Doe” “Resume”
“John Doe” “Curriculum Vitae”
“John Doe” “CV”
“John Doe” “Resume” filetype:doc
“John Doe” “Curriculum Vitae” filetype:doc
“John Doe” “CV” filetype:doc
“John Doe” “Resume” filetype:pdf
“John Doe” “Curriculum Vitae” filetype:pdf
“John Doe” “CV” filetype:pdf
“John Doe” “Resume” site:docs.google.com
“John Doe” “Curriculum Vitae” site:docs.google.com
“John Doe” “CV” site:docs.google.com
“John Doe” site:cvmkr.com
“OSINT” filetype:pdf OR filetype:doc OR filetype:xls OR filetype:xlsx OR filetype:docx OR filetype:ppt OR filetype:pptx OR filetype:wpd OR filetype:txt

1.2 Third Party Document Search

- BASE (Bielefeld Academic Search Engine) - Basic Search
- GitHub awesome-osint (Main) - A curated list of amazingly awesome open source intelligence tools and resources.
- GitHub awesome-osint (Documentation) - Document and reference management
- AuthorStream - Upload, share and search presentations, templates
- FreeFullPDF - PDF search engine for free scientific publications
- ICIJ Offshore Leaks Database
- PasteLert: Pastebin Alerts!
- PDF search engine - Find free PDF books online
- CourtListener.com - Advanced RECAP Archive Search for PACER
- Scribd - Search
- soPDF.com - PDF search engine
- PSBDMP - Pastebin dump collection
- Cryptome
- Wikileaks - Full text search
- Cable Gate Search – The truth is out there
- Library of Congress
- Chegg
- Sniff Paste: OSINT Pastebin Harvester

1.3 Search Presentations & Slide Shows

- Search PPT online
- Slideshare (Owned by LinkedIn)
- Slideworld (Powerpoint Designs, Powerpoint Presentation)
- Slide Bean
- Issuu
- Prezi - Slides are public by default for free accounts
- AuthorStream - Upload, share and search presentations, templates

Google operator example: site:slideshare.net “keyword”

1.4 Scripts

- GitHub - Metagoofil - Doc search by domain
- GitHub - Spiderpig - Doc search by domain

1.5 Pastes

- https://pastebin.com
- https://ghostbin.com
- GitHub - pwnbin - Webcrawler that returns list of public paste bins containing keywords
- Reddit - most popular paste sites in 2019-2020 : OSINT
- Programmable Search Engine
- PasteLert: Pastebin Alerts!

1.6 Filetypes

| Extension | Description |
|-----------|-------------|
| 7Z | Compressed File |
| BMP | Bitmap Image |
| DOC | Microsoft Word |
| DOCX | Microsoft Word |
| DWF | Autodesk |
| GIF | Animated Image |
| HTM | Web Page |
| HTML | Web Page |
| JPG | Image |
| JPEG | Image |
| KML | Google Earth |
| KMZ | Google Earth |
| ODP | OpenOffice Presentation |
| ODS | OpenOffice Spreadsheet |
| ODT | OpenOffice Text |
| PDF | Adobe Acrobat |
| PNG | Image |
| PPT | Microsoft PowerPoint |
| PPTX | Microsoft PowerPoint |
| RAR | Compressed File |
| RTF | Rich Text Format |
| TXT | Text File |
| XLS | Microsoft Excel |
| XLSX | Microsoft Excel |
| ZIP | Compressed File |

1.7 Document Metadata

- Extract Metadata
- Jeffrey's Exif Viewer
- Metadata2go
- Foca - ElevenPaths - Collection fails, but analysis works
- GitHub - metagoofil - Collection Linux script
- Free online OCR - Sodapdf - Optical Character Recognition

Custom offline tools (your directory address likely differs):

file:///F:/casefile/tools/Documents.html
file:///F:/casefile/tools/Pastes.html
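What the metadata tools above pull out of a file can be seen with a few lines of code. This added example (written for these notes, not one of the lesson's tools) reads the core properties of an Office document and the /Info dictionary of a PDF; both files are constructed in memory, and the PDF side only handles a plain /Info dictionary with literal strings, not compressed object streams or XMP.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by docProps/core.xml in every OOXML package (.docx/.xlsx/.pptx).
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}
CORE_FIELDS = {
    "title": "dc:title",
    "author": "dc:creator",
    "last_modified_by": "cp:lastModifiedBy",  # often a Windows login name
    "created": "dcterms:created",
    "modified": "dcterms:modified",
    "revision": "cp:revision",
}
PDF_KEYS = ("Title", "Author", "Creator", "Producer", "CreationDate", "ModDate")
# /Key (literal string) where the string may contain escaped \( and \).
PDF_ENTRY_RE = re.compile(
    rb"/(" + b"|".join(k.encode() for k in PDF_KEYS) + rb")\s*\(((?:\\.|[^\\)])*)\)"
)


def office_metadata(data):
    """Read core properties from an OOXML zip; {} if the part is missing."""
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        if "docProps/core.xml" not in pkg.namelist():
            return {}
        root = ET.fromstring(pkg.read("docProps/core.xml"))
    found = {}
    for name, tag in CORE_FIELDS.items():
        element = root.find(tag, NS)
        if element is not None and element.text:
            found[name] = element.text
    return found


def pdf_metadata(data):
    """Collect the first value seen for each /Info key, unescaping parentheses."""
    found = {}
    for key, raw in PDF_ENTRY_RE.findall(data):
        text = raw.replace(b"\\(", b"(").replace(b"\\)", b")").decode("latin-1")
        found.setdefault(key.decode("ascii"), text)
    return found


def extract_metadata(data):
    """Sniff the container by its magic bytes instead of trusting the extension."""
    if data.startswith(b"%PDF"):
        return pdf_metadata(data)
    if data.startswith(b"PK\x03\x04"):
        try:
            return office_metadata(data)
        except zipfile.BadZipFile:
            return {}
    return {}


def build_sample_docx():
    """Constructed .docx with only the parts needed to show where the metadata lives."""
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s" xmlns:dcterms="%s" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
        "<dc:title>Board minutes</dc:title><dc:creator>jane.smith</dc:creator>"
        "<cp:lastModifiedBy>CORP\\jsmith</cp:lastModifiedBy><cp:revision>14</cp:revision>"
        '<dcterms:created xsi:type="dcterms:W3CDTF">2021-03-02T14:05:00Z</dcterms:created>'
        '<dcterms:modified xsi:type="dcterms:W3CDTF">2021-07-23T09:41:00Z</dcterms:modified>'
        "</cp:coreProperties>"
    ) % (NS["cp"], NS["dc"], NS["dcterms"])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("docProps/core.xml", core)
        pkg.writestr("word/document.xml", "<document/>")
    return buf.getvalue()


# Constructed minimal PDF whose /Info dictionary carries the usual leak-prone fields.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /Title (Q3 phone list \\(internal\\)) /Author (jdoe) /Creator (Microsoft Word)\n"
    b"  /Producer (Constructed sample) /CreationDate (D:20210723101500-05'00') >> endobj\n"
    b"trailer << /Root 1 0 R /Info 3 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for label, blob in (("sample.docx", build_sample_docx()), ("sample.pdf", SAMPLE_PDF)):
        print(label, extract_metadata(blob))
```

The author, lastModifiedBy and creation timestamps are exactly the fields that give away usernames, naming conventions and software versions when an organization publishes documents without scrubbing them.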

1.8 One Tab Bookmarks

https://www.google.com/search?q=site%3Aredplum.com+filetype%3Apdf | site:redplum.com filetype:pdf - Google Search
https://www.base-search.net/ | BASE (Bielefeld Academic Search Engine): Basic Search
https://github.com/jivoi/awesome-osint | GitHub - jivoi/awesome-osint: A curated list of amazingly awesome OSINT
http://www.authorstream.com/ | Upload, Share and Search Presentations, Templates On authorSTREAM
http://www.freefullpdf.com/#gsc.tab=0 | PDF search engine for free scientific publications - FreeFullPDF
https://offshoreleaks.icij.org/ | ICIJ Offshore Leaks Database
https://www.andrewmohawk.com/2011/06/30/pastelert-pastebin-alerts/ | PasteLert: Pastebin Alerts! - AndrewMohawk
http://www.pdfsearchengine.info/ | PDF Search Engine - Find free PDF books online
https://www.courtlistener.com/recap/ | Advanced RECAP Archive Search for PACER - CourtListener.com
https://www.scribd.com/ | Discover the Best eBooks, Audiobooks, Magazines, Sheet Music, and More | Scribd
https://www.slideshare.net/ | Share and Discover Knowledge on LinkedIn SlideShare
http://www.slideworld.com/ | Powerpoint Designs, Powerpoint Presentation | Slideworld
http://www.sopdf.com/ | PDF Search Engine - soPDF.com
https://github.com/jivoi/awesome-osint#document-and-reference-management | GitHub - jivoi/awesome-osint: A curated list of amazingly awesome OSINT
https://psbdmp.ws/ | Pastebin dump collection
https://cryptome.org/ | Cryptome
https://wikileaks.org/plusd/ | Full text search
http://cablegatesearch.net/ | Cable Gate Search – The truth is out there
https://www.loc.gov/ | Home | Library of Congress
https://www.chegg.com/ | Chegg - Save up to 90% on Textbooks | Don't Pay Full Price for Textbooks
https://haxf4rall.com/2018/07/14/sniff-paste-osint-pastebin-harvester/ | SniffPaste: OSINT Pastebin Harvester - Haxf4rall
https://www.scribd.com/search?content_type=tops&page=1&query=osint&language=1 | Search | Scribd
http://www.pptsearchengine.net | Search PowerPoint Presentations Online
https://slidebean.com/ | Pitch Deck Design | Presentation Software: Slidebean AI
https://issuu.com/ | Join Issuu – the All-In-One Content Creation & Distribution Platform.
https://prezi.com/ | Presentation Software | Online Presentation Tools | Prezi
https://github.com/laramies/metagoofil | GitHub - laramies/metagoofil: Metadata harvester
https://github.com/hatlord/Spiderpig | GitHub - hatlord/Spiderpig: A document metadata spider.
https://www.google.com/search?q=site%3Apastebin.com+fullz | site:pastebin.com fullz - Google Search
https://www.pdfdrive.com/search?q=%22jason%20jones%22 | "jason jones"

Doc Search by Document Type

https://www.google.com/search?q=ext%3Apdf+%22jason%20jones%22 | ext:pdf "jason jones" - Google Search
https://www.google.com/search?q=ext%3Adoc+OR+ext%3Adocx+%22jason%20jones%22 | ext:doc OR ext:docx "jason jones" - Google Search
https://www.google.com/search?q=ext%3Axls+OR+ext%3Axlsx+OR+ext%3Acsv+%22jason%20jones%22 | ext:xls OR ext:xlsx OR ext:csv "jason jones" - Google Search
https://www.google.com/search?q=ext%3Appt+OR+ext%3Apptx+OR+ext%3Akey+%22jason%20jones%22 | ext:ppt OR ext:pptx OR ext:key "jason jones" - Google Search
https://www.google.com/search?q=ext%3Atxt+OR+ext%3Artf+OR+ext%3Axml+%22jason%20jones%22 | ext:txt OR ext:rtf OR ext:xml "jason jones" - Google Search
https://www.google.com/search?q=ext%3Aodt+OR+ext%3Aodsx+OR+ext%3Aodp+%22jason%20jones%22 | ext:odt OR ext:odsx OR ext:odp "jason jones" - Google Search
https://www.google.com/search?q=ext%3Azip+OR+ext%3Arar+OR+ext%3A7z+%22jason%20jones%22 | ext:zip OR ext:rar OR ext:7z "jason jones" - Google Search
https://www.google.com/search?q=ext%3Ajpg+OR+ext%3Ajpeg+OR+ext%3Apng+%22jason%20jones%22 | ext:jpg OR ext:jpeg OR ext:png "jason jones" - Google Search
https://www.google.com/search?q=ext%3Ampg+OR+ext%3Ampeg+OR+ext%3Amp4+%22jason%20jones%22 | ext:mpg OR ext:mpeg OR ext:mp4 "jason jones" - Google Search
https://www.google.com/search?q=ext%3Amp3+OR+ext%3Awav+OR+ext%3Aflac+%22jason%20jones%22 | ext:mp3 OR ext:wav OR ext:flac "jason jones" - Google Search

Doc search by platform

https://www.google.com/search?q=site%3Adocs.google.com+%22jason%20jones%22 | site:docs.google.com "jason jones" - Google Search
https://www.google.com/search?q=site%3Adrive.google.com+%22jason%20jones%22 | site:drive.google.com "jason jones" - Google Search
https://www.google.com/search?q=site%3Astorage.googleapis.com+%22jason%20jones%22 | site:storage.googleapis.com "jason jones" - Google Search
https://www.google.com/search?q=site%3Adocs.microsoft.com+%22jason%20jones%22 | site:docs.microsoft.com "jason jones" - Google Search
https://www.google.com/search?q=site%3As3.amazonaws.com+%22jason%20jones%22 | site:s3.amazonaws.com "jason jones" - Google Search
https://www.google.com/search?q=site%3Acloudfront.net+%22jason%20jones%22 | site:cloudfront.net "jason jones" - Google Search
https://www.google.com/search?q=site%3Aslideshare.net+%22jason%20jones%22 | site:slideshare.net "jason jones" - Google Search
https://www.google.com/search?q=site%3Aprezi.com+%22jason%20jones%22 | site:prezi.com "jason jones" - Google Search
https://www.google.com/search?q=site%3Aissuu.com+%22jason%20jones%22 | site:issuu.com "jason jones" - Google Search
https://www.google.com/search?q=site%3Ascribd.com+%22jason%20jones%22 | site:scribd.com "jason jones" - Google Search
https://buckets.grayhatwarfare.com/results/%22jason%20jones%22 | jason jones - 1-20 | Public S3 Buckets Search

8OSINTMapsAddresses.md

7/23/2021

OSINT Essentials – Maps & Addresses

Use Cases for Online Mapping Resources

There are many use cases for online map services, but let us look at the most common applications when conducting intelligence work.

Addresses as Leads: If we find possible residence or work addresses for our target, we will pull up both aerial and street view data on the location, both for tactical considerations and for possible visual verification that the target is indeed associated with the address (i.e. signage in a window, a vehicle parked nearby, etc.).

Target Profiles: These can be profiles on individuals or organizations. If we isolate an address associated with a fugitive, we often pull up location visuals prior to initiating surveillance or apprehension operations. I have had other cases where we are gathering intelligence on a group or business, such as a clubhouse being used by an outlaw motorcycle gang or a storefront involved in moving stolen goods. In either case, building out a set of tactical maps and location data quickly for the operational briefing is an essential skillset. (See sample operation briefing.)

Event Assessments: Events inherently have geographical details that must be considered when planning a response. In some instances this is purely logistical, such as resource placement and staffing, and for others it is more tactical, in establishing command posts or field intelligence. Including satellite or other geographical imagery in event plans is essential in most cases.

1.1 Government & Proprietary
The first step is to query an address through any government or proprietary databases to isolate ownership, taxpayers, and/or documented residents.
1. Agency Records Management Systems (RMS)
2. County Records (most counties have parcel viewers which allow you to pull up tax records and sometimes even floor plans and photos)
3. Paid Aggregators – Clear, Accurint, etc.
4. Paid Commercial Search – Spokeo, Pipl, Intelius, etc.

1.2 Satellite Imagery
Aerial and satellite imagery for adding maps to reports and operation plans.

Google Mapping and Imagery Resources
1. https://earth.google.com/web/
   - Streetview and basic functions are lower right on the UI
   - Menu > Settings (change the Lat/Long format as necessary)
   - If you enable "Photos" you may get some geotagged photo results on the map
   - Map style > Custom (adjust labels)
   - Choose "Add Placemark" -> Edit Place (this brings up Lat/Long and a capture button)
2. https://www.google.com/earth/studio/ (sign up with a burner account)
   - Good for preparing high value briefings or post incident reviews, visuals for court
3. https://earthengine.google.com/timelapse/
   - Showing long term changes in rural areas such as development or construction of large facilities

Microsoft/Bing Mapping and Imagery Resources
https://www.bing.com/maps
- An address search (vs. manual zooming) will bring up additional Bing data such as Zillow photos of the address.
- Right-click will bring up the Lat/Long for easy copy, as well as a "birds-eye" option if available.
- The image source will be listed on the lower right.
- Streetview is indicated with blue lines and will have the capture date top right. It tends to be less current than Google Streetview.

Other platforms
- Zoom Earth: Near real-time earth/weather maps. Satellite imagery is recent for most domestic urban and suburban areas. It uses imagery from Esri and Microsoft. Improved digital zoom over Bing Maps, but no street view. Map set and date are on the top left of the UI.
- Yandex Maps: Good for viewing areas censored by US companies.
- DualMaps: Google Maps, Street View & Birds Eye on one page.
- Map Compare: Compare three map sets for one location.
- ArcGIS: Esri map data, used by many government and private sector agencies.
- World Imagery Wayback: Historical captures by date.
- OpenStreetMap: Includes crowd sourced data. House number overlays, trails, business zones, community landmarks, etc. Also provides GeoNames results.
- KartaView: Similar mapping based on OpenStreetMap crowdsourced data.
- Wikimapia: Options to pull up Google, Bing, and other map sets with the addition of layer data that includes some infrastructure such as government facilities, parks, schools, etc.
- EOS LandViewer: View map sets available for the target area; sign up with a burner account for more options.
- OpenAerialMap: UAV imagery project, crowdsourced aerial imagery.
- HERE: Older images domestically, worth checking for international POIs.
- Mapbox: Fewer options, older map sets for some areas, meteorological layers.
- Scribble Maps: Edit and add your own overlays.
- Free Map Tools: Customize map views with international toolsets.

Free Downloadable Imagery
- 1.6 million Landsat 8 OLI/TIRS scenes are available to download from EarthExplorer, GloVis, and the LandsatLook Viewer
- https://sentinel.esa.int/web/sentinel/missions/sentinel-2/data-products
- https://modis.gsfc.nasa.gov/
- https://maps.descarteslabs.com/ (cycle through Sentinel, Landsat, and NAIP imagery)
- https://gisgeography.com/free-satellite-imagery-data-list/ (list of satellite imagery)

1.3 Google Earth Pro
Google Maps is good enough for some basic research, but there are times when you will want a more powerful mapping tool. Google Earth Pro packs in more features and supports importing data such as KML files. These files allow us to map out case data such as call detail records obtained from a cellular carrier.
- Google Earth Versions: Great for creating custom maps or ingesting KML or other geolocation data files
- GE Library Store: Map sets for Google Earth Pro
- Google Earth Hacks: Thousands of crowdsourced data sets
- Google Earth Tutorials - Google Earth
- Google Earth Tutorials - Google Earth Blog
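As an added example of the KML import mentioned above (this is not code from the notebook, Google, or any carrier), the Python below turns a call detail record extract into a KML file that Google Earth Pro can open, with one placemark per tower hit and a TimeStamp so the time slider works. The CDR columns, phone numbers and tower coordinates are constructed for the demo; real carrier exports and the tower key that maps cell IDs to coordinates differ per provider and are assumed here.

```python
"""Build a KML file of cell-tower placemarks from call detail records (CDR).

Added example for the notebook, not code from IntelTechniques, Google or a carrier.
The CDR layout and the tower key are constructed for the demo (hypothetical
numbers and towers); real exports differ per provider.
"""
import csv
import io
import xml.etree.ElementTree as ET

KML_NS = "http://www.opengis.net/kml/2.2"

# Constructed sample CDR extract (hypothetical data)
SAMPLE_CDR = """\
start_time,direction,other_party,cell_id,duration_s
2021-07-23T14:02:11Z,outgoing,5550100,TWR-0042,95
2021-07-23T14:40:03Z,incoming,5550199,TWR-0042,12
2021-07-23T18:15:47Z,outgoing,5550100,TWR-0077,310
2021-07-23T19:01:00Z,incoming,5550123,TWR-9999,4
"""

# Constructed tower key: cell_id -> (latitude, longitude), as a carrier would supply
SAMPLE_TOWERS = {
    "TWR-0042": (39.7392, -104.9903),
    "TWR-0077": (39.7508, -104.9966),
}


def parse_cdr(text):
    """Read the CSV extract into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def build_kml(records, towers):
    """Return (kml_string, unmatched_cell_ids).

    Every record whose cell_id is in the tower key becomes a Placemark with a
    TimeStamp. KML coordinates are written longitude,latitude,altitude, the
    reverse of the lat/long order a tower key usually lists.
    """
    ET.register_namespace("", KML_NS)
    kml = ET.Element("{%s}kml" % KML_NS)
    doc = ET.SubElement(kml, "{%s}Document" % KML_NS)
    ET.SubElement(doc, "{%s}name" % KML_NS).text = "CDR tower hits"
    unmatched = []
    for rec in records:
        loc = towers.get(rec["cell_id"])
        if loc is None:
            unmatched.append(rec["cell_id"])  # report gaps instead of dropping them silently
            continue
        lat, lon = loc
        pm = ET.SubElement(doc, "{%s}Placemark" % KML_NS)
        ET.SubElement(pm, "{%s}name" % KML_NS).text = "%s %s" % (rec["start_time"], rec["direction"])
        ET.SubElement(pm, "{%s}description" % KML_NS).text = "other party %s, %s s, cell %s" % (
            rec["other_party"], rec["duration_s"], rec["cell_id"])
        ts = ET.SubElement(pm, "{%s}TimeStamp" % KML_NS)
        ET.SubElement(ts, "{%s}when" % KML_NS).text = rec["start_time"]
        point = ET.SubElement(pm, "{%s}Point" % KML_NS)
        ET.SubElement(point, "{%s}coordinates" % KML_NS).text = "%.6f,%.6f,0" % (lon, lat)
    return ET.tostring(kml, encoding="unicode"), unmatched


def placemark_coordinates(kml_text):
    """Pull the coordinate strings back out of a KML document (for checking)."""
    root = ET.fromstring(kml_text)
    return [c.text for c in root.iter("{%s}coordinates" % KML_NS)]


if __name__ == "__main__":
    kml_text, missing = build_kml(parse_cdr(SAMPLE_CDR), SAMPLE_TOWERS)
    with open("cdr_towers.kml", "w", encoding="utf-8") as fh:
        fh.write(kml_text)
    print("placemarks:", len(placemark_coordinates(kml_text)))
    print("cell ids missing from tower key:", sorted(set(missing)))
```

Two practitioner checks are built in: the coordinate order is longitude first, because a swapped pair silently lands every point in the wrong hemisphere, and records whose cell ID is absent from the tower key are returned as a list rather than discarded, so the gap can be noted in the case file before the map goes into a briefing.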

1.4 Social Media Geolocation
- One Million Tweet Map: Small sample of Twitter data by location
- Trendsmap: Twitter topic map
- OmniSci Tweetmap: Small sample of Twitter data
- GitHub - Tweetsmapper: Map tweets via script (if API geo data exists)
- Snap Map: Small sample of Snapchat data by location
- YouTube Geofind: YouTube geolocation based search
- Strava: Strava exercise data maps
- Photo map: VK image mapping (requires burner account, Russian language)
Paid Options
Most return only a very small percentage of data.
- Echosec: Pricey and more of an enterprise product now

1.5 Real-Estate Sites
- Zillow: Mapped neighborhoods, home interiors, property descriptions, sale dates, real-estate stats, etc.
- Matterport: Use Google operators on various real-estate sites to find client postings, e.g. site:matterport.com Denver

1.6 Additional Mapping Resources
- stevemorse.org: Street Address | Lat/Long conversion
- latlong.net: Address | Lat/Long conversion
- SunCalc: Sun position & shadow estimation by geolocation
- MapChecking: Crowd size estimation (use for civil disturbances etc.)
- GeoNames: Submit a search term and it will generate a concise list of locations with corresponding geographical data
- KartaView: Useful for locating public facing cameras that may have captured video evidence (note: not all transportation departments record DOT video)
- TRAVIC Transit Visualization Client: Transit maps
- Mapillary: Crowdsourced streetview from cyclists
- Liveuamap: International conflict, natural disasters, civil unrest (some domestic US data as well, but limited); mostly significant world conflicts and events
- University of Texas Libraries: U of T maps of current interest (pandemic, conflict, etc.)
- FlowingData: Aviation data maps
- OpenFlights: Aviation data maps
- ArcGIS Dashboard: Pandemic data, Johns Hopkins, example of academic mapping
- SafeCity: Stalking, harassment reports (crowd sourced via app)
- GitHub MapSwitcher: Multi map service Chrome extension

1.7 Forensic Data Mapping
- https://opencellid.org
- https://cellidfinder.com/
- https://cellphonetrackers.org/

1.8 Cyber Threat Maps
- https://ics-radar.shodan.io/
- https://cybermap.kaspersky.com/
- https://threatmap.checkpoint.com/ThreatPortal/livemap.html
- https://threatmap.fortiguard.com/
- https://threatbutt.com/map/
- https://talosintelligence.com/fullpage_maps/pulse
- https://www.fireeye.com/cyber-map/threat-map.html

1.9 OneTab Links
- https://earth.google.com/web/
- https://www.google.com/earth/studio/ | Google Earth Studio
- https://sites.google.com/mrpiercey.com/resources/geo/kml-downloads
- https://earthengine.google.com/timelapse/ | Showing long term changes in rural areas
- https://www.bing.com/maps | Microsoft/Bing Mapping and Imagery Resources
- https://zoom.earth/ | Zoom Earth
- https://yandex.com/maps/ | Good for viewing areas censored by US companies
- https://mapchannels.com/DualMaps.aspx | Google Maps, Street View & Birds Eye on one page
- https://mc.bbbike.org/mc/ | Compare three map sets for one location
- https://www.arcgis.com/ | Esri map data, used by many gov and private sector agencies
- http://livingatlas.arcgis.com/wayback/ | Historical captures by date
- https://www.openstreetmap.org | Includes crowd sourced data. House number overlays
- https://kartaview.org/landing | KartaView
- http://wikimapia.org | Options to pull up Google, Bing, and other map sets with the addition of layer data that includes some infrastructure such as government facilities, parks, schools, etc.
- https://eos.com/landviewer/ | View map sets available for target area, sign up with a burner account for more options
- https://map.openaerialmap.org/ | UAV imagery project, crowdsourced aerial imagery
- https://wego.here.com/ | Older images domestically, worth checking for international POIs
- https://www.mapbox.com/ | Fewer options, older map sets for some areas, meteorological layers
- https://www.scribblemaps.com/ | Edit and add your own overlays
- https://www.freemaptools.com/ | Customize map views with international toolsets
- https://sentinel.esa.int/web/sentinel/missions/sentinel-2/data-products
- https://modis.gsfc.nasa.gov/
- https://maps.descarteslabs.com/?layer=landsat-8_v3_rgb_20132017#lat=39.2322531&lng=-100.8544921&zoom=5 | Descartes Labs: Maps
- https://gisgeography.com/free-satellite-imagery-data-list/ | List of satellite imagery
- https://www.google.com/earth/versions/ | Great for creating custom maps or ingesting KML
- https://www.gelib.com/store/ | GE Library Store
- https://www.gearthhacks.com | Thousands of crowdsourced data sets
- https://www.google.com/earth/outreach/learn/ | Google Earth Tutorials
- https://www.gearthblog.com/basics | Google Earth Tutorials
- https://onemilliontweetmap.com/ | Small sample of twitter data by location
- https://www.trendsmap.com/ | Twitter topic map
- https://www.omnisci.com/demos/tweetmap | Small sample of twitter data
- https://github.com/r3mlab/tweetsmapper | Map tweets via script (if API geo data exists)
- https://map.snapchat.com | Small sample of Snapchat data by location
- https://mattw.io/youtube-geofind/location | YouTube geolocation based search
- https://www.doogal.co.uk/strava.php | Strava exercise data maps
- http://photo-map.ru/ | VK image mapping
- https://www.echosec.net | Pricey and more of an enterprise product now
- https://www.zillow.com/homes/ | Zillow mapped neighborhoods
- https://matterport.com | Use Google operators on various real-estate sites to find client postings, e.g. site:matterport.com Denver
- https://stevemorse.org/jcal/latlon.php | Street Address | Lat/Long conversion
- https://www.latlong.net/convert-address-to-lat-long.html | Address | Lat/Long conversion
- https://suncalc.org/ | Sun position & shadow estimation by geolocation
- https://www.mapchecking.com/ | Crowd size estimation (use for civil disturbances etc.)
- http://www.geonames.org/ | Submit list
- https://www.mapillary.com/app/ | Crowdsourced streetview from cyclists
- https://liveuamap.com/ | International conflict, natural disasters, civil unrest (some domestic US data as well, but limited); mostly significant world conflicts and events
- https://legacy.lib.utexas.edu/maps/ | U of T Maps of current interest (pandemic, conflict, etc.)
- https://flowingdata.com/tag/flights/ | Aviation data maps
- https://openflights.org/ | Aviation data maps
- https://gisanddata.maps.arcgis.com/apps/opsdashboard/index.html#/bda7594740fd40299423467b48e9ecf6 | Pandemic data Johns Hopkins, example of academic mapping
- https://maps.safecity.in/main | Stalking, harassment reports (crowd sourced via app)
- https://github.com/david-r-edgar/MapSwitcher | Multi map service Chrome extension
- https://opencellid.org
- https://cellidfinder.com/
- https://cellphonetrackers.org/
- https://ics-radar.shodan.io/
- https://cybermap.kaspersky.com/
- https://threatmap.checkpoint.com/ThreatPortal/livemap.html
- https://threatmap.fortiguard.com/
- https://threatbutt.com/map/
- https://talosintelligence.com/fullpage_maps/pulse
- https://www.fireeye.com/cyber-map/threat-map.html


8OSINTOrg_Walkthrough.md

7/23/2021

Org Walk-Through - Part 1
This is part 1 in a series walking through a complete OSINT work-up on an organization. Specifically, the scenario is one where we are profiling vulnerabilities of the company's leadership, including C-level principals (CEO, CFO, VPs, etc.). This video covers the initial planning and setup, while future portions will take us all the way through to a final case report and complete work product. Real world investigations often take hours to complete, therefore portions of the video are time-lapsed to enable us to present a dozen hours of work in just a few video lessons. Included below each video are some of the resources used, such as scripts and templates, although the majority are already covered and available in the course resources in the Setup & Workflow section.
Note: The OneNote packages do not tend to work well with anything other than the 2016 desktop version of OneNote. It really is just the section structure from the video, so it is easily replicated by hand.


8OSINTScenariosUsingMaps.md

7/23/2021

OSINT Scenarios - Using Maps
This is a rough-cut video that I put together to show how we work a target name back to an address and then start building out some location intelligence for field operations. The audio is a little rough on this cut, so apologies for that, but it is a very realistic walk-through utilizing both mapping resources and basic name search.


9OSINTCommandCenter.md

7/23/2021

OSINT Essentials - Setting Up a Command Center OBS Studio


9OSINTDiscord.md

7/23/2021

OSINT Essentials - DISCORD v.6.2021 https://discord.com

1.1 What is Discord
Started as a voice chat service for gamers, Discord is now widely used outside of gaming communities and the focus is more on the chat/messaging/forum function of the service. Below are a handful of innocuous servers that are options for familiarizing yourself with Discord. It is recommended to use servers that are not associated with missions or adversaries for practice prior to initiating an investigation or intelligence operation on a real target.
Examples of servers which may be used for practice and familiarity:
- Defcon Discord Server
- Defcon Discord Guide
- Spiderfoot Discord Server
- OSINTFr.com Discord Server
- Bellingcat Discord
Articles demonstrating the investigative value of Discord:
- Terrorism Example
- Media Sonar Discord Article
- Propublica Atomwaffen Article
How To Access Discord
For OSINT work we typically use a browser, although you can also access Discord via desktop and mobile applications. The advantage of using your browser is gaining the functionality of extensions and other browser based tools/tactics. If you do choose to use the desktop application, consider using a virtual machine to limit access to other data on your workstation. The mobile application can be used on a hardware or software based burner phone, but there are few advantages and some limitations incurred by going that route.
Official Discord Applications

1.2 Platform Interface
Servers & channels
If you are completely new to Discord you will want to become familiar with these key platform components: invites, the user interface (browser based interface in particular), and server administration. The latter is important because server admins have a lot of flexibility in adjusting user permissions and privacy settings, both of which affect our ability to locate and recover intelligence. Servers are made up of text and voice channels. These can be private or open to all members. Most servers have a mix of open and privatized "VIP" channels. Server members can also send each other direct messages.


With a valid invite link you can join a server with a temporary guest username or log in with a Discord account. Using guest access will limit your ability to interact with the server (restrictions on posting, for example). Most Discord servers are managed by admins who rely heavily on member reputation, so those using guest access are typically not trusted.
Understanding Invites: Official FAQ
Accessing Discord as a Guest
Per Discord support:
1. Head to discord.com
2. Click on "Open Discord on your browser"
3. They will be prompted to enter a username (unless they already have an account saved on the cookies of the browser, which would just open their own account.)
4. Once a username has been entered, they would have effectively created an unclaimed "guest" account, which they can use to create or join servers
5. There will still be a popup asking them to register an email address, but they can simply click/tap out of that and keep the account unclaimed
6. The user can then use the invite link to join your server and the voice channels
Note: If the user wishes to retain the account, they will have to claim it by registering their email address, otherwise they won't be able to access the account anymore after exiting the browser.
If you are new to Discord you should spend some time studying and testing the graphical user interface.
Discord Interface: Official FAQ
URL format: Discord.com/channels/servernumber/channelnumber/
Example of a server invite URL: https://discord.com/invite/yeUbPNR

1.3 Account Creation
Operational Security & Best Practices
- Consider utilizing a virtual machine to isolate your Discord session (especially if you opt to use the desktop application)
- Be aware of mic/camera access - many servers have audio and/or video channels
- Review all account and application settings
- The app will be more invasive than using a browser
Understanding User Accounts
Once you have reviewed the settings on your burner account, it is recommended that you read through the support documents for a better understanding of how this affects our offense and defense.
Settings to Consider on Your Burner Account
- First time: look through all tabs and settings, use common sense to make adjustments
- Go to Privacy & Safety and adjust the message filter
- Connections: turn off detect accounts
- Appearance: turn developer mode on
- Windows settings: disable open Discord and disable minimize to tray
Other Considerations
Users have vanity names (Dingo), usernames (Dingo#0019) and a user number (219565618792235008).
Locating IDs on Discord
Creating a user account: https://support.discord.com/hc/en-us/articles/360033931551-Getting-Started
Customizing your account:


https://support.discord.com/hc/en-us/articles/360035491151-Account-Customization
Verification levels are a server setting
The server settings will define what level of verification you need on your investigative account: https://support.discord.com/hc/en-us/articles/216679607-What-are-Verification-Levels-
An account that was just created is more likely to be blocked.
Discord Phone Number Challenges
There is a chance you will receive a security challenge requiring a phone number (VOIP numbers have a low rate of success).
How to join a server
Invite Links - https://support.discord.com/hc/en-us/articles/208866998
- These can expire depending on how they were set up (date, user limit, etc.)
- Permanent links have seven characters in the URL
- Links with expirations have 5 characters unless they predate 2016
Create a Test Server
A great way to better understand the ins and outs of servers is to create your own test server.
- How users create a server
- Official Server FAQ
- Understanding Bots (must be an admin or moderator)

1.4 Finding Discord Servers
Searching for a server without knowing the URL:
Search within the Discord interface or in the application
- User Search
- Server Search by Topic: "Server Discovery" from bottom left of the interface
Using Google to Locate Servers
Sample structured queries:
- discord keyword
- site:discord.com keyword
- site:https://discordapp.com/invite/* keyword
- site:https://discordapp.com/invite/* game
- site:twitter.com "discord.gg" osint
- https://discordapp.com/invite/* vouch
- https://discordapp.com/invite/* "china"
- https://discord.gg/ "COMB" "breach"
- "discord.gg" "COMB" "breach"


Invite Result Examples (note that these invites die often, so some of these may not work):
- https://discord.gg/raidforums
- https://discord.gg/ogusers
- https://discord.gg/parler
- https://discord.gg/fullz
Third Party Search Sites
Many third party server search sites are opt-in for promoting your server, so they are very incomplete.
- https://disboard.org/search?keyword=osint (probably the best, accepts URL manipulation)
- https://top.gg/servers/search (URL structure example: https://top.gg/servers/search?q=cvv)
- https://discord.center/
- https://www.discordportal.com/ (kind of garbage)
- https://discord.me/
- https://discordservers.com/
- https://discordbee.com/servers?q=OSINT
- https://top.gg/servers
Reddit
Many servers are promoted on Reddit, so a quick search for discord and the topic keyword will likely bring up results. For example:
- https://www.reddit.com/r/OSINT/comments/f9am2m/osint_discord_server/
- http://www.osinteditor.com/pagina-di-esempio/

1.5 Capture/Collection - Scripts & Tools
- Our standard capture extensions to preserve portions of the server channels by hand. Hunchly users will find that it does a fairly good job of capturing channels as long as you scroll and fully load the content.
- Chylex comment scraper (Discord History Tracker, DHT): Scrape channel content to txt files. Make sure to get the viewer as well.
- Tampermonkey (Firefox, Edge, Chrome, Opera): Tampermonkey is required for some applications of DHT. It is also useful with some of our tactics for capturing Telegram, so it is a good extension to have on hand.
- Discord Chat Exporter: This script works with the desktop application and is more complicated to use. It makes for a good secondary option. See the Discord Chat Exporter Wiki.
- Unfurl URLs: Useful for extracting timestamps (credit to https://twitter.com/_RyanBenson/status/1346854657272942593)
Setting up Discord Chat Exporter on a VM
Use the app on a Linux or Windows VM for extra security.


1. Clone your Master Windows 10 machine created previously
2. Title your new VM "Discord" and conduct the following inside the VM
3. Download and install the Discord app from https://discordapp.com/download
4. Download the first file titled "DiscordChatExporter.zip" from https://github.com/Tyrrrz/DiscordChatExporter/releases
5. Extract the contents of the zip file to your Windows VM Desktop
6. Launch DiscordChatExporter.exe from within the new folder
7. Launch the Discord app, provide your account credentials, and connect to the target Discord server (example: https://discordapp.com/invite/DBtGker)
8. Press Ctrl+Shift+I on the keyboard to launch the Discord developer options
9. Click the arrows in the upper right and select "Application"
10. Double click "Local Storage" and select "https://discordapp.com"
11. Press Ctrl+R on the keyboard and look for "Token" in the right menu
12. Select and copy the entire token key (without the quotes)
13. Paste the token into the DiscordChatExporter program and click the arrow
14. Select the desired target server on the left and the target channel on the right
15. Choose the "CSV" export format and leave the dates empty
16. Choose the save location and click "Export"

1.6 Legal Requests
Considerations and resources for preservation and other legal requests.
If you work in Law Enforcement, consider sending Discord a preservation request when you begin your investigation. When servers get closed due to abuse complaints, they get flushed, potentially resulting in lost evidence. If you are investigating a server there is a chance that they are posting material which violates the terms of service, so there is always a chance that the server could get wiped during your investigation.
Contact for Law Enforcement Requests
- Emergency Requests: use a subject line of "Emergency Request" and articulate the imminent threat of harm or loss of life in the body of the email
- Privacy Policy: Read through their privacy policy for an idea of what they collect
- Understand how to reference servers and users in legal requests: Discord Trust & Safety
Developer mode
- Go to User Settings -> Appearance and turn on Developer Mode to make additional info viewable
- For the User ID, right-click the user's username. You should see 'Copy ID' as the last item on the drop-down menu. Click it to get the ID.
- To get a link for a message, click on the 3 dots to the far right of the message. You will see an option to copy the link.
- For the Server ID, right-click the server name above the channel list and click Copy ID.
- There are instructions for doing the same in the mobile app on the Discord Trust & Safety page
- Channel ID numerical examples: 458831883384651787, 458832125391536138
Check the latest guidelines for legal requests at Search.org. Search.org also provides guides for authorized law enforcement.
Discord.app
- Online Service: Discord, Inc.
- Address: 444 De Haro St, Suite 200
- City: San Francisco
- State: CA
- Zip Code: 94107
- Phone Number: 8885940085
- Email: [email protected]
Discord, Inc. Law Enforcement Guide available from SEARCH.ORG. In order to process a request, Discord, Inc. requires that you issue legal process with any of the following identifying information related to this user, so that they are able to locate them in the system:
- Full username including the 4 digit discriminator (example of the format: UserName#1234)
- Email address of the account
- 17 or 18 digit User ID number (if needed, the instructions for locating a User ID can be found here)
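Unfurl (listed under Capture/Collection above) and the 17 or 18 digit User ID that Discord requires in legal process rest on the same fact: every Discord ID is a snowflake whose upper bits are a millisecond timestamp, so a user, server, channel or message ID dates itself without any request to Discord. The Python below is an added example, not code from the notebook, Discord, Unfurl or DiscordChatExporter; it decodes that timestamp from a bare ID and from a channels/ message link. The link layout and the sample IDs are the ones quoted in these notes, the bit layout is the one in Discord's developer documentation, and the accepted hostnames and the UserName#1234 helper are assumptions for illustration.

```python
"""Decode Discord snowflake IDs and the IDs embedded in a Discord message link.

Added example, not code from Discord, Unfurl or DiscordChatExporter.
Snowflake layout per Discord's developer docs: bits 22-63 are milliseconds
since 2015-01-01T00:00:00Z, bits 17-21 worker id, bits 12-16 process id,
bits 0-11 a per-process increment.
"""
import re
from datetime import datetime, timedelta, timezone

DISCORD_EPOCH = datetime(2015, 1, 1, tzinfo=timezone.utc)

# Link layout from the notes: discord.com/channels/<server>/<channel>[/<message>]
# Assumption: the discordapp.com, ptb and canary hosts are accepted as well.
LINK_RE = re.compile(
    r"^https://(?:ptb\.|canary\.)?discord(?:app)?\.com/channels/"
    r"(?P<guild>\d{17,20}|@me)/(?P<channel>\d{17,20})(?:/(?P<message>\d{17,20}))?/?$"
)


def snowflake_to_datetime(snowflake):
    """Return the UTC creation time encoded in a snowflake (int or digit string)."""
    sf = int(snowflake)
    if sf <= 0:
        raise ValueError("snowflake must be a positive integer")
    # timedelta keeps the millisecond exact; float seconds would round it
    return DISCORD_EPOCH + timedelta(milliseconds=sf >> 22)


def snowflake_parts(snowflake):
    """Break a snowflake into its documented fields."""
    sf = int(snowflake)
    return {
        "created_utc": snowflake_to_datetime(sf).isoformat(timespec="milliseconds"),
        "worker": (sf >> 17) & 0x1F,
        "process": (sf >> 12) & 0x1F,
        "increment": sf & 0xFFF,
    }


def parse_message_link(url):
    """Map a channels/ link to its guild, channel and message IDs with timestamps.

    Returns None when the URL is not a Discord channel link. The guild slot may
    be '@me' for DM links, which is not a snowflake and gets no timestamp.
    """
    m = LINK_RE.match(url.strip())
    if not m:
        return None
    result = {}
    for part in ("guild", "channel", "message"):
        value = m.group(part)
        if value is None:
            continue
        entry = {"id": value}
        if value.isdigit():
            entry.update(snowflake_parts(value))
        result[part] = entry
    return result


def split_username(full):
    """Split the legacy 'UserName#1234' form cited in legal requests into its parts."""
    name, sep, disc = full.rpartition("#")
    if not sep or not (disc.isdigit() and len(disc) == 4):
        raise ValueError("expected UserName#1234 format")
    return name, disc


if __name__ == "__main__":
    # Channel IDs quoted in the notes above
    for cid in ("458831883384651787", "458832125391536138"):
        print(cid, snowflake_parts(cid))
    print(parse_message_link("https://discord.com/channels/370945003566006272/370945003566006274"))
    print(split_username("Dingo#0019"))
```

The decoded time is the moment the object was created on Discord's side (account creation for a user ID, channel creation for a channel ID, post time for a message ID), which is exactly the kind of context a preservation request or timeline needs and which no screenshot of the chat shows. Treat the worker and process fields as curiosities only; nothing in them identifies a person.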

1.7 Resources, Projects, and Scripts
- Official support pages
- NW3C Discord Resources PDF
- Discord Official Privacy Policy
- Discord.io: Be aware of third party integrators such as https://discord.io/ which create custom links and collect marketing data, so you may want to serve a subpoena/warrant on them as well if your target is using them to obtain the subscriber data.
- Discordia Wiki
- Discord.id - Locate User by ID
- Dutchosintguy's Discord Resource List
- Discord System Status
- Chylex Discord Text Exporter: scrape channel content to txt files. Make sure to get the Chylex viewer.
- DiscordChatExporter: more complicated content scraper. Official Instructions.
- Unicorn Riot Discord Scrape

1.8 Sample OSINT Focused Discord Servers
- Spiderfoot Discord Server
- OSINTFr.com Discord Server
- Searchlight
- Bellingcat Discord
- Independent OSINT Investigations Discord
- OSINT Editor
- OSINT Monkey
- Project Owl
- i-intelligence list

1.9 Lesson Links (OneTab Format)
- https://discord.com/invite/defcon | DEFCON
- https://www.defcon.org/html/defcon-safemode/dc-safemode-discord.html#step0 | DEF CON® 28 Safe Mode Discord Server
- https://www.nationalheraldindia.com/national/kashmiri-couple-arrested-for-islinks-ran-kashmirosint-handle | Kashmiri couple arrested for IS links ran Kashmirosint handle
- https://mediasonar.com/2019/11/13/bad-actors-discord/ | Bad Actors on Discord | Blog | Media Sonar Technologies
- https://www.propublica.org/article/atomwaffen-division-inside-white-hate-group?utm_campaign=sprout | Inside Atomwaffen As It Celebrates a Member for Allegedly Killing a Gay Jewish College Student - ProPublica
- https://discord.com/brand-new/download | Download Discord to Talk, Chat, and Hang Out
- https://support.discord.com/hc/en-us/categories/200404398 | Discord Interface – Discord
- https://discord.com/channels/370945003566006272/370945003566006274 | general
- https://discord.com/invite/yeUbPNR | My Anime Chat
- https://support.discord.com/hc/en-us/articles/206346498-Where-can-I-find-my-User-Server-Message-ID- | Where can I find my User/Server/Message ID? – Discord
- https://support.discord.com/hc/en-us/articles/360033931551-Getting-Started | Getting Started – Discord
- https://support.discord.com/hc/en-us/articles/360035491151-Account-Customization | Account Customization – Discord
- https://support.discord.com/hc/en-us/articles/216679607-What-are-Verification-Levels- | What are Verification Levels? – Discord
- https://support.discord.com/hc/en-us/articles/208866998 | Invites 101 – Discord
- https://support.discord.com/hc/en-us/articles/204849977-How-do-I-create-a-server- | How do I create a server? – Discord
- https://discord.com/privacy | Privacy Policy | Discord
- https://support.discord.com/hc/en-us/articles/360000291932-How-to-Properly-Report-Issues-to-Trust-Safety | How to Properly Report Issues to Trust & Safety – Discord
- https://discord.com/invite/* | Discord
- https://disboard.org/search?keyword=osint
- https://discord.center/
- https://www.discordportal.com/
- https://discord.id/ | Discord.id - Locate User by ID
- https://discord.me/servers | Public Discord Servers You'll Love ❤ | Discord Me
- https://discordservers.com/
- https://discordbee.com/servers?q=OSINT
- https://top.gg/servers | Discord Servers | Discord Server List
- https://www.reddit.com/r/OSINT/comments/f9am2m/osint_discord_server/ | OSINT Discord server : OSINT
- http://www.osinteditor.com/pagina-di-esempio/
- https://dht.chylex.com/
- https://dht.chylex.com/build/viewer.html
- https://github.com/Tyrrrz/DiscordChatExporter | Tyrrrz/DiscordChatExporter: Exports Discord chat logs to a file
- https://github.com/Tyrrrz/DiscordChatExporter/wiki | Home · Tyrrrz/DiscordChatExporter Wiki
- https://support.discord.com/hc/en-us | Discord
- https://www.nw3c.org/docs/research/discord.pdf | discord.pdf
- https://discord.io/ | Discord.io
- https://github.com/Dutchosintguy/OSINT-Discord-resources | Dutchosintguy/OSINT-Discord-resources: Some OSINT Discord resources
- https://www.search.org/ | SEARCH | The National Consortium for Justice Information and Statistics
- https://github.com/Tyrrrz/DiscordChatExporter/releases | Releases · Tyrrrz/DiscordChatExporter
- https://discord.com/invite/DBtGker | Team Omega Cybersecurity and Analysis
- https://discord.com/brand-new | Discord | Your Place to Talk and Hang Out
- https://top.gg/servers/search?q=cvv | Example of a 3rd party query using URL structuring


9OSINTGab.md

7/23/2021

OSINT Essentials - Gab v.6.2021
https://gab.com/
Gab is a social media platform largely known for associations with "right-wing" individuals and groups. This does not mean that it is exclusive to that cultural niche; keep in mind that there will also be accounts belonging to those counter to that political leaning, as well as journalists, other investigators, and politicians. Just like all other popular social media platforms, there will also be accounts set up for marketing and other legitimate and criminal enterprises. Gab has a format similar to Twitter, and profile analysis is similar, although with fewer third party tools and resources. We typically must break down and capture the profile manually using our standard tactics. Posts are called "gabs" and follow a format similar to tweets. Replies are just called replies. Users can pin a gab to the top of their feed, again just like Twitter.

1.1 Account Creation
We can view basic profile details and timelines without being logged in. As we will no doubt want to locate as much potential intelligence as possible, we will need to create a burner account in order to examine data such as followers, following, comments, media, etc. Account creation is straightforward and relatively painless. You will need to provide the following:
- Account name
- Burner email address
- Password
- Solve a captcha
Currently you are unlikely to run into any major issues creating investigative Gab accounts, although they could add additional scrutiny in the future. Therefore, it is wise to create some accounts before you need them. This also allows them time to mature and appear more legitimate. As always, consider your investigative environment and operational security when creating and using your burner accounts. Setting up a dedicated virtual machine for Gab investigations is advisable, as when we look at more advanced search it will become necessary to isolate our sessions. Use of a VPN will depend on your target and threat model, but it is always a best practice to protect your IP address from platforms such as Gab. Even if they are not malicious or selling your user data, platforms eventually suffer some level of data breach.

1.2 Search
We can use Google and our usual operators to find content on Gab. If you end up with results such as "trends" pages that you want to filter out, use your operators to remove the non-pertinent results. Below are just a couple of examples. Be creative and do not limit yourself to these operators. Keep in mind that some Google results will direct you to pages that require you to be logged into a Gab account in order to see the full page contents.
Google Query Examples
- site:gab.com -site:trends.gab.com dox OR doxx
- site:gab.com -site:trends.gab.com #osint
- site:gab.com -site:trends.gab.com "username"
- site:gab.com intitle:"(@" -inurl:trends -inurl:help (this profile search example was provided by OSINT researcher Jake Creps, article linked below)
- site:gab.com/groups aliens
URL Structuring
You will want to be logged into a Gab burner account to take full advantage of the results.
- Username: https://gab.com/username
- Gab Search: https://gab.com/search?q=keyword
- Groups: https://gab.com/groups/browse/tags/hashtag1 hashtag2 hashtag3
- Hashtags: https://gab.com/browse/tags/hashtag

1.3 Profile Analysis

Our analysis approach is very similar to what we use when processing a Twitter profile. We start at the top left and work our way through potential pivot points (identifiers which may serve as leads to other accounts or the true identity of our target):

- Profile and/or Banner Images
- Vanity Name
- Username
- Bio
- Membership Date (this is less a pivot and more context on the maturity of the account)
- Followers/Following
- Posts (these are called "gabs")

The following are some sample Gab targets which you may use to gain familiarity with the platform and with extracting intelligence/evidence from profiles. Remember to practice good operational security and digital hygiene when testing the waters, even if it is on practice targets.

- https://gab.com/Sabretooth
- https://gab.com/daeshhunter
- https://gab.com/american_futurist (Extremist)
- https://gab.com/Spartan_ (OSINT Example)

Note: The examples used are purely for educational purposes and their use does not imply any guilt or wrongdoing on the part of the account owners. Most examples are chosen at random, although we try to throw in some that reflect what we typically deal with in our operations and investigations.

Page Capture

As always, consider conducting captures as you go so that if posts or accounts are removed/edited we have them preserved. Use your page capture tool of choice to preserve the profile page and add it to your investigative directory or notes.

- Hunchly
- Fireshot (the free version has limited ability to capture long pages)
- Single File
- Instant Data Scraper

Reverse Image Search

Right-click on the profile image and open it in a new tab. If you have not done so already, consider saving a copy for your case file or investigative notes. Next, feed the image to reverse image search engines such as Google, either by right-clicking on it or by copying the URL and pasting it into the reverse image search form fields on the Images tab of your custom OSINT tools.

Alternatively, you can use the developer tools in your browser: right-click on the image and select "Inspect Element". This opens the developer panel and lets you see the direct file location for the image. Now that you have the file link from your developer panel, use it with the same steps as above.

Note: The same tactics can be used to reverse image search the banner image if one is present.

Vanity Name Pivot

Although the vanity name is arbitrary and is often an alias, it is worth doing a quick search to see if it has been used on other social media sites. Although aliases are common, occasionally you will find targets that list their real name as a vanity name. If the vanity name resembles a moderately unique full name, it may be worth running it through the Name tab of your custom OSINT tools. If the vanity name is generic (i.e. Bill Smith) then a reverse search on the vanity name will likely be of little use due to the prevalence of false positives.

Username Pivot

Below the vanity name you will find the target's username. This is often more useful as a pivot point, as many people choose to use the same username across multiple platforms. Again, the value will depend on the uniqueness of the username (i.e. hacker vs hacks4hugs). You can do a manual reverse search on the username in Google or fire off a search in the Username tab of your custom OSINT tools.

Note: Below the username you may see icons or "badges" indicating an account status. Specifics on what these mean can be found at: https://pro.gab.com/

Membership Date

The date a target joined the platform should be noted in your case file (it is also memorialized when you perform a screen capture of the profile page). This date has the following potential value depending on your mission:

- It provides an idea of how long the target has been on Gab, which may give you an idea of what types of historical data you might find via breach and archive data.
- If you are working a Gov/LE case, you will include this intelligence in your affidavit and warrant/subpoena as fact supporting the date range of your request.
- Contextual intelligence on your target: dedicated early adopter vs casual member once a platform is popular.

Bio

Aside from a unique username, the bio is one of your best potential pivot points. A bio containing unique verbiage or identifiers can be a fantastic pivot point. Maybe the vanity name and username are generic, but the bio contains a unique cultural reference, unusual choice of words, or mention of other sites/groups associated with the target. The bio often provides some contextual intelligence in regard to interests, hobbies, and beliefs. If you are really lucky, the bio will contain a private or professional domain.


Following/Followers

Following and followers lists provide the usual value to our investigation. Things to remember:

- For famous targets, who they are following typically offers more intelligence value; for relatively unknown targets, the followers tend to be more telling.
- Preservation and analysis can be achieved by copying the following and followers lists and pasting them into an Excel spreadsheet. You can also try using an extension such as Instant Data Scraper to harvest the data, but be aware that use of aggressive extensions will possibly increase the risk of receiving a security challenge. I have not run into this issue on Gab specifically, but it is a best practice to avoid scraping using any valuable accounts that you can't afford to lose.

Posts ("Gabs")

We process these similarly to Twitter, but the lack of third-party tools has us relying primarily on manual review. Things to keep in mind:

- You will need to be logged into a burner account to properly access and analyze threads.
- Opening a post will cause it to display a more accurate time/date stamp.
- Users interact with a thread similarly to Twitter, although the terminology and icons are slightly different. Replying, quoting, favoriting, and reposting do exactly what you would think. If you are new to Gab, do not overthink it; just use the same approach you would when manually reviewing threads on Twitter.
- We are typically looking for who is actively interacting with our target's posts. This helps us start to develop a network of associates and other potential targets to pivot off of. Start by noting the most prolific associates along with page captures, and then long term consider working up a link chart illustrating connections, weighting the relationships by the number of replies, favorites, quotes, and reposts. Full link analysis is beyond the scope of this lesson, but a good start is just making a list of the accounts which interact with your target's posts the most.
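The two manual steps above, preserving follower lists across captures and listing which accounts interact with the target's posts the most, as an added Python example. This is not code from the lesson or from Gab; it assumes you have pasted a followers/following list one handle per line and recorded the interactions you observed (from Instant Data Scraper or by hand) into a CSV with post_id, actor and type columns. The weights and every sample row are constructed placeholders, not real Gab accounts.

```python
"""Added example (not part of the lesson): rank the accounts interacting with a
target's gabs and diff two captures of a followers/following list.

Assumptions: interactions were exported (e.g. from Instant Data Scraper or by
hand) to CSV with post_id, actor, type columns; follow lists were pasted one
handle per line. All sample data below is constructed, not real Gab accounts.
"""
import csv
import io
from collections import Counter, defaultdict

# Assumed weights for the link chart; the lesson names these four interaction
# types but does not prescribe weights, so tune them to your own scheme.
WEIGHTS = {"reply": 3, "quote": 3, "repost": 2, "favorite": 1}

# Constructed sample export: one row per interaction observed on the target's posts.
SAMPLE_INTERACTIONS = """\
post_id,actor,type
1001,@alpha_user,reply
1001,beta_user,favorite
1001,alpha_user,favorite
1002,gamma_user,repost
1002,Alpha_User,quote
1003,beta_user,reply
1003,delta_user,favorite
1003,delta_user,unknown
"""

# Constructed sample follower captures from two different days.
CAPTURE_DAY1 = "@alpha_user\nBeta_User\ngamma_user\n\n"
CAPTURE_DAY2 = "alpha_user\n@gamma_user\nepsilon_user\n"


def normalize_handle(raw):
    """Gab shows handles as @Name; compare without '@' and case-insensitively."""
    return raw.strip().lstrip("@").lower()


def rank_interactions(csv_text, weights=WEIGHTS):
    """Return [(actor, weighted_score, {type: count})], highest score first."""
    scores = Counter()
    per_type = defaultdict(Counter)
    for row in csv.DictReader(io.StringIO(csv_text)):
        actor = normalize_handle(row["actor"])
        kind = row["type"].strip().lower()
        if not actor or kind not in weights:
            continue  # skip blank or unrecognised rows instead of aborting the run
        scores[actor] += weights[kind]
        per_type[actor][kind] += 1
    return [(a, s, dict(per_type[a])) for a, s in scores.most_common()]


def parse_follow_list(text):
    """One handle per line, as pasted from the Gab followers/following page."""
    return {h for h in (normalize_handle(line) for line in text.splitlines()) if h}


def diff_follow_lists(earlier, later):
    """(added, removed) between two captures, so churn is documented rather than lost."""
    old, new = parse_follow_list(earlier), parse_follow_list(later)
    return sorted(new - old), sorted(old - new)


if __name__ == "__main__":
    for actor, score, counts in rank_interactions(SAMPLE_INTERACTIONS):
        print(f"{actor:<12} score={score:<3} {counts}")
    added, removed = diff_follow_lists(CAPTURE_DAY1, CAPTURE_DAY2)
    print("new followers:", added, "unfollowed/removed:", removed)
```

The ranked list is the "most prolific associates" starting point; the diff between two captures is what you attach to the case file when an account is later deleted or when the target prunes followers after being contacted.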
Images and videos posted can be handled in our standard fashion. Images can be saved and reverse image searched after opening them in their own tab. Most videos can be saved with a simple right-click and "Save video as". If you have trouble isolating any images or video, you can open your trusty developer panel (F12) and dig through the page code for the exact file URLs.

Groups

Group pages can be processed easily by hand as well: https://gab.com/groups

- You will need to be logged in to a burner account to see posts on most group pages.
- Group URLs use the group number, not the group name, which makes URL structuring somewhat useless aside from entering random numbers to see what you get. In our testing the group numbers appeared to be in chronological order, with group 1 created on May 2, 2018.
- There is an "About" section on the right side of a group page which lists a group bio, whether it is publicly viewable, whether it is searchable in the Gab search bar, number of members, date created, and a list of hashtags.


The group bio and hashtags are often very good intelligence and cultural context. Often the bio contains external sites and communities. The hashtags can make great pivot points for searching for other prolific groups and individuals sharing similar interests, beliefs, goals, and overall culture. The member lists are handled similarly to how we process followers/following.

- Example Conspiracy Group: https://gab.com/groups/476 (Paranormal)
- Example Innocuous Group: https://gab.com/groups/75 (Smoke Meats)

1.4 Dissenter Browser

Dissenter is a browser created and maintained by Gab. It used to be a browser extension, but the extension was later banned by Google and Mozilla (see the Dissenter ban article in the lesson links). The primary benefit of the Dissenter browser is that when using it you can find Gab comments on third-party sites. The browser provides a comment overlay and maintains a database of comments associated with any website where another Gab user has left a comment. So, if you go to an article on CNN.com, for example, you can check to see if Gab members have logged a comment for that page. Their comment would only be visible to those using the Dissenter browser. This is an important intelligence tool for anyone working targets who might be associated with Gab.

The browser is easy to download, install and use. Here are some best practices:

- The browser will collect user data, so use good operational security.
- Use the browser while on a VPN or other protected connection.
- Use a virtual machine to isolate your Dissenter session and limit the data collected by Gab.
- Dissenter is available for Windows, Mac, and Linux at Dissenter.com.
- Dissenter is Chromium based, so you are able to install Chrome extensions such as OneTab or Fireshot if you like.

1.5 Infiltration

Involved investigations or infiltrations may benefit from the additional access afforded by a pro account. More information on the gains from this status can be found on Gab's pro-account benefits page. This is a premium service, but they do accept Bitcoin, which makes it accessible without too many operational security hurdles when it comes to payment. This option is likely only worth the trouble if you do a fair amount of work on Gab or if you need to run infiltration operations.

Cultural Context

We always talk about the importance of understanding culture when infiltrating any online community. The quickest path to failure is rushing in and "cold calling" targets without understanding the standard practice on both the platform and your target group. Always take time to "wall flower" and observe first, unless your mission parameters dictate otherwise.

Operational Security

Standard best practices apply. Use burner email addresses and phone numbers. Protect your connection with a VPN or other covert internet access. A virtual machine will isolate your sessions from your workstation and reduce cross-contamination with other work and accounts.

1.6 Resources & Articles

- Gab FAQ
- Gab Privacy Policy
- Gab Wiki - historical info
- Gab OSINT Article by Sinwindie - dated but well done
- Sinwindie also has some resources on GitHub, again a little dated but worth a look
- Skopenow Gab Article
- Gab Data Breach


1.7 Lesson Links (OneTab Format)

- https://hub.packtpub.com/mozilla-and-google-chrome-refuse-to-support-gabs-dissenter-extension-for-violating-acceptable-use-policy/ | Mozilla and Google Chrome refuse to support Gab's Dissenter extension
- https://gab.com/groups | Groups / Gab Social
- https://gab.com/groups/1 | Nocoiners / Group / Gab Social
- https://gab.com/groups/393 | QAnon / Group / Gab Social
- https://www.google.com/search?q=site%3Agab.com+intitle%3A%22(%40%22+-inurl%3Atrends+-inurl%3Ahelp | site:gab.com intitle:"(@" -inurl:trends -inurl:help - Google Search
- https://www.google.com/search?q=site%3Agab.com+-site%3Atrends.gab.com+%23osint | site:gab.com -site:trends.gab.com #osint - Google Search
- https://www.google.com/search?q=site%3Agab.com+intitle%3A%22%28%40%22+-inurl%3Atrends+%22%7Bdisplay+name%7D%22+OR+%22%7Busername%7D%22 | site:gab.com intitle:"(@" -inurl:trends "{display name}" OR "{username}" - Google Search
- https://www.google.com/search?q=filetype%3Apdf+%22gab%22+%22osint%22 | filetype:pdf "gab" "osint" - Google Search
- https://www.google.com/search?q=site%3Agab.com%2Fgroups+aliens | site:gab.com/groups aliens - Google Search
- https://gab.com/daeshhunter | ⎛⎝DH⎠⎞ (@daeshhunter) / Gab Social
- https://media.gab.com/system/accounts/avatars/000/120/226/original/IMG_20200614_083337.jpg | IMG_20200614_083337.jpg (400×400)
- https://gab.com/search?q=osint | Search / Gab Social
- https://gab.com/about/privacy | Privacy Policy / Gab Social
- https://en.wikipedia.org/wiki/Gab_(social_network) | Gab (social network) - Wikipedia
- https://pro.gab.com/#plans | Gab PRO | Upgrade To Support Gab
- https://dissenter.com/ | Dissenter | The Comment Section of the Internet
- https://www.secjuice.com/investigate-gab-users-osint/ | Gab OSINT Techniques
- https://github.com/sinwindie/OSINT/tree/master/Gab | OSINT/Gab at master · sinwindie/OSINT · GitHub
- https://github.com/sinwindie/OSINT/blob/master/Gab/Gab%20OSINT%20Attack%20Surface.png | OSINT/Gab OSINT Attack Surface.png at master · sinwindie/OSINT · GitHub
- https://www.skopenow.com/news/osint-for-gab-and-dissenter-investigations | Skopenow - OSINT for Gab and Dissenter Investigations
- https://gab.com/american_futurist | Extremist Example


9OSINTKeywords.md

7/23/2021

OSINT Essentials - Keywords & Vernacular

This Excel workbook is a collection of keyword lists and vernacular which can be used for your OSINT investigations and threat intelligence missions. Some of our tools, such as Hunchly, will accept bulk input of terms; for others we will need to copy/paste manually. These sets are not my creation; rather, I have harvested them over the last couple of years from colleagues, reference sites, and subject matter experts. I would like to continue to build out this list, so please let me know if you stumble onto any good additions to the collection. It can be downloaded below.

https://www.inteltechniques.net/courses/take/open-source-intelligence/downloads/14951667-keyword-vernacular-workbook

1/1

9OSINTParler.md

7/23/2021

OSINT Essentials - Parler v.6.2021
https://parler.com

1.1 Overview of Parler

With the largest social media companies embroiled in battles over whether or not they should be restricting/policing content, several secondary platforms have arisen to take advantage of the gap. Parler purports to be a "free speech" focused platform, which also makes it a haven for some of the extremists and criminals that we in the intelligence field are tasked with pursuing. The name is actually pronounced "parlay", which means to speak or converse.

In the US, Parler is largely associated with individuals and groups with "right-wing" political leanings. That is of course not the entire population of the platform, but from a perspective of cultural context that is largely who you will see there.

Most of our research will require the use of a burner account. This was not the case prior to spring 2021, when Parler made significant changes to their platform to prevent scraping and other non-credentialed access. The functionality is similar to Twitter and other mainstream social media platforms. A post is called a "parley", and if you see the term "echo", it is to Parler what a "retweet" is to Twitter.

1.2 Account creation

You will need a burner account to conduct research on Parler. Failure to log into an investigative account will result in redirection to the login page or 404 errors when attempting URL manipulation or otherwise viewing content on the platform.

Account creation is straightforward, although they do require a phone number. During our tests, VOIP numbers such as Sudo phone numbers were not accepted. We were able to use landlines and real cell phone numbers to create accounts. The platform did not tolerate freemail during our testing, but this may change in the future and your experience may vary.

If you have older accounts which you have not used for a while, you may find that they are dead. It appears that Parler wiped some older accounts when they rebuilt their platform in 2021. This is purely anecdotal, based on a selection of 2020 burner accounts which appear to no longer be valid.

Navigation is similar to Twitter, but with a few quirks. When you look at someone's profile you will want to click on "show comments" and "show replies" to cause additional content to be displayed. Accounts default to public and most people do not change these over to private. If you wish to create a burner account and change it to private, the setting is straightforward.

1.3 Search

For search we can start by using Google as we do with most social media platforms, although Parler changed how they handle non-credentialed access in the spring of 2021. You can still find pointers to some older posts in Google results, although you will need a burner Parler account to access the full results on Parler.com. Some search engine results will have a different URL structure, and this typically indicates that they were cached prior to spring 2021. Any results which offer a Google cache predate the recent changes on the platform requiring use of an account to view content. Thus, Google searches are great for pointers to older content and accounts, and then we can use Parler's in-platform search or some URL manipulation to potentially view newer content for the same target.

Example of a Google cache result: https://webcache.googleusercontent.com/search?q=cache:WA9lHU5Q7rEJ:https://parler.com/profile/SamBR549/posts+&cd=3&hl=en&ct=clnk&gl=us

Google Operators

Google is going to be our top resource in searching for content on Parler. This is largely due to the lack of third-party search sites and tools.

site:parler.com keyword(s)

Google Query Examples:

- site:parler.com portland riots
- "parler.com/post/" portland riot
- parler.com/post/ -site:parler.com
- parler.com/comment/ OR parler.com/post/ -inurl:http|https://parler.com riot
- "parler.com/comment" riot portland
- site:parler.com "san francisco" -site:api.parler.com

URL Manipulation

Parler made many changes in the spring of 2021 and most of our previous URL manipulation tactics no longer function properly. Here are a few that remain useful as of June 2021.

- https://parler.com/#/user/username/
- https://parler.com/#/search?type=user&s=keyword (example: https://parler.com/#/search?type=user&s=patriot)
- https://parler.com/#/search?type=hashtag&s=keyword

Google Cache

You will find limited Google cache results for some older posts, but now you will largely need a Parler account to properly view profiles, posts, and comments.

Third Party Search

Prior to the changes made in spring 2021, Parler was scraped and approximately 70TB of data was archived by data scientists, activists, etc. This was not a "hack", despite several reports claiming so. Below is a third-party site which has culled out a much smaller, and likely more useful, data set and made it searchable.

Adatascienti.st Parler Scrape Search. Query example: https://parler.adatascienti.st/search?q=portland+riot

Note: Adatascienti.st is not the complete scrape, so do not see a lack of results as ruling anything out.

You will note a clear lack of third-party tools for searching Parler. One tactic you can use, understanding the culture of Parler, is that if your target has profiles on other platforms with a similar bent, it might be worth doing a manual search for their known usernames using Parler's own search function. For example, if you query a group such as PatriotPrayerUSA on a site like https://whatsmyname.app/ you will not see a Parler entry, but you do see Gab and other culturally similar sites. When you log into your burner Parler account you can search for the same username and will immediately find the corresponding profile on Parler.

1.4 Capture & Preservation

Your usual capture/preservation strategies for any of the typical long-form social media sites will serve you well on Parler.

- Hunchly
- Fireshot (the free version has limited ability to capture long pages)
- Single File
- Instant Data Scraper: very simple to use, just click on the extension to open the capture menu, check infinite scrolling, tell it to scrape the page, and then download the generated spreadsheet.
- Copy/Paste into Excel (not ideal, but always good as a backup option) for grabbing who your target is following. You cannot typically pull up the list of who is following them.

1.5 Additional Reading & Resources

- Google Caches of Parler.com
- Parler Article - The Basics
- Explanation of the Massive Parler Scrape
- Finding People on Parler
- Guide on Searching Hashtags
- Example of Data Collection on Parler

1.6 Practice Targets

- https://censored.tv/news/a-complete-guide-onhow-to-find-your-favorite-people-on-parler/ (guide to finding people on Parler)
- https://parler.com/#/user/defconosint
- https://parler.com/#/user/PatriotPrayerUSA

Lesson Links (OneTab Format)

- https://parler.com/main.html | About Parler
- https://www.google.com/search?q=site%3Aparler.com+portland+riots | site:parler.com portland riots - Google Search
- https://www.google.com/search?q=%22parler.com%2Fpost%2F%22+portland+riot | "parler.com/post/" portland riot - Google Search
- https://www.google.com/search?q=parler.com%2Fpost%2F+-site%3Aparler.com | parler.com/post/ -site:parler.com - Google Search
- https://www.google.com/search?q=parler.com%2Fcomment%2F+OR+parler.com%2Fpost%2F+-inurl%3Ahttp%7Chttps%3A%2F%2Fparler.com+riot | parler.com/comment/ OR parler.com/post/ -inurl:http|https://parler.com riot - Google Search
- https://www.google.com/search?q=%22parler.com%2Fcomment%22+riot+portland | "parler.com/comment" riot portland - Google Search
- https://www.google.com/search?q=site%3Aparler.com+%22san+francisco%22+-site%3Aapi.parler.com | site:parler.com "san francisco" -site:api.parler.com - Google Search
- https://parler.com/#/user/username/
- https://parler.com/#/search?type=user&s=keyword
- https://parler.com/#/search?type=hashtag&s=keyword
- https://parler.adatascienti.st/ | parler · search
- https://parler.adatascienti.st/search?q=portland+riot | parler · portland riot
- https://hunch.ly/ | Hunchly - OSINT Software for Cybersecurity, Law Enforcement, Journalists, Private Investigators and more.
- https://getfireshot.com/ | FireShot - Instant Full page Screen Capture in your browser
- https://github.com/gildas-lormeau/SingleFile | gildas-lormeau/SingleFile: Web Extension for Firefox/Chrome/MS Edge and CLI tool to save a faithful copy of an entire web page in a single HTML file
- https://webrobots.io/instantdata/ | Instant Data Scraping Extension - Web Scraping Service
- https://webcache.googleusercontent.com/search?q=cache:AzVjvN9WUE8J:https://parler.com/ | About Parler (Google cache)
- https://ricochet.com/772478/an-idiots-guide-to-parler/ | An Idiot's Guide to Parler – Ricochet
- https://soundcloud.com/user-98066669/202-parler-privacy-security-osint | 202-Parler: Privacy, Security, & OSINT by The Privacy, Security, & OSINT Show
- https://censored.tv/news/a-complete-guide-onhow-to-find-your-favorite-people-on-parler/ | A Complete Guide on How to Find Your Favorite People on Parler - Censored.TV Blog
- https://www.skopenow.com/news/the-new-digital-meeting-place-what-parler-means-for-osint-investigators | Skopenow - The New Digital Meeting Place; What Parler Means for OSINT Investigators
- https://projects.propublica.org/parler-capitol-videos/ | What Parler Saw During the Attack on the Capitol | ProPublica
- https://webcache.googleusercontent.com/search?q=cache:WA9lHU5Q7rEJ:https://parler.com/profile/SamBR549/posts+&cd=3&hl=en&ct=clnk&gl=us | Google cache example
- https://parler.com/#/user/PatriotPrayerUSA | Parler
- https://whatsmyname.app/ | Username Search


9OSINTTelegram.md

7/23/2021

OSINT Essentials - Telegram v.6.2021
https://telegram.org/

Intro and Use Case

Although other chat and messaging platforms are certainly used by criminals, and platforms such as Discord are popular across the board, Telegram remains a consistent favorite of groups looking to traffic in illicit goods and activities. Although it is more of a mobile messenger, we can carry out research on the Telegram platform via browsers, scripts, and of course emulators. It should be noted that not all Telegram users, groups, and channels are malicious/criminal in nature. There are plenty of innocuous targets which are great for practicing your OSINT skills and getting familiar with the platform with little risk. For Law Enforcement, Telegram is currently based out of Dubai, so our ability to execute legal requests will largely be non-existent.

1.1 Basic Use

As Telegram is a mobile messaging platform, you will want to do a little prep prior to researching a target group or individual. Remember that, just like any other online operation, you should bear in mind your threat model when setting up your environment. For operational security purposes, you may want to run your investigation in a virtual machine, on a VPN connection, or use a burner phone and access Telegram via the mobile application.

A great way to get comfortable with users, groups, channels, and bots is to use a burner account to create some test groups and channels. This will give you a chance to review the admin settings and better understand why you are or are not seeing your target's content or individual features.

1.2 Users

User Accounts

User accounts are based on a phone number, but may also have a username, profile image, vanity (display) name, and bio line. Usernames are unique, but display names are not. Assigning a username to a user, group, channel, or bot makes it publicly visible. If you know the username you can append it to t.me/ as in https://t.me/username. Usernames have a minimum of five characters (letters, digits, and underscores) and are not case sensitive: t.me/Username and t.me/username resolve to the same account, so normalize to lowercase when comparing captures.


Example: https://t.me/maker

Contact Exploitation - We can use contact exploitation by uploading target information to an empty contact list on a burner phone or emulator and then giving the Telegram app access to our burner contact list.

1.3 Groups

Group chats are not end-to-end encrypted. Groups have a username, ID, profile image, and description. You can also see the number of members in the group.

Basic Groups

- Always private
- Maximum of 200 members

Private Super Groups

- Maximum of 100,000 members
- Only admins can invite users directly
- Only the admins have access to the invite link
- Invite links begin with t.me
- Private groups are not searchable via the Telegram search bar

Public Super Groups

- Member limit of 200,000 (note: member limits have changed at various points and you will find differing reports online related to the max member limit; some sites say 100k and others 200k)
- Any member can access the group invite link and share it with others
- The invite link is customizable
- Searchable via the Telegram search bar
- Visibility of the chat history is set by the group admin (you may only see messages going forward depending on how they have it set)


Broadcast Groups

Broadcast groups are a new feature and function similarly to channels. Only admins can post, but members can participate in voice chat. Broadcast groups have no member limits.

1.4 Channels

Official Telegram Channels FAQ

How do channels differ from groups?

- Channels are non-interactive; think of them as a broadcasting platform, whereas groups function more as an interactive chat.
- Channels have no limit on the number of subscribers.
- Subscribers cannot see who else is subscribed, so users are not visible to one another (admins can see the members).
- Like groups, public channels are searchable and private channels are not.
- The number next to the eye icon on a post indicates the number of times it has been viewed. This will give you an idea of the channel's popularity in addition to the number of subscribers.
- Without being logged in to Telegram, you may be able to view a public channel using "preview". This will give you a glimpse of the profile image, description, number of subscribers, and possibly an owner/admin contact. This will be dependent on the channel's privacy settings.

Channel Example: http://t.me/bestmemes


Some channels do not allow a full preview without signing in: https://t.me/BreachedData

1.4 Bots

Some channels have "bots", which are distinctive in that:

1. They will respond immediately if you message them.
2. They do not initiate one-on-one conversations.
3. They are sometimes useful in that they do things like listing user info when posting welcome messages and other automated functions.
4. Bots do not have an associated phone number.

Telegram Limits

Telegram Limits site: max characters, posts, members, etc.

1.5 Account Creation

Setting up a burner Telegram account:
1. You will need a phone number to create a Telegram account (VoIP numbers typically do not work)
2. Use your burner phone to install the Telegram app and create a Telegram account


3. Once created, you can log in via a web browser so that you have your browser extensions available during your investigation: https://web.telegram.org/z/
4. There are also desktop applications for Windows, Mac, and Linux, but if you use the applications you limit your ability to use capture and preservation tools.

1.6 Google Search & URL Structuring

Google search examples:
- site:t.me/joinchat "keyword"
  Example: site:t.me/joinchat "cvv"
  Result example: https://t.me/joinchat/uPP0S-HqUiRjMTBh
- "t.me/joinchat" keyword
  Example: "t.me/joinchat" osint
  Result example: https://t.me/joinchat/Rl9gyE4H0AHbOJjW

Search for Telegram links shared outside of Telegram:
- https://t.me/username -site:telegram.org
- https://t.me/joinchat/hashvalue -site:telegram.org

Note: the first query searches for a link to a user and the second for an invite link. The scenario for this type of query is when you already know the link and want to see who is posting it elsewhere on the internet.

Example of looking for Telegram mentions on other platforms: site:reddit.com "telegram" "cvv"

URL structuring:
- User: https://t.me/username
- Channel: https://t.me/channelname
- Preview: https://telegram.me/s/channelname or https://t.me/s/channelname (example: https://t.me/s/osint)
- Channel invite links: https://t.me/joinchat/hashvalue
- Videos: https://telesco.pe/channelname
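When a forum post or paste is full of Telegram references, the URL patterns above are what you classify them by. The following Python is an added example (it is not from the lesson or any of the tools it links): it pulls Telegram links and @handles out of free text, classifies each by the URL structure (user/channel, preview, post, invite, telesco.pe video) and builds the off-site Google query for it. The sample post, handles and invite hashes are constructed; treating the newer t.me/+hash form as an invite link is this example's assumption, and the dork it builds covers both invite forms, which goes slightly beyond the two queries in the text.

```python
import re
from urllib.parse import urlparse

# Hosts that carry Telegram links: t.me and telegram.me are official, telesco.pe
# is the video/preview mirror named in the lesson.
TELEGRAM_HOSTS = {"t.me", "www.t.me", "telegram.me", "www.telegram.me", "telesco.pe"}

# Telegram usernames are 5-32 characters of letters, digits and underscores.
USERNAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]{4,31}$")
MENTION_RE = re.compile(r"(?<![\w@])@([A-Za-z][A-Za-z0-9_]{4,31})\b")
# Scheme-less links ("t.me/...") count too; the lookbehind stops us matching
# "t.me" buried inside another site's path.
URL_RE = re.compile(
    r"(?<![\w./-])(?:https?://)?(?:www\.)?(?:t\.me|telegram\.me|telesco\.pe)/[^\s<>\"')\]]+",
    re.IGNORECASE)

# Constructed sample post (invented handles and hashes), in the style of the
# Reddit comments the lesson uses as targets.
SAMPLE_POST = (
    "HIGH BALANCE CC AVAILABLE, hit me on Telegram @example_seller_01 or join "
    "https://t.me/joinchat/AAAAAExampleHash1 , mirror t.me/+AAAAAExampleHash2 "
    "preview: https://t.me/s/example_channel/ post: https://t.me/example_channel/42 "
    "video at https://telesco.pe/example_channel. unrelated: https://example.com/t.me/x"
)


def classify_telegram_link(url):
    """Return (kind, identifier) for a Telegram URL, or None if it is not one.
    kinds: invite, preview, post, profile (user or channel), video."""
    parsed = urlparse(url if "://" in url else "https://" + url)
    host = parsed.netloc.lower()
    if host not in TELEGRAM_HOSTS:
        return None
    parts = [p for p in parsed.path.split("/") if p]
    if not parts:
        return None
    if host == "telesco.pe":
        return ("video", parts[0])
    if parts[0] == "joinchat" and len(parts) >= 2:
        return ("invite", parts[1])
    if parts[0].startswith("+") and len(parts[0]) > 1:
        return ("invite", parts[0][1:])          # assumption: t.me/+hash is an invite
    if parts[0] == "s" and len(parts) >= 2:
        return ("preview", parts[1])
    if USERNAME_RE.match(parts[0]):
        if len(parts) >= 2 and parts[1].isdigit():
            return ("post", f"{parts[0]}/{parts[1]}")
        # A bare t.me/<name> is a user OR a channel; the URL alone cannot tell.
        return ("profile", parts[0])
    return None


def extract_telegram_leads(text):
    """Telegram URLs and @handles in free text, de-duplicated, in order found."""
    leads, seen = [], set()

    def add(kind, ident, source):
        key = (kind, ident.lower())
        if key not in seen:
            seen.add(key)
            leads.append({"kind": kind, "id": ident, "source": source})

    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;:")
        hit = classify_telegram_link(url)
        if hit:
            add(hit[0], hit[1], url)
    for handle in MENTION_RE.findall(text):
        add("profile", handle, "@" + handle)
    return leads


def offsite_dork(lead):
    """Google query for where this link/handle is being shared outside Telegram."""
    if lead["kind"] == "invite":
        return f'"t.me/joinchat/{lead["id"]}" OR "t.me/+{lead["id"]}" -site:telegram.org'
    return f'"t.me/{lead["id"]}" -site:telegram.org'


if __name__ == "__main__":
    for lead in extract_telegram_leads(SAMPLE_POST):
        print(lead["kind"], lead["id"], "->", offsite_dork(lead))
```

Feed it the text of a scraped thread and you get one row per lead plus the query to paste into Google; profile leads still need a manual check of whether t.me/name is a user or a channel.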

1.7 Third Party Search


- Telegogo CSE (Google Search Intel Google CSEs)
- Catalog of Telegram channels
- Private Chat Join Links
- Largest catalog of Telegram channels (TGStat search page, also available at tgstat.ru; download data sets or use the search bar top right)
- Searching for Telegram Channels
- Programmable Search Engine by Pielco11 (two CSEs)
- Find Telegram Channels, Bots, Groups
- Telegram Groups List
- Tlgrm.eu
- Search Buzz
- Telegrampol
- Telegram Italia
- Telegram Friends
- Channels 4 Telegram
- Tgchannels Group Search
- Telegram Channels, Groups, Bots List
- NSFW-type Telegram site primarily showing girls' accounts
- Channels 4 Telegram Private Links
- Telegram Channel
- Xtea.io
- Lyzem
- Telemetr.io

1.8 Chat Capture/Preservation

Log in via your browser and use your go-to capture extensions such as FireShot or SingleFile. Some additional tools that may be beneficial:
- Hunchly: capture via your browser, or use Hunchly on mobile with a burner. https://hunch.ly
- pigpagnet/save-telegram-chat-history: Save Telegram Chat History Chrome extension (does not save images or videos)
- Fabledowl Telegram scripts: useful for capturing member lists, chat history, and/or locating a Telegram ID number.
  1. Install Greasemonkey (Firefox only) or Tampermonkey (Firefox or Chrome):
     https://addons.mozilla.org/en-US/firefox/addon/greasemonkey/
     https://addons.mozilla.org/en-US/firefox/addon/tampermonkey/
     https://chrome.google.com/webstore/detail/dhdgffkkebhmkfjojejmpbldmpobfkfo (Tampermonkey, Chrome)
  2. Install telegramscript.user.js
  3. Install getUsers.user.js


  4. Browse to the page using the web interface (https://web.telegram.org) and scrape the group or chat history to txt or csv.

Fabledowl blog posts on how to use the scripts:

https://fabledowlblog.wordpress.com/2017/07/10/telegram-api-for-osint-part-1-users/
https://fabledowlblog.wordpress.com/2017/09/09/telegram-api-for-osint-part-2-messages/

Note: capture scripts typically do not work on secret chats (one-on-one end-to-end encrypted chats). Secret chats exist only on the device that created them and are not available in the web client at all, so for those you are limited to capturing on the device itself.
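Whichever client you capture from, the history is most useful as rows you can cite plus a hash you can reproduce later. The following Python is an added example, not one of the scripts linked above: it reads a chat export in the shape Telegram Desktop writes to result.json (that shape, with text given either as a string or as a list of strings and entity dicts, is an assumption of the example) and turns it into CSV rows with a SHA-256 per message and one for the whole export. The sample export is constructed; names, IDs and text are invented.

```python
import csv
import hashlib
import io
import json

# Constructed sample in the shape of a Telegram Desktop "result.json" export.
SAMPLE_EXPORT = {
    "name": "Example Group",
    "type": "public_supergroup",
    "id": 1234567890,
    "messages": [
        {"id": 1, "type": "service", "date": "2021-07-23T09:58:00",
         "actor": "Alice Example", "actor_id": "user111", "action": "create_group",
         "title": "Example Group", "text": ""},
        {"id": 2, "type": "message", "date": "2021-07-23T10:01:00",
         "from": "Alice Example", "from_id": "user111", "text": "welcome all"},
        {"id": 3, "type": "message", "date": "2021-07-23T10:02:30",
         "from": "Bob Example", "from_id": "user222",
         "text": ["join here ", {"type": "link", "text": "https://t.me/joinchat/ExampleHash"}, " now"]},
        {"id": 4, "type": "message", "date": "2021-07-23T10:05:00",
         "from": "Bob Example", "from_id": "user222",
         "photo": "photos/photo_1@23-07-2021_10-05-00.jpg", "width": 800, "height": 600,
         "text": ""},
    ],
}

FIELDS = ["id", "type", "date", "from", "from_id", "text", "media", "sha256"]


def _canonical_sha256(obj):
    """SHA-256 over canonical JSON, so the same message always hashes the same."""
    canon = json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def flatten_text(text):
    """The export's 'text' is a plain string or a list of strings / entity dicts."""
    if isinstance(text, str):
        return text
    return "".join(p if isinstance(p, str) else p.get("text", "") for p in text)


def message_to_row(msg):
    """One CSV row per message; service events keep their actor as 'from'."""
    return {
        "id": msg.get("id"),
        "type": msg.get("type"),
        "date": msg.get("date"),
        "from": msg.get("from") or msg.get("actor") or "",
        "from_id": msg.get("from_id") or msg.get("actor_id") or "",
        "text": flatten_text(msg.get("text", "")),
        "media": msg.get("photo") or msg.get("file") or "",
        # Per-message hash of the raw exported object: lets you show later that the
        # row quoted in the report matches what was exported.
        "sha256": _canonical_sha256(msg),
    }


def export_to_rows(export, only_messages=False):
    rows = [message_to_row(m) for m in export.get("messages", [])]
    if only_messages:
        rows = [r for r in rows if r["type"] == "message"]
    return rows


def rows_to_csv(rows):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def export_fingerprint(export):
    """Hash of the whole export for the evidence log."""
    return _canonical_sha256(export)


if __name__ == "__main__":
    print(rows_to_csv(export_to_rows(SAMPLE_EXPORT)))
    print("export sha256:", export_fingerprint(SAMPLE_EXPORT))
```

Record the export fingerprint alongside the date and the account used to capture, and keep the original result.json with the media folder; the CSV is for analysis and citation, not a replacement for the original.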

1.9 Geolocation

Telegram has an optional feature where you can allow the app to use your location and then find other users near you (if they have their location set to discoverable). The option is off by default and most users do not enable it, as it defeats much of the value of a privacy-focused communication platform. For OSINT purposes there are a couple of ways to attempt to locate Telegram users who are discoverable at a given location.

Hardware burner
1. Install Telegram on a burner phone
2. Create or log in with an existing burner Telegram account
3. Open the app, select Contacts and "Add People Nearby"
4. You can now view nearby users and groups (if they have it enabled)
5. Use a spoofing application to move your perceived location to that of your target: https://play.google.com/store/apps/details?id=com.lexa.fakegps

Software burner
1. Install Telegram on your Android emulator of choice, such as Genymotion
2. Create or log in with an existing burner Telegram account
3. Open the app, select Contacts and "Add People Nearby"
4. You can now view nearby users and groups (if they have it enabled)
5. Adjust your perceived location in your emulator to that of your target. If you prefer, you can use a third-party spoofing application such as: https://apkpure.com/fake-gps-location/com.lexa.fakegps

The feature reports each nearby user's distance from you rather than a position. Reading that distance from three or more spoofed positions and intersecting the circles (trilateration) narrows a discoverable user down to a small area, which is what the projects below demonstrate.

Further reading:
- https://telegram.org/blog/contacts-local-groups#add-people-nearby
- https://github.com/jkctech/TelegramTrilateration
- https://www.androidpolice.com/2021/01/05/telegrams-people-nearby-feature-reveals-exact-user-locations-through-triangulation/

Alternate method

A colleague posted an alternate approach to identifying an IP address for your target, which provides another pivot point to investigate and potentially a rough regional location for the target if they are not on a VPN. This approach involves initiating a call with the target via Telegram and then capturing packets from the call with Wireshark. Capturing packets from data connections is beyond the scope of this lesson, but if you are desperate for more leads on a target, and if direct contact (active recon/infiltration) is appropriate and authorized, this approach might be worth considering. Note that the remote address only shows up when the call is routed peer-to-peer; Telegram lets users relay calls through its servers instead (Settings > Privacy and Security > Calls > Use Peer-to-Peer), which hides their IP from this technique.
- https://twitter.com/GONZOs_int/status/1353815251133849600
- https://github.com/n0a/telegram-get-remoteip
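The TelegramTrilateration project and the Android Police article linked above describe the trick: read the distance "People Nearby" reports from three different spoofed positions, and the intersection of those three circles is the target. The Python below is an added example that does that arithmetic; it is not code from the lesson or from the linked project. Coordinates are projected to a local metre grid, the three circle equations are linearised by subtracting one from the others, and the result is solved by least squares so that a fourth or fifth reading can be added to tighten the fix. The target, observer positions and distances are constructed.

```python
import math

EARTH_RADIUS_M = 6371000.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def _to_local(lat, lon, lat0, lon0):
    """Equirectangular projection to metres around (lat0, lon0); accurate enough
    for the few-kilometre ranges People Nearby reports."""
    x = math.radians(lon - lon0) * math.cos(math.radians(lat0)) * EARTH_RADIUS_M
    y = math.radians(lat - lat0) * EARTH_RADIUS_M
    return x, y


def _from_local(x, y, lat0, lon0):
    lat = lat0 + math.degrees(y / EARTH_RADIUS_M)
    lon = lon0 + math.degrees(x / (EARTH_RADIUS_M * math.cos(math.radians(lat0))))
    return lat, lon


def trilaterate(observations):
    """observations: [(lat, lon, reported_distance_m), ...] from three or more
    spoofed positions. Returns (lat, lon), or None when the geometry is
    degenerate (all observer positions on one line)."""
    if len(observations) < 3:
        raise ValueError("need at least three observations")
    n = len(observations)
    lat0 = sum(o[0] for o in observations) / n
    lon0 = sum(o[1] for o in observations) / n
    pts = [(_to_local(lat, lon, lat0, lon0), d) for lat, lon, d in observations]
    (x1, y1), d1 = pts[0]
    # Circle i: (x-xi)^2 + (y-yi)^2 = di^2. Subtracting circle 1 from circle i
    # cancels the quadratic terms and leaves a linear equation in (x, y):
    #   2(xi-x1)x + 2(yi-y1)y = d1^2 - di^2 + xi^2 - x1^2 + yi^2 - y1^2
    # With two or more such rows, solve by least squares (2x2 normal equations).
    s11 = s12 = s22 = t1 = t2 = 0.0
    for (xi, yi), di in pts[1:]:
        a = 2 * (xi - x1)
        b = 2 * (yi - y1)
        c = d1 ** 2 - di ** 2 + xi ** 2 - x1 ** 2 + yi ** 2 - y1 ** 2
        s11 += a * a
        s12 += a * b
        s22 += b * b
        t1 += a * c
        t2 += b * c
    det = s11 * s22 - s12 * s12
    if abs(det) < 1e-6:
        return None
    x = (s22 * t1 - s12 * t2) / det
    y = (s11 * t2 - s12 * t1) / det
    return _from_local(x, y, lat0, lon0)


if __name__ == "__main__":
    # Constructed scenario: a target at a known point, three spoofed observer
    # positions, and "reported" distances rounded to 10 m because the app only
    # shows a rounded distance.
    target = (52.3702, 4.8952)
    observers = [(52.3800, 4.8800), (52.3800, 4.9100), (52.3600, 4.8950)]
    obs = [(la, lo, round(haversine_m(la, lo, *target), -1)) for la, lo in observers]
    fix = trilaterate(obs)
    print("estimate:", fix, "error m:", round(haversine_m(*fix, *target), 1))
```

Pick observer positions that surround the target rather than sitting on one line, and expect the residual error to be on the order of the rounding the app applies to its distances; a fourth reading from a different direction usually helps more than re-reading the same three.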

1.10 Scripts & Resources
- Telegogo Twitter feed
- Awesome Telegram
- Francesco Poldi's Maltego transform
- Username bot
- GitHub - RSS-Bridge/rss-bridge
- GitHub - pielco11/telescan
- GitHub - th3unkn0n/TeleGram-Scraper
- Leveraging Telegram by Nico Dekens (Dutch OSINT Guy) links
- Telegram Open Source Projects
- UK-OSINT Telegram links
- OSINT Scenario Library

1.11 Sample Targets
- https://t.me/BreachedData
- https://www.reddit.com/r/market/comments/j72y7c/instant_cashouts_shop_cc_fullz_verified_haxker/ | Example of locating Telegram users on Reddit from comments: "HIGH BALANCE CC AVAILABLE CHEAP PRICE COME WITH YOUR BIN MOST COUNTRIES AVAILABLE ALL VALID CARDS COME BTC READY Telegram @EbiThaGenius"
- https://webhose.io/blog/dark-web/the-top-5-dark-web-telegram-chat-groups-and-channels/ | Dated list of prominent criminal groups and channels
- https://t.me/s/HowToFind_RU | Russian OSINT channel
- https://t.me/s/ipshit | Russian IP channel
- https://t.me/s/osint_channel | Portuguese OSINT channel
- https://t.me/OSINT_BR | Portuguese OSINT group
- https://t.me/atlantisreborn | Italian fraud group
- https://t.me/s/pol_central_8ch | Lists of extremist accounts and sites
- https://www.tg-me.com/us | Popular channels and groups to practice on

1.12 One-Tab Bookmarks
- https://telegram.org/ | Telegram Messenger
- https://t.me/hackers_valley | Telegram: Contact @hackers_valley
- https://www.google.com/search?q=%22t.me%2Fjoinchat%22&tbs=qdr%3Ay | "t.me/joinchat" - Google Search (past year)
- https://www.google.com/search?q=site%3At.me%2Fjoinchat%2F+%22fullz%22 | site:t.me/joinchat/ "fullz" - Google Search
- https://tgstat.com/ | Largest catalog of Telegram channels. Statistics, analytics, TOP chart. Telegram Analytics.
- https://awesomeopensource.com/projects/telegram?categoryPage=47 | The Top 366 Telegram Open Source Projects
- https://cse.google.com/cse?cx=006368593537057042503:efxu7xprihg | Programmable Search Engine
- https://www.uk-osint.net/messengerapps.html | UK OSINT Messenger Apps
- https://webintmaster.com/blog/webint-tool/telegago/ | Telegago - Webint Master
- https://tgstat.ru/en/search | Telegram Search. Search for posts
- https://telegramdb.org/ | TelegramDB.org
- https://t.me/s/privatelinks | Global Telegram Database
- https://t.me/joinprivatechat | Telegram: Contact @joinprivatechat
- https://telegramchannels.me/search | Searching for Telegram Channels
- https://tgstat.ru/en | Russian Telegram channels. Statistics, analytics, TOP chart. Telegram Analytics.
- https://www.telegram-group.com/en/ | Telegram Group: Find Telegram Channels, Bots & Groups
- https://tgram.io/ | Telegram Groups List
- https://www.telegramitalia.it/ | I migliori canali telegram, gruppi e bot ~ Telegram Italia (Italian: "the best Telegram channels, groups and bots")
- https://telegramfriends.com/ | Telegram Girls age from 18 to 26 years
- https://channelsfortelegram.com/ | Channels 4 Telegram
- https://telegramchannels.me/ | 18000+ Telegram Channels, Groups, Bots and Stickers List
- http://tlgrm.eu/channels | Telegram Channels List: Discover interesting channels for your Telegram
- https://search.buzz.im/ | Search.buzz.im
- https://cse.google.com/cse?cx=004805129374225513871:p8lhfo0g3hg | Programmable Search Engine
- https://cse.google.com/cse?cx=004805129374225513871:fm2aftwr3ik | Programmable Search Engine
- https://t.me/joinchat/KhNQwBWiEctXae3vKhyFxQ | Telegram: Join Group Chat
- https://t.me/joinchat/KhNQwFNS5IeX49XpQ-aXjw | Telegram: Join Group Chat
- https://t.me/natsecjeff | Telegram: Contact @natsecjeff
- https://twitter.com/Natsecjeff | FJ (@Natsecjeff) / Twitter
- https://t.me/atlantisdark | Telegram: Contact @atlantisdark
- https://t.me/prtship | Telegram: Contact @prtship
- https://t.me/prtshipcarding | Telegram: Contact @prtshipcarding
- https://t.me/ipshit | Telegram: Contact @ipshit
- https://t.me/spys_one | Telegram: Contact @spys_one
- https://t.me/majzaa80 | Telegram: Contact @majzaa80
- https://combot.org/ | Combot
- https://botostore.com/c/usinfobot/ | Telegram bot Inline Info Username — @usinfobot
- https://github.com/RSS-Bridge/rss-bridge | GitHub - RSS-Bridge/rss-bridge: The RSS feed for websites missing it
- https://github.com/pielco11/telescan | GitHub - pielco11/telescan
- https://github.com/th3unkn0n/TeleGram-Scraper | GitHub - th3unkn0n/TeleGram-Scraper: telegram group scraper tool. fetch all information about group members
- https://keybase.pub/pielco11/links.zip | links.zip - Keybase.pub
- https://hunch.ly/ | Hunchly - OSINT Software for Cybersecurity, Law Enforcement, Journalists, Private Investigators and more.
- https://github.com/pigpagnet/save-telegram-chat-history | GitHub - pigpagnet/save-telegram-chat-history
- https://gist.github.com/fabledowl | fabledowl's gists · GitHub
- https://addons.mozilla.org/en-US/firefox/addon/greasemonkey/ | Greasemonkey – Get this Extension for 🦊 Firefox (en-US)
- https://addons.mozilla.org/en-US/firefox/addon/tampermonkey/ | Tampermonkey – Get this Extension for 🦊 Firefox (en-US)
- https://chrome.google.com/webstore/detail/tampermonkey/dhdgffkkebhmkfjojejmpbldmpobfkfo | Tampermonkey - Chrome Web Store
- https://fabledowlblog.wordpress.com/2017/07/10/telegram-api-for-osint-part-1-users/ | Telegram API for OSINT – Part 1 – Users – Fabled Owl
- https://fabledowlblog.wordpress.com/2017/09/09/telegram-api-for-osint-part-2-messages/ | Telegram API for OSINT – Part 2 – Messages – Fabled Owl
- https://github.com/ItIsMeCall911/Awesome-Telegram-OSINT | GitHub - ItIsMeCall911/Awesome-Telegram-OSINT: 📚 A Curated List of Awesome Telegram OSINT Tools, Sites & Resources


9OSINTVMExpress.md

7/23/2021

Custom OSINT Virtual Machine - Two Line Quick Build v.6.2021

For those new to building custom OSINT virtual machines, we recommend that you first build one by hand. This helps you learn the steps and understand what is going on under the hood. You will want to use the steps at https://inteltechniques.com/osintbook8/linux.txt (login listed below) and watch the video just above this lesson in Section 12: Virtual Machines. For those experienced with manual builds, the two commands below automate the customization of our Ubuntu VM.

Two Liner: wget --user osint9 --password book143wt https://inteltechniques.com/osintbook9/linux.sh && chmod +x linux.sh && ./linux.sh

Update & Upgrade Commands: sudo apt-get update sudo apt-get upgrade

Resource Links:
- https://www.virtualbox.org/wiki/Downloads | Downloads – Oracle VM VirtualBox
- https://ubuntu.com/download/desktop/thank-you?version=20.04.2.0&architecture=amd64 | Thank you for downloading Ubuntu Desktop | Ubuntu
- https://inteltechniques.com/osintbook8/ | IntelTechniques Online Resources
- https://inteltechniques.com/osintbook8/linux.txt | inteltechniques.com/osintbook8/linux.txt

General Steps (this is a rough outline, please see the video for specifics): 1. Update or install VirtualBox

2. Download Ubuntu Desktop 20.04

3. In VirtualBox create a new VM using the wizard

4. Click on Settings and make the recommended changes from the video lesson or from the linux.txt available at https://inteltechniques.com/osintbook8/linux.txt (your login is "inteltechniques", your password is "training2021!"; DO NOT SHARE THIS LOGIN)

5. Start the VM and walk through the installation wizard as demonstrated in the video

6. Once your VM is up, click on Devices in the VirtualBox menu and select Insert Guest Additions CD image, then run it at the prompt; this updates the drivers for your VM

7. Open a terminal and run this command: wget --user osint9 --password book143wt https://inteltechniques.com/osintbook9/linux.sh && chmod +x linux.sh && ./linux.sh
   Note: a password given on the command line is stored in your shell history and is visible in the process list while wget runs; wget's --ask-password option prompts for it instead. It is also worth reading linux.sh before the final ./linux.sh executes it.

8. Restart when prompted

9. Adjust your display if need be, using the View menu on VirtualBox

10. Select the update scripts shortcut from the left side of the bottom shortcut bar, let that finish updating and then shutdown. 11. (optional) Save a snapshot

12. Start the VM and update Ubuntu either using the terminal or using the update application.


13. (optional) If everything looks good, save another snapshot and/or a clone now that you have a clean, unused, and fully patched VM

14. (optional) Hang on to a clean master version from which you can make quick clones


Record
- Domain
- Date of Record

Report sections
- Profile
- Geographical
- Site Map - Link Analysis
- WHOIS - Current Record
- Name Servers
- Port Status
- Historical WHOIS
- Historical IPs
- Snapshot
- Technologies
- Archives
- Robots.txt
- DNS Transfers
- ASN
- Analytics IDs
- SSL Certificates
- Breach Data
- Exposed Files
- Shodan Results
- Exposure Rating
- Articles/Public Content
- Appendix
- Preservation
- Leads
- Records: Source (URL or File), Note

Domain: Google Operators

Goals
- Goal #1: Attribution
- Goal #2: Footprinting
- Goal #3: Vulnerability/Exposure
- Goal #4: Intelligence/Leads

Operators
- "domain.com"
- site:domain.com
- related:domain.com
- inurl:domain.com
- cache:domain.com (*Tier 2: Bing, Yandex, etc.)
- site:domain.com ext:pdf OR ext:docx OR ext:xlsx
- inanchor:domain.com

OSINT Toolset (domain workflow)

Triage
- Tab Management
- inteltechniques.com/net
- Close Poor Result Tabs

Process Each Tab
- Copy/Paste Key Records to Notes or Report
- Page Captures

Preserve
- Collapse & Export to Notes

WHOIS Record
- Current WHOIS: Annotate & Capture
- Historical WHOIS: Capture & Annotate
- Basic Domain Registration Details
- Copy/Paste to Notes
- Source URL & Page Capture
- Search for Deprivatized Registrant Data
- Repeat Documentation Steps for Historical WHOIS

DNS Records
- IP Address
- Name Servers
- CNAME
- Additional Domain Intel
- Reverse Search IP
- Who hosts their DNS?
- Hostname, sub-domains
- ASN/Netblock
- MX Server
- Search IP Proximity, Banners
- Email hosted at the domain
- SPF/TXT Records: locate unique references and items such as mail servers

Identifiers
- SSL Certificate: used on other domains?
- Google Analytics: used on other domains?
- FB Analytics: used on other domains?
- Other IDs
- Analytic IDs & SSL Certs: analyzeid.com/id/

Traffic
- Backlinks
- Alexa.com Data
- Additional Analysis
- Back-links/Posts/Traffic
- Who is linking to our target?
- Similar Sites by Traffic (similarweb.com, spyonweb.com)

Content Analysis
- Archives (Archive.org, Archive.today)
- WebCache
- Direct Examination
- Active Recon Scripts
- Active Reconnaissance: not completely passive; run from a secure VM & VPN
- Preserve & Analyze

Reporting
- Case Notes
- File Captures
- Written Report
- Verbal Briefing
- Digital Notebook
- Logical Structure
- Template Optional
- PPTX Optional
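The "SPF/TXT Records" step of the DNS stage above is where a domain quietly lists who sends its mail. As an added example (not part of the workflow or any tool it names), the following Python parses the TXT records you would pull with dig or a web DNS tool and extracts the leads an investigator wants: include: targets mapped to the provider they usually indicate, authorised IP ranges, named hosts, verification tokens that reveal third-party services, and two findings worth a line in the exposure section (a permissive all mechanism, or more than one SPF record). The records and the provider table are constructed and illustrative; the provider hints are this example's assumptions.

```python
import re

# Constructed TXT records for a hypothetical target domain; all values are invented.
SAMPLE_TXT_RECORDS = [
    '"v=spf1 include:_spf.google.com include:sendgrid.net ip4:203.0.113.0/24 mx a:mail.example-target.com ~all"',
    '"google-site-verification=AbCdEf0123456789"',
    '"MS=ms12345678"',
    '"v=spf1 -all"',  # a second SPF record is itself a finding: RFC 7208 allows exactly one
]

# qualifier, mechanism/modifier, optional argument after ':' or '='
SPF_TERM_RE = re.compile(
    r"^([+\-~?]?)(all|include|a|mx|ip4|ip6|exists|redirect|exp|ptr)(?:[:=](.+))?$", re.I)

# include: targets that usually identify a mail provider (assumption: illustrative, not exhaustive).
PROVIDER_HINTS = {
    "_spf.google.com": "Google Workspace",
    "spf.protection.outlook.com": "Microsoft 365",
    "sendgrid.net": "SendGrid",
    "servers.mcsv.net": "Mailchimp",
    "_spf.salesforce.com": "Salesforce",
    "secureserver.net": "GoDaddy",
}


def parse_spf(record):
    """Split one SPF string into terms; None if the record is not SPF at all."""
    rec = record.strip().strip('"')
    if not rec.lower().startswith("v=spf1"):
        return None
    terms = []
    for token in rec.split()[1:]:
        m = SPF_TERM_RE.match(token)
        if not m:
            terms.append({"qualifier": "", "mech": "unknown", "value": token})
            continue
        qual, mech, value = m.groups()
        terms.append({"qualifier": qual or "+", "mech": mech.lower(), "value": value})
    return terms


def analyze_txt_records(records):
    """Mail-related leads and misconfiguration findings from a domain's TXT records."""
    leads = {"includes": [], "ip4": [], "ip6": [], "hosts": [], "providers": [],
             "verifications": [], "warnings": []}
    spf_records = [t for t in (parse_spf(r) for r in records) if t is not None]
    if len(spf_records) > 1:
        leads["warnings"].append("multiple SPF records (only one is valid per RFC 7208)")
    for terms in spf_records:
        for t in terms:
            if t["mech"] in ("include", "redirect"):
                leads["includes"].append(t["value"])
                hint = PROVIDER_HINTS.get(t["value"].lower())
                if hint and hint not in leads["providers"]:
                    leads["providers"].append(hint)
            elif t["mech"] == "ip4":
                leads["ip4"].append(t["value"])
            elif t["mech"] == "ip6":
                leads["ip6"].append(t["value"])
            elif t["mech"] in ("a", "mx") and t["value"]:
                leads["hosts"].append(t["value"])   # a bare 'a'/'mx' refers to the domain itself
            elif t["mech"] == "all" and t["qualifier"] in ("+", "?"):
                leads["warnings"].append(f"permissive '{t['qualifier']}all' lets anyone spoof the domain")
    for r in records:
        rec = r.strip().strip('"')
        # site-verification and MS= style tokens name services the domain is registered with
        if "=" in rec and not rec.lower().startswith("v=spf1"):
            leads["verifications"].append(rec)
    return leads


if __name__ == "__main__":
    for key, values in analyze_txt_records(SAMPLE_TXT_RECORDS).items():
        print(f"{key}: {values}")
```

Each include: target is itself a pivot: resolve it and repeat, because providers nest their own includes, and the same chain on a second domain is a supporting indicator that both are run by one organisation.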

Domain Report

DOMAIN/IP DOMAIN REPORT - DATE
Mission Scope

PREPARED BY
Gene Parmesan
Agency
Title
Street Address
City, State, Zip
Country
Contact/Email

CONTENTS
» Objective/Scope
» Key Findings
» Executive Summary
» Link Chart/Diagram
» Current Whois
» Historical Whois
» Historical DNS
» Owners/Managers
» IT/Administrators
» Technologies
» Similar/Related Sites
» Breach Data
» Appendix
» Supporting Files

METHODOLOGY This report has been prepared for and to the specifications of XXXXXX. The report contains both research data as well as analysis. All data was recovered from publicly available resources on the internet.

Orro conecae plit odis nume mint rescill anisima porpore pudit, odi quas sum rescime ndiscium erorit, endella ccuptate etur Am sit, omni occus, odi volori delecab orectia velliquam, con corrumque eium volo Icid quo voluptur? Everum accus,

KEY FINDINGS

Attribution | Administration & Ownership
Site Owner/Operator: Marzipan Lanu
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut at dui imperdiet, volutpat tellus sit amet, tempus felis. Aenean nec massa mattis, vehicula dui egestas, dapibus erat. Aenean ac luctus eros.
» Nullam ac neque euismod nibh condimentum lacinia nec at nunc
» Vivamus mattis sagittis eros. Sed ullamcorper massa ultrices sapie
» Ut blandit tristique sem, at gravida arcu. Donec eu tincidunt quam

Infrastructure | Technologies & Vulnerabilities
See Sections III & IV: Infrastructure Overview
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut at dui imperdiet, volutpat tellus sit amet, tempus felis. Aenean nec massa mattis, vehicula dui egestas, dapibus erat. Aenean ac luctus eros.
» Nullam ac neque euismod nibh condimentum lacinia nec at nunc
» Vivamus mattis sagittis eros. Sed ullamcorper massa ultrices sapie
» Ut blandit tristique sem, at gravida arcu. Donec eu tincidunt quam

Breach Data | Account & Credential Exposures
See Appendix p.16-32
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut at dui imperdiet, volutpat tellus sit amet, tempus felis. Aenean nec massa mattis, vehicula dui egestas, dapibus erat. Aenean ac luctus eros.
» Nullam ac neque euismod nibh condimentum lacinia nec at nunc
» Vivamus mattis sagittis eros. Sed ullamcorper massa ultrices sapie
» Ut blandit tristique sem, at gravida arcu. Donec eu tincidunt quam

Associations | Reputation & Related Entities
Additional Domains and Involved Communities
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut at dui imperdiet, volutpat tellus sit amet, tempus felis. Aenean nec massa mattis, vehicula dui egestas, dapibus erat. Aenean ac luctus eros.
» Nullam ac neque euismod nibh condimentum lacinia nec at nunc
» Vivamus mattis sagittis eros. Sed ullamcorper massa ultrices sapie
» Ut blandit tristique sem, at gravida arcu. Donec eu tincidunt quam

11/03/2021

DOMAIN.COM 35.208.131.248 (CLASS C)

EXECUTIVE SUMMARY

DOMAIN PROFILE
» Domain.com
» IP: 1.1.1.1
» ASN: AS19527
» NS: NS1.USM57.SITEGROUND.BIZ
» NS: NS2.USM57.SITEGROUND.BIZ
» Host:
» Registrar:
» Registrant: Privatized 2020
» Owner:
» Admin:
» Created: August 17th, 2015
» Historical Whois:
» Assoc. Domain 1:
» Assoc. Domain 2:
» Assoc. Domain 3:
» Global Rank:
» Key Archive:
» Reference 1:
» Reference 2:
» Reference 3:
» Port Exposure:
» Technologies:
» Emails:
» Analytic IDs:
» Critical Breach Data:
» Reference:

GEOGRAPHICAL
Geographic Location
City: Council Bluffs
State: Iowa
Country: United States (US)
Coordinates: 41.2591, -95.8517
Timezone: America/Chicago

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut at dui imperdiet, volutpat tellus sit amet, tempus felis. Aenean nec massa mattis, vehicula dui egestas, dapibus erat. Aenean ac luctus eros. Aliquam maximus mauris in sem suscipit venenatis. Integer laoreet nunc vel diam rutrum, ut malesuada odio aliquam. Proin fermentum lacus nec sem gravida sagittis. Suspendisse potenti. Cras eget auctor enim. Ut dapibus consequat mauris, eget interdum nunc eleifend a. In hac habitasse platea dictumst. Nullam ac neque euismod nibh condimentum lacinia nec at nunc. Vivamus mattis sagittis eros. Sed ullamcorper massa ultrices sapien dignissim, sit amet dictum lacus faucibus. Vivamus scelerisque neque non risus tempor, ac suscipit sem vulputate. Curabitur nulla purus, imperdiet ut consectetur non, finibus in neque. Fusce commodo ultrices augue id tincidunt. Donec porttitor maximus sollicitudin. Class aptent taciti sociosqu ad litora torquent per conubia nostra, per inceptos himenaeos. Phasellus blandit, lacus sed varius ultrices, odio velit posuere ante, vel iaculis ligula ex nec metus. Vestibulum a egestas tellus, eu suscipit diam. Mauris lacus augue, imperdiet vel erat sed, porttitor pulvinar arcu. Duis at magna euismod, imperdiet eros et, lacinia quam. Suspendisse quis urna non mi ornare dapibus non luctus nulla. Vivamus posuere sem nulla, eu sodales nibh rutrum a. Ut blandit tristique sem, at gravida arcu. Donec eu tincidunt quam. Sed pulvinar vitae mauris in finibus. Etiam vitae nulla viverra, dignissim nisi ac, aliquet lectus. Curabitur condimentum, orci quis posuere volutpat, purus nulla bibendum diam, vitae viverra erat tellus vel elit. Suspendisse quis vestibulum ipsum. Phasellus in finibus massa, nec vehicula dolor. Sed ullamcorper massa ultrices sapien dignissim, sit amet dictum lacus faucibus. Vivamus scelerisque neque non risus tempor, ac suscipit sem vulputate.

https://search.censys.io/hosts/35.208.131.248


SITE MAP - LINK ANALYSIS

SOURCE:

Data and visualizations depicted herein were obtained via the following publicly available resources: https://sitename.com/blah, https://othersite.net/blah, https://thirdsite.org.

WHOIS - CURRENT RECORD

NAME SERVERS
ns1.usm57.siteground.biz. [NO GLUE] [TTL=172800]
ns2.usm57.siteground.biz. [NO GLUE] [TTL=172800]

PORT STATUS
Port   Service   Status
21     FTP       open
22     SSH       open
23     Telnet    closed
25     SMTP      open
80     HTTP      open
110    POP3      open
443    HTTPS     open
445    SMB       closed
1433   MSSQL     closed
1521   ORACLE    closed
3306   MySQL     open
3389   RDP       open
5001   Synology  open

WHOIS Information for Domain.com
==============
Domain Name: DOMAIN.COM
Registry Domain ID: 1953695582_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Updated Date: 2019-05-16T01:28:59Z
Creation Date: 2015-08-17T16:52:14Z
Registrar Registration Expiration Date: 2022-08-17T16:52:14Z
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +1.4806242505
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: clientRenewProhibited https://icann.org/epp#clientRenewProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Registry Registrant ID: Not Available From Registry
Registrant Name: Registration Private
Registrant Organization: Domains By Proxy, LLC
Registrant Street: DomainsByProxy.com
Registrant Street: 2155 E Warner Rd
Registrant City: Tempe
Registrant State/Province: Arizona
Registrant Postal Code: 85284
Registrant Country: US
Registrant Phone: +1.4806242599
Registrant Phone Ext:
Registrant Fax: +1.4806242598
Registrant Fax Ext:
Registrant Email: [email protected]
Registry Tech ID: Not Available From Registry

HISTORICAL WHOIS
Snapshots: September 2021, March 2019, April 2017, June 2016, August 2015, October 2012, July 2011, September 2010, May 2008

IP HISTORY
IP history results for Domain.com
==============
IP               Location              IP Owner        Last seen
35.208.131.248   Mountain View - USA   Google LLC      2021-10-18
37.60.252.212    Chicago - USA         CHI-3           2020-03-05
109.73.236.220   Chicago - USA         Ground Chicago  2019-01-08
50.87.216.65     Provo - USA           Unified Layer   2018-02-18
50.87.237.96     Provo - USA           Unified Layer   2017-02-14


HISTORICAL DNS
Hostname               Type  TTL    Content
lockdownyourlife.com   SOA   21599  ns1.siteground.net [email protected]
lockdownyourlife.com   NS    21600  ns1.siteground.net
lockdownyourlife.com   NS    21600  ns2.siteground.net
lockdownyourlife.com   MX    3600   mx10.mailspamprotection.com
lockdownyourlife.com   MX    3600   mx30.mailspamprotection.com

ATTRIBUTION
Samuel Smith, Admin/Domain Owner
P: +01.123.5557890
E: [email protected]
T: @ssmithfakeguy
F: facebook.com/ssmithfake
W: blog.blogsport.com
A: 1234 Toast Dr, Shorewood, CA. 32345

ASSOC. ACCOUNTS
facebook.com/joebob
linkedin.com/joebob
twitter.com/joebob

ALTERNATE TLDS
» Domain.net
» Domain.xyz
» Domain.org
NOTE: No Verified Association

SUBDOMAINS
» mail.domain.com
» info.domain.com
» forum.domain.com
» gopher.domain.com
» ftp.domain.com

WHOIS RECORD
WHOIS Information for lockdownyourlife.com
==============
Domain Name: LOCKDOWNYOURLIFE.COM
Registry Domain ID: 1953695582_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Updated Date: 2019-05-16T01:28:59Z
Creation Date: 2015-08-17T16:52:14Z
Registrar Registration Expiration Date: 2022-08-17T16:52:14Z
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +1.4806242505
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: clientRenewProhibited https://icann.org/epp#clientRenewProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Registry Registrant ID: Not Available From Registry
Registrant Name: Registration Private
Registrant Organization: Domains By Proxy, LLC
Registrant Street: DomainsByProxy.com
Registrant Street: 2155 E Warner Rd
Registrant City: Tempe
Registrant State/Province: Arizona
Registrant Postal Code: 85284
Registrant Country: US
Registrant Phone: +1.4806242599
Registrant Phone Ext:
Registrant Fax: +1.4806242598
Registrant Fax Ext:
Registrant Email: [email protected]
Registry Tech ID: Not Available From Registry


SNAPSHOT

ARCHIVES
» https://web.archive.org/web/http://www.who.is/whois/domain.com
» https://web.archive.org/web/https://whoisology.com/domain.com
» http://web.archive.org/web/*/domain.com

W: [email protected]

ROBOTS.TXT
User-Agent: MJ12bot
Disallow: /

User-agent: *
Disallow: /aboutAppC/
Disallow: /admin/
Disallow: /affiliateAppC/
Disallow: /affiliateControl/
Disallow: /appinterface/
Disallow: /appinterfaceAppC/
Disallow: /articlesAppC/
Disallow: /bandwidth/
Disallow: /BizBuilder/
Disallow: /build/
Disallow: /categoryAppC/
Disallow: /cgi-bin/
Disallow: /cgi-fy/
Disallow: /cgi-va/
Disallow: /cobrand/
Disallow: /cobrandAppC/
Disallow: /data/
Disallow: /directMail/
Disallow: /directoryAppC/
Disallow: /directory/
Disallow: /error/
Disallow: /firetest/
Disallow: /homeAppC/
Disallow: /joinAppC/
Disallow: /knowledgebase/allkeywords.cmp
Sitemap: https://www.domain.com/sitemap.xml

TECHNOLOGIES

Analytics and Tracking | October 20, 2021
https://builtwith.com/domain.com
Last technology detected on 3rd October 2021. We know of 72 technologies on this page and 32 technologies removed from lockdownyourlife.com since 3rd June 2017.
» Company Match - https://builtwith.com/company/Rythmia-Domain-Company-LLC
» https://builtwith.com/domain.com
» Facebook, Google, Kajabi, WordPress, OneTrust, Sitelinks, Twemoji, Pixel

Widgets | Google Fonts
https://trends.builtwith.com/widgets/Google-Font-API
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut at dui imperdiet, volutpat tellus sit amet, tempus felis. Aenean nec massa mattis, vehicula dui egestas, dapibus erat. Aenean ac luctus eros.
» Nullam ac neque euismod nibh condimentum lacinia nec at nunc
» Vivamus mattis sagittis eros. Sed ullamcorper massa ultrices sapie
» Ut blandit tristique sem, at gravida arcu. Donec eu tincidunt quam

Widgets 2 | Twemoji
https://trends.builtwith.com/widgets/Twemoji
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut at dui imperdiet, volutpat tellus sit amet, tempus felis. Aenean nec massa mattis, vehicula dui egestas, dapibus erat. Aenean ac luctus eros.
» Nullam ac neque euismod nibh condimentum lacinia nec at nunc
» Vivamus mattis sagittis eros. Sed ullamcorper massa ultrices sapie
» Ut blandit tristique sem, at gravida arcu. Donec eu tincidunt quam


TECHNOLOGIES (CONT.)

Frameworks | Organization Schema
https://trends.builtwith.com/framework/Organization-Schema
Orro conecae plit odis nume mint rescill anisima porpore pudit, odi quas sum rescime ndiscium erorit, endella ccuptate etur Am sit, omni occus, odi volori a velliquam, con corrumque eium volo Icid quo voluptur?
» Orro conecae plit odis nume mint rescill anisima porpore pudit, odi
» quas sum rescime ndiscium erorit, endella ccuptate etur Am sit, omnioc
» cus, odi volori a velliquam, con corrumque eium volo Icid quo voluptur?

Web Servers | DreamHost
https://trends.builtwith.com/hosting/DreamHost-Hosting
Orro conecae plit odis nume mint rescill anisima porpore pudit, odi quas sum rescime ndiscium erorit, endella ccuptate etur Am sit, omni occus, odi volori a velliquam, con corrumque eium volo Icid quo voluptur?

Content Delivery | CloudFront
https://trends.builtwith.com/cdn/CloudFront
Orro conecae plit odis nume mint rescill anisima porpore pudit, odi quas sum rescime ndiscium erorit, endella ccuptate etur Am sit, omni occus, odi volori a velliquam, con corrumque eium volo Icid quo voluptur?
» Orro conecae plit odis nume mint rescill anisima porpore pudit, odi

DNS TRANSFERS
https://api.hackertarget.com/zonetransfer/?q=zonetransfer.me
(Plain-text zone transfer example; replace zonetransfer.me with the target domain. The AXFR request itself is sent to the target's name servers, from HackerTarget's infrastructure when you use this API, so this step is not passive and a successful transfer is itself an exposure finding.)

ASN
AS19527
https://urlscan.io/domain/domain.com
» Orro conecae plit odis nume mint rescill anisima porpore pudit, odi
» quas sum rescime ndiscium erorit, endella ccuptate etur Am sit, omnioc
» cus, odi volori a velliquam, con corrumque eium volo Icid quo voluptur?

ANALYTICS IDS
Service    ID
Adsense    12345
Google     54321
Amazon     44443
Facebook   998877

Content Management | WordPress
https://trends.builtwith.com/cms/WordPress
Orro conecae plit odis nume mint rescill anisima porpore pudit, odi quas sum rescime ndiscium erorit, endella ccuptate etur Am sit, omni occus, odi volori a velliquam, con corrumque eium volo Icid quo voluptur?
» Orro conecae plit odis nume mint rescill anisima porpore pudit, odi
» quas sum rescime ndiscium erorit, endella ccuptate etur Am sit, omnioc
» cus, odi volori a velliquam, con corrumque eium volo Icid quo voluptur?

Email Hosting Providers | GoDaddy Email Hosting
https://trends.builtwith.com/mx/GoDaddy-Email

SSL CERTIFICATES

Orro conecae plit odis nume mint rescill anisima porpore pudit, odi quas sum rescime ndiscium erorit, endella ccuptate etur Am sit, omni occus, odi volori a velliquam, con corrumque eium volo Icid quo voluptur?

44ab73120c4b36d32ca683148b62f3 3acd9911981ff144c9b417c171970 f1c18 Active 2020-12-21 03:11:21 — 2022-01-22 03:11:21 Subject DN: CN=*.lockdownyourlife.com Issuer DN: C=BE, O=Global

» Orro conecae plit odis nume mint rescill anisima porpore pudit, odi » quas sum rescime ndiscium erorit, endella ccuptate etur Am sit, omnioc » cus, odi volori a velliquam, con corrumque eium volo Icid quo voluptur?


DOMAIN.COM 35.208.131.248 (CLASS C)

Infrastructure Vulnerabilities

EXPOSED FILES
site:domain.com filetype:pdf - 116 results
site:domain.com filetype:docx - 4 results
site:docs.google.com "domain.com" - 247 results
ext:zip OR ext:rar OR ext:7z "domain.com" - 2 results
ext:xls OR ext:xlsx

SHODAN RESULTS
The following indications of possible infrastructure vulnerabilities were reported by publicly available sources. These indicators may point to potential security issues and also serve as intelligence on the services and technologies used on this domain/IP.

BREACH DATA
Breach Name | Date of Breach | Filename/Source
(one entry per breach, with a short summary of what was exposed)

Shodan host detail (sample entry):
» https://www.shodan.io/host/18.221.195.49
» Domains: amazonaws.com
» Cloud Provider: Amazon
» Cloud Region: us-east-2
» Cloud Service: AMAZON
» Country: United States
» City: Hilliard
» Organization: Amazon Technologies Inc.
» ISP: Amazon.com, Inc.
» ASN: AS16509

EXPOSURE RATINGS
WHOIS Data | Medium
Attribution | Medium
Technologies | Low
Ports/Services | High
Analytics | High
Reputation | Medium
Breach Data | High

ARTICLES/PUBLIC RECORDS
Article Title | Date Published | Filename/Source


FILE ATTACHMENTS
Archived collections of images, videos, and pages may be provided upon request and delivered via secure file transfer. Please contact our staff if you require a delivery method or timetable other than the one provided to you by your assigned analyst/investigator.

APPENDIX INDEX
1. DOMAIN PROFILE
2. GEOGRAPHICAL
3. SITE MAP - LINK ANALYSIS
4. WHOIS - CURRENT RECORD
5. NAME SERVERS
6. PORT STATUS
7. HISTORICAL WHOIS
8. HISTORICAL IPS
9. SNAPSHOT
10. TECHNOLOGIES
11. ARCHIVES
12. ROBOTS.TXT
13. DNS TRANSFERS
14. ASN (AUTONOMOUS SYSTEM NUMBERS)
15. ANALYTICAL IDS
16. SSL CERTIFICATES
17. BREACH DATA
18. EXPOSED FILES
19. SHODAN RESULTS
20. EXPOSURE RATING
21. ARTICLES/PUBLIC RECORDS
22. ADDITIONAL FINDINGS

APPENDIX - SUPPORTING DOCUMENTATION
Capture | Section Referenced | Source | Date | Time
» The appendix format may vary, but consider using a full-width format similar to page 10 of this template.
» The appendix typically contains screen captures, documents, media files, etc.
» These can be attached as a separate PDF in the case of documents and screen captures.
» Raw captures and reference files may be included as a separate secure file download or via a secure storage device.

DOMAIN/IP APPENDIX - DATE
APPENDIX SECTION 9.1 | Source | Date | Time
AGENCY/ORG/TARGET 11/03/2021

**Goal:** Templates are meant to provide a foundation for easily creating sharp-looking reports for the various common missions and tasks that we take on as OSINT professionals. The intention is that they be further customized by the user to reflect their own use case and agency branding. They often contain more categories and sections than you might include in a single report. This is because it is easier to cut content out than it is to add sections back in that look cohesive with the original design. Below are some categories that you might review and assess in assisting with cleaning up and improving these templates.

1. When returning an edited document please title it with your Matrix handle and the date, i.e.: domainreport_mrmumbles_nov21.docx.
2. If you wish to include notes you can add an .md/.txt file or just add a page of notes to the end of the template.
3. **Formatting improvements**. Most of our templates are built in Adobe InDesign and then exported out to Word. That process is imperfect and we spend quite a bit of time cleaning up the formatting post export. Word handles columns and other features imperfectly and I am not particularly good at working with Word or PowerPoint. If you are able to clean up or otherwise improve formatting please do so. It may be that the way in which I have accomplished a certain aesthetic is not ideal.
4. Some filler text on templates is just typesetter's code and other text is meant to provide some guidance on what to put in that section. For the latter feel free to correct any spelling or grammar, or add any content to improve the value of that guidance.
5. If there are any sections or items that you think should be added please do so. You are also welcome to make multiple versions.
6. Fonts should be mostly consistent. I tend to use Montserrat (https://fonts.google.com/specimen/Montserrat) or Avenir Next (https://freefontsfamily.com/avenir-next-font-download-free/) depending on the project, so if you see inconsistencies please feel free to fix them.
7. We want to clean up as much metadata as possible. This is much more difficult with files like pptx. If you find metadata showing PII (names, accounts, etc.) please list it in your edit notes and/or remove the metadata. Some of our templates are from scratch, others are from premium or open-source templates which we have further modified to suit investigations/operations, so there may be 3rd-party metadata in some cases.
8. Any other ideas or changes are 100% welcome. You can use track changes in the case of docx revisions or just list any major changes at the bottom of the template as an additional page or again as a .md or .txt file. Don't worry about listing every spelling or grammar fix. Also, typesetter's code is Latin, so any boilerplate using that will set off your spell check, which you can ignore. Thank you! -Jason

Domain Worksheet

Each section of the worksheet carries a Date of Record field plus Source and Note columns for the entries collected under it (PRESERVATION records Date Preserved/Captured and Methodology/Location instead). Sections, in worksheet order:

DOMAIN PROFILE
NAME SERVERS
WHOIS - CURRENT RECORD
SITE MAP - LINK ANALYSIS
GEOGRAPHICAL
PORT STATUS
HISTORICAL WHOIS
ARCHIVES
TECHNOLOGIES
SNAPSHOT
HISTORICAL IPS
ROBOTS.TXT
DNS TRANSFERS
EXPOSED FILES
BREACH DATA
SSL CERTIFICATES
ANALYTICS IDS
ASN
SHODAN RESULTS
EXPOSURE RATING
PRESERVATION
APPENDIX
ARTICLES/PUBLIC RECORDS
CONTENT LEADS

OSINT – Creating a Domain Report v.11.2021

The most common goal of a domain investigation and its documentation is to attribute activity related to a site, private email address, etc. For example, malicious activity such as a phishing campaign, network intrusion, or trafficking in illicit goods where our primary lead is a domain. It may turn out that the domain belongs to a non-complicit third party, but that will still often be pertinent to your investigation or intelligence gathering as a step towards identifying the responsible parties. You may simply be figuring out who to serve with a subpoena or other legal request, which will hopefully reveal more investigative leads or uncover usable evidence for a civil or criminal case. A smart exercise if you are new to domain investigation is to purchase and set up hosting for a burner domain. Going through this process will help you understand how the various pieces (registrar, name servers, hosting, certificates) fit together and make investigating target sites, operators, and hosts more efficient and fruitful.

Investigative & Reporting Resources
Accompanying this lesson are templates for preparing both a domain report and a briefing/presentation. These are offered as-is, and the intention is to provide support for translating intelligence into a work product. Much of the templates is filled with boilerplate placeholder text, but there are some notes and guidance included. Wherever possible, assets such as fonts and images are provided for convenience. These templates are kept relatively generic so that they can be adapted to different mission goals and scopes. The expectation is that you further customize them to suit your purposes, but that you aren't having to start from scratch. Remove portions you don't need, add new topics in, etc.

MS Word Domain Report Templates - As with most things, we are providing a couple of versions depending on your comfort level working with Microsoft Word and Excel. Version 1 is a straight-up Word document where you will input your own data by highlighting sections and replacing the text with copy/paste or by typing over it. Fair warning: these raw Word docs can be temperamental in how they handle columns, so it may take some experimentation to get the final formatting just right. Version 2 is updated by typing into a linked Excel spreadsheet. Some people find that this alternative method helps in not creating formatting issues. If you take these templates and make them better, please share them back so that others may benefit from your improvements. We are happy to host alternative versions.

In the notes below you will find recommendations on sites and tools specific to the different data types that you may wish to collect and include in your domain report and briefing. More experienced practitioners may not need this, but it is provided for those who might be new to conducting investigations into domains and/or IPs. Keep in mind as well that although we are approaching this from the angle of a domain investigation, the same approach and resources can be used for an operation that starts with a known IP address rather than a domain name. The following may serve as a map if you are having trouble locating tools to flesh out a particular portion of the report. The section numbers correspond to the numbered sections in the notes below. The first set of entries is general advice and explanation on that data type, and the second set is a concise list of a few places where you can get each type of data on most targets. This is a short list for convenience, and there are more sites listed in your OSINT tools should you exhaust the suggestions below.

PowerPoint Template – Multiple members requested a PowerPoint briefing template to accompany the report, so we have provided a 50 slide PowerPoint that has the framework set up for an intelligence briefing on a domain investigation. Again, you all have a wide range of missions, so this is meant to be further customized to suit your own operational goals. We pieced together some icons and other assets for convenience should you want to have a consistent look across your work products.

Elements of a Domain Report/Briefing
• Investigator/Agency
• Table of Contents (optional)
• Target Domain/IP
• Scope of Engagement
  o Typically one paragraph concisely describing the mission
• Key Findings
  o The most important takeaways from the investigation/assessment in list format
  o Should be digestible at a glance
• Executive Summary
  o 2-5 paragraphs articulating the key findings with slightly more detail
  o Stick to the most impactful findings and recommendations
• Main Report Sections
  o See detailed descriptions below
• Recommendations
  o Detailed mitigation and actionable steps
  o Anywhere from 2 paragraphs to multiple pages
• Investigator Statement of Experience
• Appendix

Research At its core our domain investigation is going to consist of some smart Google queries and use of our OSINT custom toolset. For longer and more involved investigations you will likely want to expand beyond these measures, but they are a great way to immediately locate low hanging fruit on any domain.

To make things very straightforward for newer investigators, we have broken down the various data types which you may choose to include in your investigation work product. If you are very new to this process you should be able to use this set of notes, the supplied templates, and your custom OSINT toolset to pull together a basic investigation report without too much trouble. Think of it almost like paint-by-number. We've mapped out a report and even a briefing presentation which can be used as a framework for memorializing and sharing your findings.

Passive vs Active "Recon"
Domain investigations require attention to operational security to avoid unintentionally tipping off your target that they are being looked at. A high-traffic domain with a non-criminal clientele may tolerate a less gentle approach, but when investigating a private domain or other site where the owner or operator is likely to pay attention to the traffic, we will typically want to start with passive measures and only progress into active reconnaissance when the risk of exposure is justified by the investigative goals. The dividing line is whether your traffic reaches the target's infrastructure: querying third-party sources (WHOIS, DNS aggregators, archives, certificate logs, Shodan) is passive; visiting the site, fetching its robots.txt, crawling it, or port scanning it is active and will appear in the target's logs. During any active reconnaissance you will want to pay extra attention to your legal standing as well. Things such as port scans may not only tip your hand but could also be problematic legally. In some jurisdictions certain active recon measures could be considered computer trespass, so know the laws where you work and where the target data is hosted. Data collected by third-party sites tends to be fairly tame, but anything where you are directly interacting with the target's infrastructure has a higher likelihood of treading into search and seizure issues.

Capture & Preservation
Depending on your mission, it may be important to capture the site contents early, in case they are changed or deleted in the near future. If you are law enforcement this may include a preservation letter to the hosting company, IF they are not likely involved and IF you think they will not tip off your target. You might also choose manual preservation using a site copier like HTTrack or doing a capture with Hunchly. Even a manual PDF or MHTML capture is better than nothing. Keep in mind that a site copier or browser capture fetches every page from the target's own server, so it is active reconnaissance; an existing archive.org capture (see Archives below) is the passive alternative. Your approach to an early capture may also depend on how cagey your adversary is and whether you need to stick to passive reconnaissance vs active.

Domain Profile The goal here is to provide some options for how to break up your domain report. The intent is not to take this as-is, but rather use these recommendations and the provided templates as building blocks for your own workflow and custom report. If you are more experienced, you may choose to just borrow portions and incorporate them into your existing format. For those new to domain/IP investigations, we have worked to make it very easy to take results from our custom OSINT tools and use key portions in the provided report template. Also note that you do not need to present all of the possible data sets, nor do you need to format them in the exact order of our sample report.

In each category, examples are given of sites and resources that we commonly use to discover that data type. Keep in mind that these sites and pages break over time, and some may be better suited to your use case than others. This is why we provide multiple recommendations; also remember that the links and queries built into the custom OSINT toolset will most often be the most current option. The intent is that this guide, lesson, and the provided template are used in tandem with the custom OSINT tools, so although some of the referenced pages may no longer exist or function by the time you review this lesson, the OSINT tools at https://inteltechniques.com/net/ should have plenty of current resources to assist you in accomplishing your mission. (Reminder: the online training login for our resource page is provided in Section 2: Lesson 1 of the video training site https://inteltechniques.net.) Finally, keep in mind that varying use cases likely require differences in presentation and focus. We are not pentesters or IT professionals. Our choices are based on our experience and typical mission types. Again, borrow what you like and use it in your own way to best suit your own investigation or assessment.

Report sections: DOMAIN PROFILE, GEOGRAPHICAL, SITE MAP - LINK ANALYSIS, WHOIS - CURRENT RECORD, NAME SERVERS, PORT STATUS, HISTORICAL WHOIS, HISTORICAL IPS, SNAPSHOT, TECHNOLOGIES, ARCHIVES, ROBOTS.TXT, DNS TRANSFERS, ASN, ANALYTICS IDS, SSL CERTIFICATES, BREACH DATA, EXPOSED FILES, SHODAN RESULTS, EXPOSURE RATING, ARTICLES/PUBLIC RECORDS, APPENDIX, PRESERVATION, CONTENT LEADS

1. DOMAIN PROFILE
Typically a synopsis of WHOIS and basic hosting information, and key identifiers. Some identifiers and types of data you may not be familiar with:
• A Record: An A record maps a domain name to an IPv4 address.
• AAAA Record: The AAAA record exists when there is an IPv6 address associated with the domain.
• MX Records: MX records name the mail servers that accept mail for the domain, so this information may indicate the presence of a mail server or service associated with the domain.
• NS Record: Names the authoritative name servers for the domain, which is where resolvers go to translate the domain name into an IP address. You can use the name servers of your original registrar or hosting company, or change them to a third-party name server.
• CNAME: Canonical name record, which maps an alias to another hostname. For example, a subdomain such as www, mail, or ftp may be a CNAME pointing at the root domain. https://ns1.com/resources/cname
• TXT Record: TXT records can hold arbitrary data, but are often used to associate identifiers with the domain, such as a mail provider or a site-verification token.
• SPF Record: Sender Policy Framework, published as a TXT record beginning with v=spf1. It lists the IP addresses and third-party senders allowed to send email for the domain, which makes those IP addresses valuable intelligence.
• SOA Record:
  o "The SOA record includes the following details: The primary name server for the domain, which is ns1.dnsimple.com or the first name server in the vanity name server list.
  o The responsible party for the domain: admin.dnsimple.com.
  o A timestamp that changes whenever you update your domain.
  o The number of seconds before the zone should be refreshed.
  o The number of seconds before a failed refresh should be retried.
  o The upper limit in seconds before a zone is considered no longer authoritative.
  o The negative result TTL (for example, how long a resolver should consider a negative result for a subdomain to be valid before retrying)."
  o Source: https://support.dnsimple.com/articles/soa-record/

The following sites are some of the best at providing the most pertinent domain data.
https://hackertarget.com/ip-tools/
https://gofindwhois.com/
https://app.binaryedge.io/services/query (make a burner free-tier account)
https://dnsdumpster.com/
https://osint.sh/
https://dnschecker.org/all-dns-records-of-domain.php
https://websitebiography.com (URL structuring: https://domain.com.websitebiography.com/)
https://host.io/ (URL structuring: https://host.io/cybersocialhub.com/domain.com)
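As an added example (not code from the lesson or its toolset) of how the record types above fit together, the following Python parses constructed dig-style answer lines into a domain-profile structure, names the seven SOA fields exactly as the list above describes them, and pulls the sender-authorised networks out of the SPF TXT record. The domain, addresses, name servers and serial in the sample are placeholders, not data about any real site.

```python
"""Parse dig-style DNS answer lines into the record types a domain profile lists.

Added example for these notes, not code from the lesson or its toolset. The
sample answers are constructed: the domain, addresses, name servers and SOA
values are placeholders, not data about any real site.
"""
import shlex
from collections import defaultdict

# Constructed sample of `dig +noall +answer`-style output for one domain.
SAMPLE_ANSWERS = """\
example-target.com.     3600 IN A     35.208.131.248
example-target.com.     3600 IN AAAA  2001:db8::1
example-target.com.     3600 IN MX    10 mail.example-target.com.
example-target.com.     3600 IN NS    ns1.dnsimple.com.
example-target.com.     3600 IN NS    ns2.dnsimple.com.
www.example-target.com. 3600 IN CNAME example-target.com.
example-target.com.     3600 IN TXT   "v=spf1 ip4:192.0.2.10 ip4:198.51.100.0/24 include:_spf.google.com -all"
example-target.com.     3600 IN TXT   "google-site-verification=abc123"
example-target.com.     3600 IN SOA   ns1.dnsimple.com. admin.dnsimple.com. 2021110301 86400 7200 604800 300
"""

# SOA rdata fields in wire order, named as the notes describe them.
SOA_FIELDS = ("primary_ns", "responsible", "serial", "refresh", "retry", "expire", "minimum")


def parse_records(text):
    """Return one {name, ttl, type, rdata} dict per answer line.

    shlex.split keeps a quoted TXT string (which may contain spaces) as one token.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        tokens = shlex.split(line)
        if len(tokens) < 5 or tokens[2] != "IN":
            continue
        records.append({"name": tokens[0].rstrip("."), "ttl": int(tokens[1]),
                        "type": tokens[3], "rdata": tokens[4:]})
    return records


def by_type(records):
    grouped = defaultdict(list)
    for record in records:
        grouped[record["type"]].append(record)
    return dict(grouped)


def parse_soa(rdata):
    """Name the seven SOA fields; the RNAME's first dot stands for '@'."""
    soa = dict(zip(SOA_FIELDS, rdata))
    soa["primary_ns"] = soa["primary_ns"].rstrip(".")
    soa["responsible"] = soa["responsible"].rstrip(".").replace(".", "@", 1)
    for key in SOA_FIELDS[2:]:
        soa[key] = int(soa[key])
    return soa


def spf_terms(records):
    """Collect the networks and third-party senders an SPF TXT record authorises."""
    ips, includes = [], []
    for record in records:
        if record["type"] != "TXT":
            continue
        txt = " ".join(record["rdata"])
        if not txt.lower().startswith("v=spf1"):
            continue
        for term in txt.split()[1:]:
            mechanism = term.lstrip("+-~?")  # drop the qualifier prefix
            if mechanism.startswith(("ip4:", "ip6:")):
                ips.append(mechanism.split(":", 1)[1])
            elif mechanism.startswith("include:"):
                includes.append(mechanism.split(":", 1)[1])
    return {"ips": ips, "includes": includes}


def domain_profile(text):
    """Build the domain-profile summary from raw answer lines."""
    records = parse_records(text)
    grouped = by_type(records)
    return {
        "a": [r["rdata"][0] for r in grouped.get("A", [])],
        "aaaa": [r["rdata"][0] for r in grouped.get("AAAA", [])],
        "mx": [(int(r["rdata"][0]), r["rdata"][1].rstrip(".")) for r in grouped.get("MX", [])],
        "ns": sorted(r["rdata"][0].rstrip(".") for r in grouped.get("NS", [])),
        "cname": {r["name"]: r["rdata"][0].rstrip(".") for r in grouped.get("CNAME", [])},
        "spf": spf_terms(records),
        "soa": parse_soa(grouped["SOA"][0]["rdata"]) if "SOA" in grouped else None,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(domain_profile(SAMPLE_ANSWERS), indent=2))
```

Feed it the answer section of a real `dig` run (saved to a file, so the lookup itself is the only traffic you generate, and that goes to your resolver rather than the target) and the SPF `ips` list and SOA `responsible` mailbox drop straight into the domain profile.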

2. GEOGRAPHICAL
Location data associated with the hosting or management of the domain or IP. This is often not directly reflective of the individual running the site; usually it is the IP geolocation of infrastructure belonging to the target's hosting provider. There are some occasions where you will stumble into a case of self-hosting.
https://domainbigdata.com/
https://threatintelligenceplatform.com/report/
https://search.censys.io/hosts/ (by IP search)

3. SITE MAP - LINK ANALYSIS
A visual representation of the domain structure and how it connects to other sites, services, and infrastructure. This may also include subdomains, mail servers, etc., depending on the mission scope.

Some online resources will provide a rudimentary visualization, or you can create more advanced charts using draw.io, Maltego, or your link analysis tool of choice. If you are just getting started, dnsdumpster (listed below) can provide a pretty good turn-key network map for most domains.
https://www.threatcrowd.org/domain.php?domain=
https://dnsdumpster.com
Subdomains:
https://spyse.com/target/domain/
https://threatintelligenceplatform.com/report/
https://securitytrails.com/list/apex domain/
https://osint.sh/subdomain/

4. WHOIS - CURRENT RECORD
The most recent WHOIS record, which is available via many online sources. Often this is simply pasted into the report, possibly along with some analysis. The key portions will have already been included in the domain profile. https://whois.icann.org/en/dns-and-whois-how-it-works
Key concept: registrant vs registrar vs registry
a. ICANN: Non-profit which oversees rules and regulations for domain registration.
b. Registry: Organization which controls top-level domains such as .com or .org (e.g., Verisign for .com and .net, Public Interest Registry for .org). A registry may control multiple TLDs, but each TLD is managed by only one registry.
   i. https://www.iana.org/domains/root/db
c. Registrar: Organization which sells domain registrations to end users. They essentially broker the sales of individual domain names. For example, GoDaddy and Namecheap are accredited registrars. Smaller companies might resell domains which they obtain from accredited registrars.
   i. https://www.icann.org/en/accredited-registrars?filter-letter=a&sortdirection=asc&sort-param=name&page=1
   ii. https://domainnamestat.com/statistics/registrar/others
d. Registrant: The end user or company which leases the domain for use on their site. For example, I might lease jasonedison.com by registering it through Namecheap, who will "middleman" the registration with Verisign, which controls all .com addresses.
Source: https://www.cyberpunk.rs/domain-name-hierarchy-registry-vs-registrar
https://viewdns.info/whois/
https://who.is/whois/
https://www.whoxy.com/codyhawk.com
https://whoisology.com/
https://domainbigdata.com/
https://urlscan.io/domain/
https://spyse.com/target/domain/
https://threatintelligenceplatform.com/report/
https://www.threatcrowd.org/domain.php?domain= (light WHOIS)
Alternate TLDs:
https://who.is/whois/
https://domainbigdata.com/

5. NAME SERVERS
The name servers are the authoritative servers that answer DNS queries for the domain's zone. The target's name servers may be, but are not necessarily, operated by their registrar or hosting company. Name servers might also be custom, for example if the site is hosted on a virtual private server, as in this example:
https://www.digitalocean.com/community/tutorials/how-to-create-vanity-or-branded-nameservers-with-digitalocean-cloud-servers
https://viewdns.info/dnsreport/
https://spyonweb.com
https://who.is/whois/
https://who.is/dns/
https://www.whoxy.com/
https://domainbigdata.com/
https://urlscan.io/domain/
https://spyse.com/target/domain/
https://threatintelligenceplatform.com/report/
https://www.threatcrowd.org/domain.php?domain=
A record, NS, MX comparison:
https://spyse.com/target/domain/
https://builtwith.com/relationships/
https://threatintelligenceplatform.com/report/
https://dnschecker.org/ns-dns-records-of-domain.php

6. PORT STATUS
Open ports may indicate both vulnerabilities and services being used to operate the site. For example, FTP may indicate access vulnerabilities or the possible presence of public-facing file archives. Unusual open ports may be worth some Google research into possible use cases or technologies. There are many sites which provide intel on open ports, one of the most well-known (or notorious) being shodan.io. Port data from these sites comes from the third party's own scanning, so your address never touches the target; running your own scan against the target is active reconnaissance (see Passive vs Active above).
https://viewdns.info/portscan/
https://threatintelligenceplatform.com/report/
https://search.censys.io/hosts/ (by IP search)

7. HISTORICAL WHOIS
Often more recent domain registrations have the registrant's contact information privatized. We can often see non-privatized registrant information by reviewing historical registration records from previous years. Some of the most accessible historical WHOIS data is available as a premium service to customers of companies such as DomainTools.com. There are some free sites that will provide some historical WHOIS data, but many require that you create an account.
https://spyse.com/target/domain/
https://who.is/domain-history/
https://www.whoxy.com/
https://whoisology.com/ (requires free account)
https://domainbigdata.com/
https://osint.sh/whoishistory/

8. HISTORICAL IPS
List of IP addresses that the target domain has pointed to.
https://viewdns.info/iphistory/
You can also query an IP to see related domains:
https://reverse-ip.whoisxmlapi.com/overview
https://securitytrails.com/domain/ (make free account)

9. SNAPSHOT
Some third-party services will provide a thumbnail capture of the main page of a domain, typically index.html. This can provide passive and, in some cases, historical intelligence, giving a glimpse of the page without visiting the current live page directly.
https://urlscan.io/domain/
https://www.easycounter.com/report/
https://www.domainiq.com/snapshot history#

10. TECHNOLOGIES
Identify the various sets of code and/or services used by the site. This may be things such as WordPress or other content delivery or analytics software and services. These are often add-ons or turn-key solutions that hosting providers offer to content creators and site owners. They can be useful in identifying vulnerabilities, but also ideas for how content is organized and how we might search for it. For example, a forum may not be clearly advertised, but we may see that the site is using a forum technology such as phpBB. Likewise, if we see Google or Facebook technologies, that might be an indication of the existence of analytics IDs and/or the site operator having accounts on those platforms.

This section might also include findings on CVEs (Common Vulnerabilities & Exposures) related to the technologies and versions used by the target. A CVE against a product the target runs is a lead, not a confirmed vulnerability; the installed version and configuration determine whether it actually applies.
https://builtwith.com/
https://threatintelligenceplatform.com/report/
https://themarkup.org/blacklight?url=
CVE/Threat/Vuln Analysis:
https://spyse.com/target/domain/
https://www.virustotal.com/gui/domain/
https://threatintelligenceplatform.com/report/
https://www.cve.org/
https://www.cvedetails.com/

11. ARCHIVES
Sites such as archive.org, archive.today, or Google cache may allow us to view historical or deleted content. They also provide a possible opportunity for passive reconnaissance (caveat: Google cache is not completely passive recon, as the cached page often fetches images and other resources from the live site).
http://web.archive.org/web/*/
https://archive.md/ (captcha)
http://timetravel.mementoweb.org
https://webarchive.loc.gov/all/*/
https://arquivo.pt
Google web cache: http://webcache.googleusercontent.com/search?q=cache:

12. ROBOTS.TXT
The robots.txt file is where a site operator lists the directories they ask search engines and other crawlers to skip when indexing the site. Compliance is voluntary and the file itself is public, so it is useful as a pointer to areas of the site the operators would rather we not find. Note that reading domain.com/robots.txt directly is a request to the target's server; an archived copy (for example via web.archive.org) is the passive option. https://moz.com/learn/seo/robotstxt

13. DNS TRANSFERS
Often a site owner will use their hosting provider for DNS, but sometimes they will move to alternative name servers. A history of which name servers the domain has pointed to, and when, can indicate a change of hosting provider and gives you additional parties to approach for records.
For example: https://www.namecheap.com/support/knowledgebase/article.aspx/767/10/how-to-change-dns-for-a-domain/
https://securitytrails.com/dns-trails
https://spyse.com/target/domain/
https://centralops.net/co/

14. ASN (AUTONOMOUS SYSTEM NUMBERS)
"An Autonomous System (AS) is a set of Internet routable IP prefixes belonging to a network or a collection of networks that are all managed, controlled and supervised by a single entity or organization. An AS utilizes a common routing policy controlled by the entity. The AS is assigned a globally unique 16-digit identification number, known as the autonomous system number or ASN, by the Internet Assigned Numbers Authority (IANA)." https://www.thousandeyes.com/learning/glossary/as-autonomous-system
Note that "16-digit" in the quote is loose wording: ASNs are 16-bit numbers (32-bit since 2007), written as AS followed by the number, for example AS16509 (Amazon) in the template above. For an investigation, the ASN tells you which organization routes the target's IP space, which is usually the hosting or cloud provider rather than the site operator.
https://securitytrails.com/blog/asn-lookup

15. ANALYTICAL IDS
Analytics IDs are identifiers embedded in a site's pages that tie its features to services such as Google Analytics, AdSense, or Facebook. They are valuable because a site operator frequently reuses the same account across sites, so we can sometimes use them to locate alternate sites run by the same target. They sit in the page source, so they can also be read from an archived copy of the page, which keeps the collection passive.
https://analyzeid.com/id/
https://builtwith.com/relationships/
https://osint.sh/analytics/
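The following Python is an added example (not from the lesson or any of the sites above) of the pivot this section describes: it extracts the common tracking and advertising identifiers from page source with regular expressions and then reports which identifiers appear on more than one domain. The three HTML pages are constructed and every ID in them is invented. One detail worth knowing: a Universal Analytics property ID such as UA-12345678-1 is account number plus property index, so the account portion is the value to pivot on.

```python
"""Extract analytics/advertising identifiers from page source and find the
ones shared across several domains.

Added example for these notes, not from the lesson or any tool it references.
The HTML pages below are constructed samples; the IDs in them are invented.
"""
import re
from collections import defaultdict

ID_PATTERNS = {
    # Universal Analytics property: UA-<account>-<property index>
    "ua_property": re.compile(r"\bUA-\d{4,10}-\d{1,4}\b"),
    # GA4 measurement ID and Tag Manager container ID
    "ga4": re.compile(r"\bG-[A-Z0-9]{6,12}\b"),
    "gtm": re.compile(r"\bGTM-[A-Z0-9]{4,9}\b"),
    # AdSense publisher ID, written as ca-pub-... in script URLs or pub-... in tags
    "adsense": re.compile(r"\b(?:ca-)?(pub-\d{10,20})\b"),
    # Facebook pixel: fbq('init', '<numeric id>')
    "fb_pixel": re.compile(r"fbq\(\s*['\"]init['\"]\s*,\s*['\"](\d{10,20})['\"]"),
    # Google Search Console verification token in a <meta> tag
    "google_site_verification": re.compile(
        r"<meta[^>]+name=[\"']google-site-verification[\"'][^>]+content=[\"']([^\"']+)[\"']",
        re.IGNORECASE),
}

# Constructed sample pages (invented identifiers).
SAMPLE_PAGES = {
    "example-target.com": """
<html><head>
<meta name="google-site-verification" content="Qx9_constructed_token">
<script async src="https://www.googletagmanager.com/gtag/js?id=G-AB12CD34EF"></script>
<script>
  gtag('config', 'G-AB12CD34EF');
  gtag('config', 'UA-12345678-1');
</script>
<script async src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js?client=ca-pub-1234567890123456"></script>
<script>fbq('init', '998877665544332');</script>
</head><body></body></html>""",
    "second-site.example": """
<html><head>
<script>ga('create', 'UA-12345678-2', 'auto');</script>
<ins class="adsbygoogle" data-ad-client="pub-1234567890123456"></ins>
</head><body></body></html>""",
    "unrelated.example": """
<html><head><script>(function(w,d,s,l,i){})(window,document,'script','dataLayer','GTM-ZZ99YY');
gtag('config', 'UA-87654321-1');</script></head><body></body></html>""",
}


def extract_ids(html):
    """Return {kind: sorted unique IDs} for every pattern that matches the page."""
    found = {}
    for kind, pattern in ID_PATTERNS.items():
        values = sorted(set(pattern.findall(html)))
        if values:
            found[kind] = values
    if "ua_property" in found:
        # The account number (UA-12345678) is the pivot value; the trailing
        # index only distinguishes properties inside that one account.
        found["ua_account"] = sorted({v.rsplit("-", 1)[0] for v in found["ua_property"]})
    return found


def shared_ids(pages):
    """pages: {domain: html}. Return {(kind, id): [domains]} for IDs seen on 2+ domains."""
    seen = defaultdict(set)
    for domain, html in pages.items():
        for kind, values in extract_ids(html).items():
            for value in values:
                seen[(kind, value)].add(domain)
    return {key: sorted(domains) for key, domains in seen.items() if len(domains) > 1}


if __name__ == "__main__":
    for (kind, value), domains in sorted(shared_ids(SAMPLE_PAGES).items()):
        print(f"{kind} {value} shared by: {', '.join(domains)}")
```

Run it over page source you already hold (a Hunchly capture, an archive.org copy, or a saved view-source) rather than fetching pages live, and the shared-ID table becomes the list of candidate related sites to confirm through the lookup services listed above.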

16. SSL CERTIFICATES
SSL/TLS certificates are what enables HTTPS on a site, which is a good thing and something we want on sites that we visit. From an investigative perspective they are useful because, similar to analytics IDs, targets will sometimes use the same certificate across multiple sites: one certificate can list several hostnames (its subject alternative names), and publicly trusted certificates are recorded in certificate transparency logs that crt.sh lets you search by domain. Thus the certificate, its fingerprint, and the names on it are identifiers that we want to locate and run a search on. Letsencrypt.org is a popular certificate authority run by a non-profit which is frequently used by those who self-host and want a certificate.
https://letsencrypt.org/docs/faq/
https://www.globalsign.com/en/ssl-information-center/what-is-an-ssl-certificate
https://spyse.com/target/domain/
https://crt.sh/ (URL structuring: https://crt.sh/?q=domain.com)
https://threatintelligenceplatform.com/report/
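As an added example (not code from the lesson or from crt.sh), the following Python takes certificate-transparency results for a target domain and answers the two questions this section raises: which other apex domains appear on a certificate that also covers the target, and which certificates were valid on a given date. The entries are constructed in the shape crt.sh returns for its JSON output (an assumption about that service: one object per log entry with issuer_name, common_name, a newline-separated name_value, not_before, not_after and serial_number); the domains and serial numbers are invented. Apex extraction is deliberately naive (last two labels) and would need the Public Suffix List for domains such as example.co.uk.

```python
"""Group certificate-transparency results by certificate and list the other
apex domains that share a certificate with the target.

Added example for these notes. The entries are constructed in the shape of
crt.sh's JSON output (an assumption); domains and serial numbers are invented.
"""
from collections import defaultdict
from datetime import datetime

SAMPLE_ENTRIES = [
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "example-target.com",
     "name_value": "example-target.com\nwww.example-target.com\nshop.second-site.example",
     "not_before": "2021-10-01T00:00:00", "not_after": "2021-12-30T00:00:00",
     "serial_number": "03aa11"},
    # The same certificate logged twice (precertificate and final certificate).
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "example-target.com",
     "name_value": "example-target.com\nwww.example-target.com\nshop.second-site.example",
     "not_before": "2021-10-01T00:00:00", "not_after": "2021-12-30T00:00:00",
     "serial_number": "03aa11"},
    {"issuer_name": "C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018",
     "common_name": "*.example-target.com",
     "name_value": "*.example-target.com\nexample-target.com",
     "not_before": "2020-12-21T03:11:21", "not_after": "2022-01-22T03:11:21",
     "serial_number": "7f00bb"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "third-brand.example",
     "name_value": "third-brand.example\nmail.third-brand.example",
     "not_before": "2021-11-01T00:00:00", "not_after": "2022-01-30T00:00:00",
     "serial_number": "09cc22"},
]


def names_on(entry):
    """All hostnames on the certificate, lower-cased, with wildcard prefixes removed."""
    return sorted({n.strip().lower().lstrip("*.")
                   for n in entry["name_value"].splitlines() if n.strip()})


def apex_of(hostname):
    """Naive apex (last two labels). Real code should consult the Public Suffix List."""
    return ".".join(hostname.split(".")[-2:])


def dedupe(entries):
    """Collapse log entries that describe the same certificate (same issuer and serial)."""
    certs = {}
    for entry in entries:
        certs.setdefault((entry["issuer_name"], entry["serial_number"]), entry)
    return list(certs.values())


def shared_apexes(entries, target_apex):
    """{other apex: [serials]} for certificates covering the target and another apex."""
    hits = defaultdict(list)
    for cert in dedupe(entries):
        apexes = {apex_of(name) for name in names_on(cert)}
        if target_apex in apexes:
            for other in sorted(apexes - {target_apex}):
                hits[other].append(cert["serial_number"])
    return dict(hits)


def valid_on(entries, when_iso):
    """Serial numbers of certificates whose validity window covers the given ISO timestamp."""
    when = datetime.fromisoformat(when_iso)
    serials = []
    for cert in dedupe(entries):
        not_before = datetime.fromisoformat(cert["not_before"])
        not_after = datetime.fromisoformat(cert["not_after"])
        if not_before <= when <= not_after:
            serials.append(cert["serial_number"])
    return sorted(serials)


def issuers(entries):
    return sorted({cert["issuer_name"] for cert in dedupe(entries)})


if __name__ == "__main__":
    print("shared with target:", shared_apexes(SAMPLE_ENTRIES, "example-target.com"))
    print("valid on 2021-11-15:", valid_on(SAMPLE_ENTRIES, "2021-11-15T00:00:00"))
    print("issuers:", issuers(SAMPLE_ENTRIES))
```

A second apex domain showing up in `shared_apexes` means someone requested one certificate covering both names, which is a stronger link than two sites merely sharing a hosting provider; confirm it with the WHOIS, name server and analytics ID sections before reporting it as attribution.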

17. BREACH DATA As with other areas of OSINT investigation, breach data can be a very beneficial source of data on domains. Typically, when searching breach data on a domain mission we are locating entries where email addresses of that domain have been exposed. In some cases, we may be interested in a specific breach or leak as a whole because that company has associations with our target. If I were investigating jasonedison.com, a small private domain, I would certainly be interested in any jasonedison.com email addresses in available breach and leak data, assuming that it is within scope and policy for my agency/organization. https://haveibeenpwned.com https://dehashed.com *Proprietary in-house collections

18. EXPOSED FILES
Sometimes site creators and/or operators make files publicly available that might be of use to our operation. This can be anything from documents on an open FTP server all the way up to something large like an open Elasticsearch database. Sometimes the files are left exposed out of error or carelessness, but sometimes targets simply do not understand that leaving such things public-facing is a potential vulnerability.
Google operators, FTP, and document search:
site:domain.com inurl:ftp -inurl:(http | https)
site:domain.com filetype:docx OR filetype:pdf
Check the site's robots.txt: domain.com/robots.txt (see section 12 on the passive way to read it)
Look for technologies such as databases or content delivery which might expose data or documents.
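The following Python is an added example (not from the lesson or its toolset) that serves both section 12 and this one: it parses a robots.txt into its user-agent groups, turns the crawl-excluded paths into absolute URLs worth checking, flags the ones whose names suggest stored files, and builds the search-engine queries listed above for a given domain. The robots.txt content is constructed and the paths in it are invented.

```python
"""Turn a site's robots.txt into a list of crawl-excluded locations worth
checking, plus the search-engine queries the Exposed Files section recommends.

Added example for these notes, not from the lesson or its toolset. The
robots.txt below is constructed; its paths are invented.
"""
from urllib.parse import urljoin

SAMPLE_ROBOTS = """\
# constructed sample
User-agent: *
Disallow: /admin/
Disallow: /backup/
Disallow: /uploads/private/
Allow: /uploads/public/
Sitemap: https://example-target.com/sitemap.xml

User-agent: Googlebot
Disallow: /staging/
"""

# Path fragments that often mark stored files or management interfaces.
INTERESTING = ("admin", "backup", "private", "upload", "old", "tmp", "dump", "sql", "config", "staging")


def parse_robots(text):
    """Return {"groups": {agent: {"disallow": [...], "allow": [...]}}, "sitemaps": [...]}.

    Consecutive User-agent lines share one rule set; a User-agent line that
    follows rules starts a new group.
    """
    groups, sitemaps = {}, []
    current, rules_seen = [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line or ":" not in line:
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            if rules_seen:
                current, rules_seen = [], False
            agent = value.lower()
            groups.setdefault(agent, {"disallow": [], "allow": []})
            current.append(agent)
        elif field in ("disallow", "allow"):
            rules_seen = True
            if value:                              # bare "Disallow:" excludes nothing
                for agent in current:
                    groups[agent][field].append(value)
        elif field == "sitemap":
            sitemaps.append(value)
    return {"groups": groups, "sitemaps": sitemaps}


def excluded_urls(base, text, agent="*"):
    """Absolute URLs for the paths the given agent is asked not to crawl."""
    group = parse_robots(text)["groups"].get(agent, {"disallow": []})
    return [urljoin(base, path) for path in group["disallow"]]


def flag_interesting(paths):
    """Subset of paths whose names suggest stored files or admin areas."""
    return [p for p in paths if any(key in p.lower() for key in INTERESTING)]


def exposed_file_queries(domain):
    """Search-engine queries from the Exposed Files section, filled in for one domain."""
    return [
        f"site:{domain} filetype:pdf",
        f"site:{domain} filetype:docx OR filetype:pdf",
        f"site:{domain} inurl:ftp -inurl:(http | https)",
        f"ext:zip OR ext:rar OR ext:7z \"{domain}\"",
        f"site:docs.google.com \"{domain}\"",
    ]


if __name__ == "__main__":
    urls = excluded_urls("https://example-target.com", SAMPLE_ROBOTS)
    print("excluded:", urls)
    print("worth a look:", flag_interesting(urls))
    print("\n".join(exposed_file_queries("example-target.com")))
```

The disallowed paths are leads, not findings: a directory listed in robots.txt may be empty, access-controlled, or long gone, and requesting it is active reconnaissance, so note each candidate in the worksheet and decide deliberately when (and from where) to touch it.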

19. SHODAN RESULTS This is a specific category that you may or may not choose to include in your report. Shodan is particularly popular for locating vulnerabilities, open ports, IP locations, etc.
Example: https://www.shodan.io/search?query=equifax.com
https://Shodan.io
https://help.shodan.io/the-basics/search-query-fundamentals

20. EXPOSURE RATING

If completing the domain report as part of a vulnerability assessment you may wish to add a visual rating or other quick indication of exposure level. Clients and bosses sometimes expect to see charts or graphs on reports, and this can meet that aesthetic expectation.

21. ARTICLES/PUBLIC RECORDS Third party articles, posts, or references which reflect on the domain, individual, or brand. This section may include articles that support the general overview of the target individual or organization. It also might reflect reputation vulnerabilities.
- Discussions/Posts
https://www.reddit.com/search?q=site:
https://www.google.com/search?q=site%3A
https://intelx.io/?s= (Paste Search)

22. ANALYSIS/BACKLINKS/RELATED
Alexa Data/Traffic Analysis:
https://spyonweb.com/
https://www.easycounter.com/report/
https://www.similarweb.com/website/
https://www.alexa.com/siteinfo/
https://www.spyfu.com/overview/domain?query=
https://threatintelligenceplatform.com/report/
Backlinks & Verbatim Content Search:
https://host.io/backlinks/
https://www.spyfu.com/overview/domain?query=
http://bc.linkody.com/en/seo-tools/free-backlink-checker/
https://www.copyscape.com/?q=

23. APPENDIX. The appendix contains more detailed captures and supporting documentation for the preceding sections. This is sometimes part of the main report or can also be an additional document such as a pdf. There might also be a set of additional files, such as media, provided as a zip or other archive.

Content Leads & Direct Reconnaissance Once low hanging fruit is collected and you’ve exhausted most of the go-to third party resources, you may wish to move to an active reconnaissance phase. This may involve more direct probing and scanning, but again be certain of your legal standing and how you might draw attention to your investigation. When we start to look at things such as scanning infrastructure, much of it is beyond the scope of OSINT so we will not dig into it here. At some point we need to analyze the actual site contents for pivot points and other leads. We should not forget that although most of our efforts so far are very passive approaches using third party intelligence and resources, at some point review and investigation of the actual site contents will likely need to occur. This is usually part of the active-reconnaissance phase of investigation and thus typically occurs after we exhaust our passive tactics. Once we are able to process the target site directly, we can start doing contextual and reverse (file and image) searches on the content. Searching for account, image, or unique text string leads may uncover additional accounts, sites, and associations beyond those previously known. We may also want to break out some of the more aggressive scripts and tools from our custom OSINT virtual machine once we reach the active reconnaissance phase of our investigation.

Practice Targets Remember your operational security best practices when practicing on live targets, especially targets that likely have criminal ties. https://rescure.me/rescure domain blacklist.txt | List of blacklisted domains which are likely involved in scams and/or crimes

Resources & Articles
https://lookup.icann.org/lookup
https://maildump.co/ | Search by email
https://spyse.com/
https://rescure.me/feeds.html | Sample target malicious domains
https://github.com/thewhiteh4t/FinalRecon | Untested
https://www.interserver.net/tips/kb/whois-lookup-explained/ | Whois Records Explained
https://www.cloudflare.com/learning/network-layer/what-is-an-autonomous-system/ | Understanding AS Numbers
https://howto.lintel.in/domain-registry-vs-registrar-vs-registrant/ | Registration Explained
https://blog.dnsimple.com/2016/10/three-rs-of-domain-names/ | Registration Explained More
https://www.cyberpunk.rs/domain-name-hierarchy-registry-vs-registrar | Registration Explained Even More (Good Diagram)
https://www.icann.org/en/accredited-registrars?filter-letter=a&sort-direction=asc&sort-param=name&page=1
https://bloggingwizard.com/view-dns-history/
https://securitytrails.com/dns-trails
https://stormctf.ninja/ctf/blog/stormctf/bellebytes-osint-guide
https://dnsdumpster.com/footprinting-reconnaissance/
https://blog.stackattack.net/2017/04/06/osint-dns/
https://www.rapid7.com/blog/post/2015/02/23/osint-through-sender-policy-framework-spf-records/

OSINT Spiderfoot
Difficulty: Intermediate
Intro and Use Case
Spiderfoot is a platform for running automated OSINT queries. It is particularly useful when working on intelligence gathering or vulnerability assessments on domains and IP addresses. This is not a tool that will replace your manual OSINT process, but rather it will complement it by gathering potential intelligence in the background while you are doing your manual research. Like many automated tools, the value of the information gathered is largely dependent on taking the time to properly set up and configure the tool.
1.1 HX vs Self Hosted
Steve has generously made Spiderfoot open-source, which means that we can self-host or use the premium online Spiderfoot service. We already have Spiderfoot baked into our custom OSINT virtual machine, but you may want to look into HX (Spiderfoot as an online service) to see if that is a better fit for your needs. You can find a comparison of the two options here: https://www.spiderfoot.net/open-source-vs-hx/ Our recommendation is to try both options, and you can do so at no cost. As mentioned, Spiderfoot (open-source) is already in our custom OSINT VM, or you can install it manually from the terminal (https://github.com/smicallef/spiderfoot):
Stable build (packaged release):
$ wget https://github.com/smicallef/spiderfoot/archive/v3.5.tar.gz
$ tar zxvf v3.5.tar.gz
$ cd spiderfoot-3.5
$ pip3 install -r requirements.txt
$ python3 ./sf.py -l 127.0.0.1:5001
Spiderfoot HX has a free tier and you can sign up with your burner email of choice here: https://www.spiderfoot.net/hx/#plan
1.2 Modules & APIs

Spiderfoot has over 200 modules, which are the services it can leverage to conduct queries. You can add data sources we are familiar with such as Haveibeenpwned, Shodan, and many others. Some of these require API keys to use and some API keys will require a paid account on that platform. You don’t need to use all 200 modules, and most people pick and choose to add API keys for services they already use or APIs that are particularly useful for their type of work. Many of the modules and supported APIs are geared towards domain and IP address research. You can start out with the stock modules and add additional API keys once you get comfortable using Spiderfoot. Documentation is available to assist you in obtaining/purchasing API keys.
Module Lists & Supported APIs:
https://github.com/smicallef/spiderfoot#modules--integrations
https://www.spiderfoot.net/documentation/#api
There are some good articles on Spiderfoot.net which give advice on types of modules and APIs to use for various types of investigation.
Threat Intelligence: https://www.spiderfoot.net/top-5-osint-sources-for-threat-intelligence/
Penetration Tests & Bug Bounties: https://www.spiderfoot.net/top-5-osint-sources-for-penetration-testing-and-bug-bounties/
Attack Surface Management: https://www.spiderfoot.net/top-5-osint-sources-for-attack-surface-management/
People Investigations: https://www.spiderfoot.net/top-5-osint-sources-for-people-investigations/
If you don’t know which APIs are worth grabbing, here is a list of APIs favored by one of our members (you can find links in the Spiderfoot API documentation linked above):
○ HIBP (one-time fee of $3,50)
○ Dehashed (it’s $5,49 per week, $15,49 per month or $179.99 per year). Keep in mind that this fee only gets you access to the console and allows you to perform searches there; it does not include API connectivity. For 100 API calls it costs $2,50.
○ OTX threat feed by AlienVault (free)
○ IBM X-Force (free)
○ RiskIQ threat intel feed (free)
○ Shodan (free)
○ Greynoise (free)
○ Virustotal

1.3 Scanning Basics
Spiderfoot is only as powerful as the APIs you connect to it. Out of the box it will complete some default scans, but your results will be much improved if you add additional API keys. Steve has put together a pretty good list of APIs (referenced above) to get you started along with the steps to obtain them. To get started either create a free account on Spiderfoot.net to use the free tier of Spiderfoot HX or fire up your custom OSINT virtual machine, where we already have Spiderfoot installed for you. Once you log in to either HX or open Spiderfoot with the spider icon at the bottom of your virtual machine:
• Although you can manage and run Spiderfoot from the terminal, it is easiest to use the graphic interface via your browser.
• If you wish to add more APIs to your scan, click on “Settings” and you will see a very easy to use list of active and potential APIs. Anything with a lock symbol is something where you would need to go obtain an API key from the provider (i.e.: Bing, Virustotal, Censys, etc.) and add it to Spiderfoot. If you are just starting out, don’t worry about adding APIs and just run a test scan by clicking on Scan on the top left.
• Name your scan.
• Enter a target (use an innocuous domain for your test such as instructables.com). If you wish to scan multiple targets, paste each on a new line or separate them with commas. If you do not wish to scan a domain (web site) you can click on “Help” to see a list of other supported target types such as IP addresses, phone numbers, usernames, and human names. I have found that Spiderfoot is best at digging on domains or IP addresses.
• Choose a scan type – Some scan types are “louder” than others, which means they are more active in their reconnaissance and may be more likely to tip off your target.
o Alternatively, you can select which modules to use or not to use for more granular control. For your test scan, on your test target, just use default settings.
o Note: Spiderfoot HX will have some options not present in the open-source version. Your virtual machine is using the open-source version, which is more limited on features and also will run slower than the premium online version.
• Start the scan and go do something else – manual OSINT, have a coffee, take a walk, etc.
• Come back later and check your results, testing out the different options for viewing the results.

Like many advanced tools, the best way to learn Spiderfoot is to use it. We want to get some repetitions using the tool before we need to use it on a real case or operation. Once you get comfortable with the interface you can start looking at the API options and deciding which additional APIs you may want to add to your Spiderfoot installation.
The official “running a scan” video: https://www.youtube.com/watch?v=sL94OqOvjHQ
The official video explaining scan results: https://www.youtube.com/watch?v=UtFl5a7Zfo
Pro-tip: If you add additional API keys, there is a built-in API export which you should take advantage of to back up your API keys. This will also allow you to transfer your keys to a different Spiderfoot instance, such as Spiderfoot HX.
Spiderfoot HX: Spiderfoot HX is more powerful and convenient than running your own open-source version (like we are doing in our virtual machine) but it does come with some limitations. On the scan page it will list the number of API keys you have set up and any scan limits on your account. Pay attention to this so that you can use your scan allotments wisely. My advice is to start out using the open-source version, then try out the free tier of HX, and then if you find the tool valuable consider a paid account. Steve, the creator of Spiderfoot, is a very active member of the OSINT community and it’s great that he provides an open-source version of his tool. We like to support this type of work in our field, so if you find Spiderfoot useful, maybe consider a paid account as a potentially valuable asset to your tool-set.

1.4 Additional Resources
Sites, write-ups, and walkthroughs
Official Documentation https://www.spiderfoot.net/documentation/
Github Repository https://github.com/smicallef/spiderfoot
Spiderfoot Discord Server https://discord.com/invite/vyvztrG
Investigating a Crypto Scam https://www.spiderfoot.net/nixintel-crypto-scam-investigation-using-spiderfoot-hx-for-osint-automation/
Investigating a Phishing Domain https://www.spiderfoot.net/nixintel-spiderfoot-hx-case-study-of-investigating-a-phishing-domain/
Investigating a Malicious IP Address https://www.spiderfoot.net/nixintel-spiderfoot-hx-case-study-of-investigating-a-malicious-ip-address/
Investigating an Online Scam https://www.spiderfoot.net/investigating-an-online-scam-with-spiderfoot-hx/
Command Line Tutorials https://asciinema.org/~spiderfoot
Attack Surface Monitoring https://hakluke.com/open-source-asm-spiderfoot/
One-Tab Bookmarks
https://www.spiderfoot.net/open-source-vs-hx/ | Open Source or HX? - SpiderFoot
https://github.com/smicallef/spiderfoot | GitHub - smicallef/spiderfoot: SpiderFoot automates OSINT for threat intelligence and mapping your attack surface.
https://discord.com/invite/vyvztrG | SpiderFoot
https://www.spiderfoot.net/documentation/#toc | Documentation - SpiderFoot
https://asciinema.org/~spiderfoot | spiderfoot's profile - asciinema
https://www.spiderfoot.net/modules/ | Modules – SpiderFoot
https://www.spiderfoot.net/documentation/#api | Spiderfoot API List
https://www.spiderfoot.net/how-to-create-a-custom-spiderfoot-module/ | How to Create a Custom SpiderFoot Module - SpiderFoot
https://www.spiderfoot.net/documentation/ | Documentation - SpiderFoot
https://www.youtube.com/watch?v=sL94OqOvjHQ&list=PLjMD8_ywOGw2ZviMmW5rYyB-uh1BczldR | Running a Scan in SpiderFoot HX - YouTube
https://www.spiderfoot.net/about/ | About SpiderFoot - SpiderFoot
https://www.spiderfoot.net/hx/#plan | SpiderFoot HX - SpiderFoot
https://www.spiderfoot.net/osint-for-security-assessments/ | OSINT for Security Assessments - SpiderFoot
https://hakluke.com/open-source-asm-spiderfoot/ | How to achieve enterprise-grade attack-surface monitoring with open source software - HΔKLUKΞ
https://www.spiderfoot.net/nixintel-spiderfoot-hx-case-study-of-investigating-a-phishing-domain/ | Nixintel: SpiderFoot HX Case Study of Investigating A Phishing Domain - SpiderFoot
https://www.spiderfoot.net/top-5-osint-sources-for-people-investigations/ | Top 5 OSINT Sources for People Investigations - SpiderFoot

OSINT – Creating a Domain Report v.11.2021 The most common goal of a domain investigation and the associated documentation is to provide attribution for activity related to a site, private email address, etc. For example, malicious activity such as a phishing campaign, network intrusion, or trafficking in illicit goods where our primary lead is a domain. It may turn out that the domain belongs to a non-complicit third party, but that will still often be pertinent to your investigation or intelligence gathering as a step towards identifying responsible parties. You may just be figuring out who to serve with a subpoena or other legal request, which will hopefully reveal more investigative leads or uncover usable evidence for a civil or criminal case. A smart exercise to go through if you are new to domain investigation is to purchase and set up hosting for a burner domain. Going through this process will help you understand how the various pieces fit together and make investigating target sites, operators, and hosts more efficient and fruitful.

Investigative & Reporting Resources Accompanying this lesson are templates for preparing both a domain report and a briefing/presentation. These are offered as-is and the intention is to provide support for translating intelligence into a work product. Much of the templates is filled with boilerplate placeholder text, but there are some notes and guidance included. Wherever possible, assets such as fonts and images are provided for convenience. These templates are kept relatively generic so that they can be adapted to different mission goals and scopes. The expectation is that you further customize them to suit your purposes, but that you aren’t having to start from scratch. Remove portions you don’t need, add new topics in, etc.
MS Word Domain Report Templates - As with most things we are providing a couple of versions depending on your comfort level working with Microsoft Word and Excel. Version 1 is a straight up Word document where you will input your own data by highlighting sections and replacing the text with copy/paste or by typing over it. Fair warning, these raw Word docs can be temperamental in how they handle columns, so it may take some experimentation to get the final formatting just right. Version 2 is updated by typing into a linked Excel spreadsheet. Some people find that this alternative method helps in not creating formatting issues. If you take these templates and make them better, please share them back so that others may benefit from your improvements. We are happy to host alternative versions. In the notes below you will find recommendations on sites and tools specific to the different data types that you may wish to collect and include in your domain report and briefing. More experienced practitioners may not need this, but it is provided for those who might be new to conducting investigations into domains and/or IPs.
Keep in mind as well that although we are approaching this from the angle of a domain investigation, the same approach and resources can be used for an operation that starts with a known IP address versus a domain name. The following may serve as somewhat of a map if you are having trouble locating tools to flesh out a particular portion of the report. The red numbers correspond to sections in the notes below. The first set of entries is general advice and explanation on that data type and the second set is a concise list of a few places where you can get each type of data on most targets. This is a short list for convenience and there are more sites listed in your OSINT tools should you exhaust the suggestions below.

PowerPoint Template – Multiple members requested a PowerPoint briefing template to accompany the report, so we have provided a 50 slide PowerPoint that has the framework set up for an intelligence briefing on a domain investigation. Again, you all have a wide range of missions, so this is meant to be further customized to suit your own operational goals. We pieced together some icons and other assets for convenience should you want to have a consistent look across your work products.

Elements of a Domain Report/Briefing
• Investigator/Agency
• Table of Contents (optional)
• Target Domain/IP
• Scope of Engagement
o Typically, one paragraph concisely describing the mission
• Key Findings
o The most important takeaways from the investigation/assessment in list format
o Should be digestible at a glance
• Executive Summary
o 2-5 paragraphs articulating the key findings with slightly more detail
o Stick to the most impactful findings and recommendations
• Main Report Sections
o See Detailed Descriptions Below
• Recommendations
o Detailed mitigation and actionable steps
o Anywhere from 2 paragraphs to multiple pages
• Investigator Statement of Experience
• Appendix

Research At its core our domain investigation is going to consist of some smart Google queries and use of our OSINT custom toolset. For longer and more involved investigations you will likely want to expand beyond these measures, but they are a great way to immediately locate low hanging fruit on any domain.

To make things very straight forward for newer investigators, we have broken down the various data types which you may choose to include in your investigation work product. If you are very new to this process you should be able to use this set of notes, the supplied templates, and your custom OSINT toolset to pull together a basic investigation report without too much trouble. Think of it almost like a paint-by-number. We’ve mapped out a report and even a briefing presentation which can be used as a framework for memorializing and sharing your findings.

Passive vs Active “Recon” Domain investigations require attention to operational security requirements in avoiding unintentionally tipping off your target that they are being looked at. A high traffic domain with a non-criminal clientele may tolerate a less gentle approach, but typically when investigating a private domain or other site wherein the owner or operator is likely to pay attention to the traffic, we will want to start out with passive measures and then only progress into active reconnaissance when the risk of exposure is justified by the investigative goals. During any active reconnaissance you will want to pay extra attention to your legal standing as well. Things such as port scans may not only tip your hand, but also could be problematic legally. In some jurisdictions certain active recon measures could be considered a computer trespass, so know the laws where you work and where the target data is hosted. Data collected by third party sites tends to be fairly tame, but anything where you are directly interacting with the target’s infrastructure has a higher likelihood of treading into search and seizure issues.

Capture & Preservation Depending on your mission, it may be important to capture the site contents in time should they be changed or deleted in the near future. If you are law enforcement this may include a preservation letter to the hosting company IF they are not likely involved and IF you think they will not tip off your target. You might also choose to do a manual preservation using a site copier like httrack or doing a capture with Hunchly. Even a manual pdf or mhtml capture is better than nothing. Your approach to an early capture may also depend on how cagey your adversary is and whether you need to stick to passive reconnaissance vs active.

Domain Profile The goal here is to provide some options for how to break up your domain report. The intent is not to take this as-is, but rather use these recommendations and the provided templates as building blocks for your own workflow and custom report. If you are more experienced, you may choose to just borrow portions and incorporate them into your existing format. For those new to domain/IP investigations, we have worked to make it very easy to take results from our custom OSINT tools and use key portions in the provided report template. Also note that you do not need to present all of the possible data sets, nor do you need to format them in the exact order of our sample report.

In each category examples are given of sites and resources that we commonly use to discover that data type. Keep in mind that these sites and pages break over time, and some may be better suited to your use case than others. This is why we provide multiple recommendations; also please remember that the links and queries built into the custom OSINT toolset will most often be the most current option. The intent is that this guide, lesson, and the provided template are used in tandem with the custom OSINT tools. So, although some of the referenced pages may no longer exist or function by the time you review this lesson, the OSINT tools at https://inteltechniques.com/net/ should have plenty of current resources to assist you in accomplishing your mission. (Reminder: the online training login for our resource page is provided in Section 2: Lesson 1 of the video training site https://inteltechniques.net). Finally, keep in mind that varying use cases likely require differences in presentation and focus. We are not pentesters or IT professionals. Our choices are based on our experience and typical mission types. Again, borrow what you like and use it in your own way to best suit your own investigation or assessment.

[Figure: report section map] DOMAIN PROFILE | GEOGRAPHICAL | SITE MAP - LINK ANALYSIS | WHOIS - CURRENT RECORD | NAME SERVERS | PORT STATUS | HISTORICAL WHOIS | HISTORICAL IPS | SNAPSHOT | TECHNOLOGIES | ARCHIVES | ROBOTS.TXT | DNS TRANSFERS | ASN | ANALYTICS IDS | SSL CERTIFICATES | BREACH DATA | EXPOSED FILES | SHODAN RESULTS | EXPOSURE RATING | ARTICLES/PUBLIC RECORDS | APPENDIX | PRESERVATION | CONTENT LEADS

1. DOMAIN PROFILE Typically, a synopsis of WHOIS and basic hosting information, and key identifiers. Some identifiers and types of data you may not be familiar with:
• A Record – An A record maps an IPv4 address to a domain name.
• AAAA Record – The AAAA record exists when there is an IPv6 address associated with the domain.
• MX Records – MX records pertain to mail servers, so this information may indicate the presence of a mail server or service associated with the domain.
• NS Record – The name server translates the domain name to the IP address. You can choose to use the name server of your original registrar or hosting company, or change it to a third party nameserver.
• CNAME – Canonical name record which directs an alias to the root domain. For example, this could be a subdomain such as www., mail., or ftp. https://ns1.com/resources/cname
• TXT Record – TXT records can hold arbitrary data types, but often are used to associate certain identifiers with the domain, such as a mail provider.
• SPF Record – Sender Policy Framework. This can be a list of IP addresses that are allowed to send email for the domain, which makes those IP addresses valuable intelligence.
• SOA Record – “The SOA record includes the following details:
o The primary name server for the domain, which is ns1.dnsimple.com or the first name server in the vanity name server list.
o The responsible party for the domain: admin.dnsimple.com.
o A timestamp that changes whenever you update your domain.
o The number of seconds before the zone should be refreshed.
o The number of seconds before a failed refresh should be retried.
o The upper limit in seconds before a zone is considered no longer authoritative.
o The negative result TTL (for example, how long a resolver should consider a negative result for a subdomain to be valid before retrying).”
Source: https://support.dnsimple.com/articles/soa-record/
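Added example, not from the lesson: Python helpers that pull the investigative details called out above (the SPF sending networks and include: senders, and the SOA primary server, responsible party and serial) out of record text in the form returned by dig or the lookup sites. The record strings are constructed for a made-up domain; no DNS query is made.

```python
"""Extract intelligence from SPF (TXT) and SOA record text."""
import datetime
import ipaddress
import re

# Constructed sample records for a made-up domain (not real data).
SAMPLE_SPF = ("v=spf1 ip4:203.0.113.10 ip4:198.51.100.0/24 "
              "include:_spf.mailhost.example a mx -all")
SAMPLE_SOA = "ns1.dnsimple.com admin.dnsimple.com 2022081501 86400 7200 604800 300"

# The seven SOA fields, in the order of the dnsimple description above.
SOA_FIELDS = ("primary_ns", "responsible_party", "serial",
              "refresh", "retry", "expire", "negative_ttl")


def parse_spf(txt):
    """Split an SPF TXT record into its mechanisms and modifiers.

    Returns the sending networks (ip4/ip6 as ip_network objects), the
    third-party senders pulled in via include:, whether the a/mx shortcuts
    are used, any redirect= target, and the qualifier on the final 'all'.
    """
    parts = txt.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    out = {"networks": [], "includes": [], "uses_a": False,
           "uses_mx": False, "redirect": None, "all": None}
    for term in parts[1:]:
        if "=" in term:                      # modifier (redirect=, exp=)
            mod, _, arg = term.partition("=")
            if mod.lower() == "redirect":
                out["redirect"] = arg
            continue
        qual = "+"                           # default qualifier is pass
        if term[0] in "+-~?":
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            out["networks"].append(ipaddress.ip_network(arg, strict=False))
        elif name == "include":
            out["includes"].append(arg)
        elif name == "a":
            out["uses_a"] = True
        elif name == "mx":
            out["uses_mx"] = True
        elif name == "all":
            out["all"] = qual
    return out


def spf_sender_networks(txt):
    """Sorted list of the networks explicitly allowed to send mail for the domain."""
    return sorted(str(n) for n in parse_spf(txt)["networks"])


def parse_soa(rdata):
    """Parse SOA rdata (seven whitespace-separated fields) into a labelled dict.

    The responsible-party field is a mailbox with the '@' written as a dot,
    so admin.dnsimple.com really means admin@dnsimple.com.
    """
    fields = rdata.split()
    if len(fields) != 7:
        raise ValueError("SOA rdata should have exactly 7 fields")
    soa = dict(zip(SOA_FIELDS, fields))
    for key in SOA_FIELDS[2:]:               # the five numeric fields
        soa[key] = int(soa[key])
    soa["contact_email"] = soa["responsible_party"].rstrip(".").replace(".", "@", 1)
    return soa


def serial_date(serial):
    """Decode a YYYYMMDDnn-style SOA serial into ('YYYY-MM-DD', revision).

    Many operators use this convention, so the serial doubles as a
    'last changed' date; returns None when the serial is not in that form.
    """
    m = re.fullmatch(r"(\d{4})(\d{2})(\d{2})(\d{2})", str(serial))
    if not m:
        return None
    year, month, day, rev = (int(x) for x in m.groups())
    try:
        datetime.date(year, month, day)
    except ValueError:
        return None
    return (f"{year:04d}-{month:02d}-{day:02d}", rev)


if __name__ == "__main__":
    print("SPF senders:", spf_sender_networks(SAMPLE_SPF))
    print("SPF includes:", parse_spf(SAMPLE_SPF)["includes"])
    soa = parse_soa(SAMPLE_SOA)
    print("SOA contact:", soa["contact_email"], "last change:", serial_date(soa["serial"]))
```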

The following sites are some of the best at providing the most pertinent domain data.
https://hackertarget.com/ip-tools/
https://gofindwhois.com/
https://app.binaryedge.io/services/query (make a burner free tier account)
https://dnsdumpster.com/
https://osint.sh/
https://dnschecker.org/all-dns-records-of-domain.php
https://websitebiography.com (URL structuring: https://domain.com.websitebiography.com/)
https://host.io/ (URL structuring: https://host.io/cybersocialhub.com/domain.com)

2. GEOGRAPHICAL Location data associated with the hosting or management of the domain or IP. This is often not directly reflective of the individual running the site. Often this will be the IP location for infrastructure belonging to the target’s hosting provider. There are some occasions where you will stumble into a situation of self-hosting.
https://domainbigdata.com/
https://threatintelligenceplatform.com/report/
https://search.censys.io/hosts/ (by IP search)

3. SITE MAP - LINK ANALYSIS A visual representation of the domain structure and how it connects to other sites, services, and infrastructure. This may also include subdomains, mail servers, etc. depending on the mission scope.

Some online resources will provide a rudimentary visualization, or you can create more advanced charts using draw.io, Maltego, or your link analysis tool of choice. If you are just getting started, dnsdumpster (listed below) can provide a pretty good turn-key network map for most domains.
https://www.threatcrowd.org/domain.php?domain=
https://dnsdumpster.com
Subdomains:
https://spyse.com/target/domain/
https://threatintelligenceplatform.com/report/
https://securitytrails.com/list/apex domain/
https://osint.sh/subdomain/

4. WHOIS - CURRENT RECORD The most recent WHOIS record which is available via many online sources. Often this is simply pasted into the report, possibly along with some analysis. The key portions will have already been included in the domain profile. https://whois.icann.org/en/dns-and-whois-how-it-works
Key concept: Registrant vs registrar vs registry
a. ICANN – Non-profit which oversees rules and regulations for domain registration.
b. Registry – Organization which controls top-level domains such as .com or .org (i.e.: Verisign (.com and .net), Public Interest Registry (.org)). A registry may control multiple TLDs, but each TLD is only managed by one registry.
i. https://www.iana.org/domains/root/db
c. Registrar – Organization which sells domain registration to end users. They essentially broker the sales of individual domain names. For example, GoDaddy and Namecheap are accredited registrars. Smaller companies might resell domains which they obtain from accredited registrars.
i. https://www.icann.org/en/accredited-registrars?filter-letter=a&sort-direction=asc&sort-param=name&page=1
ii. https://domainnamestat.com/statistics/registrar/others
d. Registrant – This is the end user or company which leases the domain for use on their site. For example, I might lease jasonedison.com by registering it through Namecheap, who will “middleman” the registration with Verisign, who controls all .com addresses.

Source: https://www.cyberpunk.rs/domain-name-hierarchy-registry-vs-registrar
https://viewdns.info/whois/
https://who.is/whois/
https://www.whoxy.com/codyhawk.com
https://whoisology.com/
https://domainbigdata.com/
https://urlscan.io/domain/
https://spyse.com/target/domain/
https://threatintelligenceplatform.com/report/
https://www.threatcrowd.org/domain.php?domain= (Light Whois)
Alternate TLDs:
https://who.is/whois/
https://domainbigdata.com/

5. NAME SERVERS The name server is where the individual DNS record is stored. The target’s name server may be, but is not necessarily, operated by their registrar or hosting company. Nameservers might also be custom, for example if the site is hosted on a virtual private server such as in this example:

https://www.digitalocean.com/community/tutorials/how-to-create-vanity-or-branded-nameservers-with-digitalocean-cloud-servers
https://viewdns.info/dnsreport/
https://spyonweb.com
https://who.is/whois/
https://who.is/dns/
https://www.whoxy.com/
https://domainbigdata.com/
https://urlscan.io/domain/
https://spyse.com/target/domain/
https://threatintelligenceplatform.com/report/
https://www.threatcrowd.org/domain.php?domain= - A record, NS, MX comparison
https://builtwith.com/relationships/
https://dnschecker.org/ns-dns-records-of-domain.php

6. PORT STATUS Open ports may indicate both vulnerabilities and services being used to operate the site. For example, FTP indicating access vulnerabilities or the possible presence of public facing file archives. Unusual open ports may be worth some Google research into possible use cases or technologies. There are many sites which provide intel on open ports, one of the most well-known or notorious being shodan.io.
https://viewdns.info/portscan/
https://threatintelligenceplatform.com/report/
https://search.censys.io/hosts/ (by IP search)

7. HISTORICAL WHOIS Often more recent domain registrations have the registrant’s contact information privatized. Often, we can see non-privatized registrant information by reviewing historical registration information from previous years. Some of the most accessible historical whois data is available as a premium service to customers of companies such as Domaintools.com. There are some free sites that will provide some historical whois data, but many require that you create an account.
https://spyse.com/target/domain/
https://who.is/domain-history/
https://www.whoxy.com/
https://whoisology.com/ (Requires free account)
https://domainbigdata.com/
https://osint.sh/whoishistory/

8. HISTORICAL IPS
List of IP addresses that the target domain has pointed to.
https://viewdns.info/iphistory/
You can also query an IP to see related domains:
https://reverse-ip.whoisxmlapi.com/overview
https://securitytrails.com/domain/ (make free account)

9. SNAPSHOT
Some third-party services will provide a thumbnail capture of the main page of a domain, typically index.html. This can provide passive and, in some cases, historical intelligence, giving a glimpse of the page without visiting the current live page directly.
https://urlscan.io/domain/
https://www.easycounter.com/report/
https://www.domainiq.com/snapshot history#

10. TECHNOLOGIES
Identify the various sets of code and/or services used by the site. This may be things such as WordPress or other content delivery or analytic software and services. These are often add-ons or turn-key solutions that hosting providers provide to content creators and site owners. They can be useful both in identifying vulnerabilities and in suggesting how content is organized and how we might search for it. For example, a forum may not be clearly advertised, but we may see that the site is using a forum technology such as phpBB. Likewise, if we see Google or Facebook technologies, that might be an indication of the existence of analytic IDs and/or of the site operator having accounts on those platforms.

This section might also include findings on CVEs (Common Vulnerabilities & Exposures) related to technologies used by the target.
https://builtwith.com/
https://threatintelligenceplatform.com/report/
https://themarkup.org/blacklight?url=
CVE/Threat/Vuln Analysis:
https://spyse.com/target/domain/
https://www.virustotal.com/gui/domain/
https://threatintelligenceplatform.com/report/
https://www.cve.org/
https://www.cvedetails.com/

11. ARCHIVES
Sites such as archive.org, archive.today, or Google cache may allow us to view historical or deleted content. They also provide a possible opportunity for passive reconnaissance (caveat: Google cache is not completely passive recon, as it often fetches images from the live site).
http://web.archive.org/web/*/
https://archive.md/ (Captcha)
http://timetravel.mementoweb.org
https://webarchive.loc.gov/all/*/
https://arquivo.pt
Google Webcache: http://webcache.googleusercontent.com/search?q=cache:

12. ROBOTS.TXT
The robots.txt file is where a site operator may list requests that search engines and other crawlers skip or ignore certain directories when indexing the web site. It is useful as a pointer to areas of the site where we might find content that the operators wish to hide from us.
https://moz.com/learn/seo/robotstxt
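As an added example (not part of the IntelTechniques notes), a small robots.txt parser that groups Disallow/Allow rules by user agent, collects the Sitemap lines, and flags the disallowed paths whose names suggest non-public areas; the sample file is constructed, modelled on the robots.txt excerpt in the report template, and the "sensitive" hint list is this example's own choice.

```python
"""Parse robots.txt and pull out the paths an operator asked crawlers to skip.
Added example written for these notes; it is not IntelTechniques code. The
sample file below is constructed, modelled on the robots.txt excerpt in the
report template."""
from collections import defaultdict

# Constructed sample robots.txt (made-up paths on the template's example domain).
SAMPLE_ROBOTS = """\
User-Agent: MJ12bot
Disallow: /

User-agent: *
Disallow: /admin/
Disallow: /cgi-bin/       # comment: case and spacing are tolerated
Disallow: /data/
Disallow: /knowledgebase/allkeywords.cmp
Allow: /data/public/
Disallow:
Sitemap: https://www.domain.com/sitemap.xml
"""

# Path fragments that usually mark non-public areas; the list is this example's.
SENSITIVE_HINTS = ("admin", "cgi-bin", "data", "backup", "private", "config", "test")


def parse_robots(text):
    """Return ({user_agent: {"disallow": [...], "allow": [...]}}, [sitemaps]).

    Groups follow RFC 9309: one or more User-agent lines, then the rules that
    apply to them. Field names are case-insensitive, '#' starts a comment and
    an empty Disallow means "nothing is disallowed", so it is skipped.
    """
    groups = defaultdict(lambda: {"disallow": [], "allow": []})
    sitemaps = []
    agents = []            # user agents the current rule block applies to
    in_agent_run = False   # True while we are still reading User-agent lines
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        field, value = (p.strip() for p in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if not in_agent_run:      # a new block starts
                agents = []
            agents.append(value.lower())
            in_agent_run = True
            continue
        in_agent_run = False
        if field == "sitemap":
            sitemaps.append(value)    # sitemaps are global, not per group
        elif field in ("disallow", "allow") and value:
            for agent in agents:
                groups[agent][field].append(value)
    return dict(groups), sitemaps


def interesting_paths(groups):
    """Disallowed paths whose names hint at non-public areas. For a site owner
    these are the entries to review: robots.txt is public, so listing them
    discloses the paths to anyone who reads the file."""
    found = set()
    for rules in groups.values():
        for path in rules["disallow"]:
            if any(hint in path.lower() for hint in SENSITIVE_HINTS):
                found.add(path)
    return sorted(found)


if __name__ == "__main__":
    groups, sitemaps = parse_robots(SAMPLE_ROBOTS)
    for agent, rules in groups.items():
        print(agent, "disallow:", rules["disallow"], "allow:", rules["allow"])
    print("sitemaps:", sitemaps)
    print("worth reviewing:", interesting_paths(groups))
```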

13. DNS TRANSFERS
Often a site owner will use their hosting provider for DNS, but sometimes they will move to alternative name servers. For example:
https://www.namecheap.com/support/knowledgebase/article.aspx/767/10/how-to-change-dns-for-a-domain/
https://securitytrails.com/dns-trails
https://spyse.com/target/domain/
https://centralops.net/co/

14. ASN (AUTONOMOUS SYSTEM NUMBERS)
"An Autonomous System (AS) is a set of Internet routable IP prefixes belonging to a network or a collection of networks that are all managed, controlled and supervised by a single entity or organization. An AS utilizes a common routing policy controlled by the entity. The AS is assigned a globally unique 16-digit identification number, known as the autonomous system number or ASN, by the Internet Assigned Numbers Authority (IANA)."
https://www.thousandeyes.com/learning/glossary/as-autonomous-system
https://securitytrails.com/blog/asn-lookup

15. ANALYTICAL IDS
Analytical IDs are numbers used to associate features on a site with services such as Google, Facebook, etc. They are valuable in that we can sometimes use them to locate alternate sites run by the same target.
https://analyzeid.com/id/
https://builtwith.com/relationships/
https://osint.sh/analytics/
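An added example of the pivot described above (not the notebook's code, and not how analyzeid.com or builtwith.com implement it): regular expressions pull Google, Google Tag Manager, AdSense and Facebook Pixel identifiers out of page source, and a second function reports which identifiers two or more domains have in common; the regexes are this example's own approximations and the HTML samples and IDs are constructed.

```python
"""Extract analytics and tracking IDs from page source and find IDs shared
between sites. Added example for these notes, not IntelTechniques code; the
regexes are this example's own and the HTML samples and IDs are constructed."""
import re

# Identifier formats for the services the notes mention (Google, Facebook)
# plus AdSense, which the report template lists. Patterns are approximate.
ID_PATTERNS = {
    "google_universal": re.compile(r"\bUA-\d{4,10}-\d{1,4}\b"),
    "google_ga4":       re.compile(r"\bG-[A-Z0-9]{6,12}\b"),
    "google_tag_mgr":   re.compile(r"\bGTM-[A-Z0-9]{5,9}\b"),
    "google_adsense":   re.compile(r"\b(?:ca-)?pub-\d{10,20}\b"),
    "facebook_pixel":   re.compile(r"fbq\(\s*['\"]init['\"]\s*,\s*['\"](\d{10,20})['\"]"),
}

# Constructed page sources for two made-up domains.
SAMPLE_HTML = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-ABC123XYZ9"></script>
<script>gtag('config', 'UA-12345678-1');</script>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-ABCD123"></script>
<script>fbq('init', '123456789012345');</script>
<script data-ad-client="ca-pub-1234567890123456"></script>
</head><body>footer tag UA-12345678-1</body></html>"""

OTHER_HTML = """<script>gtag('config', 'UA-12345678-2');</script>
<script>fbq('init', '123456789012345');</script>
<script>fbq('init', '999999999999999');</script>"""


def extract_ids(html):
    """Return {category: sorted unique ids} found in the page text.

    Universal Analytics IDs are UA-<account>-<property>; the account part is
    what links properties of one owner, so it is reported separately."""
    found = {}
    for name, pattern in ID_PATTERNS.items():
        ids = set()
        for m in pattern.finditer(html):
            value = m.group(m.lastindex or 0)
            if name == "google_adsense" and value.startswith("ca-"):
                value = value[3:]      # ca-pub-N and pub-N are the same publisher
            ids.add(value)
        if ids:
            found[name] = sorted(ids)
    if "google_universal" in found:
        found["google_ua_account"] = sorted(
            {v.rsplit("-", 1)[0] for v in found["google_universal"]})
    return found


def shared_identifiers(pages):
    """pages: {domain: html}. Returns {(category, id): [domains]} for every id
    seen on more than one domain, i.e. candidate links between sites."""
    owners = {}
    for domain, html in pages.items():
        for category, ids in extract_ids(html).items():
            for value in ids:
                owners.setdefault((category, value), set()).add(domain)
    return {key: sorted(doms) for key, doms in owners.items() if len(doms) > 1}


if __name__ == "__main__":
    print(extract_ids(SAMPLE_HTML))
    print(shared_identifiers({"domain.com": SAMPLE_HTML, "other.net": OTHER_HTML}))
```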

16. SSL CERTIFICATES
SSL certificates are part of what enables HTTPS on a site, which is a good thing and something we want on sites that we visit. From an investigative perspective they can be useful in that, similar to analytical IDs, targets will sometimes use the same SSL certificate across multiple sites. Thus the certificate is an identifier that we want to locate and run a search on. Letsencrypt.org is a popular certificate authority run by a non-profit which is frequently used by those who self-host and want an SSL certificate.
https://letsencrypt.org/docs/faq/
https://www.globalsign.com/en/ssl-information-center/what-is-an-ssl-certificate
https://spyse.com/target/domain/
https://crt.sh/ (URL structuring: https://crt.sh/?q=domain.com)
https://threatintelligenceplatform.com/report/
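An added example of the certificate pivot described above, not code from the notes or from crt.sh: certificate-transparency records in the shape of crt.sh's JSON output (https://crt.sh/?q=<domain>&output=json) are deduplicated by issuer and serial, then used to list the hostnames a certificate log reveals and the other domains that share a certificate with the target. The records and every value in them are constructed; the field names are as crt.sh returned them when this was written.

```python
"""Group certificate-transparency results by certificate and pivot on the
names they share. Added example for these notes (not IntelTechniques code).
The records are constructed in the shape of crt.sh's JSON output; field
names are as crt.sh returned them when this was written, values are made up."""
import json
from collections import defaultdict

LE_R3 = "C=US, O=Let's Encrypt, CN=R3"
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1, "issuer_name": LE_R3, "common_name": "domain.com",
     "name_value": "domain.com\nwww.domain.com\nforum.domain.com",
     "serial_number": "03a1", "not_before": "2021-10-01T00:00:00",
     "not_after": "2021-12-30T00:00:00"},
    # crt.sh lists the precertificate and the final certificate as two entries
    # with different ids but the same serial: entries 2 and 3 are one cert.
    {"id": 2, "issuer_name": LE_R3, "common_name": "*.domain.com",
     "name_value": "*.domain.com\ndomain.com\nother-brand.net\nwww.other-brand.net",
     "serial_number": "03b2", "not_before": "2021-11-05T00:00:00",
     "not_after": "2022-02-03T00:00:00"},
    {"id": 3, "issuer_name": LE_R3, "common_name": "*.domain.com",
     "name_value": "*.domain.com\ndomain.com\nother-brand.net\nwww.other-brand.net",
     "serial_number": "03b2", "not_before": "2021-11-05T00:00:00",
     "not_after": "2022-02-03T00:00:00"},
    {"id": 4, "issuer_name": "C=BE, O=Example CA nv-sa, CN=Example CA",
     "common_name": "mail.domain.com", "name_value": "mail.domain.com",
     "serial_number": "0c99", "not_before": "2020-12-21T03:11:21",
     "not_after": "2022-01-22T03:11:21"},
])


def parse_crtsh(text):
    """Deduplicate crt.sh entries into one record per (issuer, serial), with
    the union of subject names from the CN and the SAN list."""
    certs = {}
    for entry in json.loads(text):
        key = (entry["issuer_name"], entry["serial_number"])
        names = {n.strip().lower() for n in entry["name_value"].split("\n") if n.strip()}
        names.add(entry["common_name"].lower())
        if key in certs:
            certs[key]["names"] |= names
        else:
            certs[key] = {"issuer": entry["issuer_name"], "serial": entry["serial_number"],
                          "not_before": entry["not_before"], "not_after": entry["not_after"],
                          "names": names}
    return list(certs.values())


def base_domain(name):
    """Registrable domain, naively the last two labels (wrong for co.uk-style
    suffixes; a public-suffix list would be used in practice)."""
    return ".".join(name.lstrip("*.").split(".")[-2:])


def hostnames_under(certs, domain):
    """All subject names at or below `domain`: the subdomain inventory CT
    gives away, which is also why a site owner should know what it lists."""
    domain = domain.lower()
    return sorted({n for c in certs for n in c["names"]
                   if n == domain or n.endswith("." + domain)})


def shared_certificate_domains(certs, domain):
    """Other registrable domains that sit on a certificate together with
    `domain`, mapped to the serials of those certificates: the pivot the
    notes describe, where one operator reuses a certificate across sites."""
    domain = domain.lower()
    related = defaultdict(set)
    for c in certs:
        if not any(base_domain(n) == domain for n in c["names"]):
            continue
        for n in c["names"]:
            other = base_domain(n)
            if other != domain:
                related[other].add(c["serial"])
    return {d: sorted(s) for d, s in related.items()}


if __name__ == "__main__":
    certs = parse_crtsh(SAMPLE_CRTSH_JSON)
    print(len(certs), "distinct certificates")
    print("hostnames:", hostnames_under(certs, "domain.com"))
    print("domains sharing a certificate:", shared_certificate_domains(certs, "domain.com"))
```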

17. BREACH DATA
As with other areas of OSINT investigation, breach data can be a very beneficial source of data on domains. Typically, when searching breach data on a domain mission we are locating entries where email addresses of that domain have been exposed. In some cases, we may be interested in a specific breach or leak as a whole because that company has associations with our target. If I were investigating jasonedison.com, a small private domain, I would certainly be interested in any jasonedison.com email addresses in available breach and leak data, assuming that it is within scope and policy for my agency/organization.
https://haveibeenpwned.com
https://dehashed.com
*Proprietary in-house collections

18. EXPOSED FILES
Sometimes site creators and/or operators make files publicly available that might be of use to our operation. This can be anything from documents on an open FTP server all the way up to something large like an open Elasticsearch database. Sometimes the files are left exposed out of error or carelessness, but sometimes targets simply do not understand that leaving such things public facing is a potential vulnerability.
Google operators, FTP, and document search:
site:domain.com inurl:ftp -inurl:(http | https)
site:domain.com filetype:docx OR filetype:pdf
Check the site's robots.txt: domain.com/robots.txt
Look for technologies such as databases or content delivery which might expose data or documents.

19. SHODAN RESULTS
This is a specific category that you may or may not choose to include in your report. Shodan is particularly popular for locating vulnerabilities, open ports, IP locations, etc.
Example: https://www.shodan.io/search?query=equifax.com
https://Shodan.io
https://help.shodan.io/the-basics/search-query-fundamentals

20. EXPOSURE RATING

If completing the domain report as part of a vulnerability assessment you may wish to add a visual rating or other quick indication of exposure level. Clients and bosses sometimes expect to see charts or graphs on reports, and this can meet that aesthetic expectation.

21. ARTICLES/PUBLIC RECORDS
Third-party articles, posts, or references which reflect on the domain, individual, or brand. This section may include articles that support the general overview of the target individual or organization. It also might reflect reputation vulnerabilities.
Discussions/Posts:
https://www.reddit.com/search?q=site:
https://www.google.com/search?q=site%3A
https://intelx.io/?s= (Paste Search)

22. ANALYSIS/BACKLINKS/RELATED
Alexa Data/Traffic Analysis:
https://spyonweb.com/
https://www.easycounter.com/report/
https://www.similarweb.com/website/
https://www.alexa.com/siteinfo/
https://www.spyfu.com/overview/domain?query=
https://threatintelligenceplatform.com/report/
Backlinks & Verbatim Content Search:
https://host.io/backlinks/
https://www.spyfu.com/overview/domain?query=
http://bc.linkody.com/en/seo-tools/free-backlink-checker/
https://www.copyscape.com/?q=

23. APPENDIX. The appendix contains more detailed captures and supporting documentation for the preceding sections. This is sometimes part of the main report or can also be an additional document such as a pdf. There might also be a set of additional files, such as media, provided as a zip or other archive.

Content Leads & Direct Reconnaissance
Once low-hanging fruit is collected and you've exhausted most of the go-to third-party resources, you may wish to move to an active reconnaissance phase. This may involve more direct probing and scanning, but again be certain of your legal standing and of how you might draw attention to your investigation. When we start to look at things such as scanning infrastructure, much of it is beyond the scope of OSINT, so we will not dig into it here.

At some point we need to analyze the actual site contents for pivot points and other leads. We should not forget that although most of our efforts so far are very passive approaches using third-party intelligence and resources, at some point review and investigation of the actual site contents will likely need to occur. This is usually part of the active-reconnaissance phase of the investigation and thus typically occurs after we exhaust our passive tactics. Once we are able to process the target site directly, we can start doing contextual and reverse file searches on the content. Searching for account, image, or unique text string leads may uncover additional accounts, sites, and associations beyond those previously known. We may also want to break out some of the more aggressive scripts and tools from our custom OSINT virtual machine once we reach the active reconnaissance phase of our investigation.

Practice Targets
Remember your operational security best practices when practicing on live targets, especially targets that likely have criminal ties.
https://rescure.me/rescure domain blacklist.txt | List of blacklisted domains which are likely involved in scams and/or crimes

Resources & Articles
https://lookup.icann.org/lookup
https://maildump.co/ | Search by email
https://spyse.com/
https://rescure.me/feeds.html | Sample target malicious domains
https://github.com/thewhiteh4t/FinalRecon | Untested
https://www.interserver.net/tips/kb/whois-lookup-explained/ | Whois Records Explained
https://www.cloudflare.com/learning/network-layer/what-is-an-autonomous-system/ | Understanding AS Numbers
https://howto.lintel.in/domain-registry-vs-registrar-vs-registrant/ | Registration Explained
https://blog.dnsimple.com/2016/10/three-rs-of-domain-names/ | Registration Explained More
https://www.cyberpunk.rs/domain-name-hierarchy-registry-vs-registrar | Registration Explained Even More (Good Diagram)
https://www.icann.org/en/accredited-registrars?filter-letter=a&sort-direction=asc&sort-param=name&page=1
https://bloggingwizard.com/view-dns-history/
https://securitytrails.com/dns-trails
https://stormctf.ninja/ctf/blog/stormctf/bellebytes-osint-guide
https://dnsdumpster.com/footprinting-reconnaissance/
https://blog.stackattack.net/2017/04/06/osint-dns/
https://www.rapid7.com/blog/post/2015/02/23/osint-through-sender-policy-framework-spf-records/

Domain Worksheet

Record | Date of Record | Source (URL or File) | Note
DOMAIN PROFILE | | |
GEOGRAPHICAL | | |
SITE MAP - LINK ANALYSIS | | |
WHOIS - CURRENT RECORD | | |
NAME SERVERS | | |
PORT STATUS | | |
HISTORICAL WHOIS | | |
HISTORICAL IPS | | |
SNAPSHOT | | |
TECHNOLOGIES | | |
ARCHIVES | | |
ROBOTS.TXT | | |
DNS TRANSFERS | | |
ASN | | |
ANALYTICS IDS | | |
SSL CERTIFICATES | | |
BREACH DATA | | |
EXPOSED FILES | | |
SHODAN RESULTS | | |
EXPOSURE RATING | | Methodology/Location |
ARTICLES/PUBLIC RECORDS | | |
APPENDIX | | |
PRESERVATION | Date Preserved/Captured | |
CONTENT LEADS | | |

Domain Investigation Workflow (diagram, rendered as an outline)

Domain
- Goal #1: Attribution
- Goal #2: Footprinting
- Goal #3: Vulnerability/Exposure
- Goal #4: Intelligence/Leads

Google Operators
- "domain.com"
- site:domain.com
- related:domain.com
- inurl:domain.com
- cache:domain.com (*Tier 2: Bing, Yandex, etc.)
- site:domain.com ext:pdf OR ext:docx OR ext:xlsx
- inanchor:domain.com

OSINT Toolset (inteltechniques.com/net)
- Triage: Close Poor Result Tabs
- Process Each Tab: Copy/Paste Key Records to Notes or Report
- Preserve: Page Captures
- Tab Management: Collapse & Export to Notes

WHOIS Record
- Current WHOIS: Annotate & Capture
- Historical WHOIS: Capture & Annotate
- Basic Domain Registration Details: Copy/Paste to Notes
- Source URL & Page Capture
- Search for Deprivatized Registrant Data
- Repeat Documentation Steps for Historical WHOIS

DNS Records
- IP Address
- Name Servers
- CNAME
- Additional Domain Intel
- Reverse Search IP
- Who hosts their DNS?
- Hostname, sub-domains
- ASN/Netblock
- MX Server
- Search IP Proximity, Banners
- Email hosted at the domain
- SPF/TXT Records: locate unique references & items such as mail servers

Identifiers (Analytic IDs & SSL Certs)
- SSL Certificate: used on other domains?
- Google Analytics: used on other domains?
- FB Analytics: used on other domains?
- Other IDs: analyzeid.com/id/

Traffic (Back-links/Posts/Traffic)
- Backlinks: who is linking to our target?
- Alexa.com Data: similar sites by traffic
- Additional Analysis: similarweb.com, spyonweb.com

Content Analysis (Active Reconnaissance)
- Archives: Archive.org, Archive.today
- WebCache: not completely passive
- Direct Examination: preserve & analyze
- Active Recon Scripts: from secure VM & VPN

Reporting
- Case Notes: digital notebook
- File Captures: logical structure
- Written Report: template optional (Domain Report)
- Verbal Briefing: PPTX optional
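The "SPF/TXT Records" step under DNS Records above is worth a worked example, added here and not part of the notes: a parser for the v=spf1 TXT record that reports which third-party senders (include: mechanisms) and networks a domain authorises, how its catch-all is qualified, and whether it exceeds the 10-lookup limit of RFC 7208, which is as useful to the domain's own administrator as it is to an analyst. The TXT records are constructed and the IP range is a documentation prefix.

```python
"""Parse a domain's SPF record (from its TXT records) to see which
third-party senders it authorises and how strict the policy is. Added
example for these notes, not IntelTechniques code; the TXT records below are
constructed and the address range is a documentation prefix."""
import re

# Constructed TXT records, as a resolver would return them for a domain.
SAMPLE_TXT_RECORDS = [
    '"google-site-verification=abc123def456"',
    '"v=spf1 include:_spf.google.com include:spf.protection.outlook.com '
    'ip4:203.0.113.0/24 a mx ~all"',
]

# qualifier, mechanism name, optional argument after ':' or '/'
MECHANISM = re.compile(
    r"^([+\-~?])?(all|include|a|mx|ptr|ip4|ip6|exists)(?:[:/](.+))?$", re.I)
# mechanisms that each cost one of the 10 DNS lookups RFC 7208 allows
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists"}


def parse_spf(txt_records):
    """Return {"mechanisms": [...], "modifiers": {...}} for the v=spf1
    record, or None when the domain publishes no SPF policy."""
    spf = next((r.strip().strip('"') for r in txt_records
                if r.strip().strip('"').lower().startswith("v=spf1")), None)
    if spf is None:
        return None
    policy = {"mechanisms": [], "modifiers": {}}
    for term in spf.split()[1:]:
        if "=" in term and ":" not in term:        # redirect=, exp=
            key, value = term.split("=", 1)
            policy["modifiers"][key.lower()] = value
            continue
        m = MECHANISM.match(term)
        if m is None:
            continue                               # unknown term, ignored
        qualifier, name, arg = m.groups()
        policy["mechanisms"].append(
            {"qualifier": qualifier or "+", "name": name.lower(), "value": arg})
    return policy


def spf_summary(policy):
    """What an analyst (or the domain's own admin) wants from the policy:
    the outsourced senders, the networks allowed to send, how the 'all'
    catch-all is qualified, and whether the lookup limit is exceeded."""
    mechs = policy["mechanisms"]
    lookups = sum(1 for m in mechs if m["name"] in LOOKUP_TERMS)
    lookups += 1 if "redirect" in policy["modifiers"] else 0
    return {
        "third_party_senders": [m["value"] for m in mechs if m["name"] == "include"],
        "networks": [m["value"] for m in mechs if m["name"] in ("ip4", "ip6")],
        "all_qualifier": next((m["qualifier"] for m in mechs if m["name"] == "all"), None),
        "dns_lookups": lookups,
        "too_many_lookups": lookups > 10,
    }


if __name__ == "__main__":
    policy = parse_spf(SAMPLE_TXT_RECORDS)
    print(spf_summary(policy))
```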

DOMAIN/IP DOMAIN REPORT - DATE Mission Scope

PREPARED BY Gene Parmesan Agency Title Street Address City, State, Zip Country Contact/Email

CONTENTS
» Objective/Scope
» Key Findings
» Executive Summary
» Link Chart/Diagram
» Current Whois
» Historical Whois
» Historical DNS
» Owners/Managers
» IT/Administrators
» Technologies
» Similar/Related Sites
» Breach Data
» Appendix
» Supporting Files

METHODOLOGY This report has been prepared for and to the specifications of XXXXXX. The report contains both research data as well as analysis. All data was recovered from publicly available resources on the internet.


KEY FINDINGS
Attribution | Administration & Ownership
Site Owner/Operator: Marzipan Lanu
[placeholder text]

Infrastructure | Technologies & Vulnerabilities
See Sections III & IV: Infrastructure Overview
[placeholder text]

Breach Data | Account & Credential Exposures
See Appendix p.16-32
[placeholder text]

Associations | Reputation & Related Entities
Additional Domains and Involved Communities
[placeholder text]

11/03/2021

DOMAIN.COM 35.208.131.248 (CLASS C) EXECUTIVE SUMMARY

DOMAIN PROFILE
» Domain.com
» IP: 1.1.1.1
» ASN: AS19527
» NS: NS1.USM57.SITEGROUND.BIZ
» NS: NS1.USM57.SITEGROUND.BIZ
» Host:
» Registrar:
» Registrant: Privatized 2020
» Owner:
» Admin:
» Created: August 17th, 2015
» Historical Whois:
» Assoc. Domain 1:
» Assoc. Domain 2:
» Assoc. Domain 3:
» Global Rank:
» Key Archive:
» Reference 1:
» Reference 2:
» Reference 3:
» Port Exposure:
» Technologies:
» Emails:
» Analytic IDs:
» Critical Breach Data:
» Reference:

GEOGRAPHICAL
Geographic Location
City: Council Bluffs
State: Iowa
Country: United States (US)
Coordinates: 41.2591, -95.8517
Timezone: America/Chicago


https://search.censys.io/hosts/35.208.131.248


SITE MAP - LINK ANALYSIS

SOURCE:

Data and visualizations depicted herein were obtained via the following publicly available resources: https://sitename.com/blah, https://othersite.net/blah, https://thirdsite.org.

WHOIS - CURRENT RECORD
WHOIS Information for Domain.com
==============
Domain Name: DOMAIN.COM
Registry Domain ID: 1953695582_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Updated Date: 2019-05-16T01:28:59Z
Creation Date: 2015-08-17T16:52:14Z
Registrar Registration Expiration Date: 2022-08-17T16:52:14Z
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +1.4806242505
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: clientRenewProhibited https://icann.org/epp#clientRenewProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Registry Registrant ID: Not Available From Registry
Registrant Name: Registration Private
Registrant Organization: Domains By Proxy, LLC
Registrant Street: DomainsByProxy.com
Registrant Street: 2155 E Warner Rd
Registrant City: Tempe
Registrant State/Province: Arizona
Registrant Postal Code: 85284
Registrant Country: US
Registrant Phone: +1.4806242599
Registrant Phone Ext:
Registrant Fax: +1.4806242598
Registrant Fax Ext:
Registrant Email: [email protected]
Registry Tech ID: Not Available From Registry

NAME SERVERS
ns1.usm57.siteground.biz. [NO GLUE] [TTL=172800]
ns2.usm57.siteground.biz. [NO GLUE] [TTL=172800]

PORT STATUS
Port | Service | Status
21 | FTP | open
22 | SSH | open
23 | Telnet | closed
25 | SMTP | open
80 | HTTP | open
110 | POP3 | open
443 | HTTPS | open
445 | SMB | closed
1433 | MSSQL | closed
1521 | ORACLE | closed
3306 | MySQL | open
3389 | RDP | open
5001 | Synology | open

HISTORICAL WHOIS
Records available: September 2021, March 2019, April 2017, Jun 2016, August 2015, October 2012, July 2011, September 2010, May 2008

IP HISTORY
IP history results for Domain.com.
==============
IP | Location | IP Owner | Last seen IP
35.208.131.248 | Mountain View - USA | Google LLC | 2021-10-18
37.60.252.212 | Chicago - USA | CHI-3 | 2020-03-05
109.73.236.220 | Chicago - USA | Ground Chicago | 2019-01-08
50.87.216.65 | Provo - USA | Unified Layer | 2018-02-18
50.87.237.96 | Provo - USA | Unified Layer | 2017-02-14


HISTORICAL DNS
Hostname | Type | TTL | Content
lockdownyourlife.com | SOA | 21599 | ns1.siteground.net dnsadmin@usm57.siteground.biz
lockdownyourlife.com | NS | 21600 | ns1.siteground.net
lockdownyourlife.com | NS | 21600 | ns2.siteground.net
lockdownyourlife.com | MX | 3600 | mx10.mailspamprotection.com
lockdownyourlife.com | MX | 3600 | mx30.mailspamprotection.com

ATTRIBUTION
Samuel Smith, Admin/Domain Owner
P: +01.123.5557890
E: [email protected]
T: @ssmithfakeguy
F: facebook.com/ssmithfake
W: blog.blogsport.com
A: 1234 Toast Dr, Shorewood, CA. 32345

ASSOC. ACCOUNTS
facebook.com/joebob
linkedin.com/joebob
twitter.com/joebob

ALTERNATE TLDS
» Domain.net
» Domain.xyz
» Domain.org
NOTE: No Verified Association

SUBDOMAINS
» mail.domain.com
» info.domain.com
» forum.domain.com
» gopher.domain.com
» ftp.domain.com

WHOIS RECORD
WHOIS Information for lockdownyourlife.com
==============
Domain Name: LOCKDOWNYOURLIFE.COM
Registry Domain ID: 1953695582_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Updated Date: 2019-05-16T01:28:59Z
Creation Date: 2015-08-17T16:52:14Z
Registrar Registration Expiration Date: 2022-08-17T16:52:14Z
Registrar: GoDaddy.com, LLC
Registrar IANA ID: 146
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +1.4806242505
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: clientRenewProhibited https://icann.org/epp#clientRenewProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Registry Registrant ID: Not Available From Registry
Registrant Name: Registration Private
Registrant Organization: Domains By Proxy, LLC
Registrant Street: DomainsByProxy.com
Registrant Street: 2155 E Warner Rd
Registrant City: Tempe
Registrant State/Province: Arizona
Registrant Postal Code: 85284
Registrant Country: US
Registrant Phone: +1.4806242599
Registrant Phone Ext:
Registrant Fax: +1.4806242598
Registrant Fax Ext:
Registrant Email: [email protected]
Registry Tech ID: Not Available From Registry


SNAPSHOT

ARCHIVES
» https://web.archive.org/web/http://www.who.is/whois/domain.com
» https://web.archive.org/web/https://whoisology.com/domain.com
» http://web.archive.org/web/*/domain.com

ROBOTS.TXT
User-Agent: MJ12bot
Disallow: /
User-agent: *
Disallow: /aboutAppC/
Disallow: /admin/
Disallow: /affiliateAppC/
Disallow: /affiliateControl/
Disallow: /appinterface/
Disallow: /appinterfaceAppC/
Disallow: /articlesAppC/
Disallow: /bandwidth/
Disallow: /BizBuilder/
Disallow: /build/
Disallow: /categoryAppC/
Disallow: /cgi-bin/
Disallow: /cgi-fy/
Disallow: /cgi-va/
Disallow: /cobrand/
Disallow: /cobrandAppC/
Disallow: /data/
Disallow: /directMail/
Disallow: /directoryAppC/
Disallow: /directory/
Disallow: /error/
Disallow: /firetest/
Disallow: /homeAppC/
Disallow: /joinAppC/
Disallow: /knowledgebase/allkeywords.cmp
Sitemap: https://www.domain.com/sitemap.xml

TECHNOLOGIES
Analytics and Tracking | October 20, 2021
https://builtwith.com/domain.com
Last technology detected on 3rd October 2021. We know of 72 technologies on this page and 32 technologies removed from lockdownyourlife.com since 3rd June 2017.
» Company Match - https://builtwith.com/company/Rythmia-Domain-Company-LLC
» https://builtwith.com/domain.com
» Facebook, Google, Kjabi, Wordpress, OneTrust, Sitelinks, Twemoji, Pixel

Widgets | Google Fonts
https://trends.builtwith.com/widgets/Google-Font-API
[placeholder text]

Widgets 2 | Twemoji
https://trends.builtwith.com/widgets/Twemoji
[placeholder text]


TECHNOLOGIES (CONT.)
Frameworks | Organization Schema
https://trends.builtwith.com/framework/Organization-Schema
[placeholder text]

Web Servers | Dreamhost
https://trends.builtwith.com/hosting/DreamHost-Hosting
[placeholder text]

Content Delivery | Cloudfront
https://trends.builtwith.com/cdn/CloudFront
[placeholder text]

Content Management | Wordpress
https://trends.builtwith.com/cms/WordPress
[placeholder text]

Email Hosting Providers | Godaddy Email Hosting
https://trends.builtwith.com/mx/GoDaddy-Email

DNS TRANSFERS
https://api.hackertarget.com/zonetransfer/?q=zonetransfer.me (plain-text zone transfer record example; replace zonetransfer.me with the target domain.)

ASN
AS19527
https://urlscan.io/domain/domain.com

ANALYTICS IDS
Service | ID
Adsense | 12345
Google | 54321
Amazon | 44443
Facebook | 998877

SSL CERTIFICATES
44ab73120c4b36d32ca683148b62f33acd9911981ff144c9b417c171970f1c18
Active 2020-12-21 03:11:21 — 2022-01-22 03:11:21
Subject DN: CN=*.lockdownyourlife.com
Issuer DN: C=BE, O=Global
[placeholder text]


Infrastructure Vulnerabilities

EXPOSED FILES
site:domain.com filetype:pdf - 116 results
site:domain.com filetype:docx - 4 results
site:docs.google.com "domain.com" - 247 results
ext:zip OR ext:rar OR ext:7z "domain.com" - 2 results
ext:xls OR ext:xlsx

SHODAN RESULTS
The following indications of possible infrastructure vulnerabilities were reported by publicly available sources. These indicators may point to potential security issues and also serve as intelligence on the services and technologies used on this domain/IP.
» https://www.shodan.io/host/18.221.195.49
» Domains: amazonaws.com
» Cloud Provider: Amazon
» Cloud Region: us-east-2
» Cloud Service: AMAZON
» Country: United States
» City: Hilliard
» Organization: Amazon Technologies Inc.
» ISP: Amazon.com, Inc.
» ASN: AS16509

EXPOSURE RATINGS
WHOIS Data | Medium
Attribution | Medium
Technologies | Low
Ports/Services | High
Analytics | High
Reputation | Medium
Breach Data | High

BREACH DATA
Breach Name | Date of Breach | Filename/Source
[placeholder text]
Breach Name | Date of Breach | Filename/Source
[placeholder text]
Breach Name | Date of Breach | Filename/Source
[placeholder text]

ARTICLES/PUBLIC RECORDS
Article Title | Date Published | Filename/Source
[placeholder text]

DOMAIN.COM 35.208.131.248 (CLASS C)

FILE ATTACHMENTS
Archived collections of images, videos, and pages may be provided upon request and delivered via secure file transfer. Please contact our staff if you require a delivery method or timetable outside of that provided to you by your assigned analyst/investigator.

APPENDIX INDEX
1. DOMAIN PROFILE
2. GEOGRAPHICAL
3. SITE MAP - LINK ANALYSIS
4. WHOIS - CURRENT RECORD
5. NAME SERVERS
6. PORT STATUS
7. HISTORICAL WHOIS
8. HISTORICAL IPS
9. SNAPSHOT
10. TECHNOLOGIES
11. ARCHIVES
12. ROBOTS.TXT
13. DNS TRANSFERS
14. ASN (AUTONOMOUS SYSTEM NUMBERS)
15. ANALYTICAL IDS
16. SSL CERTIFICATES
17. BREACH DATA
18. EXPOSED FILES
19. SHODAN RESULTS
20. EXPOSURE RATING
21. ARTICLES/PUBLIC RECORDS
22. ADDITIONAL FINDINGS

APPENDIX - SUPPORTING DOCUMENTATION
Capture | Section Referenced
Source | Date | Time
» The appendix format may vary, but consider using a full-width format similar to page 10 of this template.
» The appendix typically contains screen captures, documents, media files, etc.
» These can be attached as a separate PDF in the case of documents and screen captures.
» Raw captures and reference files may be included as a separate secure file download or via a secure storage device.

DOMAIN/IP APPENDIX - DATE
APPENDIX SECTION 9.1
Source | Date | Time
AGENCY/ORG/TARGET 11/03/2021

**Goal:** Templates are meant to provide a foundation for easily creating sharp-looking reports for the various common missions and tasks that we take on as OSINT professionals. The intention is that they be further customized by the user to reflect their own use case and agency branding. They often contain more categories and sections than you might include in a single report. This is because it is easier to cut content out than it is to add sections back in that look cohesive with the original design. Below are some categories that you might review and assess in assisting with cleaning up and improving these templates.

1. When returning an edited document, please title it with your Matrix handle and the date, i.e.: domainreport_mrmumbles_nov21.docx.
2. If you wish to include notes, you can add an .md/.txt file or just add a page of notes to the end of the template.
3. **Formatting improvements.** Most of our templates are built in Adobe InDesign and then exported out to Word. That process is imperfect and we spend quite a bit of time cleaning up the formatting post export. Word handles columns and other features imperfectly and I am not particularly good at working with Word or PowerPoint. If you are able to clean up or otherwise improve formatting, please do so. It may be that the way in which I have accomplished a certain aesthetic is not ideal.
4. Some filler text on templates is just typesetter's code and other text is meant to provide some guidance on what to put in that section. For the latter, feel free to correct any spelling or grammar, or add any content to improve the value of that guidance.
5. If there are any sections or items that you think should be added, please do so. You are also welcome to make multiple versions.
6. Fonts should be mostly consistent. I tend to use Montserrat (https://fonts.google.com/specimen/Montserrat) or Avenir Next (https://freefontsfamily.com/avenir-next-font-download-free/) depending on the project, so if you see inconsistencies please feel free to fix them.
7. We want to clean up as much metadata as possible. This is much more difficult with files like pptx. If you find metadata showing PII (names, accounts, etc.), please list it in your edit notes and/or remove the metadata. Some of our templates are from scratch, others are from premium or open-source templates which we have further modified to suit investigations/operations, so there may be 3rd party metadata in some cases.
8. Any other ideas or changes are 100% welcome. You can use track changes in the case of docx revisions or just list any major changes at the bottom of the template as an additional page or again as a .md or .txt file. Don't worry about listing every spelling or grammar fix. Also, typesetter's code is Latin, so any boilerplate using that will set off your spell check, which you can ignore.

Thank you! -Jason

INTELLIGENCE BRIEFING TEMPLATE

Notes About This Briefing Template

1. This template is intended to accompany the following materials, without which some portions may appear confusing:
   1. Domain Lesson Notes
   2. Domain Video Lesson
   3. Domain Report Template
   4. PPTX Template
2. The theme is very subdued, but you can change the overall theme and adjust the master slide by selecting View -> Slide Master.
3. If the animations are too busy for your use case, feel free to remove them. It is easier to remove functions than it is to add them back in, so animations were included in the provided default version.
4. This is a generic template that requires customization to suit your own use case. Depending on your mission objectives you will certainly need to add, remove, or further customize pages and content. This is meant to be a starting framework and is in no way meant to be used as-is.
5. You are welcome to use this framework to build out your own templates. You are welcome to use those for professional purposes. Please do not repackage and "sell" our materials outside of preparing your own reports and presentations.

ICON ASSETS

Master Slide Components
• Replace "Target Domain" (View -> Master Slide)
• Fonts Used: Montserrat & Avenir Next
  https://www.fontsquirrel.com/fonts/montserrat
  https://freefontsfamily.com/avenir-next-font-download-free/
• Icon #1: Main Profile
• Icon #2: Attribution
• Icon #3: Link Analysis/Site Diagram
• Icon #4: Technologies/Identifiers/Traffic Analysis
• Icon #5: Closing/Appendix
• Slide Number

Optional Cover Page #1

Domain.com
Investigative Profile & Vulnerability Assessment
Prepared By: Sr. Analyst Gene Parmesan
November 14th, 2021

Mission Objectives
The mission objective is the ask: the assignment or goal of the operation/engagement. This might be a vulnerability assessment, competitive intelligence gathering, or a criminal investigation into a malicious site. For the latter, a typical primary objective is attribution. Who owns the site, who runs the site, and where can we put our hands on those people and that data? Mission priorities are typically set by the client or a supervisor, but they also may be self-generated. Regardless, early clarification of objectives assists in maintaining an efficient scope of operations.

Methodology
This report has been prepared for and to the specifications of XXXXXX. The report contains both research data as well as analysis. All data was recovered from publicly available resources in a manner consistent with best practices and law.

Report Disposition: \\share\unit\case

Scope of Engagement

Site Map: A visual representation of the domain structure and how it connects to other sites, services, and infrastructure.

Domain Registration: The most recent WHOIS record, which is available via many online sources.

Historical Data: Often, we can see non-privatized registrant information by reviewing historical registration information from previous years.

Attribution: Identify the domain owners and operators. Where are they located, what accounts do they use, all of the OSINT things.

Technologies: What are the various sets of code and/or services used by the site? This may be content management code, analytics services, or similar.

Vulnerabilities: Open ports, vulnerable code, breach data, and even reputation can be a critical vulnerability.

Key Findings
Key findings are the most important, at-a-glance takeaways from the investigation/operation. You may wish to include an image that supports the #1 or multiple key findings.
Key Finding #1: [placeholder text]
Key Finding #2: [placeholder text]
Key Finding #3: [placeholder text]
Key Finding #4: [placeholder text]

Key Finding #1 (detail slide)
[Placeholder text]
Risk/Impact/Urgency | Discoverability

Key Finding #2 (detail slide)
[Placeholder text]
Risk/Impact/Urgency | Discoverability

Key Finding #3 (detail slide)
[Placeholder text]
Risk/Impact/Urgency | Discoverability

Key Finding #4 (detail slide)
[Placeholder text]
Risk/Impact/Urgency | Discoverability

Domain.com

This is where you may choose to focus on one significant overall take-away. This may be a particularly significant exposure or vulnerability. This could also be a snapshot of the organization for context. For example, the image might be a capture of the main page or the about page. The verbal explanation might be covering the focus of the investigation, the general traffic and significance of the site and so on. It can be the punchline. This slide can also be moved further up in the deck or to the end.

Domain Profile
» Domain.com
» IP: 1.1.1.1
» ASN: AS19527
» NS: NS1.USM57.SITEGROUND.BIZ
» NS: NS1.USM57.SITEGROUND.BIZ
» Registrar:
» Host:
» Created: August 17th, 2015
» Registrant: Privatized 2020
» Owner:
» Admin:
» Historical Whois:
» Assoc. Domain 1:
» Global Rank:
» Key Archive:
» Reference 1:
» Reference 2:
» Port Exposure:
» Technologies:
» Emails:
» Analytic IDs:
» Critical Breach Data:
» Reference:

Full Profile: \\share\unit\case#

Hosting Company
Insert key hosting company data, typically obtained from sites like search.org. For example: https://www.search.org/resources/isp-list/
Optional: insert images of the hosting records.

ISP: GoDaddy.com LLC
GoDaddy.com, LLC
Attn: Subpoena Compliance
2155 E. GoDaddy Way
Tempe, Arizona 85284
480-505-8800
(480) 624-2546
GoDaddy prefers service of legal process by fax. No email service will be accepted. "Emergency requests from law enforcement agencies are given expedited attention. If this request is an emergency, please send a fax to 480.624.2546 or an email to [email protected]"

Target Location
Location data associated with the hosting or management of the domain or IP. This is often not directly reflective of the individual running the site.

Business Address OR Hosting Location
Typically, this is the address and geographical intelligence for the physical servers. If we need to get our hands on the data by serving a search warrant or otherwise physically seizing the servers, where would we find them?

Hosting Geolocation

Site Diagram
Components: Registrar | Hosting | Subdomain | MX Server | Technologies | File Server

WHOIS Record
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: clientRenewProhibited https://icann.org/epp#clientRenewProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Registry Registrant ID: Not Available From Registry
Registrant Name: Registration Private
Registrant Organization: Domains By Proxy, LLC
Registrant

Domain.com WHOIS September 2016
"registrantContact": {
  "name": "Domain Administrator",
  "organization": "Endurance International Group West, Inc",
  "street": "10 Corporate Drive Suite 300",
  "city": "Burlington",
  "state": "MA",
  "postalCode": "01803",
  "country": "UNITED STATES",
  "email": "[email protected]",
  "telephone": "13604495900",

Source: https://whois-history.whoisxmlapi.com/ (URL of site providing historical WHOIS record)

Current DNS Records

A Records: Flexential Colorado Corp. 63.247.140.44
AAAA Records: No Records
MX Records: Flexential Colorado Corp. 10 mail.domain.com
NS Records: Flexential Colorado Corp. ns46.hmdnsgroup.com, ns45.hmdnsgroup.com
SOA Records: ttl: 14400, email: hostmaster.domain.com

SOURCE: https://securitytrails.com/domain/domain.com/dns

Historical IP Addresses

2021-10-18 | 35.208.131.248 | Mountain View, USA | Google LLC
2020-5-20 | 37.60.252.212 | Chicago - USA | CHI-3
2019-1-8 | 109.73.263.220 | Chicago - USA | Ground Chicago

» IP history results for Domain.com.
» ==============
» IP Address | Location | IP Owner | Last seen on this IP
» 35.208.131.248 | Mountain | Google LLC | 2021-10-18
» 37.60.252.212 | Chicago - USA | CHI-3 | 2020-03-05
» 109.73.236.220 | Chicago - USA | Ground Chicago | 2019-01-08
» 50.87.216.65 | Provo - USA | Unified Layer | 2018-02-18
» 50.87.237.96 | Provo - USA | Unified Layer | 2017-02-14

Source: https://viewdns.info/iphistory/

Historical DNS

Hostname | Type | TTL | Content
lockdownyourlife.com | SOA | 21599 | ns1.siteground.net dnsad
lockdownyourlife.com | NS | 21600 | ns1.siteground.net
lockdownyourlife.com | NS | 21600 | ns2.siteground.net
lockdownyourlife.com | MX | 3600 | mx10.mailspamprotection.com
lockdownyourlife.com | MX | 3600 | mx30.mailspamprotection.com

Source: https://viewdns.info/iphistory/

PORT STATUS

PORT 21 - File Transfer Protocol (FTP) control (command)
PORT 22 - SSH - Secure Shell (SSH), secure logins, file transfers (scp, sftp) and port forwarding
PORT 23 - Telnet protocol, unencrypted text communications
PORT 80 - Hypertext Transfer Protocol (HTTP)
PORT 110 - Post Office Protocol, version 3 (POP3)
PORT 443 - HTTPS - Hypertext Transfer Protocol Secure (HTTPS)

Obfuscation

ROBOTS.txt https://targetdomain.com/robots.txt

User-Agent: MJ12bot
Disallow: /
User-agent: *
Disallow: /aboutAppC/
Disallow: /admin/
Disallow: /affiliateAppC/
Disallow: /affiliateControl/
Disallow: /appinterface/
Disallow: /appinterfaceAppC/
Disallow: /articlesAppC/
Disallow: /bandwidth/
Disallow: /BizBuilder/
Disallow: /build/
Disallow: /categoryAppC/
Disallow: /cgi-bin/
Disallow: /cgi-fy/
Disallow: /cgi-va/
Disallow: /cobrand/
Disallow: /cobrandAppC/
Disallow: /directMail/
Disallow: /data/
Disallow: /directoryAppC/
Disallow: /directory/
Disallow: /error/
Disallow: /firetest/
Disallow: /homeAppC/
Disallow: /joinAppC/
Disallow: /knowledgebase/allkeywords.cmp
Sitemap: https://www.domain.com/sitemap.xml

Admin Panel: https://domain.com/admin/
Open Service: https://domain.com/BizBuilder

Historical Domain Registration

2021 - Registrant Details: [placeholder text]
2019 - Registrant Details: [placeholder text]
2016 - Registrant Details: [placeholder text]
2014 - Registrant Details: [placeholder text]
2013 - Registrant Details: [placeholder text]
2012 - Registrant Details: [placeholder text]

Attribution

Subject #1 Domain Owner
This is typically who owns the domain per current or historical registration (WHOIS) data. This is not the registrar or a privacy masking service. It is the true registrant of the domain.
Source: List of records supporting the identification of this person of interest. Optional: embedded links to pertinent records.

Subject #2 Site Administrator
This is the primary person who manages the site. In some cases, the owner and admin are the same person. This person makes changes to the content and controls the site on a day-to-day basis.
Source: List of records supporting the identification of this person of interest. Optional: embedded links to pertinent records.

Subject #3 Forum Moderator
This could be a forum or any subsection of the site. Really any additional person of interest such as a partner or additional administrator. On a criminal case you may duplicate this page for more accomplices.
Source: List of records supporting the identification of this person of interest. Optional: embedded links to pertinent records.

Persons of Interest

Subject #1 Domain Owner
[Placeholder summary text]
Address: 12456 Turtle Ave., Rocksberry CO, USA 44442
Phone: +1 234 567 890, +1 098 765 432
Email: [email protected]
Social: Linkedin.com/dummyaccount, Facebook.com/dummyaccount, @dummyaccount
Business/Blog: Billions LLC, billiondollarbillions.com

Subject #2 Site Administrator
[Placeholder summary text]
Address: 124 La Tripe Street #45, Vallyview CO, USA 44442
Phone: +1 234 567 890, +1 098 765 432
Email: [email protected], [email protected]

Subject #1 Site Owner/Administrator
[Placeholder summary text]
Address: 124 Purple Street, San Pedro CA, USA 23456
Phone: +1 234 567 890, +1 098 765 432
Email: [email protected], [email protected]
Alternate Domain: billiondollarbillions.com
Social Media Accounts: Linkedin.com/dummyaccount, Facebook.com/dummyaccount, @dummyaccount

Additional Target Locations
Address: 1234 Schooner Tuna Lane, Santa Maritz, CA 54362
Address: 1234 Schooner Tuna Lane, Santa Maritz, CA 54362
Address: 1234 Schooner Tuna Lane, Santa Maritz, CA 54362

Site Archives
Sites such as archive.org, archive.today, or Google cache may allow us to view historical or deleted content. They also provide a possible opportunity for passive reconnaissance (caveat: Google cache is not completely passive recon, as it often fetches images from the live site). Optional: add an image of the capture to the left.
DATE: September 2020
DATE: May 2018
DATE: August 2016
DATE: September 2015
DATE: September 2012
(Optional: embed links to records)

Key Archive Image
On this slide you may wish to add a screen capture or other image depicting the portion of an archive record that supports a key finding. You may duplicate this slide to include as many images to support key findings as is appropriate to your mission scope.

Key Archive Image #2
(Duplicate of the Key Archive Image slide for additional supporting images.)

Analytic Identifiers

Google Analytics: UA-7234138 - [placeholder text]
Addthis: [placeholder text]
Doubleclick: [placeholder text]
Facebook App: [placeholder text]

Source: https://analyzeid.com/id/domain.com

TECHNOLOGIES

Analytics - Optimizely: [placeholder text]
Optimizely empowers companies to deliver more relevant and effective digital experiences on websites and mobile through A/B testing and personalization. https://trends.builtwith.com/analytics/Optimizely
Widgets - Google Fonts: [placeholder text]
Frameworks - Organizational Schema: [placeholder text]

Source: https://builtwith.com/?https://domain.com

TECHNOLOGIES (continued)

Content Delivery - CloudFront: [placeholder text]
Content Management - WordPress: [placeholder text]
Email Hosting - GoDaddy Email Hosting: [placeholder text]

Source: https://builtwith.com/?https://domain.com

SSL CERTIFICATES

44ab73120c4b36d32ca683148b62f33acd9911981ff144c9b417c171970f1c18
Active 2020-12-21 03:11:21 to 2022-01-22 03:11:21
Subject DN: CN=*.domainblah.com
Issuer DN: C=BE, O=Global
Source: https://spyse.com/target/domain/domain.com

Domain2.com - Shared SSL Certificate
44ab73120c4b36d32ca683148b62f33acd9911981ff144c9b417c171970f1c18
Active 2020-12-21 03:11:21 to 2022-01-22

TECHNOLOGY VULNERABILITIES

CVE-2021-39357
The Leaky Paywall WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via the ~/class.php file, which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 4.16.5. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.
Source: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39357

Technology Two: [placeholder text]

DATA LEAKS
[Placeholder text]
Risk/Impact | Discoverability

Breach Data
(Five entry slots on the slide, each in this format:)
Breach Name | Date of Breach
[Placeholder summary text]
Number of records present for the target domain
Source:

BREACH DATA
(Six entry slots on the slide, each in this format:)
Breach Name | Date
Size, date, and other details which add context to the level of impact this breach data has on our target.
Source:

REPUTATION VULNERABILITIES
Article #1 - Pertinent summary or quote - Source:
Article #2 - Pertinent summary or quote - Source:
Article #3 - Pertinent summary or quote - Source:

RECOMMENDATIONS/ACTION ITEMS
Section One: [placeholder text]
Section Two: [placeholder text]
Section Three: [placeholder text]
Section Four: [placeholder text]

DISCUSSION
This presentation and the associated reports have been prepared consistent with operational best practices and agency policy. The report contains both research data as well as analysis. The research data presented was collected from publicly available sources on the internet.

APPENDIX

10OSINTdomains.md
7/23/2021

OSINT Essentials - Domain Names

Intro and Use Case
Domain investigation is bread and butter for anyone working in cyber-crime or vulnerability assessment. We also often find private domains related to our individual targets, and data such as whois information can at times produce valuable leads.

Search process
- Current Domain Registration
- Server and Content Details
- IP/DNS Configurations
- Subdomain Locations
- Historical Domain Registration
- Robots.txt Information
- Live & Historical Visual Depictions
- Search Engine Marketing & Optimization
- Website Analytics
- Replication of Content

1.1 Current Domain Registration
- Whois
- DomainTools
- ViewDNS

1.2 Domain Search Tools
- ViewDNS Whois
- ViewDNS Reverse IP
- ViewDNS Port Scan
- ViewDNS IP History
- DNS Dumpster

1.3 Historical Registration Data
- Whoxy
- Whoisology
- Domain Big Data

1.4 Historical Visual Depictions
- Search Engine Cache: Google
- Website Informer
- URLScan
- Easy Counter
- Spyse Sub Domain Finder
- DomainIQ
- Wayback Machine

1.5 Website Monitoring
- Follow That Page
- Visual Ping

1.6 Domain Analytics
- Spy On Web
- Analyze ID
- DomainIQ
- Nerdy Data
- Built With
- Pentest-Tools

1.7 Robots.txt
File at the root of a website that holds instructions for search engines crawling the site looking for keywords.
- Example for Reddit: https://www.reddit.com/robots.txt
- Google or Bing: site:twit.tv "robots.txt"
- Wayback Machine: https://web.archive.org/web/*/twit.tv/robots.txt
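As an added example (not code from the lesson or from IntelTechniques), the following Python reads a robots.txt body like the one on the report template's Obfuscation slide and lists what the file itself discloses: which crawlers are blocked outright, the Disallow paths per user-agent, and the paths whose names suggest administrative or back-end areas, the kind of entry the template records as "Admin Panel". It is written for the site owner reviewing their own file before publication as much as for the analyst reading someone else's. The keyword list SENSITIVE_HINTS and the sample robots.txt are constructed assumptions, not values from the notes.

```python
"""Parse a robots.txt body and report what it discloses about a site's layout.

Added example for these lesson notes; not code from IntelTechniques. The sample
robots.txt below is constructed and modelled on the template's Obfuscation slide.
"""
from dataclasses import dataclass, field

# Words that, in a Disallow path, usually point at administrative or infrastructure
# paths rather than ordinary content. Hypothetical list; tune it for your own site.
SENSITIVE_HINTS = ("admin", "cgi", "control", "build", "data", "error", "test")


@dataclass
class RobotsPolicy:
    agents: dict = field(default_factory=dict)   # user-agent -> list of Disallow paths
    sitemaps: list = field(default_factory=list)


def parse_robots(text: str) -> RobotsPolicy:
    """Group Disallow directives under the User-agent line(s) that precede them."""
    policy = RobotsPolicy()
    current_agents = []
    last_was_agent = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        if not line or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        key = key.lower()
        if key == "user-agent":
            # Consecutive User-agent lines share one rule group; a User-agent line
            # that follows rules starts a fresh group.
            if not last_was_agent:
                current_agents = []
            current_agents.append(value)
            policy.agents.setdefault(value, [])
            last_was_agent = True
            continue
        last_was_agent = False
        if key == "disallow":
            if value:                                # a bare "Disallow:" allows everything
                for agent in current_agents:
                    policy.agents[agent].append(value)
        elif key == "sitemap":
            policy.sitemaps.append(value)
    return policy


def blocked_entirely(policy: RobotsPolicy) -> list:
    """User-agents denied the whole site via 'Disallow: /'."""
    return [agent for agent, paths in policy.agents.items() if "/" in paths]


def sensitive_paths(policy: RobotsPolicy, agent: str = "*") -> list:
    """Disallow paths for `agent` whose name hints at a back-end or admin area."""
    hits = []
    for path in policy.agents.get(agent, []):
        lowered = path.lower()
        if any(hint in lowered for hint in SENSITIVE_HINTS):
            hits.append(path)
    return hits


# Constructed sample input (not a real site's file).
SAMPLE_ROBOTS = """\
# constructed sample, modelled on the template's robots.txt slide
User-Agent: MJ12bot
Disallow: /

User-agent: *
Disallow: /aboutAppC/
Disallow: /admin/
Disallow: /affiliateControl/
Disallow: /cgi-bin/
Disallow: /directory/
Disallow: /error/
Disallow: /knowledgebase/allkeywords.cmp
Sitemap: https://www.example.com/sitemap.xml
"""

if __name__ == "__main__":
    policy = parse_robots(SAMPLE_ROBOTS)
    print("Crawlers blocked outright:", blocked_entirely(policy))
    print("Sitemaps:", policy.sitemaps)
    for agent, paths in policy.agents.items():
        print(f"{agent}: {len(paths)} Disallow path(s)")
    print("Paths worth a second look:", sensitive_paths(policy))
```

The hint list is deliberately crude: it flags names, not behaviour, so every hit still needs a human decision about whether the path belongs in a public file at all or should be protected by authentication and simply left unlisted.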

1.8 Search Engine Marketing Tools Similar Web Alexa Search Metrics Majestic SpyFu Shared Count Small SEO Tools - Backlinks Small SEO Tools - Plagiarism Checker Copy Scape Hunter Visual Site Mapper Reddit Domains https://reddit.com/domain/

1.9 Threat Data Top four websites that monitor for malicious content. 2/4

10OSINTdomains.md

7/23/2021

Virus Total Threat Intelligence Threat Crowd Censys

1.10 Shortened URLs s Bitly bitly.com include a + after the URL Tiny.cc tiny.cc include a ~ at the end of the URL Google goo.gl include a + after the URL Bit.do bit.do include a – after the URL GitHub - Carbon 14

1.11 Additional Resources Both of these articles provide information on subdomain enumeration: How to find subdomains of a domain in minutes (Geekflare), 2020 Subdomain enumeration made easy (Medium), 2020

1.12 One-Tab Bookmarks
https://whois.com | Whois
https://domaintools.com | DomainTools
https://viewdns.info | ViewDNS
https://viewdns.info/whois | ViewDNS Whois
https://viewdns.info/reverseip | ViewDNS Reverse IP
https://viewdns.info/portscan | ViewDNS Port Scan
https://viewdns.info/iphistory | View DNS IP History
https://dnsdumpster.com/ | DNS Dumpster
https://whoxy.com | Whoxy
https://whoisology.com | Whoisology
https://domainbigdata.com | Domain Big Data
https://webcache.googleusercontent.com/search?q=cache:https://denver.org | Google
https://website.informer.com | Website Informer
https://urlscan.io | URLScan
https://easycounter.com | Easy Counter
https://findsubdomains.com | Find Sub Domains
https://domainiq.com/snapshot_history | DomainIQ
https://web.archive.org/web/ | Wayback Machine
https://followthatpage.com | Follow That Page
https://visualping.io | Visual Ping
https://spyonweb.com | Spy On Web
https://analyzeid.com | Analyze ID
https://domainiq.com/reverse_analytics | DomainIQ
https://search.nerdydata.com | Nerdy Data
https://builtwith.com | Built With
https://pentest-tools.com/reconnaissance/find-subdomains-of-domain | Pentest-Tools
https://similarweb.com | Similar Web
https://alexa.com | Alexa
https://suite.searchmetrics.com | Search Metrics
https://majestic.com | Majestic
https://spyfu.com | SpyFu
https://sharedcount.com | Shared Count
https://smallseotools.com/backlink-checker | Small SEO Tools
https://smallseotools.com/plagiarism-checker | Small SEO Tools
https://copyscape.com | Copy Scape
https://hunter.io | Hunter
http://visualsitemapper.com | Visual Site Mapper
https://virustotal.com | Virus Total
https://threatintelligenceplatform.com | Threat Intelligence
https://threatcrowd.org | Threat Crowd
https://censys.io | Censys
https://geekflare.com/find-subdomains/ | Subdomain Enumeration


11OSINTBreachData.md

7/23/2021

OSINT Essentials - Breach Data (v.3.2021)
What is breach data?
Breach data is typically data that was at one point stolen and then later sold, traded, and otherwise released on the internet. (i.e. data sets utilized by Dehashed.com or haveibeenpwned.com)
Leak data was inadvertently made public by an individual or organization. (i.e. Elasticsearch or MongoDB databases)
Public data was released by a government entity or a 3rd party organization associated with a government agency. (i.e. court or voter records)
Use cases
Defensive: What accounts, passwords, and PII belonging to myself, my client, or my organization are exposed?
Offensive: Locate leads on additional accounts and identifiers belonging to the target. Develop contextual intel from passwords. (We never use credentials to gain unauthorized access to a target's accounts)

1.1 Basics
OSINT Breach Data Steps
1. Know your policies and legal standing
2. Search against target email address, phone number, etc.
3. Collect any results and identify any unique passwords or hash values for passwords
4. Search breach data again using unique passwords and hash values - goal: locate other accounts using those unique passwords/hash values
5. Further utilize and/or document your findings as intelligence leads or publishable findings, dependent on policy and use case. (i.e. if this process turns up other accounts you might now have additional leads to work off of)
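The search, collect and re-search pivot of steps 2 through 4, run against a constructed sample dump so it can be tried offline. This is an added example and not part of the lesson; it uses grep -F in place of the ripgrep command the lesson teaches (the equivalent would be rg -a -F -i -N term file), and the email:hash records, addresses and file names are all made up for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the lesson: the search -> collect -> re-search
# pivot from the Basics steps, run over a constructed sample dump so it can be
# tried offline. grep -F is used so it runs anywhere; the ripgrep form used in
# the lesson would be: rg -a -F -i -N <term> <file>

# Constructed sample dump in email:hash form (fictional addresses; the hashes
# are unsalted MD5s of well-known weak passwords). The first hash appears under
# two different addresses, which is the situation step 4 is looking for.
make_sample_dump() {
    cat <<'EOF'
alice@example.org:5f4dcc3b5aa765d61d8327deb882cf99
bob@example.org:e10adc3949ba59abbe56e057f20f883e
alice.smith@example.net:5f4dcc3b5aa765d61d8327deb882cf99
carol@example.org:25d55ad283aa400af464c76d713c07ad
EOF
}

# hashes_for EMAIL FILE: unique credential values (field 2) stored for EMAIL.
# Steps 2 and 3: search the identifier, collect the hashes tied to it.
hashes_for() {
    grep -F -i -- "$1" "$2" | cut -d: -f2 | sort -u
}

# accounts_with_hash HASH FILE: every address (field 1) whose record carries HASH.
accounts_with_hash() {
    grep -F -i -- "$1" "$2" | cut -d: -f1 | sort -u
}

# pivot EMAIL FILE: step 4. For each hash tied to EMAIL, list the *other*
# addresses that carry the same hash. Output lines: hash<TAB>other_email.
# Nothing is printed when the hash is unique to EMAIL.
pivot() {
    email="$1"; file="$2"
    hashes_for "$email" "$file" | while read -r h; do
        accounts_with_hash "$h" "$file" | grep -v -i -F -- "$email" |
            while read -r other; do printf '%s\t%s\n' "$h" "$other"; done
    done
}
```

Because grep -F matches substrings, a short identifier will also hit records that merely contain it (searching "al@example.org" would match "sal@example.org"); tighten the term or add -w when that matters. The pivot only finds reuse where the dump stores the same unsalted value, which is why the lesson stresses unique passwords and hashes.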

1.2 Third Party Breach Sites
Dehashed
PSBDMP
Dump Search
IntelX
Black Kite (BKT)
Cybernews Check
Have I been Pwned (HIBP)
Leakcheck - Account required/premium
Spycloud - Account required/premium

1.3 Offline Breach Collection
**Note:** Be certain of your agency policies as well as your legal standing in the jurisdictions where you live and work. It is your responsibility to know if you can legally use breach data in your assignments.


We only use breach data defensively and for operations where it has been authorized. Know your legal standing and use any data ethically. We never support criminal organizations by purchasing breach data from them. If you are uncertain of your legal standing, do not proceed with a data collection. For some of you this section will be for awareness purposes only. For example, in my government role I do not use breach data outside of defensive assessments looking for our own exposed accounts.

Sample Data Sets
Special K on Archive.org: https://web.archive.org/web/20151110195654/http://www.updates4news.com:80/kyledata/ - Once downloaded, combine to a single file using this command: cat * > SpecialK.txt
LinkedIn Data - Contains LI ID number and email address: https://archive.org/details/LIUsers.7z - Unpack archive to get txt file
2015 Snapchat breach with partial phone numbers: https://archive.org/download/SnapChat.7z

Breach Data Leads from Communities
Note: be very cautious hunting for breaches in online communities, they can be super sketchy and full of criminals.
Use your Google skills to get leads on breach downloads: "compilationofmanybreaches.7z"
An example of a reasonably safe OSINT community which discusses breach sources: https://osint.team - There is a leaks channel
On the riskier side (know what you are doing) you can use your Google skills and venture into communities such as Telegram channels. For example: https://t.me/leaks_db

1.4 Cleaning Data - Examples
cat * > SpecialK.txt - Combine all files in the folder into one txt file
sed -i 's/<TAB>/:/g' Voter-FL.txt - Replaces tabs with colons. Here <TAB> stands for a literal tab character inside the command; it is entered by pressing the control, v, and tab keys at the same time, which represents a "tab" to the command.


sed -i 's/::/:/g' Voter-FL.txt - Removes unnecessary colons
sed - The command for "sed"
-i - Modify the file and save it in real time
's/::/:/g' - Replace every occurrence of :: with : throughout the entire file
Voter-FL.txt - The file to modify (* would modify all files in the folder)
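The two sed passes above (tabs to colons, then "::" to ":") applied to a constructed tab-separated sample, as an added example that is not from the lesson. It writes to a new file rather than using sed -i, because GNU sed and the macOS/BSD sed disagree on the -i syntax (the Intelx whois notes later in this notebook run into exactly that), and it builds the tab with printf so no Ctrl+V Tab keystroke is needed. The sample records, file names and the count_fields helper are all assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not from the lesson: the tab->colon and "::"->":" steps
# above applied to a constructed sample, writing to a new file instead of
# editing in place (GNU sed and macOS/BSD sed disagree on -i syntax).

# Constructed sample: three tab-separated records; the second has an
# empty middle field, which is what produces "::" after the first pass.
make_sample() {
    tab=$(printf '\t')
    printf 'alice%sexample.org%s5551212\n' "$tab" "$tab"
    printf 'bob%s%s5551213\n' "$tab" "$tab"
    printf 'carol%sexample.net%s5551214\n' "$tab" "$tab"
}

# clean_records IN OUT: replace every tab with ':' then every '::' with ':',
# exactly the two sed passes from the cleaning examples, in one invocation.
# The tab is built with printf so no Ctrl+V Tab keystroke is needed.
clean_records() {
    in="$1"; out="$2"
    tab=$(printf '\t')
    sed -e "s/$tab/:/g" -e 's/::/:/g' "$in" > "$out"
}

# count_fields FILE: number of ':'-separated fields on each line, one per line.
# Used to show what the "::" squeeze does to records with an empty field.
count_fields() {
    awk -F: '{ print NF }' "$1"
}
```

Run count_fields on the cleaned file and the second record reports two fields while the others report three: squeezing "::" deletes the empty field rather than preserving its position, so the phone number has shifted one column to the left on that line. That is fine for keyword searching with ripgrep, which is what these notes are cleaning for, but if you later cut columns by number (as the Intelx whois process does), leave the "::" in place or substitute a placeholder such as ":-:" instead.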

1.5 Search Scripts
Ripgrep
Installation: https://github.com/BurntSushi/ripgrep/#installation
MacOS - brew install ripgrep
Linux (Ubuntu) - sudo apt-get install ripgrep
Windows - choco install ripgrep
Windows WSL - sudo apt-get install ripgrep
Commands
rg -a -F -i -N searchterm
rg - The command for Ripgrep
-a - The switch to search all data as text
-F - The switch to treat the pattern as a literal string
-i - The switch to ignore case
-N - The switch to exclude the line number
rg -a -F -i -N 'NW 48Th St' - Terms with spaces need quotes
Phone numbers
rg -a -F -i -N 6185551212
rg -a -F -i -N 618-555-1212
Pattern
General format: rg [OPTIONS] keyword > [OutputFile]
Example: rg -a -F -i -N '[email protected]' > result.txt
rg --help - Long descriptions with detailed explanations

Sift: https://sift-tool.org/
Pattern
General format: sift keyword --output=filename.txt
Example: sift [email protected] --output=147testmail.txt
Additional Examples:
M:\CompilationOfManyBreaches>sift sf.gov
M:\CompilationOfManyBreaches>sift sf.gov --output=sf.txt
M:\CompilationOfManyBreaches>sift [email protected]

Shoewind's Cleaning Script https://github.com/frozenjelly304/inteltechniques/blob/main/Breach%20Data/Setup%20Guides/cleanInput.sh

1.6 Hashes
Recognizing hashes by string length. The password of "password1234" translated with four of the most common hash algorithms:
MD5: BDC87B9C894DA5168059E00EBFFB9077
SHA1: E6B6AFBD6D76BB5D2041542D7D2E3FAC5BB05593
SHA256: B9C950640E1B3740E98ACB93E669C65766F6670DD1609BA91FF41052BA48C6F3
SHA512: C7C9D16278AC60A19776F204F3109B1C2FC782FF8B671F42426A85CF72B1021887DD9E4FEBE420DCD215BA499FF12E230DAF67AFFFDE8BF84BEFE867A8822C4

IntelTechniques OSINT Toolset - Hash Tools
GitHub - Search That Hash
GitHub - Helpful Stuff - Learn to crack hashes


1.7 Resources & Articles
The Privacy, Security, & OSINT Show, Episode 209 - New OSINT Tactics
Fast searching with ripgrep (mariusschulz.com), 2020
Voter Data Guide on GitHub (this is leak data, not breach data and will be discussed in another lesson): GitHub - Voter-files
Sample Query: [email protected]


11OSINTHashes.md

7/23/2021

OSINT Essentials - Hashes - TLDR Updated April 7th, 2021

1.1 What is a hash?
Hashes - One-way cryptographic representation of a specific string of characters. A specific string of characters will always result in the same hash when converted using the same type of hash algorithm. Hashes differ from encryption in that they are a one-way encoding, so in theory you cannot put a hash value into a formula to calculate the original string that it represents. There are other ways of figuring out plain text strings represented by hash values, but we'll get to that soon enough. First let's look at examples of the same string run through some of the most popular hash algorithms so that we can get familiar with how hashes look and the relative lengths associated with the different flavors of hashing.
Example: "inteltechniques" hashed using SHA1 = 56b0e8ad47bfae63db9f15c30924302921b76b08
It will always equal the same value using SHA1; it is a set, unique result, therefore any instance of inteltechniques will have the same value when run through the SHA1 algorithm. This means if we are searching through hash data, we can search for 56b0e8ad47bfae63db9f15c30924302921b76b08 to locate instances where people have used inteltechniques.
Comparison hash lengths for "inteltechniques":
MD2 95c4d507d2d4eaeec035397b0ca37901
MD4 220e92d67c04e03afdd19ca75c90e36c
MD5 db3b177b4720bf525a5f189eb9430c96
MD6 a04379dcce3ce676e940da47145fd2a0360433464cccb84acf282c2f6c536e5a
SHA0 40176afa956d1f0d0693ad4ddbf52324d2223250
SHA1 56b0e8ad47bfae63db9f15c30924302921b76b08
SHA2 224 8b20d8ab5c5add8a9b08ea6df9da62ad1c9777622baf67f4f5a37397
SHA2 256 ccaf754cb29091ec9a7111026991cc522944c68f3d429d82f4d0e1fc6ae5db81
SHA2 384 43874480806f0942c68cfa39bbd8b692b5a0d612a9ce1da7df7fe6dd4164b4d95e0d703508569bfd9ac9bb4a059096df
SHA2 512 b7d63b22bfd3b59a353cb4b4f606a5bf6f73593efe176fd5152826788f5d7969cbbbc8d8b23a9fd9ccfdba7ecca1964cb71a30f662f5e5d147696b1c7f82db10
SHA3 224 5a966a55c8807efa405b55c7447a392f16c42644440613e55b5fcae3
SHA3 256 8661ec27ac0627c2221dcd67286f89d3a7138b5edcd06a91c095aeb7b84f71e9
SHA3 384 e09e4d3abbf90e5cf2d2f9b11e619f90500eb0ce3a9aedbc857325bb955fc1eaf6ac3673248084b4b952658b9ed71dec
SHA3 512 3a8b78b3be9a572a7e4bd8f779c776e63b7c
Or if you want to look at all common hashes for "inteltechniques": http://icyberchef.com/#recipe=Generate_all_hashes()&input=aW50ZWx0ZWNobmlxdWVz

Collisions In theory every hash value should represent only one exact string or file, but in reality weaker algorithms such as MD5 can in rare circumstances result in two different strings having the same hash. That is one reason those older, weaker algorithms are being phased out. For our purposes we do not have to worry too much about collisions, because they are so rare, but now you know what they are if you see them referenced.
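Computing the digests the comparison table was built from, and classifying an unknown hex string by length, as an added example (not part of the lesson). It assumes the coreutils md5sum/sha1sum/sha256sum/sha512sum tools or, failing those, the macOS md5 and shasum commands; the function names are my own. The one detail worth seeing in code is the printf '%s' form: echo appends a newline, so hashing "inteltechniques" with echo gives a different value from the one in the table and any search for it would miss.

```shell
#!/bin/sh
# Added example, not part of the lesson: compute digests the way the
# comparison table above was built, and classify an unknown hex string by
# length. Length alone is a hint, not proof: several algorithms share a
# length (MD5, MD4 and NTLM are all 32 hex characters).

# hex_digest ALGO STRING: digest of STRING with NO trailing newline.
# printf '%s' matters: echo appends "\n" and yields a different hash.
# Uses coreutils <algo>sum where present, else the macOS md5/shasum tools.
hex_digest() {
    algo="$1"; s="$2"
    if command -v "${algo}sum" >/dev/null 2>&1; then
        printf '%s' "$s" | "${algo}sum" | cut -d' ' -f1
    elif [ "$algo" = md5 ]; then
        printf '%s' "$s" | md5 -q
    else
        # sha1 -> "shasum -a 1", sha256 -> "shasum -a 256", and so on
        printf '%s' "$s" | shasum -a "${algo#sha}" | cut -d' ' -f1
    fi
}

# guess_hash_type HEX: candidate algorithm(s) from the length of a hex string.
# Returns 1 (and says why) when the input is not a plain hex digest at all,
# which is the usual sign of a salted or encoded format rather than a raw hash.
guess_hash_type() {
    h="$1"
    case "$h" in
        *[!0-9A-Fa-f]*|'') echo "not a plain hex digest"; return 1 ;;
    esac
    case "${#h}" in
        32)  echo "MD5 (or MD4/NTLM/MD2)" ;;
        40)  echo "SHA-1 (or SHA-0/RIPEMD-160)" ;;
        56)  echo "SHA-224 / SHA3-224" ;;
        64)  echo "SHA-256 / SHA3-256 (or MD6-256)" ;;
        96)  echo "SHA-384 / SHA3-384" ;;
        128) echo "SHA-512 / SHA3-512" ;;
        *)   echo "unrecognised length ${#h}"; return 1 ;;
    esac
}
```

guess_hash_type is the length table from section 1.6 of the breach data notes turned into a function; for anything more than a first guess, hand the value to Name That Hash or Search That Hash from the resources list, which also recognise prefixed and salted formats this check rejects.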

1.2 How do we use hash data? We use hash data the way we use any other data in OSINT and security. Offensively, we may find a hash value of data associated with our target and it might lead us to other accounts or identity intelligence related to that individual. Defensively, we or our organization or clients likely have breach data online that contains hash data. We need to know how to search for and pivot off that hash data in order to know what our level of exposure is. In either case the steps are going to be similar: Identify passwords and hashes; Reverse search passwords; Reverse search hashes. In both cases this is effective only if they use unique passwords. In any situation where we are successful in locating or dehashing data into plain text passwords, the password choice may be valuable contextual intel. (We of course never use these passwords to break into an account or otherwise commit a computer trespass.)

1.3 Online & Offline Hash Value Search Remember, we cannot "decrypt" hashes, we can only search for known associated plain text strings from lists of hash data collections.

Online
1. spycloud
2. dehashed
3. pastebin

Offline Collection
1. hashes.org archive
2. Hashcat
3. GitHub - Search that Hash
STH install command: pip3 install search-that-hash
STH command: sth -t 'hashvalue' -g
Example: sth -t '4dded7d65b8bb2112eb1a31c5645aa2ddc408832' -g
4. GitHub - ripgrep
command: rg -a -F -i -N hashvalue
ripgrep output to text file: rg -a -F -i -N hashvalue > filename.txt

1.4 Resources & Further Reading
Privacy, Security & OSINT Show - Episode 213 - Hashes 101
Set of tools for encoding/decoding and converting strings of text as well as other functions
Dehash.me - Hash & Dehash
The difference between Encryption, Hashing and Salting (The SSL Store), 2018
Hashcat explained: How this password cracker works (CSO), 2020
Hashing vs. Encryption (JPEG Image, 712 × 1024 pixels) - Scaled (91%), 2018
Hashing vs encryption vs salting: what's the difference? (CyberNews), 2020
Hash Analyzer (TunnelsUP.com)
GitHub - Search That Hash: HashPals - Search That Hash 🔎 Searches Hash APIs to crack your hash quickly. If hash is not found, automatically pipes into HashCat ⚡
Name That Hash (nth.skerritt.blog)


11OSINTLeakData.md

7/23/2021

OSINT Essentials - Leak Acquisition Demo
Updated: 04/04/2021
Short demonstration of tracking down a recent Facebook leak file set, collecting it, and then using ripgrep to examine the data.
Reference: OSINT Team Rocket.Chat community acquisition; IntelTechniques Training - Breach data basics

1.1 Search Scripts - Ripgrep
Installation: https://github.com/BurntSushi/ripgrep/#installation
MacOS - brew install ripgrep
Linux (Ubuntu) - sudo apt-get install ripgrep
Windows - choco install ripgrep
Windows WSL - sudo apt-get install ripgrep
Commands
rg -a -F -i -N searchterm
rg - The command for Ripgrep
-a - The switch to search all data as text
-F - The switch to treat the pattern as a literal string
-i - The switch to ignore case
-N - The switch to exclude the line number
rg -a -F -i -N 'NW 48Th TER' - Terms with spaces need quotes
Phone numbers
rg -a -F -i -N 6185551212
rg -a -F -i -N 618-555-1212
Pattern
General format: rg [OPTIONS] keyword > [OutputFile]
Example: rg -a -F -i -N '[email protected]' > result.txt
rg --help - Long descriptions with detailed explanations


Cleaning Data – The Intelx.io Whois Data Scrape Difficulty: Advanced/Experimental

Michael has put together a set of steps for cleaning up the large Intelx whois data scrape that was referenced on podcast episode 247 (https://soundcloud.com/user-98066669/247-weekly-recap). His guide can be found at https://inteltechniques.com/osintbook9/whois.html which can be accessed using our general training login that is listed on our resource page. (The same login that we use for https://inteltechniques.com/net/) This is an advanced process with a lot of room for error depending on your environment (Mac vs Windows vs Linux, drive location, etc.). It is impossible with this type of process for us to provide steps that work for every environment or skill level, so do expect to do some of your own research and troubleshooting. If you are new to OSINT and working with breach or leak data, I would recommend setting this process/lesson aside until you get comfortable with breach data basics.

The official steps are listed at https://inteltechniques.com/osintbook9/whois.html and those are the steps you should use. Below I am providing some tips and notes based on my own experience troubleshooting some errors I ran into due to my own unique workstation setup. I recommend working through the steps in the link and then if you run into errors, some of my own troubleshooting may apply to your situation, but again, expect to do some of your own research. In my case, I am fairly bad at using a Mac, so I had to do a lot of my own research when I hit errors.

My Notes/Tips:
1. This was mentioned in the podcast but if you are trying to find the scraped files search for "Scrape of all WHOIS info on intelx.io". Google will likely show results for pages on RaidForums. That is a very sketchy site so I would only go there on VPN and in a virtual machine (basically use good op-sec). The password for the archive is "pompompurin".
2. As mentioned in the steps, some commands take a long time to run. Also unpacking the zip file can take a long time to finish. These wait times will be greater if you are on slow or external drives. It is totally normal to have terminal commands take a long time to finish.
3. The process requires significant free drive space. I did not have 615 gigs free on my training Mac so I used an external drive. Michael's instructions are written based on using your Downloads folder to hold the raw starter data. I was using an external SSD called "Extreme SSD" attached to my Mac via USB-C.
   1. I made my own copy of Michael's steps so that I could edit commands before copying and pasting them into my terminal.
   2. After completing phase 2 of the steps, I had to open my newly created _script.sh file in VSCode (or any text editor). I ran a find/replace exchanging /Volumes/Extreme\ SSD for all instances of ~/Downloads and then saved the script.
   3. In phase 4 for any commands with ~/Downloads I replaced that part of the command with /Volumes/Extreme\ SSD.
   4. The backslash in my drive path is because I have a space in the drive name "Extreme SSD" so for the command I had to put a \ in front of that space.
4. On Mac in phase 4 I ran into an issue where the generated txt files all had an extension of .txt? instead of .txt. I believe this to be a Mac issue specifically.
   1. For commands in phase 4 such as: LANG=C cut -d, -f1,3,6,10,11,13,17,18,19,23,25,26,38 *.txt > 01.csv I had to edit them to have a .txt? for example: LANG=C cut -d, -f1,3,6,10,11,13,17,18,19,23,25,26,38 *.txt? > 01.csv
   2. Note: If you have a .txt? situation as I did, it should not affect the commands that resemble mv 01.csv ~/Downloads/intelx_whois_scrape/Whois/01.txt. It only affects the commands resembling the previous step above.
5. In phase 6 I received an error when running the sed commands: error illegal byte sequence
   1. A little research on stackoverflow gave me a solution of adding "LC_CTYPE=C " before each sed command. This seemed to resolve the error. Example: LC_CTYPE=C sed -i '' "s/[\"]//g" Whois.txt
Again, and I cannot emphasize this enough, your own errors and issues may not be the same as mine, but if you are also on a Mac and using an external drive, my findings may be useful. Also, I wanted to show how with these more advanced tactics, we almost always have to do some of our own troubleshooting and research. The more complicated the procedure, the less likely we are to have a one-size-fits-all set of steps. Feel free to post questions and your own findings in the Matrix training channel. Some of your own findings and recommendations may help others.

11OSINTRipgrepCheatSheet.md

7/23/2021

Ripgrep Cheat Sheet v.7.2021 Warning: Be very aware and cautious of your legal standing and agency policy when conducting research on breach and leak data. Contributors: Training members Blackfal0n and Shoewind1997

Ripgrep installation
Ripgrep Installation via Terminal
Ripgrep Github Page: https://github.com/BurntSushi/ripgrep
Linux: sudo snap install ripgrep --classic
Mac: brew install ripgrep
Windows: choco install ripgrep

Ripgrep Common Flags ("Operators")
rg - The command for Ripgrep
-a - The switch to search all data as text
-F - The switch to treat the pattern as a literal string
-i - The switch to ignore case
-N - The switch to exclude the line number
-w - The switch to search for a complete keyword
Basic Examples
rg -a -F -i -N searchterm
rg -aFiN searchterm (this functions the same as above, see below Additional Notes & Tips)
rg -aFiN searchterm filename.txt (search only in a specific file)
rg -z keyword (Search in gzip, bzip2, xz, LZ4, LZMA, Brotli and Zstd compressed files)
rg keyword breaches/ (Search for keyword in the directory named "breaches")
Emails
rg '^[email protected]'
Note: If you know the exact number of * then drop the + and put a . for each *
. is a wildcard for a single character
^ means look at the start of the line
+ means accept any character multiple times in a row
\ means treat the period as an actual period and not a flag
(credit to nemec over on the osint.team)
Addresses
rg -a -F -i -N 'NW 48th St' (Terms with spaces need quotes)
Phone numbers
rg -a -F -i -N 6185551212
rg -a -F -i -N 618-555-1212
rg 618.*555.?1212 - This regex format allows for results where the string includes varying spaces, brackets, and dashes in the phone number.
Advanced Examples
rg -a -F -i -N keyword > filename.txt - Search keyword and store results in a text file
rg -i "word1" | rg -i "word2" - Search 2 words in a line (AND operator) in all files in this folder
rg -i "john|jon" facebook.csv - Search for John or Jon (OR operator) in one file
rg '00,\b' america.csv - Match string ending with '00' and add a comma after the last digit (as that's the format in the FB breach)
rg keyword breach.txt -r keyphrase - Replace any instances of the keyword with "keyphrase" (basically find and replace)
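A separator-tolerant phone number pattern of the kind the cheat sheet's rg 618.*555.?1212 line describes, built from whatever format the number arrives in, as an added example that is not part of the cheat sheet. It goes slightly beyond the page's pattern: the .* in the cheat sheet's version will happily match "618 ... 555" across unrelated digits in a long record, so this generalization bounds each gap to at most three non-digit characters. The sample lines are constructed (fictional 555 numbers), and grep -E is used so the example runs where ripgrep is not installed; the identical pattern works with rg -a -i -N "$pattern" file, since both read POSIX-style extended regex here.

```shell
#!/bin/sh
# Added example, not part of the cheat sheet: build a separator-tolerant
# regex from a phone number and run it with grep -E. ripgrep accepts the
# same pattern (rg -a -i -N "$pattern" file); grep -E is used so the
# example runs anywhere. The bounded [^0-9]{0,3} gaps are tighter than the
# cheat sheet's 618.*555.?1212, which also matches across unrelated digits.

# phone_regex NUMBER: strip everything but digits, drop a leading country
# code "1" from an 11-digit NANP number, then allow up to three non-digit
# characters (space, dash, dot, parentheses) between the 3-3-4 digit groups.
# Assumes a 10-digit North American style number; anything else is rejected.
phone_regex() {
    digits=$(printf '%s' "$1" | tr -cd '0-9')
    case "$digits" in 1??????????) digits=${digits#1} ;; esac
    [ "${#digits}" -eq 10 ] || { echo "expected a 10-digit number" >&2; return 1; }
    a=$(printf '%s' "$digits" | cut -c1-3)
    b=$(printf '%s' "$digits" | cut -c4-6)
    c=$(printf '%s' "$digits" | cut -c7-10)
    printf '%s[^0-9]{0,3}%s[^0-9]{0,3}%s' "$a" "$b" "$c"
}

# Constructed sample "leak" lines: the same number written four ways,
# plus one that shares the prefix but is a different number.
make_sample() {
    cat <<'EOF'
alice,6185551212,alice@example.org
bob,(618) 555-1212,bob@example.org
carol,618.555.1212,carol@example.org
dave,618555 1212 ext 44,dave@example.org
frank,6185559999,frank@example.org
EOF
}

# count_phone_hits NUMBER FILE: number of lines matching NUMBER in any format.
# -i mirrors the cheat sheet's rg -i; it is harmless on an all-digit pattern.
count_phone_hits() {
    grep -E -i -c "$(phone_regex "$1")" "$2"
}
```

Because the gaps are bounded rather than open-ended, "618555 1212" and "(618) 555-1212" both match while a record that merely contains 618 somewhere before a later 555 does not; raise the {0,3} if the data uses longer separators such as " - ".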

Additional on Using Flags
You may condense the flags: rg -aFiN keyword
Set an alias: You can alias that command in this way: alias rr="rg -aFiN" and now you can just type "rr target" from then on. "I have two aliases for rg, one called rr (as above, for static lookups), and one called rrw (w is for wildcards), which aliases "rg -aiN" - this allows you to search with regexp, like so: rrw 'first.?last' That second command would match firstlast, first.last, first-last, first last, etc. Of course you can use other regex there if you want too." If you specify -F as one of your arguments, it will ignore regex. https://www.mankier.com/1/rg
Ripgrep will attempt to allocate an appropriate number of threads to your search, but if you believe you know better you can use the -j argument, e.g.: rg -j 100 searchterm to use 100 threads.

Resources & Articles
https://github.com/BurntSushi/ripgrep#installation
https://cheatography.com/njones/cheat-sheets/ripgrep/ | ripgrep Cheat Sheet by njones - Download free from Cheatography - Cheatography.com: Cheat Sheets For Every Occasion
https://www.philipdaniels.com/blog/2019/ripgrep-cheatsheet/ | Ripgrep Cheatsheet • Phil's Blog
https://jdhao.github.io/2020/02/16/ripgrep-cheat-sheet/ | Ripgrep Searching CheatSheet - jdhao's blog
https://devpoga.org/post/2019-09-20_ripgrep_cheat_sheet/ | Ripgrep Cheat Sheet - Dev.Poga
https://unix.stackexchange.com/questions/453183/ripgrep-print-only-filenames-matching-pattern | search - ripgrep: print only filenames matching pattern - Unix & Linux Stack Exchange
https://github.com/BurntSushi/ripgrep/blob/master/FAQ.md#does-ripgrep-have-support-for-shell-auto-completion | ripgrep/FAQ.md at master · BurntSushi/ripgrep
https://github.com/BurntSushi/ripgrep/blob/master/GUIDE.md | ripgrep/GUIDE.md at master · BurntSushi/ripgrep
https://gigazine.net/gsc_news/en/20201204-ripgrep-all/ | 'Ripgrep-all' that allows you to search for character strings in image files and databases like 'grep' - GIGAZINE
https://webinstall.dev/rg/ | Ripgrep | webinstall.dev
https://www.mankier.com/1/rg


12OSINTAndroidNox.md

7/23/2021

When talking about Nox, we always mention how it is a "dirty" application. Upside: runs just about anything. Downside: pushes ads, clickbait, etc. A member shared that now they have had a flat-out supply chain interception and recent updates may have included malware. A good rundown is this article, including what to look for to see if you were affected: Operation NightScout: Supply chain attack targets online gaming in Asia, 2021. I checked a couple of my installations and didn't have any signs of the malware, but I likely just hadn't updated in the window where the malware was being pushed out. I will probably cut Nox completely out of my workflow, even when isolating it with VMs and so on. We will be dropping an updated lesson building an Android VM in Vbox without using Genymotion or Nox, as Michael walks through in the new book. More hassle but much, much cleaner. If you have used Nox on any host systems, you should check the indicators in that article and consider running a Malwarebytes scan.


12OSINTVirtualMachinesBuild.md

7/23/2021

OSINT Essentials - Building Your Custom OSINT VM v.5.2021
May 10th, 2021 - The text file with the steps for the VM build has been updated to the most recent version.
This is a walk-through of the updated VM build steps for September 2020. Download the text file below. This is the new condensed version of the steps which Michael built just for you training members. The total build time is only 20-30 minutes, but the video is much longer as it is geared toward new VM users so I do quite a bit of explaining as I go. I also recorded in real time so you may want to use the slider to skip past the sections where I am just waiting for installations/downloads to complete. You can also play it back at double time using the settings on the lesson player. I purposefully made this version real time so that first timers could build alongside the lesson and mimic my actions if they choose to. This version also automatically downloads the custom VM files so you do not need to use the files at https://inteltechniques.com/osintbook/. We intend to keep improving, streamlining, and growing out this base build over the next year. We will incorporate your feedback and suggestions as we move forward. Once you get the base VM set up feel free to experiment and add your own customization. Please remember that if you deviate from the steps above during the initial installation we may not be able to help you troubleshoot any issues. This lesson will be updated/replaced with each major update to our build process. Half the point of it is to start building up our Linux skills so roll up your sleeves and have fun with it.
What you will need:
The text file (or download below): https://inteltechniques.com/osintbook/linux.20.training.txt
Ubuntu iso file: https://releases.ubuntu.com/20.04/
Virtualbox & Extension Pack: https://virtualbox.org/wiki/Downloads


12OSINTVMExpress.md

7/23/2021

Custom OSINT Virtual Machine - Two Line Quick Build v.6.2021 For those new to building custom OSINT virtual machines, we recommend that you first build one by hand. This helps you to learn the steps and understand what is going on under the hood. You will want to use the steps at https://inteltechniques.com/osintbook8/linux.txt (login listed below) and watch the video just above this lesson in Section 12: Virtual Machines. For those experienced with manual builds, we can use the two commands below to automate the customization of our Ubuntu VM.

Two Liner: wget --user osint9 --password book143wt https://inteltechniques.com/osintbook9/linux.sh && chmod +x linux.sh && ./linux.sh

Update & Upgrade Commands: sudo apt-get update sudo apt-get upgrade

Resource Links:
https://www.virtualbox.org/wiki/Downloads | Downloads – Oracle VM VirtualBox
https://ubuntu.com/download/desktop/thank-you?version=20.04.2.0&architecture=amd64 | Thank you for downloading Ubuntu Desktop | Ubuntu
https://inteltechniques.com/osintbook8/ | IntelTechniques Online Resources
https://inteltechniques.com/osintbook8/linux.txt | inteltechniques.com/osintbook8/linux.txt

General Steps (this is a rough outline, please see the video for specifics):
1. Update or install VirtualBox
2. Download Ubuntu Desktop 20.04
3. In VirtualBox create a new VM using the wizard
4. Click on settings and make the recommended changes from the video lesson or from the linux.txt available at https://inteltechniques.com/osintbook8/linux.txt (your login is "inteltechniques" your password is "training2021!" DO NOT SHARE THIS LOGIN)
5. Start the VM and walk through the installation wizard as demonstrated in the video
6. Once your VM is up click on Device in the VirtualBox menu and select insert the guest CD, then run it at the prompt; this will update drivers for your VM
7. Open a command prompt and run: wget --user osint9 --password book143wt https://inteltechniques.com/osintbook9/linux.sh && chmod +x linux.sh && ./linux.sh
8. Restart when prompted
9. Adjust your display if need be, using the View menu on VirtualBox
10. Select the update scripts shortcut from the left side of the bottom shortcut bar, let that finish updating and then shutdown.
11. (optional) Save a snapshot
12. Start the VM and update Ubuntu either using the terminal or using the update application.
13. (optional) If everything looks good, save another snapshot and/or a clone now that you have a clean, unused, and fully patched VM
14. (optional) Hang on to a clean master version from which you can make quick clones


12OSINTVMExpress.md

1/14/2022

Custom OSINT Virtual Machine - Two Line Quick Build v.1.2022 For those new to building custom OSINT virtual machines, we recommend that you first build one by hand. This helps you to learn the steps and understand what is going on under the hood. You will want to use the steps at https://inteltechniques.com/osintbook9/linux.txt (login listed below) and watch the video just above this lesson in Section 12: Virtual Machines. For those experienced with manual builds, we can use the two commands below to automate the customization of our Ubuntu VM.

Two Liner:
wget --user inteltechniques --password training2021! https://inteltechniques.com/osintbook9/linux.sh
chmod +x linux.sh && ./linux.sh

Update & Upgrade Commands: sudo apt-get update sudo apt-get upgrade

Resource Links:
https://www.virtualbox.org/wiki/Downloads | Downloads – Oracle VM VirtualBox
https://ubuntu.com/download/desktop | Thank you for downloading Ubuntu Desktop | Ubuntu
https://inteltechniques.com/osintbook9/ | IntelTechniques Online Resources
https://inteltechniques.com/osintbook9/linux.txt | inteltechniques.com/osintbook9/linux.txt

General Steps (this is a rough outline, please see the video for specifics):
1. Update or install VirtualBox
2. Download Ubuntu Desktop 20.04
3. In VirtualBox create a new VM using the wizard
4. Click on settings and make the recommended changes from the video lesson or from the linux.txt available at https://inteltechniques.com/osintbook9/linux.txt (your login is "inteltechniques" your password is "training2021!" DO NOT SHARE THIS LOGIN)
5. Start the VM and walk through the installation wizard as demonstrated in the video
6. Once your VM is up click on Device in the VirtualBox menu and select insert the guest CD, then run it at the prompt; this will update drivers for your VM
7. Open a command prompt and run the two lines separately and in order:
wget --user inteltechniques --password training2021! https://inteltechniques.com/osintbook9/linux.sh
chmod +x linux.sh && ./linux.sh
8. Restart when prompted
9. Adjust your display if need be, using the View menu on VirtualBox
10. Select the update scripts shortcut from the left side of the bottom shortcut bar, let that finish updating and then shutdown.
11. (optional) Save a snapshot
12. Start the VM and update Ubuntu either using the terminal or using the update application.
13. (optional) If everything looks good, save another snapshot and/or a clone now that you have a clean, unused, and fully patched VM
14. (optional) Hang on to a clean master version from which you can make quick clones


OSINT - WSL 2 and Windows Terminal v.12.2021
December 2021 Update and WSL2 warning: A member was kind enough to send me some info on the Hyper-V conflicts with VirtualBox and VMware which can result from using WSL2. I've been testing this all morning and have replicated the conflict several times and the fixes are unreliable at best. For now I would recommend that heavy VM users do not use WSL2 or other Hyper-V reliant applications on their VM host machine. It is not worth the potential problems. I will continue to test and research. If you have a rig that you are not using Vbox or VMware on, you should be fine. At this juncture that is my recommendation: only use WSL2 on a box where you are OK only using Hyper-V for virtualization. Oracle purports some support for Hyper-V but so far in my tests it is not solving the issues. This warning will also be added to the lesson. If you installed WSL2 and are now having trouble with VirtualBox, here are the steps that worked for me to disable Hyper-V and get VirtualBox working again.
Enable/disable the following Windows features by going into Programs and Features (Win + R >> appwiz.cpl):
Disable Hyper-V (if it is available on your machine)
Enable "Virtual Machine Platform"
Enable "Windows Hypervisor Platform"
Disable "Windows Sandbox" (if available on your machine)
Open PowerShell or command prompt as admin and then run the following command: bcdedit /set hypervisorlaunchtype off

Original Lesson Instructions
Windows Terminal
https://github.com/microsoft/terminal
Installation
There are a few ways to install Windows Terminal, but the easiest are to either use the Windows Store or Chocolatey. More options can be found on the GitHub page linked at the top of this section.
Option #1: Microsoft Store
1. Type store in the Windows 10 search bar and then search for Terminal, OR use your browser to search the Windows Store for Terminal: https://www.microsoft.com/en-us/search?q=terminal
2. Once you've located Terminal in the Windows Store (either the Windows Store application or in a browser) select install
3. Reboot Windows
Option #2: Use Chocolatey
1. If you do not already have Chocolatey installed, you can review our lesson on that topic or follow the steps at https://chocolatey.org/install.
2. Open a CMD window as administrator (type cmd in the Windows search bar, right-click on CMD and choose to open as administrator)
3. Type in the following command and hit enter: choco install microsoft-windows-terminal
4. Reboot Windows (rebooting may not be necessary but it is a best practice)

WSL2

WSL2 is the current version of Windows Subsystem for Linux. Version 2 ships a full Linux kernel, which allows it to run most of our terminal-based OSINT scripts. In addition to installing WSL you will need a Linux distro to use with it. Ubuntu installation steps are provided following the WSL2 steps.

WSL system requirements per Microsoft: Windows 10 May 2020 (2004), Windows 10 May 2019 (1903), or Windows 10 November 2019 (1909) or later, and a computer with Hyper-V virtualization support.

Installation:

1. Right-click on Windows Terminal or PowerShell and open as administrator.
2. Check to see if you have WSL installed and if so which version (1 or 2): `wsl -l -v`
3. Install WSL2 by typing the following in a PowerShell window and hitting enter: `wsl --install`
4. Restart your PC.

Install Ubuntu

Option #1: Installing from the Microsoft Store.

1. Open the Microsoft Store by typing "store" in the Windows search bar or by finding it in your start menu.
2. Once the Microsoft Store opens, search for Ubuntu. Select Ubuntu 20.04 LTS and click Install. You may also find it via your browser: https://www.microsoft.com/en-us/search?q=ubuntu

Option #2: From the terminal:

1. Open a CMD window as admin (right-click, open as administrator).
2. Enter the following command and hit enter; this will list the available distros: `wsl --list --online`
3. The format for installing a specific distro is `wsl --install -d DISTRO-NAME`, so for Ubuntu we want to type in: `wsl --install -d Ubuntu`
4. Reboot your Windows 10 machine.
5. When you boot back up a CMD window should automatically open, but if it doesn't, open Windows Terminal as administrator, then click the drop-down menu and select Ubuntu. You can also open Ubuntu by searching for "Ubuntu" in your Windows start menu.
6. You should now be at the Ubuntu terminal and you'll want to update/upgrade using this command: `sudo apt update && sudo apt upgrade -y`

Removing or resetting your current WSL installation

If you want a clean slate or you decide that WSL2 is not useful, you can reset or uninstall the various pieces of WSL2 and/or Ubuntu.

Option #1: Use the Windows 10 Settings menu to remove WSL2 and/or Ubuntu. This is straightforward and handled just as you would remove any Windows program or component. If you need a walkthrough, you can find good ones at the sites below. The first covers the Windows 10 steps to remove WSL2:

- https://pureinfotech.com/uninstall-wsl2-windows-10/
- Reset Ubuntu on WSL2 for a clean start: https://pureinfotech.com/reset-wsl2-linux-distro-windows-10/

Option #2: Remove Ubuntu using the command line.

1. Open PowerShell as administrator. If you open Windows Terminal as admin, PowerShell will be an option in the tab drop-down menu.
2. Type in the following command and hit enter: `wslconfig /unregister Ubuntu-20.04`
3. Reboot
4. Now you can reinstall from scratch if you want a fresh installation.

WSL Resources and Guides (OneTab Format)

https://www.microsoft.com/en-us/search?q=terminal | microsoft.com/en-us/search?q=terminal
https://chocolatey.org/install | Chocolatey Software | Installing Chocolatey
https://pureinfotech.com/check-wsl-version-windows-10/ | How to check WSL version on Windows 10 • Pureinfotech
https://pureinfotech.com/reset-wsl2-linux-distro-windows-10/ | How to reset WSL2 Linux distro on Windows 10 • Pureinfotech
https://pureinfotech.com/run-linux-gui-apps-wsl-windows-10/ | How to install Linux GUI apps on Windows 10 • Pureinfotech
https://pureinfotech.com/install-windows-subsystem-linux-2-windows-10/ | How to install WSL2 (Windows Subsystem for Linux 2) on Windows 10 • Pureinfotech
https://petri.com/how-to-uninstall-and-reset-windows-subsystem-for-linux-distributions | How to Uninstall and Reset Windows Subsystem for Linux Distributions | Petri IT Knowledgebase
https://medium.com/swlh/how-to-remove-a-package-installed-from-source-code-on-ubuntu-wsl2-dce36cc8086a | How to Remove Software Installed From Source Code in WSL2 | by David Littlefield | The Startup | Medium
https://www.omgubuntu.co.uk/how-to-install-wsl2-on-windows-10 | How to Install WSL 2 on Windows 10 (Updated) - OMG! Ubuntu!
https://ubuntu.com/blog/ubuntu-on-wsl-2-is-generally-available | Ubuntu on WSL 2 Is Generally Available | Ubuntu
https://petri.com/how-to-install-ubuntu-in-windows-10-with-wsl-2 | How to Install Ubuntu in Windows 10 with WSL 2 | Petri IT Knowledgebase
https://superuser.com/questions/1663868/how-to-uninstall-ubuntu-20-04-from-wsl-windows-10 | linux - How to Uninstall Ubuntu 20.04 from WSL Windows 10? - Super User
https://www.youtube.com/watch?v=uR-vkx3d fA | How to Reset WSL 2 Ubuntu | Reset WSL 2 Installed Distro on Windows 10 | Reset Ubuntu on Windows - YouTube
https://askubuntu.com/questions/761360/how-do-i-reset-my-installation-of-ubuntu-on-windows | How do I reset my installation of Ubuntu on Windows? - Ask Ubuntu

## Virtual Machines – Windows VM

We use Linux virtual machines quite a bit in the training and they have become a staple in OSINT work. There are scenarios where you may need the additional option of spinning up a Windows virtual machine, for example if you need access to an application that only runs on Windows but you are on a Linux or Mac host (reminder that the host is your hardware computer and the guest is your virtual machine). One scenario that comes to mind is using a Windows virtual machine to set up burner Microsoft accounts so that you can run OneNote, Teams, OneDrive, etc. as we did in a recent video covering collaboration tools.

### Windows VM Using the MS Edge ISO or OVA Files

There are many different ways to set up Windows virtual machines, but in this module we will cover one of the easiest. We will use a free test version of Windows, downloaded from Microsoft, and our hypervisor of choice will be VirtualBox. You may use VMware, but understand that your steps may differ slightly. If you use any of the free test ISOs from Microsoft, the licenses expire after 90 days. Our steps are specific to VirtualBox and therefore we will be downloading an OVA file, but you could install the Windows VM from an ISO file if that is what you have. In that scenario you will mount the ISO file as an optical disc just as we do when we build our Linux virtual machines.

**Windows VM Build Steps:**

- Download the .ova file from https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/ (if this page is down, refer to the additional ISO page links in the Guides & Resources list at the bottom of this document). Understanding hypervisor file types: http://sabareeswar.blogspot.com/2014/04/difference-between-ova-ovf-and-iso.html
- Select "MSEdge on Win10" in the top box.
- Select "VirtualBox" as the Platform in the second box and click "Download Zip".
- Unzip the downloaded file and place it in a directory where you can find it easily. I have a directory on most of my workstations where I store ISO files and other VM resources.

- In VirtualBox, click "File" on the top menu and then "Import Appliance".

- Choose the "ova" file which you extracted from the zip file and click "Next".

- Make any desired modifications as explained previously and click "Import".

- In the VirtualBox menu, click "Settings" then "Storage".

- Click the first "+" to add an optical drive, click "Leave empty", and click "OK". Adjust RAM, CPU, video memory, etc. just as we would with our Linux VMs.

- (Optional) Under General -> Advanced change the clipboard and drag’n drop to bidirectional

- Under Display change the video memory to 128

- (Optional) Before launching, create a snapshot of the VM if you like
- Double-click the new Windows 10 machine or click on "Start" to launch the VM.
- Enter the password of "Passw0rd!" when prompted.

- Once the virtual machine loads, on the VirtualBox menu at the top of the window, click "Devices" and "Insert Guest Additions CD".

- Using File Explorer, double-click the mounted CD and choose "Yes".
- Click "Next", "Next", and "Install" to configure the default options.

- Reboot when prompted

- Now you can customize your VM however you see fit. You can refer to our Windows customization resources for scripts etc. Once you get it configured to suit your preference, shut down the VM and save a new snapshot. (Windows Customization: https://www.inteltechniques.net/courses/take/open-source-intelligence/lessons/21215855-windows-setup) Understand that some customization steps may not function properly in the virtual environment, but most should.

- I typically at least clean up the desktop and taskbar, add shortcuts for PowerShell/CMD, and install VSCode and any other tools I might need depending on the use case for the VM.
- Shut down the VM and create a snapshot in VirtualBox. The free Windows ISOs expire after 90 days, so the snapshot will allow you to reset the VM back to the beginning of the trial.
- If you want to use OneNote, Teams, OneDrive, or other MS applications, I had luck making burner accounts with SimpleLogin alias emails and Telnyx phone numbers.

### Guides & Resources

https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/ | MSEdge Win10 VM
https://www.microsoft.com/en-us/evalcenter/evaluate-windows-10-enterprise | More Windows VM options
https://consogame.com/software/windows/microsoft-windows-10-professional?ref=5 | cheap Windows 10 license
https://uupdump.net/?dark=1 | Windows preview ISOs
https://developer.microsoft.com/en-us/windows/downloads/virtual-machines/ | Official MS VMs
https://www.partitionwizard.com/partitionmagic/use-windows-10-as-virtual-machine.html | use-windows-10-as-virtual-machine.html
https://www.extremetech.com/computing/198427-how-to-install-windows-10-in-a-virtual-machine | Building a Windows 10 VM
https://www.youtube.com/watch?v=JT8EXoobjSc | Setting up Windows 10 in VirtualBox
https://petri.com/how-to-install-windows-10-in-a-virtual-machine | Setting up Windows 10 in Hyper-V
https://www.youtube.com/watch?v=SNHVuY3JJ94 | Windows 10 VM on UnRaid
https://github.com/felixrieseberg/windows95 | This is not super useful, but if you want to run Windows 95 for some reason

13OSINTBatchFiles.md

7/23/2021

OSINT Essentials - Batch Files (v.9.2020)

Using Batch Files for OSINT

Batch files are small scripts that can be useful for providing some light automation for frequently used terminal commands. In our use case, it applies well to our use of tools such as youtube-dl and ffmpeg, saving us from having to type in the operators manually every time we want to rip a video. The downside is we lose out on the granular control and knowledge gained from the repetition of running those tasks manually. This is not a replacement for learning how to use those tools from a command line, but rather an additional tool that can be used for efficiency. Batch files are specific to Windows, but Mac users already have a better tool in bash. We will have future lessons on setting up similar convenience scripts on Mac and of course Linux. We are simply filling in some gaps for the Windows-specific users who miss out on some of the power of a Unix-based OS. In the long run we will be using bash far more than CMD or PowerShell in Windows, but it is all about showing options.

1.1 Batch File Basics

This is not a computer science course, so we'll stick to the basic need-to-know aspects of applying batch files to our workflow.

- Batch files are recognizable by the file extension .bat
- "Batch" references the typical use case of running a batch of commands
- It is an efficient, simple way to run a small list of commands
- Depending on the type of commands included, you may need to run the file as Administrator

CMD vs PowerShell: Batch scripts are typically run via the CMD terminal, but they can also be run in PowerShell. For most simple scripts CMD is fine. PowerShell can do everything the CMD terminal can, but the reverse is not true. The downside of PowerShell is that it is a little more complicated and some commands are different.

1.2 Creating Your First Batch File

Tools: any text editor (e.g., Notepad++, Atom, VSCode, etc.)

Called scripts: our script will make calls to the youtube-dl and ffmpeg executables, so you will want to have those downloaded to the directory you are running your script from if you wish to replicate our steps (https://youtube-dl.org/ and https://ffmpeg.org/download.html). Place the .exe files from each package in your investigative directory where you plan to run the script.

Sample commands:

```
F:\Drive>youtube-dl URL
F:\Drive>ffmpeg -i https://URL -c copy calli_c.mp4
```

Basic Commands:

- ECHO - Turns on the on-screen text display for executed commands
- @ECHO OFF - Turns off the on-screen text display for executed commands
- START - Runs a file with its default associated application
- REM - Indicates a comment line
- MKDIR - Creates a directory
- RMDIR - Deletes a directory
- DEL - Deletes selected file(s)
- COPY - Copies selected file(s)
- TITLE - Sets the title of the CMD window

References: Creating a batch file: How to write your own .bat file (IONOS); Batch Script Files (tutorialspoint)

Sample .bat file:

```bat
@ECHO OFF
SET /P URL="[Enter video URL] "
ECHO.
REM The URL is quoted because YouTube links often contain "&", which CMD would otherwise treat as a command separator
youtube-dl "%URL%"
ECHO.
PAUSE
EXIT
```

Test YouTube video URL: https://www.youtube.com/watch?v=UZCO5k1Nu70

Adding Operators:

```bat
@ECHO OFF
SET /P URL="[Enter video URL] "
ECHO.
REM %% is how a literal % is written inside a .bat file; youtube-dl sees %(title)s.%(ext)s
youtube-dl -o Downloads/%%(title)s.%%(ext)s -i --ignore-config --hls-prefer-native "%URL%"
ECHO.
PAUSE
EXIT
```

1.3 Advanced youtube-dl Batch File

This is an example of a more involved batch file (reference: GitHub youtube-dl batch):

```bat
@ECHO OFF
ECHO ----------------------------------------------------------------------------
SET /P URL="[Enter video URL] "
ECHO ----------------------------------------------------------------------------
goto formatList

:formatList
ECHO.
ECHO ----------------------------------------------------------------------------
REM List the formats available for this URL so the user can pick format codes
youtube-dl -F "%URL%"
ECHO ----------------------------------------------------------------------------
goto selection

:selection
ECHO.
ECHO ----------------------------------------------------------------------------
ECHO 1) Video + Audio
ECHO 2) Single format (Audio only / Video only)
ECHO.
SET /P option="Select option: "
REM Both sides are quoted so an empty answer does not produce a syntax error
if "%option%" == "1" (goto download)
if "%option%" == "2" (goto downloadSingle)
ECHO.
ECHO Unknown value
ECHO ----------------------------------------------------------------------------
goto selection

:download
ECHO ----------------------------------------------------------------------------
ECHO.
ECHO ----------------------------------------------------------------------------
SET /P video="Select video format: "
SET /P audio="Select audio format: "
ECHO.
youtube-dl -o Downloads/%%(title)s.%%(ext)s -f %video%+%audio% -i --ignore-config --hls-prefer-native "%URL%"
ECHO ----------------------------------------------------------------------------
ECHO.
PAUSE
EXIT

:downloadSingle
ECHO ----------------------------------------------------------------------------
ECHO.
ECHO ----------------------------------------------------------------------------
SET /P format="Select format: "
ECHO.
youtube-dl -o Downloads/%%(title)s.%%(ext)s -f %format% -i --ignore-config --hls-prefer-native "%URL%"
ECHO ----------------------------------------------------------------------------
ECHO.
PAUSE
EXIT
```

1.4 Ffmpeg Batch Files

Ffmpeg commands can be quite lengthy, so this is the perfect application of a batch file (additional reference .bat files: GitHub - BAT_FFMPEG).

Sample command:

```
ffmpeg -i "http://example.com/video_url.m3u8" -c copy "output.mp4"
```

Sample batch file:

```bat
@echo off
set /p "address=Video Address:"
set /p "filename=File name:"
ffmpeg -i "%address%" -c copy "%filename%.mp4"
PAUSE
```

Notes:

- You must end your output filename with .mp4 or another supported format
- Use your Stream Detector extension in Firefox or your dev panel to find the stream URL

More examples: https://l0lock.github.io/FFmpeg-bat-collection/
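The lesson promises bash equivalents of these convenience scripts for Mac and Linux users. The following is an added example, written for this notebook and not taken from the lesson or from the referenced GitHub collections, that does the same prompt-then-download job as the youtube-dl and ffmpeg batch files above in POSIX sh. The one thing it adds beyond the batch versions is input checking: the URL must be http(s) and must contain only URL characters before it is passed, always quoted, to the downloader, so a pasted line that starts with `-` or carries shell metacharacters is rejected instead of being interpreted as options or commands. The `--restrict-filenames` flag and the `video`/`stream` mode names are choices made for this example.

```sh
#!/bin/sh
# Added example (not the lesson's code): sh equivalent of the youtube-dl / ffmpeg
# prompt-and-download batch files, with URL validation and quoted arguments.

# is_safe_url URL -> 0 if URL is http(s) and made only of URL characters, else 1.
# Whitespace, quotes, backticks and anything else outside the set are rejected.
is_safe_url() {
    printf '%s\n' "$1" | grep -Eq '^https?://[A-Za-z0-9._~:/?#@!$&()*+,;=%-]+$'
}

# safe_name NAME -> 0 if NAME is a plain file stem: no path separators, no
# leading dash (so it cannot be read as an option), no shell-unfriendly characters.
safe_name() {
    case "$1" in
        ''|-*|*/*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# download_cmd KIND URL [NAME] -> prints the exact command line that run_download
# would execute, with every user-supplied value single-quoted. KIND is "video"
# (youtube-dl) or "stream" (ffmpeg, NAME is the output stem). Returns 1 and prints
# nothing when any input fails validation.
download_cmd() {
    is_safe_url "$2" || return 1
    case "$1" in
        video)
            # %% in the printf format becomes a single % in the output
            printf "youtube-dl -o 'Downloads/%%(title)s.%%(ext)s' --restrict-filenames -i --ignore-config --hls-prefer-native '%s'\n" "$2" ;;
        stream)
            safe_name "$3" || return 1
            printf "ffmpeg -i '%s' -c copy '%s.mp4'\n" "$2" "$3" ;;
        *) return 1 ;;
    esac
}

# run_download KIND URL [NAME] -> validates via download_cmd, shows the command,
# then runs the downloader directly (no eval) with the same quoted arguments.
run_download() {
    cmd=$(download_cmd "$1" "$2" "$3") || { echo "rejected input, nothing run" >&2; return 1; }
    printf 'Running: %s\n' "$cmd"
    case "$1" in
        video)  youtube-dl -o 'Downloads/%(title)s.%(ext)s' --restrict-filenames -i --ignore-config --hls-prefer-native "$2" ;;
        stream) ffmpeg -i "$2" -c copy "$3.mp4" ;;
    esac
}

# Interactive front end, mirroring the SET /P prompts of the batch files.
main() {
    printf 'Download kind (video/stream): '; read -r kind
    printf 'URL: '; read -r url
    name=
    if [ "$kind" = stream ]; then
        printf 'Output file name (no extension): '; read -r name
    fi
    run_download "$kind" "$url" "$name"
}

# Prompt only when invoked as "./ydl.sh run", so the functions can be sourced
# or tested without blocking on stdin.
if [ "${1:-}" = run ]; then main; fi
```

Save it as, say, `ydl.sh`, make it executable, and call `./ydl.sh run` from the directory that holds your `Downloads` folder. `download_cmd` is deliberately separate from `run_download` so the command can be reviewed (or logged to the case notes) before anything is fetched.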

1.5 One-Tab Bookmarks

https://www.tutorialspoint.com/batch_script/batch_script_files.htm | Batch File Tutorials
https://www.ionos.com/digitalguide/server/tools/creating-a-batch-file/ | Creating a batch file and batch processing of CMD commands - IONOS
https://www.makeuseof.com/tag/use-powershell-instead-batch/ | 5 Reasons You Should Use PowerShell Instead of Batch Scripting
https://superuser.com/questions/1487962/youtube-dl-record-live-stream-segmentation | streaming - youtube-dl record live stream segmentation - Super User
https://pypi.org/project/pylivestream/ | pylivestream · PyPI
https://www.codementor.io/@chuksdurugo/download-and-combine-media-segments-of-a-hls-stream-locally-using-ffmpeg-150zo6t775 | Download and Combine Media Segments of a HLS Stream Locally Using FFMpeg | Codementor
https://www.reddit.com/r/youtubedl/comments/i7874w/how_do_i_download_part_of_an_infinite_livestream/ | How do I download part of an infinite livestream on YouTube? : youtubedl
https://windowsloop.com/download-m3u8-video-with-ffmpeg/ | How to Download M3U8, TS, & HLS Streaming Videos with FFmpeg
https://hands-on.cloud/the-most-useful-ffmpeg-commands-for-audio-and-video-conversion/ | The most useful FFmpeg commands for audio and video conversion - Hands-On-Cloud
https://addons.mozilla.org/en-US/firefox/addon/hls-stream-detector/ | The Stream Detector – Get this Extension for 🦊 Firefox (en-US)
https://www.reddit.com/r/youtubedl/comments/gfcqrs/stream_detector_easily_detect_m3u8_url_etc/ | Stream Detector (Easily detect .m3u8 url etc.) : youtubedl
https://github.com/search?q=stream+detector | Search · stream detector · GitHub
https://github.com/lzpfmh/M3U8-Downloader | GitHub - lzpfmh/M3U8-Downloader: A tiny program to download m3u8 by ffmpeg.
https://github.com/rowrawer/stream-detector | GitHub - rowrawer/stream-detector: A Firefox addon written in JavaScript which provides an easy way to keep track of URLs to playlists and subtitles used by Apple HLS, Adobe HDS, MPEG-DASH, and Microsoft Smooth Streaming streams.
https://l0lock.github.io/FFmpeg-bat-collection/ | ffmpeg Bat Collection | FFmpeg BAT Collection by -L0Lock
https://stackoverflow.com/questions/60311360/how-can-i-batch-sequentially-download-m3u8-files-using-ffmpeg | macos - How can I batch/sequentially download m3u8 files using ffmpeg? - Stack Overflow
https://stackoverflow.com/questions/44411350/how-to-create-batch-file-for-ffmpeg-to-download-stream-videos | How to create batch file for FFMpeg to download stream videos - Stack Overflow
https://www.youtube.com/channel/UCFwMITSkc1Fms6PoJoh1OUQ | LabPadre - YouTube
https://superuser.com/questions/912730/ffmpeg-batch-convert-make-same-filename | conversion - ffmpeg | batch convert | make same filename - Super User
https://www.windowscentral.com/how-create-and-run-batch-file-windows-10 | How to create and run a batch file on Windows 10 | Windows Central
https://stackoverflow.com/questions/39620373/mac-equivalent-bat-file-to-perform-terminal-functions | macos - Mac equivalent .bat file to perform terminal functions - Stack Overflow
https://www.alvinpoh.com/how-to-make-and-run-batch-files-in-terminal-in-mac-osx/ | How To Make and Run Batch Files In Terminal In Mac OSX - Alvin Poh
https://ffmpeg.org/download.html
https://github.com/Schytheron/youtube-dl-batch | GitHub - Schytheron/youtube-dl-batch: Simple batch files for simplifying basic usage of https://github.com/rg3/youtube-dl Windows .exe releases
https://github.com/KnightDanila/BAT_FFMPEG/blob/master/Video-ToMP4_x264.bat | BAT_FFMPEG/Video-ToMP4_x264.bat at master · KnightDanila/BAT_FFMPEG · GitHub
https://ostechnix.com/youtube-dl-tutorial-with-examples-for-beginners/ | Youtube-dl commands

13OSINTDirectoryScript.md

7/23/2021

OSINT Essentials - Bash Script

In our PowerShell lesson I made a very simple script to build an investigative directory structure with a simple text template. One of my live course students took the initiative to write a Bash script that does the same function, only better. This script is below and the video walks through using it on WSL. You should be able to use it on Mac and Linux as well, or any platform that supports Bash. Thanks to Niftycello for contributing the script, and everyone feel free to take it, customize it, and make your own versions. This is all working towards building out a process and some scripts for a full investigative drive. My intention is that this will be a team effort, so I am welcoming all contributions in order to make the end product something exceptional.

```bash
#!/bin/bash
# Prompt for and get the case name
echo "Enter Case Name"
read -r cName
echo "Where would you like to construct your case?"
read -r makeHere

# Array of folders to create under Case-<name>
folderArray=(P Search Email Username Name Twitter Instagram Facebook Communities Mobile Locations Breaches Business Currencies Documents Images IP LinkedIn Pastes TelePhone Videos)

# Creates the file structure from the array, relative to the chosen location
# (quoted so paths with spaces work; exit if the location does not exist)
cd "$makeHere" || exit 1
for f in "${folderArray[@]}"; do
    mkdir -p "Case-$cName/$f"
done

# Creates SimpleProfile.txt
echo ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>> Target Profile >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Name :
Date of Birth :
Age :
============================= Emails =============================

============================= Usernames =============================

============================= Passwords =============================

============================= Criminal Records =============================

============================= Phone Numbers =============================

============================= Addresses =============================

============================= Family =============================

============================= Vehicles =============================

============================= Assets =============================

============================= Professional History =============================

============================= Education =============================

============================= Social Medias =============================

============================= Licenses =============================" >> "Case-$cName/SimpleProfile.txt"

echo "File structure constructed and SimpleProfile.txt created"
```

13OSINTGoogleDocsScript.md

7/23/2021

OSINT Essentials - Google Docs Script

Source/Author: https://github.com/Malfrats/xeuledoc

Michael's Blog Post: https://inteltechniques.com/blog/2021/03/21/investigating-google-doc-owners/

WSL Installation Steps

1. git clone https://github.com/Malfrats/xeuledoc.git
2. cd xeuledoc/
3. sudo python3 setup.py install
4. enter password (osint on our default VM)

Linux VM Installation

```
sudo -H python3 -m pip install xeuledoc
```

Test Docs:

- https://docs.google.com/document/d/1BfLPJpRtyq4RFtHJoNpvWQjmGnyVkfE2HYoICKOGguA
- https://docs.google.com/spreadsheets/d/15dD0qSCDYDwVtWKC9zfZk1j8RzmvZARXTu9hrM34DnU

13OSINTPowerShellExample.md

7/23/2021

OSINT Essentials - OSINT PowerShell Example (v1.2021)

Building a Simple PowerShell Script

Linux is my preferred environment for playing with scripts, but we can also leverage PowerShell in Windows when a Linux option is not available. This is a very simple example of a script that I wrote to automate a repetitive task: building a set of nested investigative folders on my case drives.

1.1 Running PowerShell

PowerShell is baked into Windows and I will give you two ways to fire it up.

1. Click on start or your locator box and start typing "power". From the options that pop up choose Windows PowerShell and a blue terminal will open. You may want to run it as an administrator for certain tasks, but it will not be required for this lesson.

2. If you have already gone through the VSCode lesson and have VSCode installed start it up. Once it is running select terminal from the menu and then PowerShell. A terminal will open on the bottom half of your screen.

1.2 Running the Code

Here are the steps to run the sample code. They are the same for those of you in VSCode.

1. Download SimpleProfile.txt from the lesson page and place it in your investigative directory. In my example this is my F drive, which is a flash drive.
2. Type the drive letter of your investigative drive followed by a colon and hit enter: `F:`
3. Type `ls` and hit enter. This will show the contents of that drive and you should see your SimpleProfile.txt file.
4. Copy the text from section 1.3 below and paste it into a text editor. This can be VSCode, Notepad++, or your editor of choice. You can highlight it and hit ctrl-c to copy it and then ctrl-v to paste it. Once in your editor you need to change the directories to match your drive. The two pieces that you need to change are:

   ```
   New-Item (Join-Path 'F:' $_) -ItemType Directory -Force };
   Copy-Item -Path F:\SimpleProfile.txt -Destination F:\Case-XXXXXX\
   ```

5. For example, if your drive is E instead of F, change all three instances of F: to E:. You can do this by hand or hit ctrl-f and use "replace all".

6. Once you have edited the code to match your drive letter, save it as a text file to the same drive so that you have a copy handy. Now highlight the code by hitting ctrl-a or dragging your mouse over it. Hit ctrl-c to copy it and paste it into your PowerShell terminal. Hit Enter.
7. You should see the script run, and it will pause before running the last line of code, so hit enter again. Now if you check your drive you should have a case directory and the simple text profile template loaded.
8. That is it, you are done. You now have a script that you can use to preload any destination with a case directory and simple template.

Take this and make it better.

1. You can add folders or nest more using the logical structure of the code. For example, 'Case-XXXXXX\SearchEngines\Google' could be changed to 'Case-XXXXXX\SearchEngines\Google\images', which would add an images folder in the Google directory.
2. Also, this code is ugly, so if you make it better please share your improvements back with the other members via an email to me or the discussion section.

1.3 – OSINT Directory Code

```powershell
@('Case-XXXXXX\LE_Gov',
  'Case-XXXXXX\SearchEngines\Google',
  'Case-XXXXXX\Email',
  'Case-XXXXXX\Username',
  'Case-XXXXXX\Realname',
  'Case-XXXXXX\Twitter',
  'Case-XXXXXX\Instagram',
  'Case-XXXXXX\Facebook',
  'Case-XXXXXX\Communities',
  'Case-XXXXXX\Mobile',
  'Case-XXXXXX\Locations') |
  ForEach-Object { New-Item (Join-Path 'F:' $_) -ItemType Directory -Force };
Copy-Item -Path F:\SimpleProfile.txt -Destination F:\Case-XXXXXX\
```
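Both the PowerShell script above and Niftycello's Bash script in the previous lesson build the case tree from a name typed at a prompt and use that name directly in a path. The following is an added example for this notebook, not the lesson's script or a member contribution, that does the same job in POSIX sh but checks the case name first: only letters, digits, `_` and `-` are accepted, so input such as `../../etc` cannot steer `mkdir` outside the investigative drive, and the script refuses to run when the base directory is missing (the original Bash loop would have created folders under `/` in that case) or when the case already exists. The folder list and the `run` argument are choices made for this example.

```sh
#!/bin/sh
# Added example (not the lesson's code): build Case-<name>/<folders> under a base
# directory with input validation, and copy a profile template into the case root.

# Folder list constructed for this example; edit to match your own workflow.
CASE_FOLDERS="LE_Gov SearchEngines/Google Email Username Realname Twitter Instagram Facebook Communities Mobile Locations Breaches Documents Images IP"

# valid_case_name NAME -> 0 when NAME is 1-32 characters of [A-Za-z0-9_-], else 1.
# This rules out path separators, "..", spaces and a leading "-".
valid_case_name() {
    case "$1" in
        '' | *[!A-Za-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# make_case_tree BASE NAME [TEMPLATE]
# Creates BASE/Case-NAME and every folder in CASE_FOLDERS beneath it, then copies
# TEMPLATE (if given) into the case root as SimpleProfile.txt. Prints the case
# root path on success; prints a reason to stderr and returns 1 on any failure.
make_case_tree() {
    base=$1; name=$2; template=${3:-}
    valid_case_name "$name" || { echo "invalid case name: $name" >&2; return 1; }
    [ -d "$base" ] || { echo "base directory does not exist: $base" >&2; return 1; }
    root="$base/Case-$name"
    if [ -e "$root" ]; then
        echo "case already exists: $root" >&2
        return 1
    fi
    for f in $CASE_FOLDERS; do
        mkdir -p "$root/$f" || return 1
    done
    if [ -n "$template" ]; then
        [ -r "$template" ] || { echo "template not readable: $template" >&2; return 1; }
        cp "$template" "$root/SimpleProfile.txt" || return 1
    fi
    printf '%s\n' "$root"
}

# count_case_dirs ROOT -> number of directories under ROOT, ROOT included
count_case_dirs() {
    find "$1" -type d | wc -l | tr -d ' '
}

# Interactive use, mirroring the two prompts of the Bash script: ./case.sh run
if [ "${1:-}" = run ]; then
    printf 'Enter case name: '; read -r cname
    printf 'Where should the case be created? '; read -r where
    make_case_tree "$where" "$cname" "$where/SimpleProfile.txt"
fi
```

Keep SimpleProfile.txt in the base directory (the drive root in the PowerShell lesson) and the script copies it into each new case; a missing template is reported rather than silently skipped.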

1.4 – Additional Resources

Writeups and walkthroughs:

- Powershell Tutorial for Beginners: Learn Powershell Scripting (Guru99) - Basic Tutorial
- PowerShell in Visual Studio Code (Visual Studio Code) - Using VSCode With Powershell
- GitHub - Powershell - Official guide
- PowerShell learning resources (Microsoft), 2020 - MS recommended learning
- Channel 9 Videos
- Learn Powershell (YouTube) - Beginner Video

13OSINTWSL.md

7/23/2021

OSINT Essentials - WSL Linux

Note: EyeWitness is not working correctly, so it has been removed from the steps until I find a solution.

Windows Subsystem for Linux

Windows Subsystem for Linux is an optional Windows 10 component that can be used to run Linux distributions within a Windows environment. Functionally, what this means is that we can set up a mini version of the Ubuntu Linux terminal on our Windows desktop without having to set up additional virtualization software. This IS NOT a replacement for our custom virtual machines, but rather a smaller tool.

1.1 Install Ubuntu via WSL

There are a few different routes for installing your WSL Ubuntu instance, but if you are unsure just start with step one and move forward in order.

Step One: Activate WSL

- Locator box -> search for "Turn Windows features on"
- Scroll to "Windows Subsystem for Linux" and check the box
- This will start a download; when prompted apply the change and reboot

Step Two: Set your WSL version

If you are running Windows 10 at a version lower than 2004 (build 19041), skip this section as you are stuck with WSL1. Otherwise, set WSL2 as the default version: `wsl --set-default-version 2`

Step Three: Install Linux

- Open the Windows Store via the same Locator box or start menu
- Search for Linux or Ubuntu. Alternatively you can manually get the latest version as an appx file at https://docs.microsoft.com/en-us/windows/wsl/install-manual; if you choose this method follow the instructions on the download page
- Select the latest version of Ubuntu
- Choose Install
- Once complete, find Ubuntu in your Start menu, right-click and choose add to task bar
- Start Ubuntu by clicking on it
- Provide a new username and password; write these down in your password manager

Step Four: Update and upgrade

Open the Ubuntu terminal and enter

sudo apt update && sudo apt upgrade

Alternate Manual Download Option:

You can manually get the latest version as an appx file at https://docs.microsoft.com/en-us/windows/wsl/install-manual. If you choose this method follow the instructions on the download page.

Alternate Command Line Install

Right-click on PowerShell and run as administrator (run all commands in this section as administrator). Enter the following in the command line (change 2004 to match the current or desired version):

```powershell
Invoke-WebRequest -Uri https://aka.ms/wslubuntu2004 -OutFile Ubuntu.appx -UseBasicParsing
```

Navigate to the download directory if other than your current. Install by entering the following (change the app filename to match your download):

```powershell
Add-AppxPackage .\Ubuntu_2004.2020.424.0_x64.appx
```

Set WSL2 as the default version:

```powershell
wsl --set-default-version 2
```

If you see the message "WSL 2 requires an update to its kernel component", follow the link (https://aka.ms/wsl2kernel) and install the MSI from that page. Provide a new username and password, and add these to your password manager.

Install via script:

```powershell
# Enable WSL and fetch the Ubuntu package (the file is saved as ~/Ubuntu.appx, so that is what we install)
PS C:\> Invoke-WebRequest -Uri https://aka.ms/wslubuntu2004 -OutFile ~/Ubuntu.appx -UseBasicParsing
PS C:\> Add-AppxPackage -Path ~/Ubuntu.appx
# Install Ubuntu 20.04
PS C:\> RefreshEnv
PS C:\> Ubuntu2004 install --root
PS C:\> Ubuntu2004 run apt update
PS C:\> Ubuntu2004 run apt upgrade -y
```

1.2 Scripts/Applications

The following is a list of recommended scripts and the commands to install them.

Update

Prior to installing scripts you will want to update your Ubuntu instance. Do this prior to any new changes or installs:

$ sudo apt update && sudo apt upgrade

python3 2/7

13OSINTWSL.md

7/23/2021

Ubuntu 20 comes with python 3.X installed, so you may skip this unless you have issues

$ python3

version

If you do not see a version do the next step, otherwise skip to Pip

$ $ $ $

sudo sudo sudo sudo

apt-get add apt apt-get apt-get

install software-properties-common repository ppa:deadsnakes/ppa update install python3.8

Pip

sudo apt-get install -y python3-pip

Get started using Python for web development on Windows, 2019 - Support for python/pip Curl

$ sudo apt install

y curl

Git

$ sudo apt install -y git

Ripgrep

$ curl -LO https://github.com/BurntSushi/ripgrep/releases/download/11.0.2/ripgrep_11.0.2_amd6 4.deb $ sudo dpkg -i ripgrep_11.0.2_amd64.deb

YouTube-DL

$ sudo

H pip3 install

upgrade youtube dl

Sherlock

3/7

13OSINTWSL.md

7/23/2021

$ git clone https://github.com/sherlock project/sherlock.git $ cd sherlock $ python3 -m pip install -r requirements.txt

FFMpeg

$ sudo apt install ffmpeg

Instaloader

$ sudo

H pip3 install Instaloader

Instalooter

$ sudo -H pip3 install instalooter

Twint

$ $ $ $

git clone https://github.com/twintproject/twint.git cd twint sudo H pip3 install twint sudo -H pip3 install -r requirements.txt

Midiainfo

$ sudo apt get install

y mediainfo gui

Exiftool

$ sudo apt install -y libimage-exiftool-perl

Metagoofil

$ git clone https://github.com/opsdisk/metagoofil.git $ cd metagoofil $ sudo H pip3 install r requirements.txt

4/7

13OSINTWSL.md

7/23/2021

Sublist3r

git clone https://github.com/aboul3la/Sublist3r.git $ cd Sublist3r && sudo -H pip3 install -r requirements.txt

1.3 – Updating Scripts

Sample commands for updating the most popular OSINT scripts and components. In Terminal, enter the following:

```bash
sudo apt-get update
sudo apt-get upgrade
pip3 install --upgrade pip
sudo /usr/bin/python3 -m pip install --upgrade pip
sudo -H pip3 install --upgrade youtube-dl
sudo -H pip3 install instalooter -U
sudo -H pip3 install instaloader -U
sudo -H pip3 install twint -U
cd ~/Downloads/Programs/Sublist3r
git pull https://github.com/aboul3la/Sublist3r.git
cd ~/Downloads/Programs/Photon
git pull https://github.com/s0md3v/Photon.git
cd ~/Downloads/Programs/metagoofil
git pull https://github.com/opsdisk/metagoofil.git
cd ~/Downloads/Programs/sherlock
git pull https://github.com/sherlock-project/sherlock.git
cd ~/Downloads/Programs/spiderfoot
git pull https://github.com/smicallef/spiderfoot.git
cd ~/Downloads/Programs/EyeWitness
git pull https://github.com/ChrisTruncer/EyeWitness.git
```
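The same update list wrapped in a small script, added here as an example and not part of the lesson notes: it skips tools you have not cloned instead of aborting on the first missing directory, and it only pulls a clone whose origin remote still points at the expected GitHub URL. It assumes the tools live under ~/Downloads/Programs as in the notes, and that DRY_RUN=1 means print the commands rather than run them.

```shell
#!/bin/sh
# Added example, not from the lesson notes: wraps the 1.3 update commands so a
# missing tool directory is skipped instead of aborting the run, and a cloned
# tool is only pulled when its "origin" remote still points at the expected
# GitHub URL (a cheap guard against updating from a repository that was
# re-pointed by mistake). Assumptions: tools were cloned under $PROGRAMS
# (default ~/Downloads/Programs, as in the notes); DRY_RUN=1 prints commands
# instead of executing them.
set -u

PROGRAMS="${PROGRAMS:-$HOME/Downloads/Programs}"
DRY_RUN="${DRY_RUN:-0}"

# Expected clone sources, taken from the update list in the notes.
# One "directory=origin-url" pair per line.
REPOS="
Sublist3r=https://github.com/aboul3la/Sublist3r.git
Photon=https://github.com/s0md3v/Photon.git
metagoofil=https://github.com/opsdisk/metagoofil.git
sherlock=https://github.com/sherlock-project/sherlock.git
spiderfoot=https://github.com/smicallef/spiderfoot.git
EyeWitness=https://github.com/ChrisTruncer/EyeWitness.git
"

# Tools installed system-wide with "sudo -H pip3", as in the notes.
PIP_TOOLS="youtube-dl instalooter instaloader twint"

# Execute a command, or just print it when DRY_RUN=1.
run_cmd() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'DRY: %s\n' "$*"
  else
    "$@"
  fi
}

# System packages and pip itself (the first lines of the notes' list).
update_base() {
  run_cmd sudo apt-get update
  run_cmd sudo apt-get upgrade -y
  run_cmd sudo -H pip3 install --upgrade pip
}

# Each pip-installed tool.
update_pip_tools() {
  for pkg in $PIP_TOOLS; do
    run_cmd sudo -H pip3 install --upgrade "$pkg"
  done
}

# Each cloned tool. Prints one status line per repo:
#   "missing NAME"          directory not present (nothing to update)
#   "origin-mismatch NAME"  origin remote differs from the expected URL
#   "updated NAME"          git pull was run (or printed in dry-run mode)
update_git_tools() {
  for entry in $REPOS; do
    name="${entry%%=*}"
    url="${entry#*=}"
    dir="$PROGRAMS/$name"
    if [ ! -d "$dir/.git" ]; then
      echo "missing $name"
      continue
    fi
    # The remote check needs git and a real clone, so it is skipped in dry-run.
    if [ "$DRY_RUN" != "1" ]; then
      origin="$(git -C "$dir" remote get-url origin 2>/dev/null || true)"
      if [ "$origin" != "$url" ]; then
        echo "origin-mismatch $name ($origin)"
        continue
      fi
    fi
    run_cmd git -C "$dir" pull
    echo "updated $name"
  done
}

main() {
  update_base
  update_pip_tools
  update_git_tools
}

case "${1:-}" in
  plan) DRY_RUN=1; main ;;
  run)  main ;;
  *)    echo "usage: $0 plan|run" ;;
esac
```

Saved as, for example, update-osint-tools.sh, `sh update-osint-tools.sh plan` prints what would run and `sh update-osint-tools.sh run` performs the updates.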

1.4 – Tips, Tricks, Commands, & Resources

Optional steps and resources to become more familiar with, and gain better control over, your Linux environment.

Command/Operator Key
- -y - Answer yes to any prompts such as "are you sure?"
- -i - Display results
- -v - Verbose, list more information about what is happening

1.5 Reference and resources
- Ubuntu 20.04 on Win10
- Windows Subsystem for Linux (WSL) Installation Guide for Windows 10 (Microsoft), 2021
- Manually download Windows Subsystem for Linux distro packages (Microsoft), 2020
- How to install WSL2 (Windows Subsystem for Linux 2) on Windows 10 (Pureinfotech), 2021
- Linux Commands Cheat Sheet (Linux Training Academy)
- How to Enable Copy and Paste Keyboard Shortcuts in Windows 10's Bash Shell (How-To Geek), 2018

1.6 One-Tab Bookmarks

Search:
- https://docs.microsoft.com/en-us/windows/wsl/interop | Windows interoperability with Linux | Microsoft Docs
- https://gist.github.com/kostaz/6e0cf1eee35a34cd6589ec15b58e682c | Install ripgrep on Ubuntu · GitHub
- https://github.com/BurntSushi/ripgrep#installation | GitHub - BurntSushi/ripgrep: ripgrep recursively searches directories for a regex pattern
- https://www.google.com/search?q=install+curl+ubuntu | install curl ubuntu - Google Search
- https://www.spiderfoot.net/ | Overview - SpiderFoot
- https://inteltechniques.com/osintbook/linux.20.txt | inteltechniques.com/osintbook/linux.20.txt
- https://www.google.com/search?q=install+elasticsearch+crawler+ubuntu | install elasticsearch crawler ubuntu - Google Search
- https://github.com/dadoonet/fscrawler | GitHub - dadoonet/fscrawler: Elasticsearch File System Crawler (FS Crawler)
- https://askubuntu.com/search?q=ubuntu+operator+list | Posts containing 'ubuntu operator list' - Ask Ubuntu
- https://www.google.com/search?q=linux+cheat+sheet+-H | linux cheat sheet -H - Google Search
- https://www.nixtutor.com/linux/all-the-best-linux-cheat-sheets/ | All the Best Linux Cheat Sheets
- https://files.fosswire.com/2007/08/fwunixref.pdf | fwunixref.pdf
- https://www.google.com/search?tbm=isch&q=linux+commands+cheat+sheet | linux commands cheat sheet - Google Search (images)
- https://www.pinterest.com/pin/454863631096208571/ | (467) Pinterest
- https://latesthackingnews.com/2015/08/16/kali-linux-commands-cheat-sheet/ | Linux Commands Cheat Sheet
- https://www.improgrammer.net/linux-commands-cheat-sheet/#GSID | Linux commands cheat sheet - Most Popular Linux commands
- https://www.ubuntupit.com/best-linux-commands-to-run-in-the-terminal/ | The 50 Most Useful Linux Commands To Run in the Terminal
- https://www.amazon.com/gp/product/1593279523/ | Amazon.com: The Linux Command Line, 2nd Edition: A Complete Introduction (9781593279523): Shotts, William: Books
- https://www.google.com/search?tbm=isch&q=linux+cheat+sheet | linux cheat sheet - Google Search (images)
- https://www.linuxtrainingacademy.com/linux-commands-cheat-sheet/ | Linux Commands Cheat Sheet | Linux Training Academy
- https://www.geeksforgeeks.org/basic-operators-in-shell-scripting/ | Basic Operators in Shell Scripting - GeeksforGeeks
- https://www.google.com/search?q=linux+operators+%22-H%22 | linux operators "-H" - Google Search
- https://linuxhint.com/bash_operator_examples/#o59 | 74 Bash Operators Examples – Linux Hint
- https://www.google.com/search?q=install+sherlock+ubuntu | install sherlock ubuntu - Google Search
- https://github.com/sherlock-project/sherlock | GitHub - sherlock-project/sherlock: 🔎 Hunt down social media accounts by username across social networks
- https://www.google.com/search?q=install+python+3+ubuntu | install python 3 ubuntu - Google Search
- https://docs.python-guide.org/starting/install3/linux/ | Installing Python 3 on Linux — The Hitchhiker's Guide to Python
- https://phoenixnap.com/kb/how-to-install-python-3-ubuntu | How to Install Python 3 on Ubuntu 18.04 or 20.04 {Step-by-Step}
- https://forum.snapcraft.io/t/running-snaps-on-wsl2-insiders-only-for-now/13033 | Snaps and mobaxterm

14OSINTCriminalMarkets1.md

7/23/2021

OSINT Essentials - Criminal Markets I

Forthcoming


14OSINTCriminalMarkets2.md

7/23/2021

OSINT Essentials - Criminal Markets II

Forthcoming


15OSINTCareerDevelopment.md

7/23/2021

OSINT Essentials - Career Development v9.2020

Making OSINT Into a Career

One of the most frequent questions we get asked is how to turn your OSINT interest and skillset into a career. This is a difficult area to give guidance on, as there are so many different paths, most of which involve non-traditional workplaces. I find that when something is difficult to quantify, it is best to lay it out in a series of actionable steps. The recommendations in this section will not give you all the answers, but will hopefully help you better define what you are looking for and how to increase your chances of finding it. As with most portions of this training, I want to focus on general best practices versus specific sites and resources, because those change over time. This is more about your approach and building a plan than it is about the actual job research.

1.1 Define Your Goals

Just like with our analyst's approach to case work, I think it is beneficial to articulate in writing what exactly you hope to achieve. Where do you want to be in 10 years, both in title and in regard to location? Some areas I would consider and address:

1. Contract vs Full-time Employment - do you value flexibility and control, or long-term stability and structure?
2. Specialization vs Generalization - do you want to be the best in one narrow field, or someone who can tackle a range of challenges and tasks?
3. Government vs Private Sector - do you have strong feelings about working for corporations, government agencies, or non-profits?
4. Location - is region and living situation more important than gratification and diversity of opportunity in missions and body of work?
5. Time - how much can you focus on and devote to building this career? How flexible can you be? Do you have other responsibilities that supersede your work? Be honest with yourself about how much you have to give to build this career. Also, does it need to be a career? Maybe a better fit is part-time or side contracting.
6. Money - for most of us financial compensation matters. Where is pay scale in your list of priorities? What do you need to bring in to live relatively stress free? How much of your time could you give away for free just to build experience?
7. Personality check - do you need to receive acknowledgment or credit for your work aside from a paycheck? Are you OK being a small part of a team, or do you want to lead the team?

Keep this list in your security notebook and consider it a living document that will change over time. Revise it as your situation and priorities shift. As you get more exposure to what is out there, you may find that what you once wanted is no longer the best fit.

1.2 Research

As with most things, diligent homework will pay off, not only in finding positions to pursue but also in landing the job. I have sat on many hiring panels for various positions and I always favor the candidate that shows up clearly having researched the position and the organization. We are hunters and diggers, so you had best show up front that you know how to canvass a potential employer. (Note: probably do not dig too deep on the actual people; that can backfire.) So where to look:

1. What are you applying for? Surprisingly, most people pursuing OSINT do not know the job title of the position they think they want. Most of the time you are going to be looking for positions with "analyst" or "investigator" in the title.
2. Make a list of people who you know work in the general field you are interested in. List where they work and what their job title is.
3. Use your Google skills and search for historical job postings from those employers, and also for job postings for that title, e.g. Intelligence Analyst, Competitive Intelligence Analyst, or Investigative Claims Specialist.
4. If you are on the infosec side of the house or wish to move towards IT, your path is more straightforward. There are very well-defined roles in most large tech companies for Threat Intelligence Analyst, Security Operations Analyst, Threat Analyst, etc. Start with the security positions at major tech firms and look up historical and current job postings. Also ask the people on osint.team, as that community is full of infosec OSINT practitioners.
5. If you are going the gov route, you should have a pretty easy time finding postings on Google. Most US agencies have to publicly post their positions for any hiring categorized outside of internal only. You can look on sites like Indeed, but you will also find gov sites that may be useful: https://www.intelligencecareers.gov/. Remember that many agencies use contractors for civilian analysis functions. A side benefit of a gov position is potentially picking up a security clearance.
6. As you find job postings, start a list of preferred and required experience, education, training, certs, and qualifications. Then do additional Google searches for other occurrences of any particularly unique trade terms or certs, e.g. OSINT, SOCMINT, etc. The people writing the job descriptions don't always understand the actual role, and often these postings will be a lot of boilerplate and buzzwords.
7. This is also where you will start a list of accounts and people who are subject matter experts in the industry. What are they talking about? What are they reading? Who are they following?
8. Review the techniques for looking up resumes, pair that with your Google skills, and find out what other people in our industry are putting on their resumes, as well as previous job titles and organizations.

1.3 Experience, Skillset, & Education

Education and certifications are important, yet they are not everything. While many employers continue to list boilerplate prerequisites, some are now realizing that "soft skills" and potential are more important. Ideally you want to build a little of both. You need some education or experience that shows you have a baseline of skills and qualifications to make it to the pool of final candidates, but the impression you put forth on a personal level will make the difference more often than not when it comes to selecting a new team member. No one wants to work with a know-it-all or a difficult personality, no matter how many certifications they have.

Getting certifications definitely helps, but do not put all of your eggs in that basket. My personal feeling is that the certification industry is a bit of a racket, but unfortunately many companies still put weight in them. It does show a level of commitment and effort on your part; I just don't like the money-grab that is behind it all.

College degrees can come into play in getting past the arbitrary job requirements. In the public sector there is little flexibility there. Sometimes you need that box checked to be considered at all (even though we all know real-world experience is much more important). Security clearances are similar: if you have one already it is a huge bonus in the private sector, as they will not have to pay, wait, and hope that you get one. For the public sector, often you just need to be eligible and willing to go through the process, which can be quite invasive and is not beneficial to your privacy (e.g. the OPM breach).

1.4 Networking

Networking serves two primary purposes: developing contacts that may lead to job opportunities and, more importantly, allowing you to stay abreast of the latest trends and techniques. Here are some of the best avenues that I have found for networking with other OSINT practitioners.

1. Join online communities. Listen, learn, contribute, but do not talk just to be heard or recognized. Take it all in, learn who brings value to the community, and follow those people on their other platforms and projects.
2. Be kind, appreciative, and gracious. That might seem basic, but I have found two things to be true: being pushy and confident can yield short-term gains, but those people always seem to fizzle quickly, while the confident, empathetic listener is the person that I want on my team. When you approach or interact with people in our industry, be direct but grateful for any time they give you. Once you are deep in your career, time is your most precious commodity, so show them you appreciate any that they give you. When I look for a new team member, I look for the quiet observer, the good listener, the eager learner, and someone who does not know all the answers.
3. Volunteer. When you are starting out or moving into a new field, you have to be willing to trade your time and effort for experience and exposure. Donating time to internships and projects is a good way to build a resume and also a network of colleagues. One way to get your foot in the door is to be a free resource. Do not wait for people to solicit you for help; take initiative and propose what you can do for them. Create a win-win situation with a team that needs skilled labor and has no budget for it.
4. Be helpful and encouraging, a calm, positive energy in the room.

1.5 Chicken & Egg

The crux always seems to be that experience is required to get positions, and it can be difficult to get documentable experience without having a position in the industry. Many of these are already mentioned, but here are some ways to attack that problem.

1. Military - Many of my colleagues gained their skills and experience in the military. It is not for everyone, but it is one path to getting both experience and education without going into debt.
2. Internships - Don't expect to get paid, but rather recognize that you are earning a resume and, long term, that will result in an actual payday. One of my very best OSINT team members was an unpaid intern because he was interested, hungry, and 0% entitled. He worked longer hours than many paid employees while going to school, and I could not have been happier than to write him a recommendation for his first paying analyst job.
3. Volunteer - This is the best way to actively network. Volunteer at conferences, with trade groups, charities, and your local agencies. They may not even know that they need a volunteer analyst until you show them what you can do for them.
4. Learn - When it comes time to shine, let your clear knowledge base speak for itself. Most of us are pretty good at smelling BS, so don't try to fake it, but allowances are sometimes made for official experience when someone is clearly a subject matter expert.

1.6 Resources

One-Tab Bookmarks
- https://www.linkedin.com/jobs/search/?keywords=Intel%20Analyst | LinkedIn
- https://www.intelligencecareers.gov/ | US Public Sector Intel Jobs
- https://www.indeed.com/q-Title-Cyber-Threat-Intelligence-Analyst-jobs.html | Indeed
- http://www.enlightenjobs.com/synonyms.php?q=Intelligence+Analyst | Titles
- https://cvmaker.com | CV Maker

Remember your resume search tactics. Examples of Google searches for resumes:

```
"John Doe" "resume" filetype:doc OR filetype:docx OR filetype:pdf
"John Doe" "Resume"
John Doe Curriculum Vitae
"John Doe" "CV"
John Doe Resume filetype:doc
"John Doe" "Curriculum Vitae" filetype:doc
John Doe CV filetype:doc
"John Doe" "Resume" filetype:pdf
John Doe Curriculum Vitae filetype:pdf
"John Doe" "CV" filetype:pdf
John Doe Resume site:docs.google.com
"John Doe" "Curriculum Vitae" site:docs.google.com
John Doe CV site:docs.google.com
```

12/13/21, 4:58 PM OneNote

Street: Kalkofnsvegur 2
City: Reykjavik
State: Capital Region
Postal Code: 101
Country: IS (Iceland)
Phone: +354.4212434

1. ISP/Host Contact
   - Hidden via Cloudflare.com
2. Historical Whois
   - N/A
3. DNS Data
   - Hidden via Cloudflare.com
4. Certificate Data
   - N/A

1. Associated Sites
   - https://www.plurk.com/tut4dl (stale since 2013)
   - https://www.alexa.com/siteinfo/tut4dl.com
   - From the outgoing links section on VirusTotal:
     - https://feeds.feedburner.com/tut4dltraining (news feed site)
     - https://rapidgator.net/article/premium/ref/389459 (donation site)
     - https://nitroflare.com/payment?webmaster=1024153 (donation site)
5. Analytics IDs (Google, etc.)
   - Google Analytics
     - UA-186097536 (July 2021 to present, Dec 2021)
     - UA-41192494 (June 13 2021 - Oct 13 2021)
   - Google+
     - GP-106400282997443823967
6. Technologies (collected from https://builtwith.com/tut4dl.com)
   - Google Analytics
   - Google AdSense
   - Google Tag Manager
   - Google Search
   - Google viewport meta
   - Doubleclick.net
   - Ads.txt
   - WordPress (Genesis theme from StudioPress)
   - Gravatar profile
   - Imgur
   - Twemoji
   - Postimage.org
   - iPhone mobile compatible
   - Cloudflare DNS
   - Cloudflare SSL
   - Cloudflare hosting
   - Email hosting provider - SPF
   - OS is using IPv6
   - Syndication: RSS, Feedburner, Really Simple Discovery, Pingback support, Windows Live Writer support
7. Email Addresses
   - As per 2015: [email protected] until last capture in 2018 (https://web.archive.org/web/[timestamp garbled in source]/http://tut4dl.com/contact-us/)
8. Site/Page Captures
   - N/A
9. Archived Captures
   - First active since January 2013 according to the Wayback Machine; last capture was 2018, with email still listed: https://web.archive.org/web/*/http://tut4dl.com/
10. Social Media
   - https://twitter.com/tut4dl (not posted since 2013)
11. Email Address Linkages
   - Obtained through Sherlock and WhatsMyName; these are non-affiliated tut4dl websites.
   - [email protected]
   - As per Sherlock:
     - [+] EyeEm: https://www.eyeem.com/u/[email protected]
     - [+] Football: https://www.rusfootball.info/user/[email protected]/
     - [+] opennet: [email protected]
   - EyeEm.com - stock image website; Rusfootball.info - Russian soccer; Opennet - Russian computer forum
   - As per WhatsMyName: found user at https://[email protected]/

15OSINTSMEsToFollow.md

7/23/2021

OSINT Essentials - Experts Worth Following

These are some people you may want to follow. They each have a nexus to the OSINT community and many are subject matter experts who share wonderful tips and resources.

The Short List

The spreadsheet has a more comprehensive list, but there are always new talents emerging in the industry, so the best way to stay current on who is sharing great OSINT information is to check out these resources:

- https://twitter.com/IntelTechniques - Of course Michael is continuing to push out OSINT, privacy, and security info at https://inteltechniques.com, in his books, and on the podcast.
- https://twitter.com/i/lists/965121312988409856 - Ph055a from our forums has a great list of OSINT professionals to follow on Twitter.
- https://osint.team - Ph055a also runs a RocketChat OSINT group; it has a pretty heavy infosec/private sector focus, but that is great when you want to pick up more skills in that flavor of OSINT.
- https://twitter.com/ding0snax/following - An easy way to see an up-to-date list of who I follow is to look at my Twitter profile.
- https://www.bellingcat.com/ - OSINT from an investigative journalism perspective.
- https://www.technisette.com/p/home - OSINT guru.
- https://nixintel.info/ - OSINT articles by nixintel.
- https://osintcurio.us/ - A group of OSINT trainers, primarily from infosec. Some good European practitioners.
- https://twitter.com/search?q=osint&src=typed_query - I often run a query to check Twitter for anyone else talking about OSINT that I may not be aware of.

OSINT - Team Collaboration.md

12/27/2021

OSINT - Team Collaboration v12.2021

Collaboration Tips

- Make sure all team members are clear on the tools, process, and responsibilities.
- Make sure there is a clear understanding of scope, policy, and any legal constraints.
- Have a discussion about operational security and passive vs active reconnaissance.
- Establish a written list of tasks along with who is assigned to work on which areas.
- Whenever possible, split tasks by target or leads which are unlikely to overlap or collide. Ideally you will have multiple targets, but if not, split up the tasks logically so that you aren't wasting time doing work that someone else may have already done. For example, have one person work on the primary target person while another works on the company domain.
- You will need a communications platform and some method of sharing files.
- Platforms which support team collaboration on documents are a huge benefit, but many are premium and/or do not have the best privacy (for example, the Microsoft Teams/OneNote combination is a staple for many teams that work in an enterprise environment). Alternatives to those premium platforms are provided below.
- If you already have a good team workflow, go with it.
- It is highly recommended to assign a "lead" or case agent to steer the team's direction and progress. Too many cooks can be a problem. A good leader takes feedback graciously and makes sure members feel valued. A good leader empowers the team members but helps focus their ideas and work.
- Concise communication (radio discipline) will cut down on noise and make it easier to follow team progress. Avoid off-topic or frivolous chatter on the team channels, or dedicate an additional chat channel for side conversations.

Team/Mission Roles

Not all missions will require all of these roles, and often individual investigators will wear multiple hats.

- Lead - Defines overall investigative strategy; prioritizes, assigns, and tracks tasks/progress; quality control on final work product; tracks deadlines and deliverables; manages communication with the client; presents final work product; ensures the team is aware of and stays within scope, policy, and law; ensures that team members receive credit for their work; ensures team members have the resources to successfully complete their tasks; takes team feedback and makes the tough decisions.
- Collator - Organization of data, captures, and team notes; report preparation (often the case lead or analyst will handle this role).
- Analyst - Organizes and reviews collected data, produces intelligence, assigns confidence levels, vets sources, produces link charts/diagrams.
- Digger - Often this is everyone on the team, but sometimes there is a research specialist.
- Tinker - Prepares, distributes, and supports OSINT tools and scripts; automation support, VM support, etc.
- Breach/Leak/Darknet Specialist - Checks known identifiers and strong leads against specialized sources.

Full Office/Productivity Platforms

Collaboration and documentation options vary, and typically the more feature-rich the platform, the more likely that it is premium or has a privacy cost involved (e.g. Google Docs). The following are some options which provide a combination of features to support group communications and real-time document collaboration.

- Microsoft: OneNote, Teams, and the MS Office offerings such as Word, Excel, Outlook, etc.
- Google: Google Docs, Gmail, Hangouts, Google Voice (powerful free option if you don't care about privacy at all)

Communications Platforms

The following are some platforms which support team communication and basic file sharing. Most do not, however, support live document collaboration. An important aspect of communication, no matter which platform you choose, is what we in the public safety industry call radio discipline. Try to limit posts and chatter to concise, mission-relevant updates. The more "noise" on your comms channel, the more difficult it will be to keep track of the overall progress and efforts.

- Matrix: https://matrix.org/
  Pros: Good privacy, open-source, encryption, chat function, limited file sharing, voice/video meeting support
  Cons: No shared document support, no static pages
- Keybase: https://keybase.io/
  Pros: Good privacy, encryption, open-source, chat function, file sharing, GitHub integration, static pages (place a markdown document in the files section for your team: https://book.keybase.io/sites)
  Cons: No shared document collaboration support
- Wire: https://wire.com/
  Pros: Good privacy, encryption, audio/video, file sharing
  Cons: No document collaboration, no static pages
- Signal: https://signal.org/
  Pros: Good privacy, encryption, audio/video, file sharing, good adoption rate
  Cons: No document collaboration, no static pages
- Microsoft Teams: https://www.microsoft.com/en-us/microsoft-teams/group-chat-software
  https://answers.microsoft.com/en-us/msoffice/forum/all/upload-a-onenote-workbook-to-teams/a70bd882-7c8e-4d80-b314-0c57e50aa802 | Importing OneNote Notebooks to Teams
  Pros: Powerful, good security, high adoption rate in enterprise environments, file sharing, static pages, task lists, calendar, audio/video, whiteboards; paid tiers have many integrations including MS Office suite features
  Cons: Microsoft account required, MS will collect telemetry data, free tier has feature limitations
- Discord: https://discord.com/
  Pros: Limited file sharing, voice/video meeting support, bots and integrations, full-featured chat support, good adoption rate
  Cons: Closed source, not privacy focused (but better than Slack)
- Slack: https://slack.com/
  Pros: Full-featured chat support, large number of integrations, voice/video meeting support, good adoption rate
  Cons: Closed source, horrible privacy, limited chat history, limited file sharing, no shared document support, no static pages
- Others: Rocketchat, Mattermost

Notetaking Collaboration

The challenge with all note-taking platforms is that the platforms which support team collaboration tend to either be premium and/or have very poor privacy policies. Recommendations are provided on how to possibly use some platforms collaboratively despite their not being truly multi-user. There is always a usability/feature cost to sticking with free yet private options.

- Standard Notes: https://standardnotes.com/
  Pros: Great privacy
  Cons: Standard Notes does not support teams, but I have previously worked on projects where the team shared a login to a Standard Notes account. This can be a little messy if too many people log in at the same time.
- Cryptpad: https://cryptpad.fr/
  Pros: Excellent privacy, collaboration support
  Cons: Limited document formats
- OneNote: https://www.onenote.com/download
  Pros: Powerful, great for collaboration, team annotation/note/chat support, export support for PDF, docs, etc.; accepts many file attachments; hierarchical notebook structure
  Cons: MS account required, Microsoft will try to collect telemetry data, browser and desktop options
- P3X OneNote: https://github.com/patrikx3/onenote
  Pros: Open-source Linux version of OneNote, better privacy
  Cons: Limited functionality (https://www.tecmint.com/install-microsoft-onenote-in-linux/)
- VSCode: https://code.visualstudio.com/
  Pros: Powerful; VSCode has many useful extensions for converting and dealing with markdown and other documentation formats, as well as the ability to deal with and run scripts; there are options to add collaboration functionality; file support; GitHub integration
  Cons: MS product (make sure to disable telemetry; VSCodium is a less powerful but more private option), no native chat/collaboration support
- Atom: https://teletype.atom.io/
  Pros: Large ecosystem of add-ons, collaboration via https://teletype.atom.io/
  Cons: Additional configuration required for collaboration, similar to VSCode
- Etherpad: https://etherpad.org/#about
  Pros: Open-source collaborative notes, control your own data and access
  Cons: Requires self-hosting, technical knowledge required to set up
- Xmind: https://www.xmind.net/
  Pros: Mind map collaboration
  Cons: Collaboration requires premium account

Utilities

Additional tools for working with shared files and documentation.
- Tresorit - Secure, free file sharing: https://send.tresorit.com/
- Additional file transfer options: https://github.com/timvisee/send-instances/
- Pandoc: gold standard in open-source document conversion: https://pandoc.org/
- Groupdocs: Conversion and document utilities, good privacy policy: https://www.groupdocs.app/

Note: included with this lesson are two PDFs put together by member teams. They were challenged to look at a criminal domain (tut4dl.com) and find out who is running that website. If you wish to practice your OSINT skills on that specific target, do know that they sell pirated content and are criminals, so you should use good operational security if you decide to poke around that site. Each of the teams provided some concise findings and were also asked to list the tools they used for collaboration. Thank you to OSINT Kramer, Robblob, Blackfalc0n, and 0s1nt87 for their contributions to this lesson.

OSINT - Team Collaboration.md

12/27/2021

OSINT - Team Collaboration v12.2021

Collaboration Tips

- Make sure all team members are clear on the tools, process, and responsibilities.
- Make sure there is a clear understanding of scope, policy, and any legal constraints.
- Have a discussion about operational security and passive vs. active reconnaissance.
- Establish a written list of tasks along with who is assigned to work on which areas.
- Whenever possible, split tasks by target or leads which are unlikely to overlap or collide. Ideally you will have multiple targets, but if not, split up the tasks logically so that you aren't wasting time doing work that someone else may have already done. For example, have one person work on the primary target person while another works on the company domain.
- You will need a communications platform and some method of sharing files.
- Platforms which support team collaboration on documents are a huge benefit, but many are premium and/or do not have the best privacy (for example, the Microsoft Teams/OneNote combination is a staple for many teams that work in an enterprise environment). Alternatives to those premium platforms are provided below.
- If you already have a good team workflow, go with it.
- It is highly recommended to assign a "lead" or case agent to steer the team's direction and progress. Too many cooks can be a problem. A good leader takes feedback graciously and makes sure members feel valued. A good leader empowers the team members but helps focus their ideas and work.
- Concise communication (radio discipline) will cut down on noise and make it easier to follow team progress. Avoid off-topic or frivolous chatter on the team channels, or dedicate an additional chat channel for side conversations.

Team/Mission Roles

Not all missions will require all of these roles, and often individual investigators will wear multiple hats.

- Lead - Defines the overall investigative strategy; prioritizes, assigns, and tracks tasks/progress; quality control on the final work product; tracks deadlines and deliverables; manages communication with the client; presents the final work product; ensures the team is aware of and stays within scope, policy, and law; ensures that team members receive credit for their work; ensures team members have the resources to successfully complete their tasks; takes team feedback and makes the tough decisions.
- Collator - Organization of data, captures, and team notes; report preparation (often the case lead or analyst will handle this role).
- Analyst - Organizes and reviews collected data, produces intelligence, assigns confidence levels, vets sources, produces link charts/diagrams.
- Digger - Often this is everyone on the team, but sometimes there is a research specialist.
- Tinker - Prepares, distributes, and supports OSINT tools and scripts; automation support, VM support, etc.
- Breach/Leak/Darknet Specialist - Checks known identifiers and strong leads against specialized sources.

Full Office/Productivity Platforms

Collaboration and documentation options vary, and typically the more feature-rich the platform, the more likely that it is premium or has a privacy cost involved (e.g., Google Docs). The following are some options which provide a combination of features to support group communications and real-time document collaboration.

- Microsoft: OneNote, Teams, and the MS Office offerings such as Word, Excel, Outlook, etc.
- Google: Google Docs, Gmail, Hangouts, Google Voice (a powerful free option if you don't care about privacy at all)

Communications Platforms

The following are some platforms which support team communication and basic file sharing. Most do not, however, support live document collaboration. An important aspect of communication, no matter which platform you choose, is what we in the public safety industry call radio discipline. Try to limit posts and chatter to concise, mission-relevant updates. The more "noise" on your comms channel, the more difficult it will be to keep track of the overall progress and efforts.

Matrix: https://matrix.org/
Pros: Good privacy, open-source, encryption, chat function, limited file sharing, voice/video meeting support
Cons: No shared document support, no static pages

Keybase: https://keybase.io/
Pros: Good privacy, encryption, open-source, chat function, file sharing, GitHub integration, static pages (place a markdown document in the files section for your team: https://book.keybase.io/sites)
Cons: No shared document collaboration support

Wire: https://wire.com/
Pros: Good privacy, encryption, audio/video, file sharing
Cons: No document collaboration, no static pages

Signal: https://signal.org/
Pros: Good privacy, encryption, audio/video, file sharing, good adoption rate
Cons: No document collaboration, no static pages

Microsoft Teams: https://www.microsoft.com/en-us/microsoft-teams/group-chat-software
Importing OneNote Notebooks to Teams: https://answers.microsoft.com/en-us/msoffice/forum/all/upload-a-onenote-workbook-to-teams/a70bd882-7c8e-4d80-b314-0c57e50aa802
Pros: Powerful, good security, high adoption rate in enterprise environments, file sharing, static pages, task lists, calendar, audio/video, whiteboards; paid tiers have many integrations including MS Office suite features
Cons: Microsoft account required, MS will collect telemetry data, free tier has feature limitations

Discord: https://discord.com/
Pros: Limited file sharing, voice/video meeting support, bots and integrations, full-featured chat support, good adoption rate
Cons: Closed source, not privacy focused but better than Slack

Slack: https://slack.com/
Pros: Full-featured chat support, large number of integrations, voice/video meeting support, good adoption rate
Cons: Closed source, horrible privacy, limited chat history, limited file sharing, no shared document support, no static pages

Others: Rocketchat, Mattermost

Notetaking Collaboration


The challenge with all note-taking platforms is that the platforms which support team collaboration tend to either be premium and/or have very poor privacy policies. Recommendations are provided on how to possibly use some platforms collaboratively despite their not being truly multi-user. There is always a usability/feature cost to sticking with free yet private options.

Standard Notes: https://standardnotes.com/
Pros: Great privacy
Cons: Standard Notes does not support teams, but I have previously worked on projects where the team shared a login to a Standard Notes account. This can be a little messy if too many people log in at the same time.

Cryptpad: https://cryptpad.fr/
Pros: Excellent privacy, collaboration support
Cons: Limited document formats

OneNote: https://www.onenote.com/download
Pros: Powerful, great for collaboration, team annotation/note/chat support, export support for pdf, docs, etc., accepts many file attachments, hierarchical notebook structure
Cons: MS account required, Microsoft will try to collect telemetry data; browser and desktop options

P3X OneNote: https://github.com/patrikx3/onenote
Pros: Open-source Linux version of OneNote, better privacy
Cons: Limited functionality
See also: https://www.tecmint.com/install-microsoft-onenote-in-linux/

VSCode: https://code.visualstudio.com/
Pros: Powerful; VSCode has many useful extensions for converting and dealing with markdown and other documentation formats, as well as the ability to deal with and run scripts; there are options to add collaboration functionality; file support; GitHub integration
Cons: MS product (make sure to disable telemetry; VSCodium is a less powerful but more private option), no native chat/collaboration support

Atom: https://teletype.atom.io/
Pros: Large ecosystem of add-ons, collaboration via https://teletype.atom.io/
Cons: Additional configuration required for collaboration, similar to VSCode

Etherpad: https://etherpad.org/#about
Pros: Open-source collaborative notes, control your own data and access
Cons: Requires self-hosting, technical knowledge required to set up

Xmind: https://www.xmind.net/
Pros: Mind map collaboration
Cons: Collaboration requires a premium account

Utilities

Additional tools for working with shared files and documentation.

- Tresorit - Secure, free file sharing https://send.tresorit.com/
- Additional file transfer options - https://github.com/timvisee/send-instances/

- Pandoc: Gold standard in open-source document conversion https://pandoc.org/


- Groupdocs: Conversion and document utilities, good privacy policy https://www.groupdocs.app/

Note: included with this lesson are two PDFs put together by member teams. They were challenged to look at a criminal domain (tut4dl.com) and find out who is running that website. If you wish to practice your OSINT skills on that specific target, do know that they sell pirated content and are criminals, so you should use good operational security if you decide to poke around that site. Each of the teams provided some concise findings and were also asked to list the tools they used for collaboration. Thank you to OSINT Kramer, Robblob, Blackfalc0n, and 0s1nt87 for their contributions to this lesson.


12/13/21, 4:58 PM

OneNote

Street: Kalkofnsvegur 2
City: Reykjavik
State: Capital Region
Postal Code: 101
Country: IS (Iceland)
Phone: +354.4212434

1. ISP/Host Contact
• Hidden via Cloudflare.com
2. Historical Whois
• N/A
3. DNS Data
• Hidden via Cloudflare.com
4. Certificate Data
• N/A

1. Associated Sites
• https://www.plurk.com/tut4dl (stale since 2013)
• https://www.alexa.com/siteinfo/tut4dl.com
• From the outgoing links section on VirusTotal:
  o https://feeds.feedburner.com/tut4dltraining (news feed site)
  o https://rapidgator.net/article/premium/ref/389459 (donation site)
  o https://nitroflare.com/payment?webmaster=1024153 (donation site)
5. Analytics IDs (Google, etc.)
• Google Analytics
  o UA-186097536 (July 2021 to present, Dec 2021)
  o UA-41192494 (June 13 2021 - Oct 13 2021)
• Google+
  o GP-106400282997443823967
6. Technologies
Collected from https://builtwith.com/tut4dl.com
• Google Analytics
• Google AdSense
• Google Tag Manager
• Google Search
• Google viewport meta
• Doubleclick.net
• Ads.txt
• WordPress (Genesis theme from StudioPress)
• Gravatar profile
• IMGUR
• Twemoji
• Postimage.org
• iPhone mobile compatible
• Cloudflare DNS
• Cloudflare SSL
• Cloudflare hosting
• Email hosting provider - SPF
• OS is using IPv6
• Syndication
  o RSS


  o Feedburner
  o Really Simple Discovery
  o Pingback support
  o Windows Live Writer support
7. Email Addresses
As of 2015: [email protected], until last capture in 2018
https://web.archive.org/web/201s0G10001s10/http://tut4dl.com/contact-us/
8. Site/Page Captures
N/A
9. Archived Captures
First active January 2013 according to the Web Archive. Last capture was 2018, with the email still listed: https://web.archive.org/web/*/http://tut4dl.com/
10. Social Media
https://twitter.com/tut4dl (not posted since 2013)
11. Email Address Linkages
Obtained through Sherlock and WhatsMyName; these are non-affiliated tut4dl websites.
[email protected]
As per Sherlock:
[+] EyeEm: https://www.eyeem.com/u/[email protected]
[+] Football: https://www.rusfootball.info/user/[email protected]/
[+] opennet: [email protected]
EyeEm.com - Stock image website
Rusfootball.info - Russian soccer
Opennet - Russian computer forum
As per WhatsMyName: Found user at https://[email protected]/


15OSINTWritingPolicy.md

7/23/2021

OSINT Essentials - Writing Policy

Key Components

Do not overthink your policy. Shoot for a one- or two-page policy that focuses on appropriate use and controls. Steer clear of specific technologies and do not be overly specific.

1.1 Training Standard

The most important thing is to have a training standard rather than sweating what that training is. When you are getting started this can be in-service or online training, but long term you should work towards some type of sustainable yearly "refresher training". There should also be a set of training materials provided to new investigators. I like to use a combination of books, video, and some type of recognized national curriculum. It must be applicable to your industry and mission.

1.2 Approval Process

I prefer that approval stay with the front-line supervisor. They may want to keep a very simple log of employee training and possibly approvals for use of undercover accounts, funds, and infiltrations. Which of these you include depends on your agency's and jurisdiction's policies, ordinances, and community expectations. The more layers of approval and the more complicated the process, the more laborious it will be not only to conduct the work, but also to administrate the program. Simple and concise is the goal. Let the front-line supervisor be the gatekeeper.

1.3 Appropriate Use

This really can just be summed up as "for official use only." Recycle the same policies that you apply to your other investigative resources such as vehicles, gas cards, and other equipment. You should include language indicating that no personal accounts are to be used for work and no work accounts are to be used for personal business.

1.4 Audit & Review

An annual audit usually includes the review of training, expenditures/procurement, infiltrations, and in some cases accounts/deployments. The depth of this will vary by the level of concern in your organization regarding online investigations and intelligence gathering. The audit should be executed by someone with investigative experience and, if possible, some level of technical understanding. In the public sector this is usually an inspector general or city/state auditor.

1.5 Additional Resources

Sites, write-ups, and articles:

- Digital Evidence and the U.S. Criminal Justice System: Identifying Technology and Other Needs to More Effectively Acquire and Utilize Digital Evidence (RAND Corporation, PDF), 2015
- Government Access to and Manipulation of Social Media: Legal and Policy Challenges (Brennan Center for Justice, PDF), 2018
- Map: Social Media Monitoring by Police Departments, Cities, and Counties (Brennan Center for Justice), 2019
- Developing a Policy on the Use of Social Media in Intelligence and Investigative Activities: Guidance and Recommendations (Bureau of Justice Assistance, PDF), 2013
- Law Enforcement Social Media Policies (Urban Institute, PDF), 2019
- One Step Ahead: How Social Media is Changing the Face of Investigations (LexisNexis, PDF)
- Social Media and Tactical Considerations for Law Enforcement (Community Oriented Policing Services & Police Executive Research Forum, PDF), 2013
- The IACP - Social Media (International Association of Chiefs of Police)
- The IACP Social Media Considerations (International Association of Chiefs of Police, PDF), 2019
- Writing Your Department's Social Media Policy: A Step-by-Step Guide (PowerDMS, Blog), 2020
- "social media investigations policy" Google Search
- Todd Shipley Slides (Slide 1, PDF)
- Developing Policy on Using Social Media for Intelligence and Investigations (Police Chief Magazine)
- Sample police department social media policies (Police1), 2010
- Brook Park OH Police Department: Internet Sites / Web Pages / Social Networking (Americans for Effective Law Enforcement, PDF), 2009
- Cumberland IN Police Department: Professionalism (Americans for Effective Law Enforcement, PDF)
- DoD: Responsible and Effective Use of Internet Capabilities (Americans for Effective Law Enforcement, PDF), 2010
- Saline County KS Sheriff's Office: Use of County and Agency Images, Recordings and Logos in the Public Domain (Americans for Effective Law Enforcement, PDF), 2009
- Northampton MA Police Department: Internet Sites / Web Pages / Social Networking (Americans for Effective Law Enforcement, PDF)

Disinformation Fall 2021

Disinformation Resource List Fall 2021 v.10.2021
Contributors: BlackFalc0n, IntelTechniques Forum Membership

Home Delivery Services
- https://www.instacart.com/ | Instacart
- https://sunbasket.com/join | Build Your Order | Sunbasket
- https://www.gobble.com/ | Gobble
- https://www.greenchef.com | Greenshef
- https://blueapron.com | blueapron.com
- https://www.epicurious.com | epicurious
- https://marleyspoon.com/ | Martha Stewart's Meal Delivery Service
- https://www.purplecarrot.com/ | Purple Carrot Plant-Based Meal Delivery
- https://dinnerly.com/ | The Affordable Meal Delivery Service
- https://splendidspoon.com/get-started/ | Get Started
- https://www.hellofresh.com | Hello Fresh
- https://www.veestro.com/ | Organic Prepared Meal Delivery Service
- https://www.everyplate.com/plans | Select your plan
- https://order.freshnlean.com/fnl | Order Fresh-n-Lean
- https://www.littlespoon.com | cna.st

Employment/Job Listings
- https://www.monster.com/ | Monster Jobs - Job Search, Career Advice & Hiring Resources | Monster.com
- https://secure.indeed.com/account/register | Create an account | Indeed Accounts
- https://www.careerbuilder.com/user/register | Register | CareerBuilder.com
- https://www.glassdoor.com/index.htm | Glassdoor Job Search | Find the job that fits your life
- https://www.ziprecruiter.com/candidate/onboard | ZipRecruiter Job Posting, Job Search and Free Job Alerts
- https://onboarding.resumerabbit.com/rabbit-onboarding/?e=r/#/job-boards/ | Customer Onboarding
- https://www.themuse.com/ | Job Search, Companies Hiring Near Me, and Advice | The Muse
- https://www.resume-library.com/candidate/registration | Register Your Resume | Resume-Library.com
- https://help.wonolo.com/s/article/How-do-I-update-my-address-to-get-notified-for-nearby-jobs

Classifieds
- https://www.freeclassifieds.com/ | Free Classifieds - Buy or Sell anything for free, freeclassifieds.com!
- https://atlanta.craigslist.org/ | craigslist: atlanta, GA jobs, apartments, for sale, services, community, and events
- https://www.classifiedads.com/post.php | Post a Classified Ad
- https://www.pennysaverusa.com/item/new | PennySaver | Post Your Free Classified ad!
- https://join.booking.com/ | List Your Apartment, Hotel, Holiday Home or B&B on Booking.com

Gift Registries
- https://www.bedbathandbeyond.com/store/giftregistry/createRegistryForm | Create a Wedding & Bridal Registry | Bed Bath & Beyond
- https://www.amazingregistry.com/create-registry | Create Your Free Gift Registry AmazingRegistry.com
- https://www.theknot.com/gs/wedding-websites | Wedding Websites - Free Wedding Websites - The Knot
- https://carnival.honeymoonwishes.com/ | Carnival Honeymoon Registry

Subscriptions - Magazines & Catalogues
- https://subscribe.wired.com/subscribe/wired/127693 | WIRED Magazine Subscription
- https://www.discountmags.com/ | Cheap Magazine Subscriptions | The Best Discount Magazines & Deals - DiscountMags.com
- https://thekrazycouponlady.com/deals/magazines | Magazine Coupons Freebies and Deals - The Krazy Coupon Lady - October 2021
- https://www.liveabout.com/free-magazine-subscriptions-1356536 | Free Magazine Subscriptions With No Strings Attached
- https://www.freeflys.com/save-money/free-magazines-in-the-mail/ | Free Magazines
- https://dealtrunk.com/free-magazines/ | 75+ Free Magazines Sent Right to Your Door - DealTrunk
- https://valuemags.com/pages/free-magazines | Free Magazine Offers - ValueMags
- https://clark.com/save-money/free-magazines/ | Where To Get Free Magazines - Clark Howard
- https://www.sweetfreestuff.com/free-magazines/ | Free Magazines - SweetFreeStuff.com
- https://www.magzter.com/top-free-magazines | Get your Digital Access to Top Free Magazines
- https://www.omahasteaks.com/info/Catalog-Request | Omaha Steaks Catalog Request
- https://christmas.lovetoknow.com/Christmas Catalog

Business Listings & Reviews
- https://www.yelp.com/ | Restaurants, Dentists, Bars, Beauty Salons, Doctors - Yelp
- http://listyourself.net/ | ListYourself
- https://www.google.com/business/ | Google My Business - Manage Your Business Profile
- https://smallbusiness.yahoo.com/local | How to create your Business Listing? | Yahoo! Small Business
- https://www.bingplaces.com/ | Bing Places for Business
- https://www.merchantcircle.com/ | Deals, Quotes, Coupons, Advice from Local Merchants MerchantCircle.com
- https://getstarted.thryv.com/free-listing-yp/ | Free Scan: see how you look online. Verify the accuracy of your listings.
- https://advertising.superpages.com/contact/
- https://www.mercurymagazines.com/pr1/100/10000

Retailers - Online Accounts
- https://www.homedepot.com/auth/view/createaccount | The Home Depot: sign in, create or secure your account
- https://www.walmart.com/account/signup | Login
- https://www.vons.com/account/short-registration.html | Short Registration | Vons

Contests & Sweepstakes
- https://www.sweepsadvantage.com/
- https://sweepstakesfanatics.com/
- https://www.liveabout.com/new-sweepstakes-and-contests-896980
- https://www.liveabout.com/sweepstakes-directory-prizes-to-win-4057568 (includes Canada and UK options)
- https://www.allcanadacontests.com/ (Canada)
- https://www.contestgirl.com/
- https://sweetiessweeps.com/
- https://www.sweepsheet.com/Default.aspx
- https://sweepingamerica.com/

Product Registrations
- https://www.yeti.com/en_US/register-product
- https://kidsindanger.org/wp-content/uploads/2019/12/Manufacturer-Directory-2019.pdf | PDF of child-related product registration sites

Hotel Points Memberships
- https://all.accor.com/usa/index.en.shtml | ALL - Accor Live Limitless
- https://www.bestwestern.com/en_US/best-western-rewards.html | Best Western Rewards Award Winning Loyalty Program
- https://www.choicehotels.com/choice-privileges | Choice Privileges® - Best Hotel Rewards Program from Choice Hotels®
- https://www.hilton.com/en/hilton-honors/join/ | Hilton Honors
- https://www.ihg.com/rewardsclub/content/us/en/home | IHG Rewards Club
- https://preferredhotels.com/iprefer | Preferred Hotels & Resorts: The World's Best Independent Hotels | Preferred Hotels & Resorts
- https://www.lhw.com/leaders-club/about | Leaders Club Hotel Rewards Program – The Leading Hotels of the World
- https://www.marriott.com/loyalty.mi | Marriott Bonvoy
- https://www.radissonhotelsamericas.com/en-us/ | Radisson Hotels Americas | Official Site | Book Hotels Direct
- https://world.hyatt.com/ | World of Hyatt

SOC-MED
- https://thispersondoesnotexist.com/
- https://www.linkedin.com/
- https://wordpress.com/
- https://soundcloud.com/
- https://www.facebook.com/
- https://medium.com/
- https://instagram.com/
- https://twitter.com/
- https://speakerhub.com/
- https://www.youtube.com/
- https://flickr.com/
- https://voip.operationprivacy.com/
- https://www.twitter.com/0perationP
- https://dashboard.operationprivacy.com/donate
- https://dashboard.operationprivacy.com/category/61494f00ce2a280016ae9783#page-top

Misc
- https://help.classmates.com/hc/en-us/sections/115000561872-Updating-Your-Info
- https://www.reddit.com/r/freebies/
- http://www.listyourself.net
- https://www.softwaretestinghelp.com/top-product-testing-websites/
- https://www.pykal.com/pages/producttestersa
- https://dollarsprout.com/get-paid-to-test-products/

Privacy/Security – Email Management v.5.2022
Difficulty: Basic

Email Services & Private Domains

In this lesson we will cover two primary areas of email management: third-party email services which offer privacy/security benefits, and configuring email for private domains. The former is pretty straightforward, and we will mostly be talking through which email services we favor and how they fit into our personal and professional workflows. The second portion of the lesson will talk about hosting email using private domains. We previously covered advice on selecting and purchasing private domains in this lesson: https://www.inteltechniques.net/courses/take/open-source-intelligence/lessons/18152891-purchasing-domains-privately-v-11-2020


Sample Breakdown by Type & Use Case

Below we will illustrate how you might set up various email services by sharing some of our own choices and use cases. You do not need to emulate our setup exactly. This is here to give you ideas on how you might structure your own email services.

• Professional Accounts – These are typically business accounts used for correspondence and communication for overt business matters.
• OSINT – Seed email addresses for account creation
• OSINT – Private email for colleague and client correspondence
• OSINT – Forwarder accounts for signing up for 3rd party services
• OSINT – Private domain accounts
• Personal – Forwarders for personal junk accounts
• Personal – Personal privacy/security control accounts
• Personal – Family accounts
• Personal – Private domain accounts
• Other – You will likely have some additional categories unique to your professional and personal needs.

We will not address enterprise or large-scale professional email management as it is beyond the scope of this lesson, and in most scenarios this will be managed by your employer. Just make sure to include any of those other email addresses in your password managers.

Using my own setup as an example, here are some examples of how I break up my services and accounts by use case. Note, this does not take into account email addresses managed by employers or, in my case, government accounts, as those are typically managed by the employer and beyond the scope of this lesson.

Professional Accounts: These are accounts used for business and correspondence with colleagues and clients. Preferred services: private domains or logical addresses set up in Protonmail or Fastmail. A key feature of using a private domain for email is that we can move our service and prevent interruption if Protonmail or Fastmail were to go out of business. The naming conventions for these accounts typically reflect the professional entity or the full name of the investigator. These are overt business accounts with good unique passphrases and multi-factor authentication set up on each account. If you decide to utilize a private domain, make sure to set a reminder to renew your domain registration. The last thing you would want is someone stealing away your domain and all associated email traffic by allowing your domain to lapse. An example would be [email protected], [email protected], or Jason.edison@inteltechniques.com.

Account Control: You may also have business accounts which are more permanent than the burner accounts you use for OSINT work.

OSINT Accounts: These stay completely isolated from all personal accounts and services. These are primarily used for signing up for online services or creating covert online accounts.

Infiltration Addresses: These are isolated individual email addresses used for communications and accounts used on long-term cases and/or target infiltrations. (Protonmail)

Utility/Account Control: These are emails used to sign up for other online accounts and services. For example, if I need to sign up for API access to a particular online service, I might use one of my forwarding address services (SimpleLogin, AnonAddy, Blur, etc.). Most of these accounts are "burners" or accounts which are not critical or valuable, so using semi-disposable addresses is fine.

Junk: Junk accounts are those used to sign up for various online services where we expect that service to abuse the privacy of our address. We know they will likely sell whatever data we give them to brokers and 3rd parties, so we like to use forwarders/masking services for this category. We give the services a temporary masked email so that we can trash that email address later once it starts to get abused with spam and the like. (SimpleLogin, AnonAddy, Blur, 33Mail, etc.)

Personal Accounts: Our personal accounts stay isolated from all professional accounts. I like to further compartmentalize these by use case.

Personal Communication (Family/Friends): This is a dedicated email address or addresses used for correspondence with family and friends. We isolate this from our other use cases because we expect family and friends to have imperfect security, and the chances of them leaking our email are high. For example, we would not also use this email address for banking or anything sensitive. (Typically, this is a Protonmail address or a private domain hosted on Protonmail.)

Finance/Sensitive Account Control: Any accounts tied to personal finances, medical, or other sensitive information should have their own address. Typically, in my setup this is a dedicated Protonmail address or a private domain hosted on Protonmail.

Account Control: These are addresses used for creation and control of any personal accounts such as social media, gaming, hobbies, etc.

Junk: These are forwarding and masked addresses for use in signing up for any online services with poor security and where they are likely to resell our user data. Everything from newsletters to online communities. Often for these junk addresses we will use naming conventions which describe the services they are associated with. See the video lesson for an example of this.


Third Party Email Services

Below is a list of third-party email services which we use for various personal and professional purposes. Although there is no one-size-fits-all email solution, many of these were chosen because they offer privacy/security advantages OR they fit into our workflow for managing accounts and "junk mail." These services typically provide one or all of the following features: encryption, privacy-respecting terms of service, email masking/forwarding, dedicated subdomains, and/or use of private domains.

Encrypted and/or Privacy Respecting Webmail Services

These are the three services which are privacy focused and have proven track records. They are listed in order of preference based on privacy features and adoption rates.

Protonmail – Protonmail is our number one choice for private, encrypted email due to its highest-in-class adoption rate. This is important because emails are only encrypted if both parties are on the same platform. So Protonmail to Protonmail is encrypted. Protonmail sent to a Gmail address loses its privacy benefits because Gmail will scan and retain the email contents. https://protonmail.com/privacy-policy Protonmail is based in Switzerland. One of the reasons we like Protonmail is the results of independent audits: https://protonvpn.com/blog/no-logs-audit/

Tutanota – Tutanota is second behind Protonmail for privacy-focused email services, and this is mostly because it has a smaller user base. It is a fine service, but most of us have more colleagues already in the Protonmail ecosystem. https://tutanota.com/privacy/ Keep in mind that when sending encrypted emails to external mail services (people who are not on Tutanota), additional steps are required: https://tutanota.com/faq/#encrypted-emails-external. Tutanota is based in Germany.

Fastmail - Fastmail is not end-to-end encrypted but is privacy respecting overall. It is in a less privacy respecting country than Protonmail https://www.fastmail.com/privacy-and-security/ Fastmail is hosted in Australia. Here is a third party review comparing Fastmail to the more secure options above https://restoreprivacy.com/email/reviews/fastmail/. In short, it’s not bad, it’s just not as good overall.

Masked Email Providers & Forwarders

This category represents email services we use primarily for email masking and "burner" accounts. These services all allow you to create multiple email addresses which will then forward to an account of your choosing. We use these addresses to sign up for services where we do not trust the business or site requesting an email address. For example, if I wanted to sign up for a free account at https://www.instructables.com/ I would use a "burner" address so that if the site gets hacked or if they resell my data, I won't end up with my Protonmail or other real address getting exposed in breaches or by data brokers. So for https://www.instructables.com/ I would use my SimpleLogin address of [email protected], which is a burner forwarding address I set up on SimpleLogin. Any email sent to that address forwards to one of my Protonmail addresses.

SimpleLogin – SimpleLogin is my preferred email forwarder. They have paid and free tiers. They support random and subdomain addresses. I have had very good luck and good service from them. They were recently acquired by Protonmail, so I would expect more integrations between the two. https://simplelogin.io/privacy/

AnonAddy – AnonAddy has been a popular email forwarder option for quite a few years. Although SimpleLogin has surpassed it in popularity within our training circles, it remains a solid option. Another consideration is that Protonmail now owns SimpleLogin, so if you are a Protonmail user you may want an option in your arsenal that is not tied to Protonmail. https://anonaddy.com/faq/

Blur – Blur offers email masking which will provide you with addresses that forward to other email accounts of your choosing. So, you just create a free Blur account, associate a secondary email such as a Protonmail address, and then your Blur account will provide you with burner addresses which all forward to your Protonmail or email of choice. https://dnt.abine.com/#dashboard and their privacy policy: https://www.abine.com/legal.html

33Mail – 33Mail is a simple email forwarder where you can set up a subdomain and all emails to that subdomain get forwarded to an email of your choice. For example, [email protected] gets forwarded to one of my Protonmail accounts, so I can use [email protected] to sign up on garbage sites and not have to worry about the site getting hacked or my data sold by the site owners. If I start to get spam from that address I can just turn off the forwarding, and this way my Protonmail address is not given to any of these risky sites. 33Mail has the worst privacy policies of the three, which is why it is my last choice: https://www.33mail.com/tos

Mainstream Freemail (Not private but possibly useful)

These email services are free and popular, but they are not very privacy respecting. That being said, for some of us they have use cases. For example, Gmail accounts make fine junk accounts as long as you understand that Google scans all emails and uses the data to push ads and control content you see on other Google services. It’s up to you to decide if some of these are appropriate for less sensitive communications, or maybe you just have some legacy accounts which you cannot get rid of because important contacts may use them to reach you. As always, we recommend viewing the privacy policy for these services and also reviewing your account settings to see if you can dial up the privacy a bit more. Most of these involve using the platform’s cloud services, which add varying degrees of privacy complications. These are not services we use for privacy’s sake, but again they have use cases.

iCloud - https://support.apple.com/en-us/HT202303
Outlook – https://answers.microsoft.com/en-us/outlook_com/forum/all/outlook-email-privacypolicy/ab5094cb-630a-46a1-83fd-2c6f751203c4 & https://www.thewindowsclub.com/outlook-com-privacy-settings
Gmail - https://safety.google/intl/en_us/gmail/
Yahoo - https://legal.yahoo.com/us/en/yahoo/privacy/index.html
Mail.com - https://www.mail.com/company/privacypolicy/

3 Strategies & Compartmentalization

More than just knowing which services to use, it is important to understand that at the end of the day your privacy and security are dependent on using best practices across the board. This means paying attention to how you use the email addresses that you are creating and avoiding cross-contamination whenever possible. For example, I am never going to use one of my burner OSINT email addresses for personal business, and vice versa.

4 Hosting Email for Private Domains

We discuss how to obtain a private domain (web site address) in another lesson (https://www.inteltechniques.net/courses/take/open-source-intelligence/lessons/18152891-purchasing-domains-privately-v-11-2020) and one of the main reasons for doing so is to facilitate the creation of email addresses. Therefore, this section covers some tips on setting up email for your private domain. This is not the only way to manage email for a private domain, so your own setup may vary. We wanted to provide some basic steps for those setting up email service on their domain for the first time.

1. Purchase a private domain following the steps in the link above or using another method or hosting provider of your choosing. I primarily use hostmatters.com for hosting these days as they support private purchasing, but Namecheap.com is another popular option for domain registration and hosting.

2. Option #1: Now that you have your private domain (ie: jasonedison.com) you can either set up hosting on the same provider where you registered your domain or you can use a third party service. In the example of those using Namecheap, you can get hosting for one email account for about $1 a month. https://www.namecheap.com/hosting/email/ Once you set up hosting, your provider will have a page detailing how to either view email via their web client or how to serve the emails out to another email service or software, such as Outlook or Thunderbird. https://www.namecheap.com/support/knowledgebase/article.aspx/1165/2215/how-to-order-namecheap-private-email/

3. Option #2: Set up your private domain with a third party email service such as Protonmail. This is the preferred option, although you can also similarly set up your private domain on Fastmail, Tutanota, or SimpleLogin depending on which tier of account you have. Often use of a private domain is only available on paid tiers. Let’s go through the steps to set up a private domain on Protonmail:
a. Use of a private domain on Protonmail requires that you have one of the paid plans.
b. Settings → ProtonMail → Domain Names
c. Click on “Add domain”.
d. The wizard will walk you through setup, but you will need to change your DNS records, and Protonmail provides guidance on this; for example, here are the steps for Namecheap: https://protonmail.com/support/knowledge-base/dns-records/. The record is changed with the provider that sold you the domain, in this case Namecheap. https://protonmail.com/support/knowledge-base/dns-records-namecheap/ is another good example where they walk you through changing the DNS record. So again, to be clear, you are making the DNS record change via the company where you purchased/registered your domain (hostmatters, namecheap, etc.). Godaddy is not a recommended provider despite its popularity.
e. In my example I am setting up email on Protonmail but I bought my domain via hostmatters. My hostmatters account is where I will make the DNS record change and my Protonmail account is where I will add the domain. Protonmail walks us through the process with a wizard, which makes the process painless. Again, you will need to make changes both on your Protonmail account and also wherever your domain is registered. Refer to my video to watch my example of going through this process.

SimpleLogin: Another third party option for hosting your private domain email is SimpleLogin, and you can find their confirmation steps here: https://simplelogin.io/docs/custom-domain/add-domain/.
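Once the wizard finishes, it is worth checking that the records you entered at the registrar actually cover mail delivery (MX), sender authorization (SPF), signing (DKIM) and spoofing policy (DMARC). The script below is an added example, not part of these notes and not Proton's or any provider's tool; it works offline on constructed zone data (placeholder provider hostnames and selector) that stands in for what your registrar's DNS panel or a dig query would show, and flags the weak configurations a first-time setup commonly leaves behind.

```python
"""Offline sanity check of the DNS records a custom mail domain needs.

Added example, not from the IntelTechniques notes and not any provider's
tool. No network lookups: the zones below are constructed stand-ins for what
the registrar's DNS panel shows. Provider hostnames and the DKIM selector
are placeholders; substitute the values your provider's wizard prints.
"""
import re

DOMAIN = "example-private-domain.test"  # constructed, not a real domain

# Constructed "good" zone, keyed by (owner name, record type).
GOOD_ZONE = {
    (DOMAIN, "MX"): ["10 mail.provider.example.", "20 mailsec.provider.example."],
    (DOMAIN, "TXT"): ["v=spf1 include:_spf.provider.example ~all",
                      "provider-verification=placeholder-token"],
    ("_dmarc." + DOMAIN, "TXT"): ["v=DMARC1; p=quarantine; rua=mailto:dmarc@" + DOMAIN],
    ("selector1._domainkey." + DOMAIN, "CNAME"): ["selector1.domainkey.placeholder.provider.example."],
}

# Constructed "weak" zone: what a half-finished first setup often looks like.
WEAK_ZONE = {
    (DOMAIN, "MX"): ["10 mail.provider.example."],
    (DOMAIN, "TXT"): ["v=spf1 +all"],
    ("_dmarc." + DOMAIN, "TXT"): ["v=DMARC1; p=none"],
}

# What the provider's wizard said to create (placeholder values).
EXPECTED = {
    "mx": {"mail.provider.example", "mailsec.provider.example"},
    "spf_include": "_spf.provider.example",
    "dkim_selectors": ["selector1"],
}


def _records(zone, name, rtype):
    return zone.get((name, rtype), [])


def check_mx(zone, domain, expected_hosts):
    """Every MX host the provider listed must exist, or mail silently bounces."""
    found = {rr.split(None, 1)[1].rstrip(".").lower() for rr in _records(zone, domain, "MX")}
    return [f"MX missing: {h}" for h in sorted(expected_hosts - found)]


def check_spf(zone, domain, expected_include):
    """One v=spf1 record, naming the provider, ending in a restrictive 'all'."""
    spf = [t for t in _records(zone, domain, "TXT") if t.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return [f"SPF: expected exactly one v=spf1 TXT record, found {len(spf)}"]
    terms = spf[0].split()[1:]
    findings = []
    if f"include:{expected_include}" not in terms:
        findings.append(f"SPF: missing include:{expected_include}")
    tail = terms[-1] if terms else ""
    if tail in ("+all", "all"):
        findings.append("SPF: '+all' lets any host on the internet send as this domain")
    elif tail not in ("~all", "-all"):
        findings.append("SPF: record should end with ~all or -all")
    # Receivers stop evaluating after 10 DNS-querying mechanisms (RFC 7208).
    lookups = sum(1 for t in terms
                  if re.match(r"^[+\-~?]?(include:|a\b|mx\b|exists:|redirect=)", t.lower()))
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup mechanisms exceeds the limit of 10")
    return findings


def check_dmarc(zone, domain):
    """p=none only reports; quarantine/reject is what actually blocks spoofing."""
    txt = _records(zone, "_dmarc." + domain, "TXT")
    dmarc = [t for t in txt if t.replace(" ", "").lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        return [f"DMARC: expected one v=DMARC1 record at _dmarc.{domain}, found {len(dmarc)}"]
    tags = dict(kv.strip().split("=", 1) for kv in dmarc[0].split(";") if "=" in kv)
    policy = tags.get("p", "").strip().lower()
    findings = []
    if policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: policy p={policy or '<missing>'} does not enforce anything")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you will never see failure reports")
    return findings


def check_dkim(zone, domain, selectors):
    """Each selector the provider issued needs its CNAME so signatures verify."""
    return [f"DKIM: no CNAME at {s}._domainkey.{domain}"
            for s in selectors if not _records(zone, f"{s}._domainkey.{domain}", "CNAME")]


def check_domain(zone, domain, expected):
    """Collect every finding; an empty list means the records look complete."""
    return (check_mx(zone, domain, expected["mx"])
            + check_spf(zone, domain, expected["spf_include"])
            + check_dmarc(zone, domain)
            + check_dkim(zone, domain, expected["dkim_selectors"]))
```

Run `check_domain(GOOD_ZONE, DOMAIN, EXPECTED)` for an empty finding list and the same call on `WEAK_ZONE` to see the six problems it reports; mail-tester.com (linked below) then confirms the live records from the receiving side.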

5 Articles and Resources

We always like to include some articles which reflect other opinions on the assorted topics we cover. Always keep in mind that some sites receive kickbacks for reviews and ratings so always read with a critical eye.

https://restoreprivacy.com/email/secure/ | Restore Privacy Email Provider Reviews
https://proprivacy.com/email/comparison/secure-privacy-email-options | Comparison
https://theprivacyguide.org/tutorials/email-client-privacy-comparison.html | Comparison Privacy Guide
https://tutanota.com/email-comparison/ | Note that this is by Tutanota so probably not objective
https://app.anonaddy.com/register | Anonaddy email forwarding
https://anonaddy.com/#pricing | Anonaddy Plan Comparison
https://abine.com/ | Abine Blur
https://33mail.com | Mail forwarding (less privacy respecting)
https://beta.fastmail.com/ | Fastmail
https://outlook.com | MS Free Email
https://safety.google/intl/en_us/gmail/ | Gmail Settings
https://www.namecheap.com/hosting/email/ | Namecheap Hosting
https://www.namecheap.com/support/knowledgebase/article.aspx/1165/2215/how-to-order-namecheap-private-email/ | Setting up email on Namecheap
https://simplelogin.io/docs/custom-domain/add-domain/ | Custom Domain on Simplelogin
https://simplelogin.io/docs/subdomain/new/ | Subdomain on SimpleLogin
https://www.youtube.com/watch?v=KxK5Mq8LfAg | Simplelogin overview
https://www.reddit.com/r/Simplelogin/ | SimpleLogin Subreddit
https://protonmail.com/support/knowledge-base/set-up-a-custom-domain/ | Set up a private domain on Protonmail
https://proton.me/support/custom-domain | Custom Domains at Proton
https://www.reddit.com/r/protonmail | Proton.me subreddit
https://www.youtube.com/watch?v=WU7xg-EipJU | Video Overview Adding Custom Domain to Proton.me
https://www.mail-tester.com/ | Mail Tester
https://www.youtube.com/watch?v=frhqezLi 2Q | Video Custom Domain setup on proton.me
https://ap.www.namecheap.com/Domains/DomainControlPanel/ | Namecheap CTRL Panel (must be logged in)
https://miranda.hmdnsgroup.com:2222/user/dns | Hostmatters DNS Control (must be logged in; your own link may vary)

6 Examples of Email Folders/Labels on Proton.me

(example provided by member Jun https://matrix.to/#/!KtioSOJclafqAdZgIf:matrix.org/$s92YdHdkeMxBQPz5rFINGotncecIR1uUQe9h6qy8P E4?via=matrix.org&via=secretsquirrel.ems.host&via=tchncs.de)

16Security10DaySecurity.md

7/23/2021

Ten Day Security v.10.2020

About This Guide

This ten-step security guide should not be considered "Extreme Privacy" or only relevant to some situations. These are essential steps that everyone should complete. Some will find that they have already taken care of many digital security measures, while others may find this a more daunting undertaking. Either way, keep in mind that this is effort up front that will spare you a huge amount of hassle in the long run. As someone who works with victims of cyber-crime daily, I can say the damage tends to be long lasting and much more exhausting than the preventative steps listed here. Although laid out as a ten-day exercise, take it at your own pace and spread out the work in a manner that allows you to be successful without feeling overwhelmed. Some may choose to power through everything in a day, while others might make it something they pick at a little each weekend. The goal is to break security down into actionable steps: bite-sized pieces that anyone can work into their busy lives. This is not "all or nothing". If any step is a deal-breaker, skip it with the understanding that doing so may leave a vulnerability in place. We all have lives to live and it is understood that some of these methods may not work for everyone's lifestyle. If you finish these steps and find yourself wanting more, consider moving on to a more in-depth privacy campaign. Some find "disappearing" in the modern age of technology a rewarding long-term challenge. For those, I recommend Michael Bazzell's newest book, Extreme Privacy: What It Takes to Disappear (3rd Ed.). For the rest, the following steps will put you well ahead of the crowd in regards to security and privacy. We always say that when hiking in bear country, do not be the slowest runner. Once you complete this training you will be in good shape.

1.1 Day One - Start Your Security Journal

We are going to start off this effort by taking the time to make a solid privacy & security plan. The following steps may seem simple, but they will set us up for success as we move forward with more specific action items. This does not need to be complicated, and operational security always benefits from simplicity. Therefore, we will start out with a planning stage that should only take a matter of minutes to complete.

1.1.1 -- Security Notebook

1. You will need a paper notebook or binder to store notes related to your privacy and security work. It does not have to be fancy, and I do not like using electronic formats for such sensitive information.
2. Find a secure location to store your notebook and make sure it does not leave your home. In my case, I chose to use a simple Moleskine journal which lives in the fire safe in my office. I only work with this notebook in my home office and it never leaves that room. Make a strict rule for yourself regarding where this notebook will live and how it will be accessed. Paper is just about the most private method of data storage if it stays in a secure and private environment. This journal is for sensitive, infrequently accessed information, so a secure, private location is the important thing. It is not, and probably should not be, convenient to use.
3. Find a reliable pen that will live with your journal and write your start date on the inside cover. Although this is specifically for our 10 day effort, many people go on to use this notebook as a long term security journal.

That is it, you are done with your first task. Step Two will be a little more involved, but we will use our journal throughout our security makeover, so it was important to establish a secure place to store our analogue notes. Just like our offensive intelligence work, taking the time to construct an actionable plan will reap rewards in both effectiveness and efficiency further into the process.

1.2 Day Two - Secure Your Passwords

Weak and recycled passwords are the most common vulnerability for most people. A weak password is anything under 12 characters and a recycled password is one that has been used on more than one account. If you have not yet completed the video course, the sections covering passwords and breaches explain in detail why this step is so important. Our end goal is to have a unique long passphrase (something closer to 30 characters in length) for each of our accounts.

1.2.1 -- Password Manager

1. If you already have a password manager that you are comfortable with, go to the corresponding website and review the privacy/security policies. Your existing password manager must support multi-factor authentication. Using SMS (a text message) for authentication is better than nothing, but the popularity of "SIM-jacking" or cloning cell numbers is a major weakness. Whenever possible, using an authenticator such as Authy or the Google Authenticator is advised.

2. If you do not yet have a secure password manager, subscribe to one of the following. They are companies with good track records which offer multi-factor authentication. The benefit of using a popular, mainstream manager is that the company has a lot to lose if it messes up and has a high level of resources to put into securing your data. Multi-factor authentication and heavy encryption are key. We always warn against using free products for security as they typically mine your data. If you wish to test a trial version of these products, they are an exception to that rule, although we recommend moving on to a paid plan. Your security is worth it. Here are our recommended managers from most to least private/secure:
KeePassXC
Bitwarden
LastPass
1Password
Dashlane
Note: KeePass is the most secure option in that it is well encrypted and offline. It is also free and open source. The downside is lack of convenience. As it is offline, you will be limited where you can access it and the setup can be difficult for a layperson. https://keepassxc.org/docs/KeePassXC_GettingStarted.html

3. Set up your password manager based on security best practices. Turn on multi-factor authentication (MFA, sometimes referred to as 2FA) for:
LastPass
1Password
Dashlane
KeePassXC - Being offline, KeePassXC is much less dependent on MFA safeguards, but if you choose you can add a YubiKey or other hardware key as a secondary security measure: https://keepassxc.org/docs/#faq_yubikey_2fa
Syncing your password manager to the cloud is not as secure as only using it offline, but for most of us "online syncing" between devices is necessary functionality. If you choose to enable cloud sync, ensure that you have MFA in place. Now install the associated extensions and apps on your browsers and devices. The reason we do not push harder for using offline password managers is that we have found that if your system for integrating password management is too cumbersome, most people will avoid using it, which is much worse. The master passphrase that is used to secure your password manager must be strong. Use a long phrase that is at least 20 characters. Example: Doritosrokwhenyurhungry#89. Write this master passphrase down in your security notebook (remember this is living at home in a safe or other secure location).

4. Password Migration & Audit: Collect your account logins from any current sources: other password managers, notebooks, post-it notes, etc. As you enter accounts, log into their corresponding sites and update the passwords to "passphrases" using the generator in your password manager. Remember, a password is short, a passphrase is exceptionally long. The manager is storing it for you, so there is no reason to use anything less than 30 characters unless the site hosting that account limits your options. Most password managers have an audit function where they will look at all your entries to ensure that no passphrases are repeated or too short. It is good to run this audit periodically to make sure all your accounts are squared away.

5. Multi-factor Authentication (MFA): As mentioned in section one, MFA is essential to protect your password manager, so the master passphrase to unlock your password manager must be reinforced by multi-factor authentication (sometimes referred to as 2FA, which means specifically two-factor authentication). In addition to your password manager, review any critical accounts such as banking or social media and add MFA. Authy has a great guide on enabling MFA on various platforms: https://authy.com/guides/. If you want to take it a step further, consider using a hardware key as your second factor, such as a YubiKey: https://www.yubico.com/why-yubico/for-individuals/. Note: This step can be laborious if you have not used a password manager before. If need be, take care of your most sensitive accounts first, such as financial, and then revisit more basic accounts in another sitting. Review the password video if you need further guidance working through these steps.
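The audit in step 4 applies two rules from this lesson: anything under 12 characters is weak, and anything used on more than one account is recycled, with 30 characters as the target. The script below is an added example of that audit, not any password manager's built-in feature; the vault entries are constructed sample data (a real run would read your manager's CSV export locally), and the generator draws from the OS CSPRNG the way a manager's generator does.

```python
"""Local audit of password-manager entries for the faults the notes name.

Added example; not a feature of any password manager. Entries below are
constructed sample data. A real run would read the manager's CSV export
from disk and the data would never leave the machine.
"""
import secrets
import string
from collections import defaultdict

WEAK_BELOW = 12   # "a weak password is anything under 12 characters"
TARGET = 30       # "something closer to 30 characters in length"

# Constructed vault: (site, username, password). Passwords are sample values.
SAMPLE_VAULT = [
    ("bank.example",  "jdoe",  "Summer2021!"),                      # 11 chars: weak
    ("shop.example",  "jdoe",  "blue-kettle-orbit-42-lantern"),     # 28 chars, reused below
    ("forum.example", "jdoe2", "blue-kettle-orbit-42-lantern"),
    ("mail.example",  "jdoe",  "Mx7!pRq2vL9#zT4wKb8$nH3yJd6Gs0"),   # 30 chars, unique
]


def audit(vault, weak_below=WEAK_BELOW, target=TARGET):
    """Classify every entry; reuse is detected across the whole vault, not per site."""
    by_password = defaultdict(list)
    for site, _, pw in vault:
        by_password[pw].append(site)
    weak = sorted(site for site, _, pw in vault if len(pw) < weak_below)
    below_target = sorted(site for site, _, pw in vault
                          if weak_below <= len(pw) < target)
    reused = sorted(sorted(sites) for sites in by_password.values() if len(sites) > 1)
    return {"weak": weak, "below_target": below_target, "reused": reused}


def rotation_order(report):
    """Sites to rotate first: weak or reused ones, then anything merely short of target."""
    first = set(report["weak"]) | {s for group in report["reused"] for s in group}
    return sorted(first) + sorted(set(report["below_target"]) - first)


def generate_passphrase(length=TARGET, site_max=None):
    """Random passphrase from a CSPRNG, shortened only when a site caps the length."""
    alphabet = string.ascii_letters + string.digits + "!#$%&*+-=?@^_~"
    n = min(length, site_max) if site_max else length
    return "".join(secrets.choice(alphabet) for _ in range(n))
```

`rotation_order(audit(SAMPLE_VAULT))` lists the bank, forum and shop entries, in that order, as the ones to fix in the first sitting.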

1.3 Day Three - Secure Your Mobile Devices

Mobile devices are the biggest threat to our digital privacy. We need to limit access to the contents of our phones and also limit the phone's access to our critical and personal data.

1.3.1 -- Passcodes

Change your unlock/passcode to a stronger setting. Biometrics are not recommended because if someone steals your biometrics, you cannot get new ones.

1. iOS Passcode Settings
Apple Account Passcode: Settings -> Select your Apple ID at the top -> Password & Security -> Make sure two factor authentication is on and update the passcode for your Apple account to something very strong (this is your Apple account passphrase, not your device passcode).
Now update your device passcode: Settings -> Touch ID & Passcode -> Change Passcode -> Passcode Options -> Custom Alphanumeric Code (this is the strongest option). Write down your device passcode and your Apple ID passcode in your security journal.

2. Android
Android has many flavors based on brand. Remember that with the constantly changing security settings, the best approach is to go through every setting in the privacy tab: Settings -> Advanced -> Privacy. The selections are logical: uncheck everything that shares data out and stop sharing your location, no personalization, no sharing of diagnostic data. Delete any apps that you do not need and check permissions on any you keep. A good guide can be found at https://restoreprivacy.com/secure-android-privacy/

1.3.2 -- Device Settings

Apple is constantly changing iOS device settings with each update and Android settings may differ across manufacturers. That is why it is important to browse through all your device settings to familiarize yourself with the current options. Pay special attention to anything related to privacy, security, location, and applications. As you work through these steps, Apple may have just dropped an update that changes settings options, so it is a good practice to do an online search for recent articles. Browse to Duckduckgo.com on your privacy focused browser (Firefox or Brave) and search for "iOS security settings". Change the date filter to "Past Month" and the phone type to suit your situation. https://duckduckgo.com/?q=ios+privacy+setttings&t=hk&df=m&ia=web

1.3.3 -- Apps

The number one threat on most mobile devices is the apps, especially free apps. With few exceptions, free apps are mining your data and selling it. One possible exception is apps that accompany a paid product, such as a companion app or a "try before you buy" product.
1. Remove any unused or blatant privacy offending apps from your mobile device.
2. Review application permissions in your device settings and restrict data access as much as possible for any applications that you choose to keep. Top offenders often have access to contact, camera/microphone, and geolocation data.
On iOS: Settings -> Privacy -> (review each data type: photos, contacts, etc.). Consider turning off Location Services completely. You can always turn it back on if you need to fire up Google Maps for navigation and then turn it back off again.
On Android: Settings -> Apps & Notifications -> Advanced -> App Permissions -> (review each data type to see which apps have access and toggle those permissions accordingly)

1.4 Day Four - Secure Your Accounts

As you work through your accounts, double check that you have updated passphrases and entered them into your password manager. Also make sure that you have enabled multi-factor authentication for any accounts that offer it.

1.4.1 -- Social Media
Remove Unwanted Accounts -- Properly close any accounts that you no longer wish to maintain; do not just abandon them. https://www.accountkiller.com/en/home or https://justdelete.me
Settings -- For your remaining social media accounts, go into settings and review the privacy/security options. Like mobile devices, these tend to change over time, but most of the choices are intuitive; it's just a matter of looking at them periodically, which most people do not do. https://staysafeonline.org/stay-safe-online/managing-your-privacy/manage-privacy-settings/
Review photos & videos -- Consider removing face shots as profile photos as those are often public. Are there any photos on your account that unintentionally share private information, such as an address or other visual overshares in the background? Are there any photos that you would not be proud of if an employer were to see them?
Friends -- Check your friend settings to limit who can see what and who can contact you. If only friends can message you, then an extortionist will not be able to send you that scam message.
Social Media is Public -- Assume everything posted to social media will eventually become public. Social media is one of the first places that people will look to find information about you, whether for good purposes or bad. Criminals, employers, and acquaintances will all eventually scour through your online profiles, so always keep that in mind when posting and sharing personal information online.

1.4.2 -- Financial
1. Every financial account must have a strong passphrase and two-factor authentication enabled. If your financial institution does not support both functions, get a new one.
2. You may wish to only save your most valuable account credentials in your offline security journal vs your online password manager.

1.4.3 -- Everything Else
For most people this will primarily be entertainment accounts such as Netflix, but also things like e-commerce. The possibilities here are far too numerous to list, but a good approach is to look at your password manager for an idea of what sites might need their privacy/security settings adjusted.

1.5 Day Five - Secure Your Computers

Like our mobile devices, when it comes to personal computers we want to limit who can access them and what personal details they collect. Think of it as your digital house: you want to keep strangers out, and even if you invite someone in, you do not want them to be able to see straight into your shower. As with all sections of this guide, if you are confused by any steps please refer to the corresponding video training at Inteltechniques.net.

1.5.1 -- Windows OS (PC)
Windows is arguably the least secure operating system and requires the most care to secure.
1. When you install Windows, uncheck any settings that give Microsoft your data. Consider NOT using a Microsoft account, but rather create an offline login only. https://www.makeuseof.com/tag/complete-guide-windows-10-privacy-settings/
2. If you are using a Microsoft account associated with your PC, control what Microsoft collects: https://support.microsoft.com/en-us/help/4027945/windows-change-privacy-settings-in-windows-10
3. Anti-Malware - Windows 10 has Windows Defender built in. Additional layers of protection can be obtained using Malwarebytes, preferably the paid option (their free trial is fine).
4. If you are using a laptop, full disk encryption is a must: Windows has BitLocker built in and the wizard will walk you through encrypting your drives. Make sure to print and save any keys.

1.5.2 -- Mac OS
1. Enable Encryption: System Preferences -> FileVault
2. System Preferences -> Security & Privacy: Turn off Location Sharing
3. System Preferences -> Security & Privacy: Limit Ad Tracking
4. System Preferences -> Security & Privacy -> Contacts: Disable Application Access to Contacts
5. System Preferences -> Security & Privacy: Photos, camera, and microphone; examine each category and remove access accordingly
6. System Preferences -> Security & Privacy: Select Analytics and uncheck all
7. System Preferences -> Siri: Uncheck the Enable Siri box
8. https://www.malwarebytes.com/mac/
9. https://www.apple.com/macos/security/

1.5.3 -- Chrome OS
Chromebooks are inherently not private because it is Google, but we can tweak some things to make it less invasive. Keep in mind that securing your Google account will have a direct effect on your Google device. I consider any work on a Chromebook to be shared with Google, but if you must use one of these devices (some schools require them) you can lock them down a little more.
1. Settings -> Privacy and Security: go through each section and disable any function that shares data with Google
2. People -> Sync: disable all syncing
3. Settings -> Content Settings -> Location: disable location sharing
4. People -> Addresses: Disable autofill
5. People -> Payment Methods: Disable autofill
6. Settings -> Privacy and security -> Content settings -> Cookies: Block third-party cookies, keep local data only until you quit the browser
7. Change the default search engine to DuckDuckGo and disable Google Assistant

1.5.4 -- Linux
If you are using Linux as your daily driver you already know more than can be concisely covered here. Refer to the online training for more specific Linux security and privacy tweaks if you are an Ubuntu user. Linux is a smaller target for things like malware, but you will still want to use your Google skills to research the latest recommended settings for the distro that you are using. https://help.ubuntu.com/community/Antivirus

1.5.5 -- Backups
One of the best defenses against ransomware is to back up your most valuable data to offline storage. I recommend backing up to an external hard drive, which are very inexpensive these days. Use your operating system's built-in backup functionality to save documents, photos, and anything else irreplaceable.
1. Windows - https://support.microsoft.com/en-us/help/4027408/windows-10-backup-and-restore
2. Mac - https://support.apple.com/mac-backup
3. Chrome - If you are using ChromeOS you are already backing your data up to your Google account (with the associated privacy tradeoffs).
4. Linux - One option is rsync: https://www.howtogeek.com/427480/how-to-back-up-your-linux-system/

1.5.6 -- Browsers
Browser security is covered at length in the training, but here are some top items to check.
1. Chrome is powerful and not private; use Brave or Firefox for your personal browsing.
2. For each browser go to the menu on the top right and select settings. Go to the privacy/security tab and review all settings. Adjust anything that uses or shares your personal data or location.
3. Install privacy add-ons: uBlock Origin, HTTPS Everywhere, and your password manager.
4. Setting up "syncing" for your browser by logging into a Firefox or Google account is convenient, but a huge drain on your privacy as it is literally them building a profile of all your behaviors.
5. Compartmentalize -- Use Chrome if you need a powerful browser for OSINT and Brave or Firefox for your personal browsing. Using a different browser for your personal life makes it easier to prevent cross contamination.
Note: Compartmentalization is a key component of both security and privacy. We want to draw distinct lines between devices, accounts, and services used in different portions of your life.

1.6 Day Six - Secure Your Network

Your mobile devices and your personal computers undoubtedly connect to your home network, so it is our next stop in protecting your data.

1.6.1 -- Modems/Routers

Your modem connects to your internet service provider via cable, fiber, satellite, or cellular. Your router manages the traffic on your network. For some these are separate devices, but if you are using a single box supplied by a cable provider you likely have a hybrid modem and router in one enclosure. For security we are primarily interested in the router function as that typically handles connections and security. Some all-in-one boxes also provide wireless, which we will cover in the next section.

Protecting your router:
1. Log into your administrative panel using the information provided when they installed your internet access. They will have given you an IP address which you enter into a browser to log in. It will look something like 192.168.0.1 (although your numbers may differ).
2. After using the credentials given to you by your ISP to log in, go to the administrative tab and choose to change the admin login. If it allows you to change the username from "admin" or "root", make it something unique such as "routercontrol". Next change the password from the default to a strong passphrase. Write this down in your security journal for safekeeping along with the IP address of your admin page. Hit save and it will likely force you to log back in with your new settings.
3. Again, on the administrative tab, go to the firmware section and have it check for updates. If any are available, update your router; you will have to log back in once it is complete.
4. Next, we will secure the WiFi, which will either have its own tab or on some units is under "Status", "Setup", or "Wireless". Once there, move to the next section for instructions on setup.

1.6.2 -- Access Points (WiFi)

A wireless access point is how you connect to WiFi. This might be a function of your main router, or a second dedicated box that only controls wireless access. Either way the settings are the same. Most modern units will come preconfigured with a primary network and guest network.
1. Primary Network -- This is for your trusted devices belonging to people who live in the home. On the settings tab change the "SSID" to something innocuous and unique. So, if the default is "Comcast WiFi", change it to something like "potato12_nomap". Putting _nomap on the end prevents Google from adding you to their mapping when the Google cars scan your neighborhood. Change the SSID so that it is not broadcast (make it hidden). By doing this you will need to enter the SSID manually when joining the WiFi from a device. It is not completely hidden but is less publicly visible to strangers. You will no longer see it in WiFi lists on devices and will need to choose "Other Network" when joining for the first time.
2. Guest Network -- This is for guests and untrusted devices such as security cameras. Repeat the above steps but name the SSID for this network something logical such as "potatoguest_nomap". This network provides internet access, but somewhat inhibits connected devices from accessing your trusted phones and computers on the primary network. You do not want that cheap insecure smart thermostat getting hacked and being used to access your main network and attached devices. If guests complain about the extra steps to connect, they are welcome to use their own cellular connection. If they complain, you probably do not want them on your network anyway because they likely have spyware on their devices.

1.6.3 -- Internet of Things (IoT)

Most home electronics now offer "smart" features and require an internet connection. These tend to be inherently insecure and are the most common source of compromise on a home network.

1. Avoid connecting smart devices to your home network, but if you must, put them on your guest network.
2. Consider putting these devices on an entirely separate router/access point to further isolate them from your primary devices and sensitive data.
3. Software such as Glasswire for PC (paid version) can be used to monitor connections on your network to help detect odd connections by your network devices.
4. The best option, if you absolutely must use IoT devices on your network, is to install a firewall to monitor and control the traffic. We recommend using a Protectli box and pfSense, which are both covered in the training and also in Michael's books.

Additional Resources:

1. RouterSecurity.org -- Very detailed descriptions and additional steps for securing your network.
2. Highspeed.tips/routers/ -- List of popular router brands, default logins, IPs, and sample admin pages.

1.7 Day Seven - Secure Your Credit

The best way to protect yourself from identity theft and other electronic fraud is to establish fraud alerts and/or a credit freeze with the major credit agencies. Keep in mind that a freeze may be a non-option if you have a forthcoming large purchase such as a home. A more in-depth guide can always be found at https://inteltechniques.com/data/workbook.pdf

1.7.1 -- Fraud Alert

Fraud alerts establish notification prior to the major credit agencies authorizing any significant line of credit. Anyone can get a 1-year fraud alert for free, and identity theft victims can request a 7-year fraud alert.

https://www.consumer.ftc.gov/articles/0275-place-fraud-alert
https://www.identitytheft.gov/#/Know-Your-Rights

1.7.2 -- Credit Freeze

A credit freeze restricts access to your credit report, so identity thieves are prevented from opening lines of credit in your name. In some ways it is less valuable in that it lacks the notification on fraud attempts. Credit freezes are now free by law, so you should not pay a third party to do them for you. You should freeze your credit with at least the three primary credit companies. Have your security journal handy as you go through this process, as the companies will issue you PINs that will be necessary when it comes time to later unlock your credit.

https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs#place

1.7.3 -- Government Sites

A recent criminal trend is the use of breach data to open federal IRS and state benefit accounts using your identity. One strategy to combat this is to "squat" your own Social Security Number (SSN) by opening an account before the criminals can. Most government systems will not allow two accounts with the same SSN. The obvious downside is putting information in another government database and having another login to manage. The IRS already has most of our information, so it may be worth it to go ahead and claim your account.

IRS -- The IRS system is very particular about the phone number you use and will not accept VOIP or other virtual numbers. https://www.irs.gov/payments/view-your-tax-account

State Benefit Accounts -- Use Duckduckgo.com to research the state employment benefits sites in your state. Log in to create an account and see what information they require. If they require only an address, SSN, date of birth, and name, it will be quite easy for someone else to sign up as you. In that scenario you may want to consider signing up yourself. Use a Protonmail or other secure email option, multi-factor authentication, and store any credentials in your security journal.

1.8 Day Eight - Remove Yourself from Online Databases

The process is often referred to as "opting-out" and involves removing your personal data from online search engine results and data brokers.

1.8.1 -- Stalk Yourself

You need to locate the data so that you can submit removal requests to the correct companies. The following resources reflect how most "stalkers" will start looking for you. Refer to the online OSINT training if you would like to improve your research skills and bring them up to par with more sophisticated cyber-criminals.

1. Download/print the workbook: https://inteltechniques.com/data/workbook.pdf
2. Google your name and employer or name and city. Example search: "Jason Edison" AND "San Diego". The first page of Google results is your top concern, especially if anything lists your phone number, home address, or immediate family.
3. Use other OSINT tools and people search engines to search your name, address, and phone numbers for publicly viewable personal data and associations.
4. As you locate information in online databases, look up the sites in the workbook. If you find sites that are not listed, consider a duckduckgo.com search of: sitename AND opt-out removal.
5. Create a new "burner" Protonmail.com email account and MySudo phone number for use in submitting opt-outs (or your private email/phone number of choice).
6. Note your progress in your security journal. That is also where I like to keep any paper correspondence or printouts related to my privacy campaign.

1.9 Day Nine - Misinformation Campaign

This step is not one that can be completed in an afternoon, so really this is about getting started. A misinformation campaign is all about using the data-brokers' and marketers' tactics against them. They are constantly after our phone numbers, email addresses, etc., and we are going to start feeding them misinformation instead. For any mass marketing or spammy information requests, give them one piece of real information matched with misinformation.

1.9.1 -- Example: Value Cards

If your grocery store requires a value card to get sale prices, request an application the next time you check out. On the application put your real name, but for the address and phone number use details from a library, post office, or other public building. Next time use an incorrect name and address, but a real cell number. The idea is that we are filling these sales databases with misinformation. See the video training for a more detailed explanation. For any sign-ups that require email or phone verification, consider using a MySudo or other "burner account".

Important: We never use the complete details of another real person. Using someone else's name, address, phone number, or photograph could be considered identity theft and a crime. We also never give fake details to government agents or use them to commit fraud, such as buying pharmaceuticals. The tactic described in this section is for coupons and signing up for deals; it is not for legally binding contracts or dodging legal responsibilities. DO NOT COMMIT FRAUD.

1.10 Day Ten - Inform and Assist Your Circle

Awareness is the single best weapon against physical and electronic threats. The weakest link theory absolutely applies to your digital life. We need to help our friends, colleagues, and loved ones up their security game for their own benefit, but also so they are not exploited as a point of weakness by our own adversaries. When we in Law Enforcement hunt elusive fugitives, we are often successful in compromising them by way of someone in their life who has weaker security awareness. Criminals use the same tactic when targeting us. If they cannot get to you directly, they will exploit people in your social, professional, or family circle to gain access.

1.10.1 -- Map Out Your Circle

Your "circle" is the collection of people who have physical and digital access to your life. We always like to approach security efforts methodically, so it is useful to make a list of the people close to you, starting with anyone sharing your home. Try to put yourself in the shoes of a cyber stalker bent on infiltrating your life. From that perspective, who are the individuals and groups that you would target as a potential point of weakness? Typical considerations are:

1. Immediate family
2. Roommates
3. Children, siblings, and parents with separate residences (i.e.: daughter away at college, sister in another state, and so on)
4. Close friends (especially those associated on social media platforms)
5. Co-workers and colleagues (again, shared social media increases their likelihood of being a target)
6. Groups -- Sports teams, clubs, school associations, and other interest groups

We want to raise the level of awareness amongst the people close to us. Do not be pushy, and provide them with practical examples of common threats. Cyber crime and other threat vectors are very much in the news, which works in our favor. Talk about the best practices listed in previous steps and make yourself a resource. Above all else, please teach your loved ones to listen to their instincts. If something feels wrong, it probably is.

1.11 Extra Credit - Keep Learning

Read books, join online security-privacy communities, listen to podcasts, and stay updated on the latest trends and threats. Like all efforts, the most benefit is realized when you make security and privacy part of your lifestyle. Make a game of it and challenge yourself and your family to give away as little of your personal information as possible. Keep in mind that it is a marathon, not a sprint. At times you will feel frustrated and overwhelmed, but just take a break and come back to it once your batteries are recharged a bit.

1.12 Additional Resources

Articles and Worksheets

- https://inteltechniques.com/links.html
- https://inteltechniques.com/data/workbook.pdf
- https://ssd.eff.org/
- https://danielmiessler.com/study/
- https://www.bulkorder.ftc.gov/system/files/publications/fraud-alert-credit-freeze-whats-the-difference.pdf

Books

- https://inteltechniques.com/books.html
- https://www.goodreads.com/shelf/show/cybercrime

Podcasts & Videos

- https://inteltechniques.com/podcast.html
- https://twit.tv/shows/security-now
- https://www.smashingsecurity.com/
- https://dailytechnewsshow.com/

1.13 Ten Day Security -- Checklist

Tracking Your Progress

Some items are not steps that you truly "finish", such as the misinformation campaign. Mark these complete when you feel satisfied that you have successfully started down that particular road and then settle into a routine of picking away at it when you have time. Any "all or nothing" approach is the enemy, and we want to have a mindset of doing what we can and ending up better off than when we started. You will never truly be done working on your security and privacy, but you can be in much better shape than just about everyone you know. Consider printing out this packet and including it in your security notebook. The Security & Privacy Checklist and Extreme Privacy Workbook make good additions as well.

Security & Privacy Resources at Inteltechniques.com

| Task | Date Completed | Notes |
| --- | --- | --- |
| Security Notebook | | |
| Password Manager & Multi-Factor Authentication | | |
| Mobile Device Settings | | |
| Accounts | | |
| Computers | | |
| Network | | |
| Credit Freeze | | |
| Online Data Opt-outs | | |
| Misinformation Campaign | | |
| Inner Circle | | |

1.14 One-Tab Bookmarks

https://inteltechniques.com/book7.html | Extreme Privacy by Michael Bazzell
https://inteltechniques.com/links.html | IntelTechniques.com | OSINT & Privacy Services by Michael Bazzell | Open Source Intelligence
https://inteltechniques.com/data/workbook.pdf | IntelTechniques Extreme Privacy Workbook
https://authy.com/ | Authy | Two factor Authentication (2FA) App & Guides
https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en_US | Google Authenticator - Apps on Google Play
https://keepassxc.org/docs/ | Documentation and FAQ KeePassXC
https://keepassxc.org/docs/KeePassXC_GettingStarted.html | KeePassXC: Getting Started Guide
https://bitwarden.com/ | Bitwarden Open Source Password Manager | Bitwarden
https://vault.bitwarden.com/#/ | Bitwarden Web Vault
https://authy.com/guides/ | Guides - Authy
https://www.inteltechniques.net/courses/take/open-source-intelligence/lessons/15686238-password-managers-bitwarden | Inteltechniques
https://restoreprivacy.com/secure-android-privacy/ | How to Secure Your Android Device and Have More Privacy
https://duckduckgo.com/?q=ios+privacy+setttings&t=hk&df=m&ia=web | ios privacy setttings at DuckDuckGo
https://www.accountkiller.com/en/home | home ACCOUNTKILLER.COM
https://backgroundchecks.org/justdeleteme/ | Just Delete Me | A directory of direct links to delete your account from web services.
https://staysafeonline.org/stay-safe-online/managing-your-privacy/manage-privacy-settings/ | Update Your Privacy Settings Stay Safe Online
https://www.facebook.com/ | Facebook - Log In or Sign Up
https://www.makeuseof.com/tag/complete-guide-windows-10-privacy-settings/ | The Complete Guide to Windows 10 Privacy Settings | MakeUseOf
https://support.microsoft.com/en-us/windows/change-privacy-settings-in-windows-10-55466b7b-14de-c230-3ece-6b75557c5227 | Change privacy settings in Windows 10
https://www.malwarebytes.com/ | Malwarebytes Cybersecurity for Home and Business | Malwarebytes
https://support.microsoft.com/en-us/windows/backup-and-restore-in-windows-10-352091d2-bb9d-3ea3-ed18-52ef2b88cbef | Backup and Restore in Windows 10
https://support.apple.com/mac-backup | How to back up your Mac - Official Apple Support
https://www.mozilla.org/en-US/firefox/new/ | Download Firefox Browser Fast, Private & Free --- from Mozilla
https://support.mozilla.org/en-US/kb/focus | What is Firefox Focus? | Firefox Focus Help
https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm?hl=en | uBlock Origin - Chrome Web Store
https://www.eff.org/https-everywhere | HTTPS Everywhere | Electronic Frontier Foundation
https://routersecurity.org/checklist.php | Router Security Checklist
https://highspeed.tips/routers/ | Router Emulators | HighSpeed.Tips
https://protectli.com/ | Protectli: Trusted Firewall Appliances with Firmware Protection
https://inteltechniques.com/firewall/ | IntelTechniques.com | OSINT & Privacy Services by Michael Bazzell | Open Source Intelligence
https://www.consumer.ftc.gov/articles/0275-place-fraud-alert | Place a Fraud Alert | FTC Consumer Information
https://www.irs.gov/payments/view-your-tax-account | View Your Tax Account | Internal Revenue Service
https://inteltechniques.com/data/workbook.pdf | IntelTechniques Extreme Privacy Workbook
https://www.kroger.com/account/create/ | Kroger
https://news.clearancejobs.com/2018/05/21/us-service-members-families-targeted-russian-hackers/ | US Service Members' Families Targeted by Russian Hackers ClearanceJobs
https://inteltechniques.com/podcast.html | The Privacy, Security, & OSINT Show
https://danielmiessler.com/study/ | Tutorials | Daniel Miessler
https://ssd.eff.org/ | Surveillance Self-Defense | Tips, Tools and How-tos for Safer Online Communications
https://inteltechniques.com/links.html | IntelTechniques.com | OSINT & Privacy Services by Michael Bazzell | Open Source Intelligence


16SecurityBitwarden.md

7/23/2021

OSINT Essentials - Security: Bitwarden

Intro and Use Case

Bitwarden is an open-source password manager which can sync across devices and has passed a third-party security audit. For those looking to move to an open-source option for password management, it is the recommended solution if you require cloud-based syncing across devices. There is a free tier and also a very affordable premium tier which adds features. Bitwarden is "zero trust", which means that they cannot read your data because they do not have the decryption keys. They handle the transmission but cannot decrypt the data even if compelled by a government or other third party.

- Bitwarden Security Audit Details
- Bitwarden Source Code

1.1 Installation & Downloads

The below are links to Bitwarden for different products:

- Bitwarden Homepage
- Windows
- Mac
- Linux
- iOS - App Store
- Android - Google Play
- Firefox Add-Ons
- Chrome Web Store
- Bitwarden Download page

1.2 Key Features & Workflow

- The master passphrase should be exceptionally long and unique.
- If you lose your master passphrase, they cannot help you, so store it securely in your security notebook (which should then be kept in your firesafe or other physically secure location).
- Multi-factor authentication should be used, and the paid tiers offer more options for your second factor: https://bitwarden.com/help/article/setup-two-step-login/
- A password generator is included.
- You can add additional fields to the entries to save related credential data.
- You can host your vault on premise (on your own infrastructure), but you will be required to set up a Bitwarden account regardless; the difference is that the vault is local versus on their server: https://bitwarden.com/help/article/install-on-premise/
- On the family or team plans you can share credentials across users.

1.3 Importing Your Existing Data

Scripts and/or programs for more advanced search and analysis:

- Import Instructions
- LastPass Specific Import Steps
- 1Password Specific Import Steps

1.4 Additional Password Options

- KeePassXC - our preferred offline, open-source password manager
- KeePassXC Browser
- Yubikey
- OnlyKey
- Authy

1.5 One Tab Bookmarks

https://bitwarden.com/pricing/ | Pricing For You | Bitwarden
https://bitwarden.com/help/article/is-bitwarden-audited/ | Is Bitwarden audited? Bitwarden Help & Support
https://bitwarden.com/blog/post/third-party-security-audit/ | Bitwarden Completes Third-party Security Audit | Bitwarden Blog
https://github.com/bitwarden | Bitwarden · GitHub
https://bitwarden.com/help/ | Help Center | Bitwarden Help & Support
https://bitwarden.com/help/article/setup-two-step-login/ | Set up two-step login (2FA) | Bitwarden Help & Support
https://bitwarden.com/help/article/import-from-1password/ | Import your data from 1Password | Bitwarden Help & Support
https://inteltechniques.com/blog/2020/06/12/the-privacy-security-osint-show-episode-174/ | IntelTechniques Blog » Blog Archive » The Privacy, Security, & OSINT Show -- Episode 174
https://bitwarden.com/help/article/install-on-premise/ | Installing and deploying | Bitwarden Help & Support
https://bitwarden.com/help/ | Help Center | Bitwarden Help & Support
https://bitwarden.com/help/article/import-from-lastpass/ | Import your data from LastPass | Bitwarden Help & Support
https://www.youtube.com/watch?v=3Y8O0wyYsiQ | Bitwarden Open Source Password Manager Review and Why We Moved From LastPass - YouTube
https://www.youtube.com/watch?v=TcxZyfTOyYw | How to secure your BITWARDEN account like a pro | YubiKey Tutorial - YouTube

16SecurityDDwrtFirmware.md

7/23/2021

Security - Replacing Router Firmware v.12.2020

Going Open-Source

Not all of us can afford to buy all new hardware and a hardware firewall. A good option for making use of existing older hardware is installing an open-source firmware package on a router that you already have on hand. We have discussed options such as OpenWrt, DD-WRT, and Tomato in the past. This lesson will walk through repurposing an old Netgear router by installing the DD-WRT firmware. We will then add virtual LANs to provide segmentation to support our overall secure network scheme. Your exact steps may differ depending on your available hardware and choice of firmware, but the overall approach and strategy should apply to most situations.

WARNING: When applying firmware, there is always a chance that you might "brick" or otherwise permanently ruin your router. Only move forward with these steps if you are comfortable with that risk and can afford to sacrifice the router in question.

1.1 Installing the DD-WRT Firmware

Step One: Download DD-WRT firmware for your specific device

dd-wrt.com - Hardware-specific firmware

Step Two: 30-30-30 power reset

1. While the router is powered on, hold the reset button on the back or bottom for 30 seconds. You may need a small pin to depress the button if it is internal.
2. After 30 seconds have passed, unplug the router from the power, but do not release the reset button. Instead, keep the button pressed for another 30 seconds while unplugged.
3. Finally, plug the power back into the device and continue to hold the reset button for a final 30 seconds.

Basically, hold the reset button the entire time while cycling the power. After this 90-second process is complete, your router should be restored to its factory default state.

Step Three: Install the firmware

1. Open a browser and type in the default IP address for your router, which is typically either 192.168.1.1 or 192.168.0.1
2. If you have trouble connecting, change your workstation's IP address so that you are on the same subnet (i.e.: something like 192.168.1.40)
3. Enter the default username and password: Default Router Login Password For Top Router Models (2021 List)
4. Find the Administration tab and select firmware upgrade
5. Browse to the .bin file downloaded in Step One
6. Follow the prompts and once complete do another 30/30/30 reset
7. Login with the default username and password: "root" and "admin"
8. Select the Administration tab and change the admin login to something unique and long

1.2 Wireless Configuration

If you choose to also use this router as a wireless access point (i.e.: it is your only network appliance) you will want to set up strong security configurations and credentials.

1. Select Wireless > Basic Settings
2. Set the Wireless Network Name (SSID) to something generic and mark it as hidden; this will not make it completely undetectable, but is a good best practice
3. Select Wireless > Wireless Security
4. Security Mode: WPA2
5. WPA Algorithm: AES
6. WPA Shared Key: enter a long, unique passphrase, place it in your password manager, and then hit Save

1.3 Segmentation

In my demo I am using a very old router, and therefore during my research I found mostly really old steps and recommendations that were not 100% accurate to how DD-WRT is set up in the 2017 build that I was using to flash my hardware. I primarily used an example from the following site, but then tweaked the steps to suit my situation. Remember, your steps may differ based on your hardware make/model and the firmware version you are using.

Reference for my demo: What is VLAN & How to Setup VLANs in DD-WRT (Router FAQ)

1. First you may want to rename your router on the main Setup tab
2. Next we need to define our subnets
3. Click on the Networking tab
4. Go to the DHCP tab at the bottom and add a subnet for each of your segments. For each segment select a port.
5. Click Apply Settings
6. Above that section you will see Network Configuration entries for each of these subnets and we need to mark them as unbridged.
7. Now we need to assign them an IP scheme. I am going to use:
   a. 192.168.1.8
   b. 192.168.1.9
   c. 192.168.1.10
8. Click Save and Apply Settings
9. Connect an Ethernet cable from your workstation to port 1 on the router (this may vary based on your router model)
10. Unplug the router power for 30 seconds and then plug it back in, waiting for the lights to normalize
11. Once back on your main Setup tab, scroll down and look for a positive connection for your workstation
12. Now we will set up rules to prevent the three segments from talking to one another.
13. Browse to Administration > Commands.
14. Copy and paste the following commands into the Commands text box (the IP subnets may be different for you if you chose a different scheme in previous steps or if you have more or fewer segments). Each rule drops forwarded traffic from one segment to another, so there is one rule for each pair of segments, for example:

```sh
iptables -I FORWARD -s 192.168.9.0/255.255.255.0 -d 192.168.10.0/255.255.255.0 -j DROP
```

16. Click "Save Firewall".
17. Your DD-WRT VLAN basic configuration is now complete.
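Step 14 gives the rule for one pair of segments; to stop all three segments from talking to one another you need a rule for every ordered pair, and the count grows quickly as segments are added. The POSIX shell script below is an added example (not from the lesson or from the DD-WRT project) that prints the complete rule set for any list of subnets; the three subnets in it are constructed placeholders, to be replaced with the scheme you chose in step 7.

```shell
#!/bin/sh
# Added example, not from the lesson or the DD-WRT project: generate the full
# set of pairwise "iptables -I FORWARD ... -j DROP" rules that keep every
# segment from reaching every other one.  For n segments you need n*(n-1)
# rules.  The output is meant to be pasted into Administration > Commands and
# kept with "Save Firewall", the same way the lesson's hand-written rules are.
#
# Because -I inserts at the head of the FORWARD chain, these rules are
# evaluated before DD-WRT's own forwarding rules, so the drop takes effect
# even where the firmware would otherwise allow inter-VLAN traffic.

# Placeholder subnets (constructed for this example); use your own scheme.
SEGMENTS="192.168.8.0/255.255.255.0 192.168.9.0/255.255.255.0 192.168.10.0/255.255.255.0"

# gen_isolation_rules SUBNET...
# Prints one DROP rule for every ordered (source, destination) pair of
# distinct subnets.  Ordered pairs matter: a rule dropping A->B does nothing
# to stop a host on B from opening a connection to A.
gen_isolation_rules() {
    for src in "$@"; do
        for dst in "$@"; do
            [ "$src" = "$dst" ] && continue
            printf 'iptables -I FORWARD -s %s -d %s -j DROP\n' "$src" "$dst"
        done
    done
}

# count_isolation_rules SUBNET...
# Prints the number of rules gen_isolation_rules emits for these subnets,
# which should equal n*(n-1); a quick sanity check before pasting them in.
count_isolation_rules() {
    gen_isolation_rules "$@" | wc -l | tr -d ' '
}

# Print the rule set for the placeholder segments when run directly.
# shellcheck disable=SC2086  (SEGMENTS is intentionally word-split)
gen_isolation_rules $SEGMENTS
```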

1.4 Additional Resources

- Initial flash from Netgear firmware
- What is VLAN & How to Setup VLANs in DD-WRT (Router FAQ)
- Introduction to DD-WRT - What Is DD-WRT Firmware?
- dd-wrt.com - Hardware-specific firmware
- Using DD-WRT with OpenVPN Access Server
- dd-wrt.com - Basic Wireless Settings
- dd-wrt.com - Wireless access point
- Setup Wi-Fi VLANs with DD-WRT on RT-AC3200
- Factory install: First-time installation on a device
- Default Router Login Password For Top Router Models (2021 List)

You may wish to copy/paste your network diagram here:


Notes: scratch area for any notes during your planning/setup


16SecurityDisinformation.md

7/23/2021

Security Essentials - Disinformation

If You Can't Remove It, Bury It

For most of us, no matter how much time we spend removing our data from the internet, there is always some that either cannot be removed or that keeps resurfacing as data brokers buy, sell, trade, and steal new blocks of our information. One of the most effective ways to battle that last little bit of personal exposure is to feed the data brokers disinformation. The goal is to associate incorrect data points with your real name, address, phone number, and email addresses. Some call it muddying the waters, others poisoning the well, but really it is just feeding the data jackals tainted personal information.

1.1 Disinformation Strategy

Here is the general formula that is recommended for this stage of your privacy campaign. Be creative, but keep these core concepts in mind.

Do Not Commit Fraud -- First and foremost, we are not recommending that you defraud anyone or lie in legally binding circumstances. Do not use disinformation with government officials or documents.

Use Data Scam Tactics Against the Brokers -- Most amazing "deals" and offers of discounts or easy money are scams to collect and then market your personal information. We want to turn the tables and use these tactics to feed the data brokers disinformation. Common examples are things like grocery store value cards, raffles/sweepstakes, free publications, and anything free on the internet really. Section 1.2 provides some specific examples that have proven to be effective.

One Piece of Real Information -- The entire strategy hinges on associating one piece of real information, say your phone number, with pieces of disinformation. For example, I sign up for a value card at a store. I give them my real name, but my address, email, and phone number are incorrect. They will sell that information and it will start to show up down the road on people search sites such as Intelius, Spokeo, Pipl, etc. In turn, you will eventually see it in Google results if you have a fairly unique name.

Do Not Commit Identity Theft -- Never use another person's exact details without consent. Do not pretend to be another real person, as this could be a crime. When you choose incorrect addresses and phone numbers, collect them from places like post offices or libraries. These types of addresses tend to be accepted by online databases, and yet use of them will not interfere with another real person's life. Using addresses that do not exist at all will work in some scenarios, but many online signups will not accept them if they detect that it is not a valid address.

Think Like a Hunter -- Our number one rule of security & privacy holds true for this stage of our campaign: think like the opposition. Think of the data we use when we are running an OSINT operation on a target. Keep in mind the things that make investigations frustrating, such as addresses that have many tenants, common names, discrepancies in middle names and ages, etc. This is your chance to start foiling all future attempts to successfully execute reconnaissance on your life.

Opsec -- Operational security should be forefront in your mind as you conduct your disinformation campaign. Many of the sites we use will be looking at your IP address, cookies, browser fingerprint, and anything else that they can possibly glean from your session. Consider using a clean privacy-respecting browser, script blockers (uBlock Origin), and a VPN.

Addresses -- While disinformation email addresses and phone numbers are easily created, mailing addresses can be tricky. If you are in the US, the best address to use is a post office, as they have a policy to accept mail for the homeless and extra junk mail is a drop in the bucket for them to process. Libraries, shelters, and other public service buildings are also commonly used; just be cautious not to create undue burden on any private organizations by getting them spammed with junk mail.

1.2 Disinformation Sources

The following are some disinformation targets that other privacy practitioners have reported success with using to spread disinformation. The specific examples are to get you started, but the real power is in finding your own gems by utilizing your search skills and creativity.

Google Dork Examples

- webform "catalog request"
- webform "online raffle"
- "free signup"
- "signup for free"
- free online dating signup
- free account ancestry

General Categories

- Value-Card & Coupon Sites
- Job Hunting Sites
- Ancestry Sites
- Publication Deals
- Surveys & Online Quizzes

No Cost

- Kroger
- LinkedIn Learning
- Online Sweepstakes
- Booking.com
- Amazing Registry
- The Knot
- Bed, Bath, & Beyond
- PennySaver
- ClassifiedAds.com
- FreeClassifieds.com
- Carnival
- Wordpress
- Superpages.com
- MerchantCircle.com
- The Real Yellow Pages
- Yahoo! Small Business
- Bing Places for Business

Some Cost

- Wired Magazine Subscription
- DiscountMags.com
- The Krazy Coupon Lady

Sites Purportedly Blocking VPN

- Cabela's
- Kroger
- CraigsList

Resources

- IntelTechniques - Personal Data Removal Workbook
- Privacy, Security & OSINT Show - Episode 101 - Basic Disinformation & Covert OSINT Accounts
- Privacy, Security & OSINT Show - Episode 103 - Intermediate Disinformation, Reputation Mgmt, & Usenet Archives
- Privacy, Security & OSINT Show - Episode 105 - Advanced Disinformation & Telephone Archives

1.3 One-Tab Bookmarks

https://www.kroger.com/account/create/ | Kroger
https://www.linkedin.com/learning/ | LinkedIn Learning: Online Training Courses for Creative, Technology, Business Skills
http://www.online-sweepstakes.com/ | Online-Sweepstakes.com - The web's premier sweepstakes and contest directory and community.
https://join.booking.com/ | Booking.com
https://www.amazingregistry.com/create-registry | Create Your Free Gift Registry AmazingRegistry.com
https://www.theknot.com/gs/wedding-websites | Wedding Websites - Free Wedding Websites The Knot
https://www.bedbathandbeyond.com/store/giftregistry/createRegistryForm | Create a Wedding & Bridal Registry | Bed Bath & Beyond
https://www.pennysaverusa.com/item/new | PennySaver | Post Your Free Classified ad!
https://www.classifiedads.com/post.php | Post a Classified Ad
https://www.freeclassifieds.com/ | Free Classifieds - Buy or Sell anything for free, freeclassifieds.com!
https://carnival.honeymoonwishes.com/ | Carnival Honeymoon Registry
https://wordpress.com/ | WordPress.com: Create a Free Website or Blog
https://www.namecheap.com/ | Buy domain name Cheap domain names from $1.37 Namecheap
https://www.merchantcircle.com/signup#step=stepOne | Deals, Quotes, Coupons, Advice from Local Merchants - MerchantCircle.com
https://getstarted.thryv.com/free-listing-yp/ | Free Scan: see how you look online. Verify the accuracy of your listings.
https://smallbusiness.yahoo.com/local | How to create your Business Listing? | Yahoo! Small Business
https://www.bingplaces.com/ | Bing Places for Business
https://subscribe.wired.com/subscribe/wired/127693 | WIRED Magazine Subscription
https://www.discountmags.com/ | Cheap Magazine Subscriptions | The Best Discount Magazines & Deals - DiscountMags.com
https://thekrazycouponlady.com/deals/magazines | Magazines The Krazy Coupon Lady
https://www.cabelas.com/shop/en | Cabela's Official Website - Hunting, Fishing, Camping, Shooting & Outdoor Gear
https://www.kroger.com/ | Kroger : Shop Groceries, Find Digital Coupons & Order Online
https://seattle.craigslist.org/ | craigslist: seattle-tacoma jobs, apartments, for sale, services, community, and events
https://inteltechniques.com/data/workbook.pdf | IntelTechniques Extreme Privacy Workbook workbook.pdf
https://soundcloud.com/user-98066669/101-basic-disinformation-covert-osint-accounts | Stream 101-Basic Disinformation & Covert OSINT Accounts by The Privacy, Security, & OSINT Show | Listen online for free on SoundCloud
https://soundcloud.com/user-98066669/103-intermediate-disinformation-reputation-mgmt-usenet-archives | Stream 103-Intermediate Disinformation, Reputation Mgmt, & Usenet Archives by The Privacy, Security, & OSINT Show | Listen online for free on SoundCloud
https://soundcloud.com/user-98066669/105-advanced-disinformation-telephone
Small Business https://www.bingplaces.com/ | Bing Places for Business https://subscribe.wired.com/subscribe/wired/127693 \| WIRED Magazine Subscription https://www.discountmags.com/ | Cheap Magazine Subscriptions | The Best Discount Magazines & Deals - DiscountMags.com https://thekrazycouponlady.com/deals/magazines | Magazines The Krazy Coupon Lady https://www.cabelas.com/shop/en | Cabela\'s Official Website - Hunting, Fishing, Camping, Shooting & Outdoor Gear https://www.kroger.com/ | Kroger : Shop Groceries, Find Digital Coupons & Order Online https://seattle.craigslist.org/ | craigslist: seattle-tacoma jobs, apartments, for sale, services, community, and events https://inteltechniques.com/data/workbook.pdf | IntelTechniques Extreme Privacy Workbook workbook.pdf https://soundcloud.com/user-98066669/101-basic-disinformation-covert-osintaccounts | Stream 101-Basic Disinformation & Covert OSINT Accounts by The Privacy, Security, & OSINT Show | Listen online for free on SoundCloud https://soundcloud.com/user 98066669/103 intermediate disinformation reputation mgmt-usenet-archives | Stream 103-Intermediate Disinformation, Reputation Mgmt, & Usenet Archives by The Privacy, Security, & OSINT Show | Listen online for free on SoundCloud https://soundcloud.com/user 98066669/105 advanced disinformation telephone 4/5

16SecurityDisinformation.md

7/23/2021

archives | Stream 105 Advanced Disinformation & Telephone Archives by The Privacy, Security, & OSINT Show | Listen online for free on SoundCloud

5/5

16SecurityEncryptedContainers.md

7/23/2021

OSINT Essentials - Using Encrypted Containers

Data-Level Security

The days of securing data with walls are over. The more reliable solution for most scenarios is encrypting the data so that if someone does reach it, they cannot use it. It never hurts to have a physical security layer, but when it comes to data, encryption is key. This lesson is an introduction to encrypting data at rest, such as on a computer or drive. Whether you work in the intelligence field or in another vocation, you almost certainly handle and store data that has some level of sensitivity. In our personal lives there is financial, family, and pattern-of-life data. Most of you are OSINT "hunters", so you are familiar with how valuable personal and professional information can be. First, we will look at how to make individual encrypted containers for use on just about any drive or workstation. Then we will review options for implementing full disk encryption on Mac, Linux, and Windows. When you are done you will have the knowledge and tools to protect any portion of your data. There remain other attack vectors, such as data in transit, but that is why we will also have upcoming lessons on the latest techniques for encrypted data transfer and communications.

WARNING: Keep a copy of your encryption key in your safe and password manager. If you lose it, you are out of luck and will lose your data.

1.1 Building an Encrypted Container

The encryption software that we will be using for this lesson is VeraCrypt, because it is open-source and available for Mac, Linux, and Windows. There are other encryption options, and we will discuss some platform-specific applications in the forthcoming sections on full-disk encryption. If you already have an encryption application or process in place, consider this just another option. If you do not, then please consider downloading VeraCrypt and following along.

VeraCrypt Downloads
VeraCrypt Guide

The use case for an encrypted container is pretty straightforward. We want to create one or more password-protected containers on a drive so that if an unauthorized person gains access, they will not be able to view, steal, or taint our files. The advantage of encrypted containers versus full-disk encryption is flexibility and compartmentalization. You might even choose to do both: encrypt, say, your laptop, but then keep additional encrypted containers on the laptop for especially sensitive files. When your laptop gets stolen, the laptop data will be safe and at worst you are out the hardware, versus having your data used against you or your organization.

The steps in the developer's manual are quite good, and these steps are just a condensed version of the official steps:

STEP 1: Download and install VeraCrypt, then launch it by double-clicking the file VeraCrypt.exe or by clicking the VeraCrypt shortcut in your Windows Start menu.
STEP 2: Click Create Volume (marked with a red rectangle).
STEP 3: In the Wizard window, choose where to create the VeraCrypt volume. A VeraCrypt volume can reside in a directory or a drive partition; choose one and click 'Next'.
STEP 4: Choose a standard or hidden VeraCrypt volume and click 'Next'.
STEP 5: Choose where you wish the VeraCrypt container ("volume") to be created. "Note that a VeraCrypt container is just like any normal file. It can be, for example, moved or deleted as any normal file. It also needs a filename, which you will choose in the next step." Click Select File and browse to the location you want to use.
STEP 6: IMPORTANT: "Note that VeraCrypt will not encrypt any existing files (when creating a VeraCrypt file container). If you select an existing file in this step, it will be overwritten and replaced by the newly created volume (so the overwritten file will be lost, not encrypted). You will be able to encrypt existing files (later on) by moving them to the VeraCrypt volume that we are creating now." Select the desired path where you wish the container to be created in the file selector. Type the desired container file name in the Filename box and click 'Save'.
STEP 7: In the Volume Creation Wizard window, click Next.
STEP 8: Choose AES for encryption and click 'Next'.
STEP 9: Choose the size of your container and click 'Next'.
STEP 10: Enter a good, long passphrase, record it in your password manager and/or security notebook, and click 'Next'.
STEP 11: "Move your mouse as randomly as possible within the Volume Creation Wizard window at least until the randomness indicator becomes green. The longer you move the mouse, the better (moving the mouse for at least 30 seconds is recommended). This significantly increases the cryptographic strength of the encryption keys (which increases security)." Click 'Format'. "VeraCrypt will now create a file called MyVolume.hc in the folder specified in Step 6. This file will be a VeraCrypt container (it will contain the encrypted VeraCrypt volume). Depending on the size of the volume, the volume creation may take a long time." Click 'OK'.
STEP 12: You now have an encrypted container; click 'Exit'. "In the remaining steps, we will mount the volume we just created. We will return to the main VeraCrypt window (which should still be open, but if it is not, repeat Step 1 to launch VeraCrypt and then continue from Step 13.)"
STEP 13: Select a drive letter from the list that you want to assign to the volume once it is mounted (when we are done it will show up like a removable drive in Explorer).
STEP 14: Click 'Select File'.
STEP 15: Browse to the container file (created in Steps 6-12) and select it. Click 'Open'.
STEP 16: In the main VeraCrypt window, click 'Mount' and the Password prompt will appear.
STEP 17: Type your passphrase (created in Step 10).
STEP 18: Select the PRF algorithm that was used during the creation of the volume (AES in our case). "If you don't remember which PRF was used, just leave it set to "autodetection" but the mounting process will take more time." Click 'OK'. VeraCrypt will now attempt to mount the volume.
FINAL STEP: We have just successfully mounted the container as a drive letter.

Some additional notes from the developer's guide: "The virtual disk is entirely encrypted (including file names, allocation tables, free space, etc.) and behaves like a real disk. You can save (or copy, move, etc.) files to this virtual disk and they will be encrypted on the fly as they are being written. You can also browse to the mounted volume the way you normally browse to any other types of volumes. Note that VeraCrypt never saves any decrypted data to a disk; it only stores them temporarily in RAM (memory). Even when the volume is mounted, data stored in the volume is still encrypted. When you restart Windows or turn off your computer, the volume will be dismounted and all files stored on it will be inaccessible (and encrypted)."

"If you want to close the volume and make files stored on it inaccessible, either restart your operating system or dismount the volume. Select the volume from the list of mounted volumes in the main VeraCrypt window (marked with a red rectangle in the screenshot above) and then click Dismount (also marked with a red rectangle in the screenshot above). To make files stored on the volume accessible again, you will have to mount the volume. To do so, repeat Steps 13-18."
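The steps above drive VeraCrypt through its GUI. To show what a container file actually is underneath, here is an added example in Go (not VeraCrypt's code and not its on-disk format) that builds a toy passphrase-protected container: a small header holding a random salt, nonce and iteration count, followed by the payload encrypted with AES-256-GCM under a key derived from the passphrase. The TOYVOL01 marker, the 100,000-iteration work factor and the sample text are constructed for the example. Two points from the procedure show up directly in the code: the passphrase from Step 10 never becomes the key itself but is stretched by a slow key-derivation function (that derivation hash is what VeraCrypt's mount-time PRF setting selects, and it is separate from the AES cipher chosen in Step 8), and because the authentication tag covers both header and payload, a wrong passphrase and a corrupted file are rejected the same way. As the warning at the top of the lesson says, without the passphrase the bytes are unrecoverable.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed container layout for this example (NOT VeraCrypt's on-disk format):
//   magic(8) | salt(16) | nonce(12) | iterations(4, big-endian) | AES-256-GCM ciphertext || tag
// The 40-byte header is passed to GCM as additional data, so tampering with it is detected.
const (
	magic    = "TOYVOL01" // hypothetical marker chosen for the example
	saltLen  = 16
	nonceLen = 12
	hdrLen   = len(magic) + saltLen + nonceLen + 4
	keyLen   = 32      // AES-256 key
	iters    = 100_000 // PBKDF2 work factor (an assumption, not a VeraCrypt setting)
)

// pbkdf2SHA256 is PBKDF2 with HMAC-SHA256 (RFC 8018) written against the standard
// library only. The key derivation is what makes each passphrase guess expensive.
func pbkdf2SHA256(pass, salt []byte, iterations, dkLen int) []byte {
	var out []byte
	for block := uint32(1); len(out) < dkLen; block++ {
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		mac := hmac.New(sha256.New, pass)
		mac.Write(salt)
		mac.Write(idx[:])
		u := mac.Sum(nil) // U1 = HMAC(P, S || INT(block))
		t := append([]byte(nil), u...)
		for i := 1; i < iterations; i++ {
			mac = hmac.New(sha256.New, pass)
			mac.Write(u)
			u = mac.Sum(nil) // Uj = HMAC(P, Uj-1)
			for k := range t {
				t[k] ^= u[k] // T = U1 xor U2 xor ... xor Uc
			}
		}
		out = append(out, t...)
	}
	return out[:dkLen]
}

// gcmFor derives the 32-byte volume key from the passphrase and salt and wraps it in
// AES-256-GCM. Neither constructor can fail for a 32-byte key, so the errors are dropped.
func gcmFor(passphrase string, salt []byte, iterations int) cipher.AEAD {
	block, _ := aes.NewCipher(pbkdf2SHA256([]byte(passphrase), salt, iterations, keyLen))
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// Seal turns plaintext into a container file: fresh random salt and nonce, a key
// derived from the passphrase, and the payload encrypted and authenticated.
func Seal(passphrase string, plaintext []byte) ([]byte, error) {
	rnd := make([]byte, saltLen+nonceLen)
	if _, err := rand.Read(rnd); err != nil {
		return nil, err
	}
	salt, nonce := rnd[:saltLen], rnd[saltLen:]
	hdr := append([]byte(magic), rnd...)
	var n [4]byte
	binary.BigEndian.PutUint32(n[:], iters)
	hdr = append(hdr, n[:]...)
	out := append([]byte(nil), hdr...) // ciphertext goes after a copy of the header
	return gcmFor(passphrase, salt, iters).Seal(out, nonce, plaintext, hdr), nil
}

// Open reverses Seal. A wrong passphrase and a corrupted file both fail the GCM tag
// check, so the error deliberately does not distinguish them.
func Open(passphrase string, container []byte) ([]byte, error) {
	if len(container) < hdrLen || string(container[:len(magic)]) != magic {
		return nil, errors.New("not a container file")
	}
	hdr := container[:hdrLen]
	salt := hdr[len(magic) : len(magic)+saltLen]
	nonce := hdr[len(magic)+saltLen : hdrLen-4]
	iterations := int(binary.BigEndian.Uint32(hdr[hdrLen-4:]))
	plain, err := gcmFor(passphrase, salt, iterations).Open(nil, nonce, container[hdrLen:], hdr)
	if err != nil {
		return nil, errors.New("wrong passphrase or corrupted container")
	}
	return plain, nil
}

func main() {
	secret := []byte("constructed sample: case notes kept inside the container\n")
	box, _ := Seal("correct horse battery staple", secret)
	_, wrong := Open("wrong passphrase", box)
	got, err := Open("correct horse battery staple", box)
	fmt.Printf("%d bytes; wrong passphrase: %v; right one: err=%v match=%v\n", len(box), wrong, err, string(got) == string(secret))
}
```

The salt is why two containers made with the same passphrase get different keys, and the nonce is why the same plaintext never encrypts to the same bytes twice; a real volume format additionally has to handle random-access reads and writes inside the volume, which a single GCM call over the whole payload does not.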

1.2 How to Create and Use a VeraCrypt-Encrypted Partition/Device

"Instead of creating file containers, you can also encrypt physical partitions or drives (i.e., create VeraCrypt device-hosted volumes). To do so, repeat steps 1-3, but in step 3 select the second or third option. Then follow the remaining instructions in the wizard. When you create a device-hosted VeraCrypt volume within a non-system partition/drive, you can mount it by clicking Auto-Mount Devices in the main VeraCrypt window."

Full Disk Encryption Mac

Mac has FileVault built in, and we will use that in this example.
1. Open 'System Preferences' (press Alt+F2 and then CMD+L)
2. Open 'Security & Privacy' in the top row of icons
3. Click on the 'FileVault' tab
4. Read the warning and select 'Turn On FileVault'
5. Select the non-iCloud recovery key option and select 'Continue'
6. Copy your security key to your password manager and your security notebook (note: do not store your security key in the virtual machine that it is securing; that may seem obvious, but just a reminder)
7. Select Continue and restart your Mac
8. When prompted, enter your passphrase to unlock your encrypted Mac

Full Disk Encryption Linux

In this course we are mostly going to be using Linux within a VM, so our lesson here covers our default steps for adding encryption to our Ubuntu virtual machine. I am including a link below to longer instructions for full disk encryption on standalone (non-VM) Ubuntu.

VM Encryption Method 1: VirtualBox has an option to encrypt the 'guest' machine from the management menu
1. First make sure you understand the side effects and limitations caused by VirtualBox encryption: https://docs.oracle.com/en/virtualization/virtualbox/6.0/admin/diskencryption.html#:~:text=Oracle%20VM%20VirtualBox%20enables%20you,VirtualBox%20and%20other%20virtualization%20software
2. Create your VM as outlined in the Ubuntu VM lesson or to your own specifications
3. With your virtual machine turned off, select it in VirtualBox and open 'Settings'
4. The first category is General; select the fourth tab, which is 'Encryption'
5. Check the Enable Encryption box and choose AES encryption
6. Enter a good passphrase and save it in your password manager and/or security notebook
7. Select OK
8. Here is how it looks in VirtualBox on Mac and PC (the example is Mint, but Ubuntu will look the same): (screenshots of the VirtualBox Encryption tab on Mac and PC)


Encryption Method 2:
1. The virtual machine creation steps are available in the Virtual Machines section of the training.
2. Once you get to the Ubuntu installation steps of the process, you will end up at this wizard: (screenshot of the Ubuntu installer welcome screen)
3. Click Install Ubuntu
4. Select your keyboard layout of choice -> Continue
5. Select normal installation -> Continue
6. Now you are at the screen related to encryption: (screenshot of the Ubuntu installation type screen)
7. Select 'Erase disk and install Ubuntu', select 'Encrypt the new Ubuntu installation for security', and then select 'Install Now'
8. It will prompt you for a security key; enter a passphrase and save it to your password manager and/or security notebook
9. Continue with the VM creation steps as outlined in the Ubuntu VM lesson

Additionally, if you wish to set up a hardware token for authentication/decryption, here are instructions for pairing a YubiKey with an encrypted Ubuntu VM: https://blog.mimacom.com/fde-with-yubikey/

The non-VM Ubuntu encryption steps are a little involved but fairly straightforward: https://help.ubuntu.com/community/Full_Disk_Encryption_Howto_2019

If you are using a different distro of Linux, just Google steps based on the distro and build.

Full Disk Encryption Windows
1. Open File Explorer, right-click your system drive (usually C) where Windows 10 is installed, then click 'Turn on BitLocker'
2. Create a passphrase that is long but that you can remember, write it down in your password manager and your secure notebook (remember, this lives in your fire safe or another very safe location), and hit Next
3. Choose to print your recovery key and place the printout in your secure notebook (you may also choose to type it into your password manager) and hit Next
4. Choose 'Encrypt Entire Drive' and hit Next
5. Choose 'New encryption mode' if that option is available and hit Next
6. Check the 'Run BitLocker system check' box and hit Continue
7. Double-check that you have your passphrase ready and restart your PC at the prompt
8. When prompted, enter your passphrase to unlock your PC
9. Your drive is still being encrypted, and you can see the status by right-clicking on your Windows drive (usually C) and clicking on 'Manage BitLocker' (you can use your computer while it chugs away encrypting your drive)
10. Your drive is encrypted when the manager says it's done, and then you are set. Don't lose your recovery key.

If desired you can also encrypt individual and removable drives with BitLocker, but we prefer VeraCrypt for that purpose because it is supported on Mac and Linux as well. If you choose to use BitLocker for containers, follow this guide: https://www.groovypost.com/howto/encrypt-flash-drive-sd-card-windows-10-bitlocker/

1.3 One-Tab Bookmarks

https://newsabc.net/veracrypt-professional-tricks-for-the-encryption-tool/ | VeraCrypt: professional tricks for the encryption tool - NewsABC.net
https://www.hawaii.edu/askus/1816 | Encryption using VeraCrypt :: ASK
https://www.veracrypt.fr/en/Beginner%27s%20Tutorial.html | VeraCrypt - Free Open source disk encryption with strong security for the Paranoid
https://www.howtogeek.com/108501/the-how-to-geek-guide-to-getting-started-with-truecrypt/ | How to Secure Sensitive Files on Your PC with VeraCrypt
https://proprivacy.com/privacy-service/guides/veracrypt-how-to-basics | VeraCrypt & how-to basics - ProPrivacy.com
https://archive.codeplex.com/?p=veracrypt | VeraCrypt - CodePlex Archive
https://blog.elcomsoft.com/2020/01/a-comprehensive-guide-on-securing-your-system-archives-and-documents/ | A Comprehensive Guide on Securing Your System, Archives and Documents | ElcomSoft blog
https://techjury.net/blog/how-to-encrypt-your-hard-drive/#gref | How To Encrypt Your Hard Drive? [Ultimate 2020 Guide]
https://linuxinsider.com/story/the-case-against-full-disk-encryption-86774.html | The Case Against Full-Disk Encryption | LinuxInsider
https://www.groovypost.com/howto/encrypt-flash-drive-sd-card-windows-10-bitlocker/ | How to Encrypt a USB Flash Drive or SD Card with Windows 10
https://docs.microsoft.com/en-us/mem/intune/protect/encrypt-devices | Encrypt Windows 10 devices with BitLocker in Intune - Microsoft Intune
https://resources.infosecinstitute.com/category/certifications-training/securing-windows-ten/data-security-in-windows-10/how-to-use-bitlocker-in-windows-10/ | How to use BitLocker in Windows 10 (with or without TPM)
https://www.lifewire.com/how-to-use-windows-bitlocker-4771937 | How to Use BitLocker in Windows 10
https://www.trentu.ca/it/services/user-guides/enabling-bitlocker-with-windows-10 | Enabling BitLocker with Windows 10 - Information Technology - Trent University
https://www.digitalcitizen.life/encrypt-system-partition-bitlocker | How to encrypt a system partition with BitLocker in Windows 10
https://null-byte.wonderhowto.com/how-to/mac-for-hackers-enable-full-disk-encryption-protect-your-data-0173789/ | Mac for Hackers: How to Enable Full Disk Encryption to Protect Your Data « Null Byte :: WonderHowTo
https://www.amsys.co.uk/quick-tip-open-system-preferences-quickly/#:~:text=Open%20System%20Preferences%20using%20Keyboard,to%20the%20main%20System%20Preferences | Quick Tip: How to open System Preferences quickly
https://support.apple.com/en-us/HT204837 | Use FileVault to encrypt the startup disk on your Mac - Apple Support
https://book.cyberyozh.com/encryption-of-virtual-data-on-virtual-machine-virtualbox/#:~:text=Open%20the%20program%2C%20select%20the,be%20decrypted%20before%20loading%20it | Encryption of virtual data on virtual machine VirtualBox
https://help.ubuntu.com/community/Full_Disk_Encryption_Howto_2019 | Full Disk Encryption Howto 2019 - Community Help Wiki
https://help.ubuntu.com/community/ManualFullSystemEncryption | ManualFullSystemEncryption - Community Help Wiki
https://blog.mimacom.com/fde-with-yubikey/ | Full Disk Encryption with YubiKey
https://docs.oracle.com/en/virtualization/virtualbox/6.0/admin/diskencryption.html#:~:text=Oracle%20VM%20VirtualBox%20enables%20you,VirtualBox%20and%20other%20virtualization%20software | 2.29. Encryption of Disk Images
https://www.freecodecamp.org/news/how-to-install-ubuntu-with-oracle-virtualbox/ | How to install Ubuntu on VirtualBox

16SecurityIOS14.md

7/23/2021

Impacts from the iOS 14 Update

iOS 14, as with previous updates, brings with it some good and some bad. There are some improvements regarding notifications on the potential privacy impacts of applications accessing your data, and at the same time there may seem to be more ways that your phone is asking to use your data. For the most part, it is not that it is accessing more data, but rather that it is finally asking instead of just taking behind the scenes. All that said, more settings results in an even greater need to review every entry to ensure that we are not unwittingly giving anything away. If you read no further, just remember one key concept: with any update, methodically review each of your phone's settings categories; most choices are logical. For those who want more specific recommendations, below are some recommended changes.

1.1 Changes We Care About

Should you update? Yes, because we want the security patches from any iOS update.

New features and settings to be aware of:

BT/WiFi on reboot -- If you have Bluetooth or Wi-Fi turned off, after updating these will likely default back to on. If you are particularly sensitive about your phone touching your home infrastructure, you might consider completing the update in a different environment.

Exposure notifications (Covid-19) -- This is disabled by default (for now); do what is best for your own threat model, but from a privacy perspective this is best left off. Keep an eye on this one, as in future updates Apple could be required to have this default to enabled.

Default browser -- This can be changed from Safari to Chrome/Firefox/DuckDuckGo (not Firefox Focus yet). Even the third-party browsers use Apple WebKit, so it is still not perfectly compartmentalized. You can still use Firefox Focus manually; it just won't open links by default from apps, but we want to avoid clicking on links anyway.


Mic & cam notification -- There is now a notification icon on the top left of your phone screen if the mic or camera is being accessed by an application. It is still a good idea to use a small sticker to cover your front-facing camera if you want to be certain that it is not capturing you without consent. Software-controlled indicators are never as reliable as physical controls, and we like layers of protection. Again, it all depends on your threat model and what level of peace of mind you desire.

Copy/Paste Notification -- Similar to the mic and camera notifications, you now receive a message if an application copies or pastes data from your "clipboard" or temporary memory. All in all, these new awareness features are a benefit and there is really no downside.


Limited Photos -- There is a new option to share only selected photos. This gives you more granular control over application access to images and moves away from the old "all or nothing" access.

Precise Location -- iOS 14 defaults to a "precise" location when it comes to applications accessing your location data, but you can toggle this so that it uses an approximate location (Settings > Privacy > Location Services). Go through each application and check the settings. It is recommended that you leave each set to "never" with Precise Location set to off. Then you can toggle access on as needed. This makes it a conscious choice to do so and reduces the chances of applications continuing to use your location in the background.

Local Network Access -- A new notification makes you aware of applications requesting access to your local network. An example is if you use Signal: it will likely cause this notification to pop up. This is normal; we just have more visibility into what was already happening. A general best practice is to deny access unless you need it. If you have a problem with that specific application down the road, you can always revisit that access setting as a possible solution, but we want to be restrictive as a baseline and then only loosen up our access control as necessary. I know we have many Signal users, and in that case the access is for adding additional devices: SignalCommunity - iOS 14 Local Network alert


Random MAC address -- You can now change your MAC address when you join or reconnect to a Wi-Fi network. This is primarily of benefit when you connect to third party or public networks. It would be best not to connect to those types of "dirty" networks, but if you choose to do so, MAC address randomization is somewhat helpful in preventing tracking.

1.2 Settings

We believe the best approach is to review all settings after any major update, but here are some specific recommended settings to review and/or change:
1. Settings > Apple ID > Password & Security
2. Settings > Privacy > Location Services > System Services > Turn them all off (except for possibly: SOS, Find My iPhone)
3. Settings > Privacy > Location Services > Disable on all apps. You can come back in and turn it on temporarily as needed if you choose
4. Settings > Privacy > Analytics & Improvements > Turn them off
5. Settings > Privacy > Advertising > Turn them off
6. Settings > Privacy > Research Sensor & Usage Data > Turn it off
7. Settings > General > Background App Refresh > Turn off, except for text messages

1.3 Some Issues to Be Aware Of

Firefox Focus is not supported as an option when setting your default browser. It will be added soon, but for now you are stuck with plain-jane Firefox. As with previous major updates, some of your settings may be "reset" to default, so make sure to review all of your phone settings for any changes that were not yours by choice. For example, your default browser may be set to Safari or your email client to Mail. The new option of "precise location" under Location Services should only be used as needed; consider whether you actually need an exact location for the purpose intended. There is no benefit to giving the application in question more specific data than it needs to provide the service intended.

1.4 Third Party Security Applications

If you are using applications such as "Lockdown" to increase your privacy or security, you may be wondering if the security improvements in iOS 14 make those applications redundant. Lockdown and other applications that protect your connection and data integrity remain beneficial, and if you used them before you will likely benefit from continuing to do so. A typical setup is using the free version of Lockdown paired with ProtonVPN (this means you will need the ProtonVPN protocol set to IKEv2 in the Proton application). Although iOS 14 has come with privacy improvements, third-party security measures such as software firewalls and VPNs add additional layers of protection. Do what is best for your threat model and level of concern.

Lockdown Apps on the App Store
ProtonVPN app for iOS
PIA VPN for iOS
Bitwarden Password Manager on the App Store

1.5 Resources

The iOS 14 Privacy and Security Features You Should Know (Wired), 2020
Privac
y, Security & OSINT Show - Episode 189 - iOS 14, Usenet, and Self Publishing
iOS 14 MAC randomization privacy feature may cause Cisco enterprise network issues (AppleInsider), 2020
iOS Support - Signal Community

16SecurityLANPlanning.md

7/23/2021

Security Home Network Plan v.11.2020

1.1 Network Planning Template

This is just an optional template to assist with penciling out a basic network plan. I encourage you to complete your plan in whatever fashion works for you, but for those of you desiring a structured approach, feel free to use this template or customize it to meet your needs and particular security situation.

Device Inventory

As with any other assessment and planning process, we first need to account for the devices that will be connecting to our network and categorize them by risk and sensitivity. There can be as many categories in your list as you like, but keep in mind that each category will end up being its own network segment. My categories are only one example of a common setup to get you started thinking through your own environment.


If you are struggling to get started categorizing your devices, think about the users in your environment: devices used by kids/guests, cheap "smart devices", and then everything that you use for professional or family business. The goal is that we don't want your guest's Android phone, or your Samsung TV, to be able to talk to the MacBook containing your finance spreadsheets or that unpublished novel you are writing.

Preparation Checklist (list make/model)

Firewall (optional):
- Firmware Updated
- Admin Credentials Changed

Router:
- Firmware Updated
- Admin Credentials Changed
- Stock Firmware Replaced (OpenWRT, DD-WRT, etc.)

Access Point:
- Firmware Updated
- Admin Credentials Changed

Additional Hardware:
- Firmware Updated
- Admin Credentials Changed

1.2 Segmentation Plan

There are many different possibilities when it comes to subnetting your network. Here I am providing just one common option: setting up three subnets for the purpose of isolating devices by risk/sensitivity.

192.168.8.0/24 Guest Network
192.168.9.0/24 IOT Network
192.168.10.0/24 Private Network

You may have additional segments or use a different schema, but the overall concept is to set up separate subnets for each of our segments. For the most part, Guest, IOT, and Private will be restricted from talking to one another. There are additional measures to further isolate these segments from one another, and there are also methods of creating limited paths of communication, but that is beyond the scope of this guide. I should note that subnetting alone does not completely isolate the segments. We will also want to set up "virtual LANs" (VLANs) if our router supports that feature. The difference between the two is complicated, but we want both if possible.
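To make the default-deny idea behind the plan concrete, here is an added example in Go (not from the notebook and not any router's firmware) that encodes the three subnets above and answers the two questions a planning pass raises: given a source and destination address, should the flow be allowed, and is every inventoried device actually sitting on the subnet its category calls for? The inventory entries, the sample flows and the single "Private may reach IoT" exception are constructed for the example, and the segment names are the example's own. It models only the IP-level policy a router or firewall enforces between subnets; a VLAN is still needed to separate the segments at the switch, and this check says nothing about that layer.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Segment is one planned subnet, named after the role it isolates.
type Segment struct {
	Name   string
	Prefix netip.Prefix
}

// Plan is the three-subnet layout from the lesson.
var Plan = []Segment{
	{"Guest", netip.MustParsePrefix("192.168.8.0/24")},
	{"IoT", netip.MustParsePrefix("192.168.9.0/24")},
	{"Private", netip.MustParsePrefix("192.168.10.0/24")},
}

// Rule is an explicit, one-directional exception to the default deny between segments.
type Rule struct{ From, To string }

// SegmentOf returns the name of the planned segment containing ip, or "" if the
// address is unparsable or outside every planned subnet.
func SegmentOf(ip string) string {
	addr, err := netip.ParseAddr(ip)
	if err != nil {
		return ""
	}
	for _, s := range Plan {
		if s.Prefix.Contains(addr) {
			return s.Name
		}
	}
	return ""
}

// Decide evaluates one flow against the plan. Traffic within a segment is allowed,
// egress to addresses outside every planned subnet is allowed, and traffic between
// two segments is denied unless a Rule permits that exact direction.
func Decide(src, dst string, rules []Rule) (verdict, reason string) {
	s, d := SegmentOf(src), SegmentOf(dst)
	switch {
	case s == "":
		return "deny", "source is not on any planned segment"
	case d == "":
		return "allow", s + " egress to outside the LAN"
	case s == d:
		return "allow", "traffic stays inside " + s
	}
	for _, r := range rules {
		if r.From == s && r.To == d {
			return "allow", "explicit rule " + s + " -> " + d
		}
	}
	return "deny", "cross-segment " + s + " -> " + d + " blocked by default"
}

// Device is an inventory line: the category you assigned and the address it got.
type Device struct{ Name, Category, Addr string }

// Misplaced lists devices whose address sits on a different segment than their
// category says, which is exactly the mix-up segmentation is meant to rule out.
func Misplaced(inventory []Device) []string {
	var bad []string
	for _, d := range inventory {
		if got := SegmentOf(d.Addr); got != d.Category {
			bad = append(bad, fmt.Sprintf("%s: categorised %s but addressed on %q", d.Name, d.Category, got))
		}
	}
	return bad
}

func main() {
	// Constructed sample inventory; the smart TV ended up on the private subnet.
	inventory := []Device{
		{"guest-android", "Guest", "192.168.8.23"},
		{"samsung-tv", "IoT", "192.168.10.40"},
		{"macbook", "Private", "192.168.10.5"},
	}
	for _, m := range Misplaced(inventory) {
		fmt.Println("inventory problem:", m)
	}
	rules := []Rule{{"Private", "IoT"}} // e.g. the MacBook may reach a printer, never the reverse
	for _, f := range [][2]string{
		{"192.168.8.23", "192.168.10.5"}, // guest phone -> MacBook
		{"192.168.10.5", "192.168.9.20"}, // MacBook -> IoT device
		{"192.168.9.20", "192.168.10.5"}, // IoT device -> MacBook
		{"192.168.9.20", "203.0.113.9"},  // IoT device -> internet
	} {
		v, why := Decide(f[0], f[1], rules)
		fmt.Printf("%-14s -> %-14s %-5s %s\n", f[0], f[1], v, why)
	}
}
```

Rules are deliberately one-directional: allowing the workstation segment to open connections to the IoT segment says nothing about the reverse, which is the direction a compromised smart device would try. A source address that falls in no planned segment is denied outright, on the view that anything not in the inventory has no business originating traffic on the LAN.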

1.3 Additional Resources


You may wish to copy/paste your network diagram here:

Notes
Scratch area for any notes during your planning/setup


16SecurityNetworks.md

7/23/2021

Security Essentials - Designing a Secure Network v.11.2020

Note: This is the introductory module for what will be a series on building a more secure home network. This is the high-level plan, and it will be followed by detailed lessons on the individual network layers and components. This is the "why", but stay tuned for more specific information on the "how". There is not one way to do this. There are many opinions regarding the best approach and combination of equipment and configuration. Look at this as general best practices with recommended options on how to implement them, rather than hard and fast rules.

Taking Control of Your Network

For most people, a home network is something turnkey, often installed by a third party and seldom attended to. Our network is a critical pathway into our digital life, and we need to implement some layers of protection if we want to avoid being an easy target. This guide is a high-level plan for customizing your digital infrastructure to better suit your security and privacy needs. To make this task easier we will break our home network into layers and discuss some key concepts in shoring up our defenses. Additional lessons will cover each layer in more detail, and in some cases with more advanced options if you choose to take your security posture to the next level. This is more of a "do it yourself" lesson than it is an academic review. That being said, we do need to review some concepts up front that lay the groundwork for understanding our points of vulnerability. I will keep these explanations and instructions in simple, easy-to-digest language, so apologies to our engineers and infosec readers if the content here seems simplified, but it is intentional (i.e., when I use the term "layer" it is in the generic sense and not as a technical reference to the OSI stack). I will say again, this is not the only approach, and the aim here is to strike a balance between security, cost, and sustainability.

1.1 Breaking it Down Into Layers

Layer One -- Digital Egress: Whether via hardline or wireless, you have a device that connects to an internet service provider. In most cases this is a modem, and it receives its outside connection via cable, fiber, satellite, or WiFi. This device is most often provided and configured by your internet service provider. Its primary purpose is linking your internal network with the carrier's network.

Layer Two -- Firewall: This is the gatekeeper and uses a set of rules to decide which data enters and leaves your network.

Layer Three -- Router: This is the device(s) that manages the traffic on your network. It is not uncommon for ISPs to provide a single device that act.

Layer Four -- Wireless Access Points: Access points transmit and receive radio signals that carry your data connection between devices. In effect it is an invisible wire, but with potential compromises to speed, reliability, and integrity.

Layer Five -- Devices: This is the computerized hardware that connects, wired or wirelessly, to your network.


16SecurityNetworks.md

7/23/2021

Layer Six -- Software: This is the firmware and software running on those devices, from the router's firmware to the security services on the devices themselves (covered under Software/Firmware below).

Depending on your setup these layers may be handled by any number of devices. For example, a single laptop connected to LTE via a wireless hotspot is a situation where one device is responsible for layers 1-4 and the laptop handles layers 5 and 6. A more typical setup is a cable modem provided by the ISP that also serves as router, firewall, and wireless access point. These "all-in-one" devices tend to be the worst offenders in regard to network security vulnerabilities.

1.2 Mapping it Out

To start out, it is always beneficial to have a plan. First map out your current network and then map out a plan for a more secure and "segmented" network. You can do this simply with a pencil and notepad or use one of the many free network-diagramming sites/programs. A recommended simple solution for creating network maps is https://draw.io which can be used in a browser or downloaded and used as a desktop application.

A typical home network:


What we want:


1.3 Segmentation

The diagram above can look a little complicated at first glance, but really it is based on the basic concept of segmentation. Do not worry about replicating the exact setup in my plan, but rather focus on compartmentalizing your network based on three factors:

1. Who are the most vulnerable users?
2. What are the most vulnerable devices?
3. Which devices have the most sensitive data touching the network?

To start out, we will make lists separating our sensitive data from our vulnerable users and devices. Your lists should have specific line items: anything that will touch your network, whether it be a human or a device.

| Risky Users | Risky Devices | Sensitive Devices/Data |
|---|---|---|
| Guests | IOT -- "smart devices" | Workstations |
| Kids | Security Cameras | Servers/NAS |
| Spouses | Online Entertainment Devices | Backups |
| Roommates | Promiscuous Mobile Devices | Private Mobile Devices |
| Co-workers | Work/School Provided Devices | |

The idea of segmentation is to group entities together based on their sensitivity and vulnerability. We don't want more vulnerable devices having access to more sensitive data, so we are going to "segment" them into separate zones on our network. This is similar to the concept of using virtual machines to compartmentalize our case work. It is a prophylactic measure that allows us more granular control over device security.

When you have one local network, all managed by one device, all of your devices and data sets tend to have the same level of security. If this is a low level, your private data is at risk; if it is a high level, you will sacrifice functionality on devices that would not otherwise warrant the constraints in place. An example is trying to use Netflix behind a VPN. If everything on your network has the same security settings, some items might not work at all. So, our goal here is to draw up a plan where we have portions of our network with varying levels of security suited to our different needs. We want a very secure connection for our sensitive devices and a less restricted connection for our convenience devices. It is of course theoretically more secure to put everything under the strictest security rules, but what I have found is that people tend to weaken security standards over time if they are too restrictive across the board.

In my second diagram we have separate "segments", like branches on a tree, for the different categories of devices, which I think of as IOT, dirty, and secure. Your categories may differ based on use case and lifestyle. Based on your threat model you may have more restrictive categories. Here is an explanation of my segments:

Segment #1 -- Internet of Things (IOT): These are the cheap internet-connected devices that tend to have extremely poor hardware and software security: thermostats, Amazon devices, TVs, smart lights, sprinkler systems, and security cameras. Those are just a handful of examples.
If it is a cheap device that connects to the internet, it likely belongs on this list. This includes more expensive devices that have "smart" connectivity as a secondary feature.

Segment #2 -- Guest Segment: I prefer to keep guests completely separate from our private devices and data, so they have their own segment.

Segment #3 -- Household/Everyday: This segment is for schoolwork, casual browsing, mobile devices that also connect to networks outside the home (dirty devices), etc.

Segment #4 -- Secure Segment: This is for hard-wired desktops, network attached storage (NAS), and any other systems/devices that handle our more sensitive data storage and traffic.

In this plan, the security measures increase from the least secure (segment #1) to the most secure (segment #4). This model assumes that there is an additional non-segment #5: devices that do not connect to the home network at all, but rather have an isolated connection. For example, I connect my work laptop to a MiFi rather than my home network. I mention that as a reminder not to constrain your security posture by ruling out alternatives to connecting to your home network. After all, the most secure device is one that is not connected at all, which seems crazy in the modern era, but I have a couple of devices that are only used offline, for very specific functions where security is paramount and connectivity is non-essential.

Physical vs. Logical Segmentation

An example of physical segmentation would be putting each segment behind its own firewall or router. Logical segments are defined by network addressing or VLANs (virtual LANs), so often multiple segments are hosted on a single hardware router. The router restricts traffic between logical segments based on rules, whereas on a physical segment the firewall filters and enforces all traffic into and out of that subnet. Complete physical segmentation is not often practical due to the increase in appliances needed. Segmenting by subnetting alone is not sufficient for our security purposes, so ideally we will segment our subnets and also define them as VLANs. This can all be a little confusing, but in the end, we want to use VLANs if our hardware supports them.

1.4 Software/Firmware

Once you have your new network plan/map, you will need to decide what software or services will manage the traffic on your network. The following are the typical functions that we need to establish and examples of recommended software that meet our requirements. We will start at the point of egress into our home (ISP connection) and work our way in to the individual devices.

Internet Service -- This is your service provider; examples include cell carriers, cable companies, fiber companies, and satellite internet companies. You will not likely have firmware customization options when it comes to a cable or fiber modem.

Firewall Software -- This training will include lessons using pfSense as a firewall management solution.

Router/WAP Firmware -- Depending on the make/model of your router and your use case, this may be the manufacturer's firmware, but often we recommend replacing it with something like OpenWRT, DD-WRT, or Tomato. For our example we will use OpenWRT.

On-Device -- These are your on-device security services such as client-side VPN, anti-malware, network traffic analysis, and software firewalls. Little Snitch and GlassWire are examples of on-device security software/services.
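Here is how the logical segmentation described above (one VLAN per segment, with the router restricting traffic between them) looks in OpenWRT's UCI configuration for two of the four segments, IOT and Secure. This is an added example, not part of the original lesson or the OpenWrt project's own documentation; the port names lan1-lan3, VLAN IDs 10 and 40, and the 192.168.x.0/24 addressing are assumed values, and the router is assumed to run OpenWrt 21.02 or later (DSA switch with bridge VLAN filtering). Segments #2 and #3 follow the same pattern.

```uci
# /etc/config/network  (fragment; illustrative values, not a complete file)
# One bridge carries all LAN ports; VLAN filtering splits it into segments.
# The stock 'lan' interface is omitted here; on a VLAN-filtered bridge it
# should be moved to br-lan.1 with its own bridge-vlan stanza.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

# VLAN 10 = Segment #1 (IOT). lan1 is a tagged trunk to the IOT access point,
# lan3 carries VLAN 10 untagged for cameras plugged straight into the router.
config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan1:t'
	list ports 'lan3:u*'

# VLAN 40 = Segment #4 (Secure). lan2 is untagged for the hard-wired desktop/NAS.
config bridge-vlan
	option device 'br-lan'
	option vlan '40'
	list ports 'lan2:u*'

config interface 'iot'
	option device 'br-lan.10'
	option proto 'static'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'

config interface 'secure'
	option device 'br-lan.40'
	option proto 'static'
	option ipaddr '192.168.40.1'
	option netmask '255.255.255.0'

# /etc/config/dhcp  (fragment) - each segment gets its own DHCP pool.
config dhcp 'iot'
	option interface 'iot'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'secure'
	option interface 'secure'
	option start '100'
	option limit '150'
	option leasetime '12h'

# /etc/config/firewall  (fragment; assumes the default 'wan' zone exists)
# Each segment is its own zone. forward=REJECT means nothing crosses between
# zones unless a 'forwarding' stanza allows it; only WAN is granted below.
# input=REJECT on the IOT zone keeps the devices off the router itself, too.
config zone
	option name 'iot'
	list network 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'secure'
	list network 'secure'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'iot'
	option dest 'wan'

config forwarding
	option src 'secure'
	option dest 'wan'

# IOT devices still need DHCP and DNS from the router; allow exactly that.
config rule
	option name 'iot-dhcp-dns'
	option src 'iot'
	option proto 'tcp udp'
	option dest_port '53 67 68'
	option target 'ACCEPT'

# Let the secure segment reach the cameras' web UI, one way only; nothing
# in the IOT zone can initiate a connection toward the secure segment.
config rule
	option name 'secure-to-iot-web'
	option src 'secure'
	option dest 'iot'
	option proto 'tcp'
	option dest_port '80 443'
	option target 'ACCEPT'
```

After editing the files, `/etc/init.d/network restart` and `/etc/init.d/firewall restart` apply the change; a quick check from a device in the IOT segment is that it can reach the internet but cannot ping or connect to the 192.168.40.x addresses.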

1.5 Hardware

Once you have your new network configuration planned out, you will need to decide which hardware you are going to use to accomplish your desired level of segmentation. For this I recommend taking a triaged approach by creating a list of resources:

Existing hardware -- Your current routers and access points may be sufficient for retasking to handle certain tasks on your new, more secure network. A common example is flashing an old wireless router with new firmware and using it as a wireless access point (WAP) for your security cameras and other IOT devices.

Internet Service -- If you are on cable or fiber you likely lease your modem from the carrier. We would prefer to own our device and have more control over its configuration. This also tends to be a cost savings long term.

Firewall Hardware -- A hardware firewall is preferred versus using the firewall function that is baked into most consumer routers. We recommend a Protectli Vault or something similar. (Discounted purchase options can also be found on the Protectli site HERE. This is an affiliate link to support Michael's site and is not tied to my course. Much of this content is borrowed from his books, so supporting his efforts seems appropriate.)

Router/WAP Hardware -- Your current router may be fine depending on what it supports. Ideally, we'd like a router that natively supports OpenWRT so that we can get rid of the manufacturer's firmware and gain more control over our routers and access points.

Wired Infrastructure -- Consider running CAT-5e or CAT-6 wires for stationary devices. Why spend the time dealing with wireless security and reliability issues if you can have a solid physical connection? Ethernet cable is cheap, and establishing "cable runs" in your home is a great long-term investment that will save you time and hassle. For the most part we use wireless for convenience, not for security or performance benefits. Convenience is almost always the enemy of security. Relying on a wireless connection for something that could be wired introduces more attack surface and performance variables.

Hardware is the area of your plan most affected by budget. If you are able to buy new equipment you will have the most flexibility, whereas many of us end up using a combination of new and repurposed hardware. Like everything else in this course, it is not an all-or-nothing scenario. Any measures taken that improve our privacy and security are a benefit to us, and we all have limitations on time and budget. In the forthcoming modules in this series I will be using a combination of new and existing equipment.

1.6 Hardware Recommendations

Choose the best hardware to suit your budget and threat model. That being said, I know that sometimes when I start a new project in unfamiliar territory, I like to have recommendations regarding equipment and supplies, a shopping list if you will. These are only recommendations, and each comes with pluses and minuses.

Modem Hardware: If possible, we would like to use our own modem rather than the one provided by our service provider. This is not an option for everyone, and your options will depend on your internet service provider. The goal is to have full control over all of the devices in our network and not be limited by a provider-configured modem. If this is not an option for you, do not worry; the other steps in this "network remodel" will still improve your security and privacy. My recommendation is to do research based on your provider to see what options and equipment are available and recommended by other users. Start with Google and a search similar to:


Firewall Hardware: Protectli Vault with the following minimal specs:

- Memory: 4GB
- Storage: 32GB
- Wi-Fi: None
- BIOS: Coreboot

If you have home internet speeds over 200mbps, choose the 4-port or 6-port. If your home internet speed is over 250mbps, choose the 6-port. https://protectli.com/ (If you want to support IntelTechniques.com, purchase it here at a small discount.)

Router Hardware: First of all, if you want absolutely the best option for your situation, grab a cup of coffee and settle in for some research on https://forum.openwrt.org/c/hardware-questions-and-recommendations/13. There are many solid options, but here are two good picks if you want some reliable recommendations.

- Supported devices: https://openwrt.org/toh/start
- High-end recommendation: https://www.turris.com/en/omnia/overview/
- Mid-range recommendation: https://www.linksys.com/us/p/P-WRT3200ACM/

WAP and Travel Routers: I used a GL.iNet Slate in my VPN demos, but there is a good list of options at https://bestforconsumer.com/best router for openwrt reviews/. We will cover router options in depth in the router module, which will come later in this series as we build out our project network.

Wiring: Shielded Cat6 or 6a if you have long runs (Cat7/8 is expensive and overkill for most people); I picked up mine from Monoprice. Your two options are premade lines or bulk Cat cable and a connector kit (for adding the plugs after cutting your lengths). Depending on how many lines you have to pull, how custom you want your runs, and whether you plan to do this again, it may be cheaper to buy premade cables versus cutting and making your own. The flip side is that if you make your own, the lengths will be exact and you will learn a skill. Another name for Cat cable is Rj45.

- Rj45 kit
- Bulk or Individual Cat6/6a Shielded
- Example of crimper, cutter, and passthrough connectors
- Flush cutters
- Rj45 Wiring Diagram (color order)

A word of warning about cable selection for DIY projects. Some lessons learned when installing hard lines:

- Cheaper cable sometimes comes at the cost of ease of use during installation (inflexibility, cheap coating, no shielding, indistinguishable pair markings, etc.).
- If making your own cables, use pass-through connectors and a flush cutter to make your life much easier.
- I do not install boots on my connectors because I hate them (the little connector covers).
- If you plan to add security cameras or other networked gear to your infrastructure, you can utilize any extra cabling supplies to run data or low-voltage runs (we will cover this in a future module on physical security).

1.7 Additional Resources

- Segmentation Article
- OpenWRT project site
- OpenWRT Tutorial
- WRT Router Reviews
- Cabling Guide
- OpenWRT Travel Router
- WRT Comparison
- Crimping Example Video
- A Guide to Do-It-Yourself Network Segmentation
- Iptables command - DD-WRT Wiki
- Home Network Design - Part 2 - Black Hills Information Security
- homelabbity
- Segmenting your networks with pfSense - YouTube
- Use The Free QRadar CE to Monitor your Home's Network (flows) - YouTube
- 2020 Getting started with pfsense 2.4 Tutorial: Network Setup, VLANs, Features & Packages - YouTube
- OpenWrt Project: Quick start guide for OpenWrt/LEDE installation
- OpenWrt Project: Factory install: First-time installation on a device
- Latest Installing and Using OpenWrt topics - OpenWrt Forum
- OpenWrt Project: Table of Hardware: Firmware downloads
- Virtual Private Network -- Roll Your Own Network
- Online emulator website to demo OpenWRT LuCI, DD-WRT, Gargoyle, Tomato, TP-Link, Asus, Linksys, D-Link, Belkin, Cisco SB, Mikrotik, Netgear and Sonicwall wireless router firmware GUI | The 8th Voyager
- ddwrt devices - Google Search
- Supported Devices - DD-WRT Wiki
- Subnetting != Segmentation
- The Difference Between VLANs and Subnets - Component


16SecurityPhysicalSecurity.md

7/23/2021

Physical Security at Home v.11.2020

1.1 Revisiting Threat Models

Before we dive into solutions, take a moment to consider your threat model. What is the most likely physical security compromise to affect your home and family? What are some less likely threats that, if they were to occur, would be extremely damaging? Now create a list of actionable steps to address the likely threats, followed by a second list of long-term approaches to the less likely, but more serious, scenarios.

For most of us, the primary concern when it comes to physical security in our homes is crime. Geography and differences in culture may affect the crime trends in your area, but I will use typical US scenarios for my examples. These are generalizations, but statistically property crimes are the most likely incidents to affect most people at home. Common trends currently in my jurisdiction are package theft, mail theft, occupied burglaries, and vandalism. As I write this we are still living with the COVID pandemic, which has affected crime trends in a few ways: people are ordering more goods by mail, people are home more, making occupied burglaries more likely (most burglars prefer that you are not home, to avoid confrontation), and there has been an increase in vandalism due to emotion, frustration, or boredom. Regarding automobiles, I am seeing an increase in theft of car parts rather than entire vehicles. This is partially because vehicles are becoming more complicated to steal and because certain vehicles use parts that can be scrapped for easy cash (i.e., catalytic converters stolen to hock the precious metals).


1.2 Developing a Home Security Strategy

As with everything else we do, making a plan will improve the overall results of our home security makeover. In my example I will share what I have done at my own home to address the most likely crimes to occur in my area. Just as with our digital security campaign, we will never be 100% secure, but the key is to not be low-hanging fruit. Take the general concepts and apply them to your own threat model. Think outside the box and be creative in your approach. For context, I live in a middle-class suburban neighborhood with a fairly high property crime rate due to proximity to some rougher parts of our city. I break my security down into categories by purpose. Your specific chosen solutions will likely differ, but the overall categories are probably going to be consistent for each of us.


1.3 Deterrents

I am a firm believer that establishing deterrents to prevent crime is the best return on investment. Once an incident occurs, often the damage is done, so we would like to prevent it altogether if possible. In order of effectiveness:

Be Home -- Most thieves and burglars prefer to hit targets where the residents are not home, to avoid confrontations. There are of course exceptions, such as home invasion robberies, but those are fairly rare. The most dangerous situations are when criminals end up in a confrontation in a home which they think is empty. They may panic and commit a violent crime that was not their original intention. In short, we want our home to always appear occupied. When possible: lights on, TV on, and a vehicle in the driveway. These things are not always possible and come with some related costs/downsides, but they do go a long way toward dissuading burglars.

Dogs -- Even small dogs can contribute to our overall awareness when people approach our homes, but medium to large breed dogs can be a fantastic deterrent against burglaries. No burglar is going to risk dealing with a dog if they can just move on to another, less protected home. If you do not or cannot have a dog, consider placing a large, mangled chew toy on the front lawn or porch of your home. Either get one from a friend with a dog or buy one new and then run it over with your car a few times to make it look used. I find this to be more subtle and effective than "Beware of Dog" signs. Dogs are also nice when solicitors or strangers come to the door, as sometimes these visits are actually scouting efforts to pick out easy targets.

Visibility -- Burglars and thieves are looking for targets where they can kick in a door or pry open a window without being seen by neighbors or people passing by. Improve lighting around entry points. Motion lights are great and encouraged, but keep in mind that most residential burglaries happen during the day, while car prowls tend to happen at night. Removing foliage or other obfuscation in front of your home can improve visibility, but at the cost of privacy, so there is a balance to be sought there. Walk around your property and think about how you would break into your home or how you would steal the tabs off your car. If you have a very private back entrance to your home, that is likely your number one physical security vulnerability.

Neighbors -- Nosy neighbors can be annoying when it comes to privacy, but they are great for accosting would-be thieves. The viability of this measure will depend on the proximity and overall relationship between you and your neighbors, but if you do have close and agreeable neighbors, it is not bad at all to create an understanding that you all will keep an eye on the neighborhood. Nothing is better than having neighbors who will wave at a slow-driving car or offer a passerby assistance with finding an address. Criminals do not like neighborhoods where the residents are paying attention and aware of their surroundings.

Cameras -- I see the primary role of cameras as being a deterrent. Yes, they can be helpful for piecing together what happened after the crime, but at least in my jurisdiction you are not likely to get your stuff back, and almost nothing will happen to the perpetrators even if they are caught. Therefore, we want our cameras visible as another reason for the enemy to move on and pick a different target. I prefer cameras with LED lights that draw the eye of anyone entering the property, especially ones that blink when they detect motion. A red security camera light flashing and a motion light activating, illuminating that giant mangled dog chew on the porch, is my ideal greeting for late night visitors.


Alarms -- I am not a fan of silent burglar alarms, as the response is almost always too slow to catch anyone and the likelihood of false alarms can lead to fines on top of the recurring service cost. I do like audible alarms, even though most people these days do not pay attention and assume they are false. The point of any alarm should be to interrupt the crime in progress and encourage the perpetrator to flee. Again, criminals do not like attention being drawn to them, and ideally they will panic and leave prior to doing much damage.

Signage -- Again, I do not like security systems in general because they tend to create false alarms and/or a post-incident response after the damage is already done. However, there is not really a downside to adding branded security signage to your property. These can be ordered online or made yourself if you are crafty.

Audible Alerts -- An additional layer can be the use of motion- or beam-activated audible warnings. These are usually like the bell/sound that you hear when entering a convenience store. You can purchase units that play an audible tone when a beam is broken (such as across a driveway) or movement occurs in range of a sensor. Quite common are PIR (Passive Infra Red) sensors, which can even be built yourself at home using mail order kits or a Raspberry Pi paired with a few YouTube tutorials.

Avoiding Enticements -- Just as we want visual deterrents, we also want to avoid encouraging the targeting of our residence. For example, I have investigated burglary rings which targeted homes with shoes on the front porch. We later discovered that the criminals were targeting households of Asian descent because they believed people from that cultural group were more likely to store large amounts of cash and jewelry in their homes. Understanding criminal motivations and regional culture can help us identify and avoid drawing attention to our homes as potential high-value targets.

1.4 Barriers

Physical impediments are probably the oldest and most straightforward security measure.

Locks -- First of all, no one is going to pick your locks. That is just not the likely path of least resistance into your home. That being said, they might "bump lock" your back door. This is a much simpler way to defeat a cheap lock and one that requires less time, preparation, and expertise. The perpetrator uses a generic cut key blank for the most common locks and, once it is in the lock, hits it with a shoe or other blunt object until the lock pins bounce into place and, snap, the door is open. This is not terribly common, but it does happen, so we do want to avoid super cheap locksets. I prefer a good high-grade standard lock over a "smart lock"; I like physical security that I can fully control, and simple tends to weather the test of time better than fancy gadgets. What is Lock Bumping – How to Stop It

Door Frames -- Kicking in poorly constructed doors is a common method of gaining access to a home. Having some experience knocking down doors, I can tell you that it is usually the door frame that fails. We want a door frame constructed of real wood or metal, and which is affixed to the framing with a significant number of 3" lag screws. This is a common weak point in physical security because contractors tend to use insufficient, cheap hardware when securing door frames. Replacing the screws affixing your door frame is a relatively low-cost investment and an easy weekend project. Deck or French doors can also be a weak point. Ensure that they have a deadbolt latch that affixes the doors to the top and bottom of the frame when not in use.


Windows -- Although not the preferred point of entry, windows are certainly a weak point in our security. Many burglars avoid them because they tend to be noisy and can lead to injury/complications. Newer windows are more likely to be shatter resistant, have multiple layers of glass, or contain a film that makes removal of the glass difficult. Probably the most susceptible windows are those in concealed areas at the back of a home or adjacent to a door with a thumb-lock. If I can pop out a panel on a glass French door or a decorative side window to access an interior thumb lock, that is a good point of entry. Building codes in many places require thumb-locks on the interior side of deadbolts for egress during a fire, but that is not great for doors that have adjacent windows. I do like the use of narrow pieces of wood or dowels as physical interior blocks to keep windows from being opened. These are easily removed by those inside the house in an emergency but are an extra obstacle for anyone on the outside trying to force the window latch.

Safes -- Most residential burglars do not have the time or tools to defeat a properly installed safe. Make sure the safe is either very heavy/bulky or that it is affixed to the structure with bolts that are only accessible internally. An inexpensive fire safe from a big box store is most likely to be defeated if it can be removed intact from the premises.

Hides -- When someone breaks into your home, they are going to immediately check medicine cabinets for prescriptions, common areas for purses/wallets, dressers for cash stashes, and then nab any obvious small electronics or appliances such as power tools and laptops. They will also look in closets and under beds for firearms. They are not going to have much time to hunt around, so having your safe or other valuables in an area that is not easy to access or notice will be beneficial. Use existing obfuscated nooks to store your more precious items, or if you are so inclined you can create "hides" such as DIY hidden compartments. These do not have to be super fancy or complicated, but it can be a fun project to build your own secret cubby to store valuables. 20 Secret Doors and Clever Hiding Places

Note: Firearms should always be secured in addition to being hidden, with trigger locks at the very least.

1.5 Awareness

Awareness requires a combination of diligence, tradecraft, and technology, in that order. Gadgets are not a replacement for paying attention to your surroundings or maintaining good habits.

Situational Awareness -- Universal across all security disciplines is the subtle art of paying attention and listening to your gut. If the guy knocking on your door looking for his lost dog creeps you out, then he's probably up to no good. If the car circling the block with no apparent purpose doesn't end up stopping to pick up an Uber fare, then maybe it was scouting for burglary targets. Just making friendly eye contact with people as they move through your neighborhood can go a long way to make it feel neighborly to people from the community and yet make it undesirable for people who wish to move unnoticed during a scout. When I am in the field doing surveillance, nosy and inquisitive people are the worst. They make it very uncomfortable for anyone trying to observe patterns of life in a neighborhood. It doesn't mean you have to be rude to strangers, just be visibly alert and aware of what is going on.

Crime Trends and Time of Day -- Most crimes on the exterior of your home or in the street will happen in the evening and early morning hours. Most burglaries and attempts to gain illegal access to your home will occur during what would be normal business hours. The exceptions are organized fraud operations, which may target you while you are obviously home.


Sensors & Alerts -- Most security and camera systems now come with alerting features that can notify you if someone is at your door or on your property. Ironically, these devices often come at the cost of some personal privacy due to the poor hardware security and even poorer privacy practices of smart device manufacturers. There are ways to mitigate some of these privacy vulnerabilities, and there are also some DIY self-hosted options, but they will not be as easy or smooth to set up. I will address this issue in the next section regarding cameras, as those are the most common source of alerts these days. In regards to simple, reliable, and private sensors that do not connect to the internet, I like driveway sensors that generate a bell or chirp when crossed by someone entering the curtilage of your property: https://www.amazon.com/driveway-alarm/s?k=driveway%2Balarm

Cameras -- Although my primary purpose for cameras is as a visual deterrent, they can also be handy for perimeter awareness or post-incident intelligence. For example, if you choose to have an internet-connected system, it may notify you when a package is dropped off, and then you will also be able to go back and review the footage to see what happened if that package is no longer there when you get home. As mentioned earlier, the downside of most internet-connected systems is that they follow the IOT/cloud business model: poor privacy and poor hardware security, but convenient and with a low cost of adoption. This, more than any other area of security, is going to be one where approaches may differ vastly based on threat models and privacy concerns. This is a huge topic and I will be publishing another lesson specific to video security techniques. In the meantime, I recommend really narrowing down your priorities between wants and needs:

- Do you need remote access and real-time alerts?
- Do you need to place cameras in areas that are private or sensitive?
- Are the cameras primarily for awareness while away from home or while in the home?
- What are your expectations in regards to the evidentiary value of the footage?

It is my belief that there is a balance to be struck between security and privacy when it comes to security cameras, and more often than not we sacrifice more privacy than is necessary to achieve our desired level of security. There are a few basic rules to follow if you are new to security cameras:

- If it is cheap, it is almost certainly not secure.
- Camera systems are typically either analog or IP. Analog is just a video signal and low-voltage power supply over a wired connection. IP is digitally encoded video that can be sent over a wired or wireless network connection. Some analog systems have a network connection at their base station or NVR/VMS (network video recorder/video management system). Older systems from big box stores (Swann, Lorex, etc.) tend to be analog, and newer cloud-based systems such as Arlo tend to be IP based.
- Whatever route you go, remember your network security basics: change all default credentials to something unique and strong, assume any device with a lens and/or mic can be hacked, and have redundancies in place for when devices or data storage fail.
- If you must have internet-connected cameras: place them on the exterior of your home, aimed out from your home in the directions most likely to be used for access, and avoid capturing anything that gives away your location or identity such as your license plate, street signs, or house number. Place them on a segmented network to prevent access to your sensitive data and devices. In short, expect them to get compromised.
- I can see very little benefit to having cameras on the interior of your home. The privacy risk just doesn't justify the limited security benefits.

1.6 Evidence Collection

16SecurityPhysicalSecurity.md

7/23/2021

It is nice to be able to go back and review camera footage following an incident at your home. Did FedEx really deliver that package to your porch as they reported? Who rang your doorbell in the middle of the night and ran off? When in the middle of the night did your car get prowled, and what did the perpetrators look like? That is all interesting information and there is a chance that it could be useful to the police following an incident. Now the bad news. If you get prowled, burgled, or robbed, footage or not, you will not likely get your stuff back, and the perpetrators, even if caught, will not likely see much justice (at least not in the US). Investigating property crimes is low on the priority list for most agencies, and currently most agencies are having their budgets significantly cut. I don't mention this to be discouraging, but rather to make sure we are controlling expectations when setting goals for our security strategy. As someone in law enforcement in the US, I would not have evidence collection as my top priority. Things may be very different in other parts of the world, but I firmly believe that your efforts are best spent on deterrence and prevention versus evidentiary capture and collection. Note: should a violent or other non-property crime occur at your home, video evidence could be very useful to law enforcement. Again, my recommendations here are based on the crimes most likely to affect the most people and to strike a balance.

1.7 Specific Scenarios

This section has some specific examples of tactics that may be used to address some of the more common trends in residential crime. The recommendations above cover our overall bases for things such as residential burglary, but there are a couple of current trends in crime that I want to address more specifically.

Package Theft -- Package and mail theft are off the charts due to the pandemic. People are ordering more deliveries to their homes while also being home more often, which makes package theft a lower risk undertaking than a full burglary. Some viable options for prevention:

- Have packages delivered to the post office or other secure location.
- For regular mail, the best solution is to move to using a PO Box or CMRA. This provides an option for parcel delivery as well, making it a great solution if you can afford it.
- Visible cameras on your porch or other delivery zone; as a deterrent this may or may not stop some thieves.
- Purchase a secure parcel container for your home: The 5 Best Parcel Boxes to Buy in 2018
- Build a DIY solution to make your packages less obvious to thieves and/or more difficult to retrieve from your porch. Be creative; it is about reducing the chances of theft, not so much about becoming invulnerable. My solution: the package pit is an 8-foot deep narrow wooden box with thick foam in the bottom, mounted next to my porch. Deliveries are dumped in, which means they are out of sight, and it takes a small person with climbing skills to fetch them back out (in my case a scrappy 10-year old). Have fun with brainstorming solutions and try to think outside the box.

Car Prowls/Auto-Theft -- Thieves may not even want the whole car or the contents of the center console. They may be after your catalytic converter or other auto parts.

Obviously do not leave visible valuables or bags in your vehicle, even if just running into a store for a minute. Most prowlers are looking for easy smash and grabs, crimes of opportunity. The one time you leave your laptop or firearm in your car for just a few minutes will be the time that someone smashes out your window and runs off with your bag. I have seen this happen many, many times, to both people in the community and to colleagues.

- Consider a lockbox or car safe if you need to leave any valuables in your vehicle when parked unattended: https://www.amazon.com/Trunk-Safe/s?k=Trunk%2BSafe or similar (make sure to attach it to the vehicle frame or other permanent fixture).
- Consider an ignition kill switch to prevent vehicle theft: https://www.amazon.com/s?k=ingnition%2Bkill%2Bswitch
- Park in well lit areas and consider installing motion lights and visible cameras over your parking area.

Vandalism/Property Damage -- These can be crimes of opportunity but tend to be someone with an axe to grind or a person who just does not like whatever category they think we fit in. Cameras and lighting do well to dissuade these types of crimes. The perpetrators are less likely to be career criminals and are likely more concerned with being identified. I will add that with everyone wearing masks currently, it makes anonymous criminal action much easier to commit and harder to solve using camera footage. I have one camera at the street in front of my home, shooting across the only easy access to my property. This camera is very visible, and should you break the threshold of my driveway at night, a motion light trips while two more cameras start blinking at you. Someone wanting to do damage to my home or vehicles will need to be pretty committed to proceed past that point. The most common significant property damage crimes tend to be to vehicles, so if you can park in a garage, great. If parking indoors is not an option, the measures you take to prevent car prowls will serve you well against most property damage.

Arson -- This is very uncommon but extremely dangerous when it does happen. This is a less technical discussion and more just a commonsense reminder to lower your risk. Arson also tends to be a crime of either emotion or opportunity. If you are the sole intentional target, then it is someone who really is willing to kill you and yours. That is one of the scenarios where video evidence will be important, and it may only be available if stored or backed up offsite (i.e., cloud services). This is a very unlikely crime, so I do not think you should necessarily change your entire strategy to suit this scenario, but it is just something to keep in mind. Some arsons occur literally because some idiot wanders by and sees something to light on fire, or maybe there is a homeless person who starts a fire to stay warm. The type of scenario may depend on how urban your situation is. The best thing we can do to deter arson is to reduce opportune combustibles on our property. That is a pretty good idea anyway, but many of the arsons I have seen involved materials that were already on site prior to the culprit arriving. Even if they do bring a gas can or other ignition source, we should not provide any further fuel if we can help it. Again, the same visible deterrents of motion lights, cameras, and clear lines of sight will reduce the chances of this type of crime just as they will the others.

1.8 Self-Assessment

Just like our digital privacy campaign, the best thing you can do is take a walk onto your property from the street and think about how you would burgle yourself. If you really wanted to hurt this person, take their valuables, or otherwise do harm to them, how would you plan your crime? What route would you take into the property? What door or window would you bust open? What valuables would you go for in the limited time before you are interrupted? There is no way that we can possibly address all the different challenges that you may face in putting together a security plan. After doing a "scout", print out a property map from local tax records or from some of the mapping resources we shared during our OSINT module covering maps. Use that map to sketch out a plan to reinforce the most vulnerable and likely paths of entry with lighting, visual deterrents such as cameras, and reinforced doors/windows.

1.9 Sample Coverage Sketch/Plan

Do not overcomplicate your planning process. A simple legal pad and pencil is all you really need to sketch out your plan, but if you prefer you can use something like Draw.io or a sketching application. Start from scratch or download a satellite image.


Note: additional sketches may reflect other measures such as signage, points of entry, etc. Consider adding a physical security section to your security/privacy binder.

1.10 Home Defense

This is not a lesson on what to do if someone breaks into your home while you or a family member are there. That is a much bigger topic and is beyond the scope of our preventive measures. In such a scenario every person needs to decide for themselves the best course of action to protect themselves and their loved ones using a reasonable and necessary level of force. I do however want to mention a couple of considerations, which are purely how we approach this issue in our household. Once in a fight for your life you cannot go back in time to train. Everyone in my home has some degree of defensive tactics training and we talk through how we would react to different scenarios. We do not dwell on this or make it an area of paranoia, but I know from my LE work that in a crisis you will fall back on the training and planning you drilled into yourself prior to that moment of crushing adrenaline and potential panic.

Firearms are a lousy option for home defense in my opinion. Rounds go through drywall very effectively and the risk of friendly fire in close quarters is too high for my liking. Unless everyone in the house trains for armed close quarters combat and you are always certain where everyone is, the chances of safely deploying a firearm during an incident in your home are low. My household has multiple non-lethal options available to encourage unwanted guests to depart. If we were to have an incident in our home, the goal is to disrupt the act, draw attention/aid, buy time, and make staying very undesirable. Specifics are beyond the scope of this lesson, but if you research non-lethal measures that fend off large predators in the wild, many of those tools are equally effective on humans. Above all else the important thing is to have a plan. If the untrained members of your household do not have a well-established plan, they will struggle to react in a moment of panic. This does not mean freaking out your family and putting everyone in a constant "code red" state of readiness. We plan for these events just as we do floods, earthquakes, or any other low-frequency critical incident.

1.11 Additional Resources

- How-to Guide - Using a Cheap wireless Driveway sensor & Raspberry Pi to trigger BI, 2014
- What is Lock Bumping – How to Stop It
- What is Lock Bumping and How Can You Prevent it?, 2019
- 8 Security Measures To Prevent Lock Bumping, 2015
- 20 Secret Doors and Clever Hiding Places, 2015
- How to keep packages safe from box bandits, 2019
- Amazon - home security signs
- ZoneMinder
- iSpy
- Axis Site Designer

1.12 Physical Security Checklist

You do not need to do all these things. This is just a list to get you started and to give you some things to consider.

Deterrents:
- Indications of very large dogs
- Cut back foliage and other things blocking sight lines
- Visible cameras
- Alarm/security signage
- Audible motion/beam sensors

Barriers:
- Improved "bump resistant" locks
- Reinforced door frame with 3" leg screws
- Windows barred, shatter resistant film
- Safe and/or "hide" for valuables
- Firearms secured with trigger locks
- Empower neighbors to greet/challenge visitors

Awareness:
- Teach family members to be aware of their surroundings and to trust their instincts
- Nosy neighbors
- Beam and motion sensors across driveways and likely points of access
- Camera systems with motion alerts

Evidence:
- Cameras with offsite/redundant storage
- Cameras with onsite storage in a secure/hidden location
- Know the retention schedule of your recordings and area of coverage; regularly check that your equipment is operational and recording

Notes: scratch area for any notes during your assessment

PRIVACY AND SECURITY 101 GETTING STARTED PROTECTING YOUR PRIVACY

These are some basic steps to get you started on your privacy/security campaign. It is not an all-or-nothing deal. Some steps may not fit your lifestyle, but even small day-to-day measures make a difference. These steps are mostly non-specific due to rapidly changing technology trends, and it is up to each of us to do some homework regarding our own array of devices and services. Making lists of the devices, accounts, and people close to us (inner circle) allows us to methodically secure privacy vulnerabilities. Some of the most common platforms have resources listed on the Device & Account Checklist.

Assessment – Make offline “audit” lists of all internet connected devices, social media accounts, and family members – use a binder or paper notebook (paper is hard to hack)
- All devices that connect to the internet
- All accounts that have an internet login
- Your inner circle – immediate friends and family who have access to your private data and/or who you are linked to online
- Online Footprint – “Google” your name and employer. Print the first two pages of results and include this in your binder as the “low hanging fruit” of personal data.
Devices – Review security/privacy settings on all internet connected devices; make sure devices are not using default or short passwords
- Cell phones/Tablets – review all security settings and permissions for apps, avoid free apps, review geolocation permissions
- Computers – Keep your operating system updated, use a non-admin account for day-to-day use, avoid biometrics (recommended tools: https://inteltechniques.com/links.html)
  - Back up important files and consider using full disk encryption: https://ssd.eff.org/en/module/what-should-i-know-about-encryption
  - Review and tweak default privacy settings: https://www.wired.com/story/how-to-check-app-permissions-ios-android-macos-windows/
  - When connecting to public networks such as hotels, always use a VPN (virtual private network): https://ssd.eff.org/en/module/choosing-vpn-thats-right-you
- Internet of things such as Amazon Echo, Nest thermostat, routers, security cameras, etc. – Change default logins, no microphones or lenses in private areas of the home, refer to the DAC Checklist or search on DuckDuckGo for recommended security settings.

Accounts – Social media such as Facebook/Twitter as well as everything from Netflix to online banking… anything with an internet login
- Use a long, unique passphrase for each account (20+ characters) and store these in a password manager such as https://www.lastpass.com/ or a paper notebook - never reuse passphrases
- Enable 2-factor authentication on all platforms that support it: https://twofactorauth.org/
- Move to secure email, calls, and messaging - Protonmail, Sudo, and Signal
- Review security and privacy settings on social media accounts. The DAC Checklist covers the most common platforms, but remember to use your online research skills for up-to-date information (i.e., Twitter privacy settings from the last month: https://duckduckgo.com/?q=important+twitter+privacy+settings&df=m&ia=web)
- Start working through http://backgroundchecks.org/justdeleteme or https://www.accountkiller.com. Remember to edit sensitive posts prior to closing accounts to hopefully overwrite the data.

Inner Circle – Hackers will often target family and friends to get at your data
- Ask family to never “tag”, use your real name, or otherwise reference you in postings
- Do not reference your line of work online and ask family to also be considerate of your professional privacy
- Educate your household and provide them with tools such as password managers
- As a family, stop handing over real email addresses and phone #’s to businesses and platforms – use throwaway contact details such as MySudo.
- Share stories from class to drive home the dangers of improperly managed social media, mobile apps, and IoT devices. Focus on informed use and awareness.

Online Footprint – How easy is it to find your personal data online?
- Google your name and employer: “Jenny Bishop” AND Seattle Police
- The first page of results is the low hanging fruit regarding your online exposure. Our goal is to push any addresses, phone numbers, or other personal information off that first page of results.
- Set up a Google alert using the same name and employer keywords: https://www.google.com/alerts (paste in: “Jenny Bishop” AND Seattle Police)
- If you want to take a deeper look into your exposure, hunt yourself using the tools at https://osintframework.com

Red Team – Pair up with a trusted friend/colleague and hunt each other using Google and the inteltechniques.com tools; share results only with each other and securely (i.e., if you are going to use email to communicate vulnerabilities, ensure that you are end-to-end encrypted; a good option is for both parties to be on Protonmail)

Removals/Opt-Outs – Some data brokers will remove your information if you ask correctly.
- Get started with the top 10 data brokers: https://inteltechniques.com/data/workbook.pdf
- Use temporary email addresses and phone numbers for correspondence with data brokers: https://mysudo.com or https://dnt.abine.com
- A paper notebook works well for storing and logging your correspondence, some of which will be old-school paper letters.
- Misinformation: sign up for value cards and other “freebies” using one piece of real information and the rest misinformation (i.e., real name, fake address, fake phone). This is to start populating Google with incorrect personal details. Do not use a real person’s identity, just a mix of false info. Never give false information to government agents or to defraud anyone. We only use this technique for non-legally binding sign-ups such as value cards.

Additional Steps and Resources –
- Consider freezing your credit: https://inteltechniques.com/freeze.html
- Following #Privacy and #Security on Twitter will show you some of the latest news and tips: https://twitter.com/search?q=%23privacy%20%23security
- The Privacy, Security, & OSINT podcast is a great way to get weekly updates and insights during your morning commute or other downtime: https://inteltechniques.com/podcast.html
- The Michael Bazzell series of books cover both offense and defense. Even if you are only interested in security measures, understanding what can be used against you is eye opening: https://inteltechniques.com/books.html
- When connecting to public networks such as hotels, always use a VPN (virtual private network): https://ssd.eff.org/en/module/choosing-vpn-thats-right-you
- The most important links from Michael's privacy training and books are available here: https://inteltechniques.com/links.html
- Start your own binder using these checklists and the free workbook, or alternatively the Moleskine 18-month-weekly-notebook-planner-black makes for a good log.

Privacy Checklist| 2021

Devices

MOBILE
- APPLE IOS - HTTP://WWW.APPLE.COM/PRIVACY/MANAGE-YOUR-PRIVACY/
  - HTTPS://WWW.IMORE.COM/PRIVACY-NOW
- ANDROID SECURITY AUDIT - HTTPS://WWW.COMPUTERWORLD.COM/ARTICLE/3012630/ANDROID/ANDROID-SECURITY-AUDIT.HTML
- AT&T - HTTPS://WWW.ATT.COM/ECPNIOPTOUT/INITIATECPNIFORM.ACTION
- VERIZON - HTTPS://SMARTPHONES.GADGETHACKS.COM/HOW-TO/STOP-AT-T-AND-VERIZON-FROM-SHARING-YOUR-LOCATION-AND-SEARCH-DATA-WITH-ADVERTISERS-0139678/
- T-MOBILE - HTTPS://SUPPORT.T-MOBILE.COM/DOCS/DOC-5685

COMPUTERS
- WINDOWS - HTTPS://ACCOUNT.MICROSOFT.COM/PRIVACY
  - BASIC - WINDOWS 10 PRIVACY TOOL - HTTPS://WWW.THEWINDOWSCLUB.COM/PRIVATEWIN10-ADVANCED-WINDOWS-10-PRIVACY-TOOL (OPEN SOURCE)
  - ADVANCED - HTTPS://fdossena.com/?p=w10debotnet/index_1903.frag
- MAC – HTTPS://WWW.APPLE.COM/PRIVACY/
  - BASIC - HTTPS://LIFEHACKER.COM/HOW-TO-MAKE-YOUR-MAC-AS-SECURE-AS-POSSIBLE-1829531978
  - ADVANCED - HTTPS://GITHUB.COM/DRDUH/MACOS-SECURITY-AND-PRIVACY-GUIDE
- ANTI-MALWARE (WIN & MAC)
  - HTTPS://WWW.MALWAREBYTES.COM/MWB-DOWNLOAD/
- LINKS TO RECOMMENDED TOOLS - HTTPS://INTELTECHNIQUES.COM/LINKS.HTML
- EFF PRIVACY/SECURITY GUIDES - HTTPS://SSD.EFF.ORG/EN

“SMART” DEVICES (IOT)
- SECURITY CAMERAS - HTTPS://WWW.LIFEWIRE.COM/SECURE-YOUR-IP-SECURITY-CAMERAS-2487488
- FITBIT - HTTPS://HELP.FITBIT.COM/ARTICLES/EN_US/HELP_ARTICLE/1294
- STRAVA - HTTPS://SUPPORT.STRAVA.COM/HC/EN-US/ARTICLES/360034758331-YOUR-PRIVACY-DEFAULTS-WHEN-YOU-CREATE-A-STRAVA-ACCOUNT
- MICROSOFT OFFICE - HTTPS://ACCOUNT.MICROSOFT.COM/PRIVACY
- XBOX - HTTPS://SUPPORT.MICROSOFT.COM/EN-US/HELP/4482922/XBOX-ONE-ONLINE-SAFETY-AND-PRIVACY-SETTINGS-FOR-PARENTS-AND-KIDS
- ALEXA, NEST, ETC.
  - NO DEVICES WITH MICS OR CAMERAS IN PRIVATE AREAS
  - ISOLATE AMAZON DEVICES FROM YOUR MAIN NETWORK, SET UP AN “IOT” WI-FI ROUTER
  - HTTPS://WWW.AMAZON.COM/ALEXAPRIVACYSETTINGS


Accounts

(MOST POPULAR PLATFORMS)

ACCOUNTS – GENERAL
- BEGIN REMOVING YOUR DATA - HTTPS://INTELTECHNIQUES.COM/DATA/WORKBOOK.PDF
- START CLOSING UNNECESSARY ACCOUNTS - HTTP://BACKGROUNDCHECKS.ORG/JUSTDELETEME AND HTTPS://WWW.ACCOUNTKILLER.COM
- SET UP TWO-FACTOR WHERE AVAILABLE - HTTPS://TWOFACTORAUTH.ORG/

E-COMMERCE/WEB HOSTING
- AMAZON - HTTP://WWW.AMAZON.COM/GP/HELP/CUSTOMER/DISPLAY.HTML?NODEID=551434
- EBAY - HTTP://PAGES.EBAY.COM/HELP/ACCOUNT/PRIVACY-SETTINGS.HTML
- VENMO - HTTPS://VENMO.COM/LEGAL/US-HELPFUL-INFORMATION

EMAIL AND VOICE COMMUNICATION
- GOOGLE MAIL - HTTPS://PRIVACY.GOOGLE.COM/TAKE-CONTROL.HTML
- OUTLOOK.COM - HTTPS://PROPRIVACY.COM/EMAIL/GUIDES/CAN-YOU-KEEP-MICROSOFT-OUTLOOK-SECURE
- SKYPE - HTTPS://SUPPORT.SKYPE.COM/EN/SKYPE/ALL/PRIVACY-SECURITY/PRIVACY-SETTINGS/
- YAHOO MAIL - HTTP://NAKEDSECURITY.SOPHOS.COM/2013/01/08/YAHOO-MAIL-HTTPS-SSL/

MUSIC
- PANDORA - HTTPS://HELP.PANDORA.COM/S/ARTICLE/INFORMATION-ABOUT-PRIVACY-ON-PANDORA-1519949298664?LANGUAGE=EN_US
- SPOTIFY - HTTPS://SUPPORT.SPOTIFY.COM/US/ARTICLE/SPOTIFY-PRIVACY-SETTINGS/PLAIN
- SOUNDCLOUD - HTTPS://SOUNDCLOUD.COM/PAGES/PRIVACY

PHOTO AND VIDEO SHARING
- FLICKR - HTTP://WWW.FIGHTCYBERSTALKING.ORG/PRIVACY-SETTINGS-FLICKR/
- YOUTUBE - HTTPS://SUPPORT.GOOGLE.COM/YOUTUBE/ANSWER/157177?HL=EN
- VIMEO - https://vimeo.zendesk.com/hc/en-us/articles/224817847-Privacy-settings-overview

PRODUCTIVITY
- MICROSOFT OFFICE - HTTPS://WWW.TECHREPUBLIC.COM/ARTICLE/HOW-TO-VIEW-YOUR-PRIVACY-SETTINGS-FOR-MICROSOFT-OFFICE-365/
- DROPBOX - HTTPS://WWW.DROPBOX.COM/HELP/SECURITY
- EVERNOTE – HTTPS://EVERNOTE.COM/PRIVACY/POLICY-5-25-2018

SEARCH ENGINES
- BING - HTTPS://SUPPORT.MICROSOFT.COM/EN-US/HUB/4457207/MICROSOFT-PRIVACY
- GOOGLE - HTTPS://SAFETY.GOOGLE/PRIVACY/PRIVACY-CONTROLS/
- STARTPAGE - HTTPS://STARTPAGE.COM/DO/PREFERENCES.PL?LANGUAGE_UI=ENGLISH
- YAHOO - HTTPS://POLICIES.YAHOO.COM/US/EN/YAHOO/PRIVACY/INDEX.HTM
- DUCKDUCKGO PRIVACY SEARCH ENGINE - HTTPS://DUCKDUCKGO.COM/PRIVACY

SOCIAL NETWORKS
- FACEBOOK - https://www.facebook.com/help/325807937506242/
- INSTAGRAM - HTTP://HELP.INSTAGRAM.COM/116024195217477
- TWITTER - HTTPS://SUPPORT.TWITTER.COM/ARTICLES/20169886
- SNAPCHAT - HTTP://WWW.WIKIHOW.COM/STAY-SAFE-ON-SNAPCHAT
- GOOGLE+ - HTTPS://PRIVACY.GOOGLE.COM/TAKE-CONTROL.HTML (Google+ deprecated 2019)
- LINKEDIN - HTTPS://www.linkedin.com/help/linkedin/answer/66
- MEETUP - https://help.meetup.com/hc/en-us/sections/360004946151-Account-privacy
- PINTEREST - HTTPS://HELP.PINTEREST.COM/EN/ARTICLES/EDIT-YOUR-ACCOUNT-PRIVACY
- REDDIT - HTTP://WWW.WIKIHOW.COM/INCREASE-REDDIT-PRIVACY
- TUMBLR - https://tumblr.zendesk.com/hc/en-us/articles/115011611747-Privacy-options

WEB BROWSERS
- FIREFOX - HTTPS://SUPPORT.MOZILLA.ORG/EN-US/PRODUCTS/FIREFOX/PROTECT-YOUR-PRIVACY
- GOOGLE CHROME - https://www.consumerreports.org/privacy/how-to-use-google-privacy-settings/
- SAFARI - HTTPS://SUPPORT.APPLE.COM/GUIDE/SAFARI/PRIVACY-SFRI35610/MAC
- INTERNET EXPLORER - HTTP://WINDOWS.MICROSOFT.COM/EN-US/INTERNET-EXPLORER/PRODUCTS/IE-9/FEATURES/INPRIVATE

Inner Circle

(PROTECTING THE PEOPLE CLOSE TO YOU)

- IMMEDIATE FAMILY (SPOUSE, CHILDREN, PARENTS, ETC.)
- CLOSE FRIENDS
- CO-WORKERS
- PATIENCE AND REASONABLE EXPECTATIONS - BE GRACIOUS, UNDERSTANDING, AND LEAD BY EXAMPLE
- STAY INFORMED AND CONTINUE LEARNING
  - https://inteltechniques.com/links.html (CHECK OUT THE BLOG, PODCAST, & BOOKS)
  - https://inteltechniques.net (ONLINE PRIVACY, SECURITY, & OSINT TRAINING)

VULNERABILITY = DEVICES + ACCOUNTS + THE PEOPLE CLOSE TO YOU

16SecurityPrivateDomains.md

7/23/2021

Purchasing a Domain Privately v.11.2020

Purchasing a domain is typically a process fraught with issues for those of us concerned about generating online records containing our personal or financial data. One of our forum users posted some advice on a hosting company that served her/him well from a privacy perspective, so I took that advice and paired it up with an OSINT strategy that Michael shared on today's podcast (Nov 13, 2020). Michael shared a tactic of purchasing previously owned domains, creating email addresses with those domains, and then using those emails to establish covert accounts on difficult platforms such as Facebook.

Podcast episode: https://soundcloud.com/user-98066669/195-email-reputation-qr-scanning

Our member's advice:

2020-04-23 18:16:09 HGriffin Re: Namecheap
"I just spoke with Annette at Hosting Matters. She tells me they can accommodate folks like us. Go ahead and use a VPN, a prepaid card, a burner phone, and a CMRA billing address at signup. Just put a remark in the comment box along the lines of "I want to sign up privately without disclosing my personal information." Then if their billing system flags it as fishy, Annette and her coworkers will unflag it and process the transaction. https://hostmatters.com/ I've been a happy customer of theirs since 2005 (I have 5+ separate domains hosted there). Their customer support is top notch, and their prices are quite reasonable."

So using Michael and HGriffin's advice I set out to purchase a recently expired domain with some existing breach data history. My privacy strategy was to use the following to make my private domain purchase:

- Name: Alias
- PMB/CMRA: https://americasmailbox.com/
- Burner Email: https://web.mysudo.com/
- Burner Phone: https://web.mysudo.com/
- Payment: https://privacy.com/home
- Environment: I worked in a Firefox container, with uBlock Origin running, and on a ProtonVPN connection.

You may choose alternate VPN, burner email, phone, and mailing address providers.
The domain and hosting in my demo were purchased through https://hostmatters.com/. The domain name was selected from: https://www.expireddomains.net/deleted-domains/ I checked available domains against breach data at: https://dehashed.com If you are checking against offline breach data as well, use the ripgrep command:

```
rg -a -F -i -N domain.com
```

Note: the key to working past any fraud declines on your purchase is to include a note reflecting your status as a privacy professional/enthusiast. As HGriffin reported, the customer service is fast, and they resolved my payment issues in an hour without my having to forgo any of my privacy protections. It is normal and appropriate for them to block your initial purchase. When you see the status as "cancelled", click on support and submit a ticket asking them to review your private purchase. Maybe even name drop Annette.
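As an added illustration of the offline breach-data check above (my script, not part of the lesson), this counts how many records in a dump mention an address at each candidate domain. It uses grep with the same flags as the ripgrep command (-a -F -i; grep prints no line numbers, so -N is not needed) and anchors the pattern on "@" so that a candidate such as example.com is not counted inside a longer domain like notexample.com; the dump lines are constructed samples and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original lesson: rank candidate domains by the
# number of breach records that contain an e-mail address at that domain.

# Constructed sample dump standing in for a real offline breach file.
BREACH_SAMPLE=$(mktemp)
trap 'rm -f "$BREACH_SAMPLE"' EXIT
cat > "$BREACH_SAMPLE" <<'EOF'
alice@example.com:hunter2
bob@EXAMPLE.com:password1
carol@notexample.com:letmein
dave@other.net:qwerty
EOF

# breach_hits DOMAIN FILE -> prints the number of matching lines (0 if none).
# -a treats binary dumps as text, -F matches the literal string, -i ignores
# case; the leading "@" keeps "example.com" from matching "notexample.com".
breach_hits() {
    domain=$1
    file=$2
    # grep -c exits 1 when nothing matches; "|| true" keeps set -e scripts alive
    count=$(grep -a -F -i -c -- "@$domain" "$file" || true)
    printf '%s\n' "${count:-0}"
}

# rank_candidates FILE DOMAIN... -> "hits domain" lines, most hits first.
rank_candidates() {
    file=$1
    shift
    for d in "$@"; do
        printf '%s %s\n' "$(breach_hits "$d" "$file")" "$d"
    done | sort -rn
}

rank_candidates "$BREACH_SAMPLE" example.com other.net nothing.org
```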


16TelnyxVoip-210918-205256.md

12/28/2021

Telnyx Voip

- Create a free account at refer.telnyx.com/zrfmo. This link provides $20 in credits.
- Provide a custom domain email address (business address, not Gmail, etc.).
- If prompted for purpose, choose “SIP Trunking”. Leave the telephone number field empty.
- Click “SIP Connections” from the side menu.
- Click the “+ Add SIP Connection” button.
- Enter the name you wish to have for your connection (I chose “linphone”).
- Enable “Credentials” as the “Connection Type”.
- Copy the username and password automatically generated.
- Click “Save and finish editing”.
- Click “Numbers” in the left menu.
- Enter a location, click “Search for numbers”, then “Add to cart” for your number.
- Click the “Cart” in the upper left.
- Under “Connection or Application”, select your connection previously created.
- Click “Outbound Voice Profiles”, then the “Edit” icon next to “Default SIP Profile”.
- Click “Add Connection/Apps to Profile” and select your connection.
- Click “SIP Connections” in the menu, then the “Outbound Option” button next to your created connection.
- Enter your assigned telephone number in the “Caller ID Override”, then click “Done Editing”.

Linphone (optional)

- Open the Linphone application and select the “Assistant”, then “Use a SIP Account”.
- Enter the username previously provided; the display name of your chosen VOIP telephone number; “sip.telnyx.com” (US) as the SIP address; the password previously provided; and “TCP” as the protocol.

16SecurityuBlockOrigin.md

7/23/2021

Security Essentials - uBlock Origin v.2.2021

Intro and Use Case

Our recommended script blocker for Chrome and Firefox is uBlock Origin. Do not confuse this with uBlock, which is not the same extension and which additionally has privacy issues. It does a fairly good job blocking ads and malicious scripts from the get go, but it will serve you much better with a little tuning and an understanding of the interface.

1.1 Installation

Installation is straightforward and as simple as adding the extension to your browsers. We recommend adding it to both Firefox and Chrome. It is one extension which I add to all of my browsers independent of their use case. It is important to make certain that you get the correct version of this extension from the official source: GitHub - ublock-origin. There are links to the extensions there, or you may use these links:

- Firefox Add-ons - uBlock Origin
- Chrome Add-ons - uBlock Origin

Note: If you are a Brave user, the Chrome extension should work fine as Brave is Chromium based, and many users add uBlock Origin to increase blocking on Brave. Building a better Internet: Brave and the future of ad blockers

1.2 Configuration & Tuning

Tuning uBlock Origin is the trickiest part of getting the most out of it. Once installed, click on the icon in your extensions bar; below are some recommended steps/settings.

1. Select Dashboard on the bottom right of the pop-up.
2. On the Settings tab select "I am an advanced user".
3. Select “Filters” and review the data sets, enabling them as you like, although the default setting is sufficient for most people (you could stop here and be in fairly good shape).
4. Close the menu and select the uBlock Origin icon in your extensions bar again; now it will include an advanced interface. You will see a list of any scripts attempting to load on the page you are browsing, and you can now modify the blockers for that page or globally.
5. Note: Clicking on the large blue power button disables UO for that site completely (ctrl-clicking it will disable it for just that page).
6. The two columns to the right of the list of scripts represent your granular control.
   - Right Column = The site you are on
   - Middle Column = Apply settings globally
   - Left Column = List of scripts on the current page
7. Each cell of the columns can be cycled from gray to red.
   - Gray = default level of blocking
   - Green = unblocked (only visible in the far left sliver column)
   - Red = strict blocking
8. You can target individual elements for blocking using the zapper and picker buttons.
   - Zapper = Temporarily block this element
   - Picker = Set an ongoing rule to block that element
9. To reset your settings back to default:
   1. Set the entire middle column to gray
   2. Select Dashboard on the lower right
   3. Select the “My Rules” tab
   4. In the second column, Temporary Rules, select all of the text and delete it
   5. Click on “Save” and then “Commit”
10. Here is a good video on advanced settings. It is a little dated, so the options and layout have changed somewhat, but it is still a good explanation: How to use uBlock Origin Advanced User Mode
11. Michael discusses blocking Google Analytics specifically in the February 12th, 2021 podcast episode (#206): Privacy, Security & OSINT Show - Episode 206 - Website Analytics Concerns & Solutions
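As an added example (my illustration, not from the lesson or the uBlock Origin project), here is what the “My Rules” tab contains once the column cells above have been clicked: each line is `source destination type action`, where the source is the site you are on (`*` for the global middle column), the destination is the script host (`*` when the rule applies to a whole request type), `block` is a red cell and `noop` is a gray cell that cancels a broader block. The first two lines are the common “medium mode” that blocks all third-party scripts and frames, the third blocks Google Analytics on every site, and the last three relax those rules only on the placeholder site example.com:

```text
* * 3p-script block
* * 3p-frame block
* google-analytics.com * block
example.com * 3p-script noop
example.com * 3p-frame noop
example.com cdnjs.cloudflare.com * noop
```

Rules with a specific destination host must use the `*` type, which is why the cdnjs.cloudflare.com exception is written that way. Deleting everything in the temporary rules pane and committing, as in the reset step above, returns every cell to the default gray.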

1.3 Other Blocker Options
Here are some additional tools for blocking scripts and trackers.
- Firefox Add-on - Privacy Badger: EFF's Privacy Badger (some people like to use this along with UO, but I find I have more issues with PB breaking sites; it seems more aggressive)
- Lockdown Tracker Blocker for iOS
- Android Firewall/Tracker Blocker
- Analytics blocker for pfSense firewalls
- Raspberry Pi network firewall/tracker blocker

1.4 One Tab Bookmarks
https://www.techrepublic.com/article/how-to-use-ublock-origin-and-privacy-badger-to-prevent-browser-tracking-in-firefox/ | How to use Ublock Origin and Privacy Badger to prevent browser tracking in Firefox - TechRepublic
https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/?src=featured | uBlock Origin – Get this Extension for 🦊 Firefox (en-US)
https://github.com/gorhill/uBlock#ublock-origin | gorhill/uBlock: uBlock Origin - An efficient blocker for Chromium and Firefox. Fast and lean.
https://www.maketecheasier.com/ultimate-ublock-origin-superusers-guide/ | The Ultimate Superuser's Guide to uBlock Origin - Make Tech Easier
https://privacyinternational.org/guide-step/3392/install-ad-blocker-chrome-and-derivatives-ublock-origin | Install an ad blocker on Chrome (and derivatives) - uBlock Origin | Privacy International
https://12bytes.org/articles/tech/firefox/ublock-origin-suggested-settings/ | uBlock Origin Suggested Settings – 12Bytes.org
https://mekineer.com/information technology/20 0 ublock origin extension | Ublock Origin: Easy Instructions for Gratified Web Surfing [Health and Tech Hacks by Mekineer]
https://www.technipages.com/how-to-unblock-a-web-page-element-with-ublock-origin | How to Unblock a Web Page Element With uBlock Origin - Technipages
https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/ | uBlock Origin – Get this Extension for 🦊 Firefox (en-US)


https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm?hl=en | uBlock Origin - Chrome Web Store
https://brave.com/ | Secure, Fast & Private Web Browser with Adblocker | Brave Browser
https://community.brave.com/ | Brave Community
https://brave.com/learn/best-ad-blocker/#building-a-better-internet-brave-and-the-future-of-ad-blockers | What is the Best Ad Blocker? | Brave Browser
https://github.com/gorhill/uBlock/wiki/Advanced-user-features | Advanced user features · gorhill/uBlock Wiki
https://www.bleepingcomputer.com/forums/t/673424/can-ublock-origin-block-tracking-analytics/ | Can Ublock Origin block tracking analytics? - Anti-Virus, Anti-Malware, and Privacy Software
https://www.youtube.com/watch?v=2lisQQmWQkY&feature=youtu.be | How to use uBlock Origin to protect your online privacy and security | uBlock Origin tutorial 2018 - YouTube
https://gizmodo.com/ | Gizmodo | We come from the future
https://addons.mozilla.org/en-US/firefox/addon/privacy-badger17/?src=homepage-collection-featured | Privacy Badger – Get this Extension for 🦊 Firefox (en-US)
https://apps.apple.com/us/app/lockdown-privacy/id1469783711 | Lockdown Privacy on the App Store
https://play.google.com/store/apps/details?id=eu.faircode.netguard&hl=en_US&gl=US | NetGuard - no-root firewall - Apps on Google Play
https://protectli.com/kb/how-to-setup-pfblockerng/ | How to Setup pfBlockerNG - Protectli
https://pi-hole.net/ | Pi-hole - Network-wide protection


VOIP SMS App Guide Note: These steps were taken directly (verbatim) from https://inteltechniques.com/sms.html and were created by Michael and training member Mishaal (https://www.operationprivacy.com).

If you have been following the steps in Extreme Privacy, you might possess VOIP telephone service through Twilio or Telnyx. In the book, I offer ways to push SMS text messages to email, but that does not allow you to send messages. The following steps create your own self-hosted SMS web app which allows you to send and receive SMS text messages through unlimited Telnyx and/or Twilio telephone numbers within any platform (Windows, Mac, Linux, iOS, Android, browser, etc.). You will need to obtain access to Twilio and/or Telnyx as explained within Extreme Privacy, 3rd Edition. Once your accounts are created, verified, and configured for VOICE as explained in the book (but not configured for SMS!), conduct the following. The process is lengthy, but only needs to be completed once. You will need to dedicate an uninterrupted hour for this tutorial.

First, you need to create a database which will hold all of the message content. You can use the free version of MongoDB for this. Think of this as the storage for your text messages to which only you have access.
Open a new tab and navigate to http://www.mongodb.com/
Click "Start Free"
Enter email, name, and password
Confirm verification email
Begin the onboarding process
Leave "Organization" information as-is
Enter "VOIP" as the "Project Name"
Click "Continue"
Select the "Free Basic" tier and click "Create"
Accept all default options
Click "Create Cluster"
Allow cluster to be created (1-3 minutes)
Click "Browse Collections"
Click "Add My Own Data"
Enter a unique "Database Name"
Enter a unique "Collection Name"
Click "Create"
Click the leaf in the upper-left to return to your dashboard
Click on your project
Click "Connect"
Click "Allow Access From Anywhere"
Click "Add IP Address"
Enter a username and password for the database (no special chars)
Click "Create Database User"

Click "Choose a Connection Method"
Click "Connect using MongoDB Compass"
Click "I have MongoDB Compass"
Copy the "connection string" into a text document or password manager
Click "Close"
Enable 2FA at https://account.mongodb.com/account/profile/security

Next, you need a host for your web app. For this, you can use a free version of Heroku. Think of this as the website which will execute the software for your daily use.
Navigate to https://www.heroku.com/
Click "Sign up for free"
Enter mandatory details
Click "Create free account"
Confirm verification email
Click "Accept"
Click profile icon in upper-right
Click "Account Settings"
Click "Billing"
Click "Add credit card" (no charge made, just provides additional credits)
Enter credit card or Privacy.com card
Provide any random billing details if using Privacy.com
Click "Save Details"
Pause card if using Privacy.com (prevents any future charges)
Click the upper-left icon to return to the "Dashboard"
Click "Create New App"
Provide any "App name", which must be unique
Click "Create App"
If you do not see your app details, click the logo in the upper-left and select your app
Click the "Settings" tab
Click "Reveal Config Vars"
Enter "BASE_URL" in the "KEY" field
Scroll down and copy the URL in the "Domains" section (https://xxx.herokuapp.com/)
Paste the URL in the "VALUE" field under the "Config Vars" section
Click "Add"
Enter "DB" in the "KEY" field
Paste the MongoDB "connection string" copied previously into the "VALUE" field
Replace "password" with the password created for the database in the previous MongoDB steps
Be sure to remove the brackets (< >) around the password!
Click "Add"
Enter "COOKIE_KEY" in the empty "KEY" field
Enter 20 random characters in the "VALUE" field
Click "Add"
Enable 2FA at https://dashboard.heroku.com/account

Next, you need a free Github account which you can copy or "fork" the app itself into. This will

synchronize with the app host.
Open a new tab and navigate to https://github.com/
Click "Sign up for Github" (or log into your account)
Follow any prompts to enter email, password, and username
Confirm verification email
Navigate to https://github.com/0perationPrivacy/VoIP
Click "Fork" in the upper right
If prompted, create a new repository called "VoIP"
Click "Fetch upstream" in upper-right
If available, click "Fetch and merge" (this is a redundant step)
Enable 2FA at https://github.com/settings/security
Return to the Heroku browser tab
Click the "Deploy" tab
Click the Github option (middle)
Make sure you are logged into your Github account
Click "Connect to Github"
Click "Authorize Heroku"
Click the "Deploy" tab
In the Github section enter "VoIP" (case-sensitive) and click "Search"
Click "Connect" next to the result
Click "Enable Automatic Deploys"
Click "Deploy Branch"
Click the "Settings" tab
Scroll to "Domains"
Copy the URL, such as https://xxx.herokuapp.com
Navigate to that URL, which is the link you will access for this app
Optional: Bookmark it on desktop for future use
Optional: Create a mobile "home screen" shortcut

You can now launch your new web app within any browser by navigating to the URL mentioned above (https://xxx.herokuapp.com). If necessary, refresh the browser until you see the login page. Next, you must configure each Telnyx or Twilio number you wish to use within this app.
Click "Sign Up" to create a new account
Enter a unique username
Enter a secure password
Click "Sign Up"
Log into your new account
Click the dropdown menu and select "Add New Profile"
For Telnyx numbers:
Click the Telnyx option
Enter a "Profile" name as desired (ex: the phone number being used)
Enter your Telnyx API key available within the Telnyx Dashboard
Click "Get Number"

Choose the desired number within the dropdown menu
Click "Save" then "OK"
For Twilio numbers:
Click the Twilio option
Enter a "Profile" name as desired (ex: the phone number being used)
Enter your Twilio SID and Token available within the Twilio Dashboard
Click "Get Number"
Choose the desired number within the dropdown menu
Click "Save" then "OK"
Repeat the process of creating a new profile for each number you own.

Once you have your account created, you should consider disabling new accounts. This prevents someone from creating an account within your app and using your online resources. This is optional, but encouraged.
Return to https://dashboard.heroku.com/apps
Select your app
Click "Settings"
Click "Reveal Config Vars"
In the "KEY" field enter "SIGNUPS"
In the "VALUE" field enter "off"

Click "Add"

Next, you need to make sure your new web app does not "sleep" after inactivity. You can use a free version of Uptime Robot to ping your new web app every 20 minutes with the following steps.
Navigate to https://uptimerobot.com/
Click "Register for Free"
Provide any name, email, and password
Confirm verification email
Optional: Navigate to https://uptimerobot.com/dashboard.php#mySettings
Optional: Select the 2FA checkbox and enable 2FA
Return to the dashboard
Click "Add New Monitor"
Change "Monitor Type" to "HTTP(S)"
Apply "Friendly Name" of "VOIP"
Provide URL of your Heroku App used previously
Change "Monitoring Interval" to "20 minutes"
Click "Create Monitor"
Click the "Create..." button again

Finally, you should apply updates every week, especially while bugs are fixed and features are added, with the following steps.
Navigate to https://github.com/
Sign into your account
Select your app (fork of the original)
Click "Fetch upstream" in upper-right
If available, click "Fetch and merge"

If you like this app and want to see the full roadmap become a reality, please consider donating to the project developer at https://www.operationprivacy.com/donate.
Copyright © 2009-2021 IntelTechniques.com All Rights Reserved
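The app's behaviour is driven entirely by the four Heroku config vars set in the steps above (BASE_URL, DB, COOKIE_KEY, SIGNUPS), and the mistakes are easy to make: the <password> brackets the notes warn about left in DB, a short COOKIE_KEY, or sign-ups still open. The script below is an added example, not part of the notes, Heroku, or the 0perationPrivacy/VoIP project; it checks a KEY/VALUE mapping against what the steps say each value must look like before you click "Deploy Branch". Because the "Allow Access From Anywhere" step leaves the database reachable from any IP address, the database password is the only barrier, which is why the check insists it is present and is not the placeholder. The sample configs, hostnames and passwords are constructed.

```python
"""Pre-deploy check for the Heroku config vars used by the VoIP SMS app.

Added example; not code from the notes, Heroku, or the 0perationPrivacy/VoIP
project. It only encodes what the steps say each variable must look like.
"""
import secrets
import string
from urllib.parse import urlsplit

REQUIRED = ("BASE_URL", "DB", "COOKIE_KEY")


def generate_cookie_key(length=20):
    """Random alphanumeric COOKIE_KEY of the length the notes call for."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def check_config_vars(config):
    """Return a list of problems for a dict of KEY -> VALUE; empty means OK."""
    problems = []
    for key in REQUIRED:
        if not config.get(key):
            problems.append(f"{key} is missing")

    base = config.get("BASE_URL", "")
    if base and not base.startswith("https://"):
        problems.append("BASE_URL must be the https:// URL shown under Domains")

    db = config.get("DB", "")
    if db:
        if "<" in db or ">" in db:
            problems.append("DB still contains the <password> placeholder brackets")
        elif not db.startswith(("mongodb://", "mongodb+srv://")):
            problems.append("DB is not a MongoDB connection string")
        else:
            parts = urlsplit(db)
            if not parts.username or not parts.password:
                problems.append("DB connection string has no username:password")
            elif not parts.password.isalnum():
                # The notes say no special characters; anything else would
                # need percent-encoding to survive inside the URI.
                problems.append("DB password contains special characters")

    cookie_key = config.get("COOKIE_KEY", "")
    if cookie_key and len(cookie_key) < 20:
        problems.append("COOKIE_KEY is shorter than 20 characters")

    if config.get("SIGNUPS", "").lower() != "off":
        problems.append("SIGNUPS is not off: anyone who finds the URL can register")
    return problems


# Constructed examples: one with the usual mistakes, one done correctly.
BAD_CONFIG = {
    "BASE_URL": "http://example-voip-app.herokuapp.com/",
    "DB": "mongodb+srv://voipuser:<password>@cluster0.example.mongodb.net/voip",
    "COOKIE_KEY": "short",
}
GOOD_CONFIG = {
    "BASE_URL": "https://example-voip-app.herokuapp.com/",
    "DB": "mongodb+srv://voipuser:CorrectHorse42@cluster0.example.mongodb.net/voip",
    "COOKIE_KEY": generate_cookie_key(),
    "SIGNUPS": "off",
}

if __name__ == "__main__":
    for name, cfg in (("bad", BAD_CONFIG), ("good", GOOD_CONFIG)):
        print(name, check_config_vars(cfg) or "OK")
```

Paste the values from "Reveal Config Vars" into a dict and run the check; the one thing it cannot see is the Atlas IP allowlist, so the strength of the database password remains your responsibility.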

16SecurityVPN.md

7/23/2021

Security Essentials - VPN Protecting Our Connections Virtual private networks (VPNs) are a key tool in both our offensive and defensive work. We are going to steer away from getting too technical, but rather focus on key concepts that help us understand how to properly integrate VPNs into our work and personal privacy campaigns.

1.1 VPN Explained
Virtual Private Networks provide two primary services in supporting our privacy and security. First, they mask our IP address to prevent sites and services from tracking our data traffic back to the true origin. The second benefit is encapsulating our traffic in an encrypted tunnel so that it is protected from interception. Depending on your threat model, one or both may be a top priority in protecting your online activity. Here are two common threats that are likely foiled by a VPN:
1. IP Obfuscation -- During investigations I sometimes go to private domains run by malicious actors who are also sophisticated enough to pay attention to their visitor traffic. If they use an IP logger or other tactic to identify my connection, they will see the IP address of my VPN provider rather than my true native IP address. This protects me from counter-surveillance/attack and reduces the risk of "burning" my investigation by giving the target intelligence as to who I am.
2. Encrypted Tunnel -- Many internet service providers analyze their users' traffic and log all of your browsing behaviors and activities. If you run a VPN, they will have great difficulty reading your traffic as it passes through their servers, as it is all encrypted.
You will sometimes see "proxies" mentioned alongside VPNs. Proxies are similar in that we are routing our connection through one or more servers in order to mask our IP address once we connect to our final destination. What VPNs have that proxies do not is the encrypted tunnel protecting our data from interception. We rarely use proxies alone because often the content of your internet traffic is enough to identify who you are and potentially do you harm.

1.2 Implementing VPN
So how do we work VPN into our infrastructure, whether it be a single laptop or an entire home network? There are two primary approaches that we typically employ: client-based VPN applications and VPN services hosted on a network device. Each of these approaches has associated benefits and complications.

VPN Client Based
This is the most common implementation of a virtual private network due to its easy setup and flexibility. This is the method that most vendors support and recommend. Your VPN provider will provide you with an application and straightforward installation instructions. There are a couple of functions and limitations that we should keep in mind when setting up our client-side VPN.
1. Most users only use their VPN occasionally, so that leaves traffic exposed when it is not in use.


2. Application-based VPN is not already running when your operating system boots up. Even if you configure it to connect at startup, there is a brief instant when your computer can connect to the internet outside of the VPN's protection. For example, a Windows PC will "beacon" Microsoft servers each time it boots up and share some information from your system.
3. Applications crash and have other technical hiccups. If your VPN has a glitch or fails, your true IP address may be exposed in the middle of a browsing session or investigation.
4. We can mitigate these issues to an extent using the "kill switch" function on your VPN application. Most reputable VPNs have a kill switch toggle.

VPN Network Appliance
If you have hardware that supports it, VPN can also be installed on a network appliance to provide protection for all of your devices. The strategy is to set up an encrypted tunnel on your firewall or router so that all of your devices are protected. This also reduces the likelihood of exposure during bootup or due to the glitches which can disrupt desktop VPN applications. Keep in mind these protections all rely on proper installation and configuration.


Figure 1.1 VPN Desktop App vs Network Appliance

1.3 Considerations & Additional Resources
VPN Companies -- There are some good VPN companies, but there are many, many completely sketchy VPNs and resellers out there. Just do a Google search for VPN reviews and you will see thousands of marketing sites trying to peddle second-rate or completely fraudulent VPNs under a light veneer of fake product reviews. The best place to get real information and privacy ratings on VPNs is SafetyDetectives.
Hardware -- If you plan to use a desktop or mobile client, hardware is not really an issue. Our recommended VPNs provide client applications for Mac, PC, iOS, and Android. If you choose to configure VPN on your firewall or router, a couple of decent hardware options are:
1. Private Internet Access (PIA)
2. ProtonVPN
3. ProPrivacy - Best VPN Routers
TOR -- Some people use TOR (The Onion Router) in place of a commercial VPN. Although TOR will provide some obfuscation, it is not my method of choice. We will discuss TOR in more depth during our Darknet lessons, but our primary issues with using it for privacy/security are:
1. Most people only use TOR via the TOR browser, so all of their activity and connectivity outside of that session is exposed and unprotected. It is possible to install TOR at the network level, but it can be a little tricky and finicky to manage.
2. The bigger issue I have with TOR is that you are routing your connection through several crowdsourced hosts. Although your traffic is encrypted on much of its journey, the beginning and end of the journey is most often completely subject to interception. Even the TOR project itself recommends encrypting your own traffic prior to using TOR for privacy: Plaintext over Tor is still plaintext

1.4 Sample Router VPN Configuration
There are many different hardware configurations that you can use to implement VPN at the router level. Here is one example which details the steps for setting up VPN on a GL-inet Slate router. This is a very inexpensive travel router which Michael has mentioned previously on the podcast and in his privacy books. There is a new travel router model set for release this month and we will be testing and reviewing it soon:


https://www.gl-inet.com/products/gl-mt1300/
Quick steps for configuring VPN on the GL-AR750 Slate travel router:
1. Configuring the Slate as a VPN router
2. Power on the Slate
3. Reset the Slate by holding the reset button for ten seconds and allowing a reboot
4. Connect a computer or mobile device to the Slate via Wi-Fi
5. Navigate to 192.168.8.1 using your browser
6. Provide a new secure password
7. Select: Wireless > 2.4G WiFi > Modify
8. Rename the SSID to something more private. Change the security password to something longer and more secure
9. Click Apply
10. Repeat the process to rename and secure the "5G WiFi"
11. In the Slate portal, click on Upgrade > Download > Install
12. Navigate to https://docs.gl-inet.com/en/3/app/openvpn/
13. Apply the appropriate VPN settings for your provider
14. Click the "Enable VPN Policy" toggle and enable the remaining two toggles
15. In the Slate portal, navigate to "VPN" then "Internet Kill Switch"
16. On the OpenVPN Client tab you can change your server choice to reconnect to a different region
17. Verify that you have connectivity to the internet using your browser:
https://inteltechniques.com/logger/
http://ifconfig.me/ip
https://www.privateinternetaccess.com/pages/whats-my-ip/
https://dnsleaktest.com/
https://protonvpn.com/support/vpn-ip-change/
Michael's VPN guide and affiliate links: https://inteltechniques.com/vpn.html (ProtonVPN, PIA VPN). I only include these so that if you are going to pick up these products anyway, IntelTechniques.com will get a small cut for referring you. No one should feel pressured to use these, but these little bits of revenue help support the podcast and some of the other free resources that Michael produces.


1.5 One-Tab Bookmarks
https://app.diagrams.net/ | draw.io - diagrams.net
https://www.privateinternetaccess.com/helpdesk/guides/windows/windows-installing-the-pia-app | PIA Support Portal
https://protonvpn.com/support/protonvpn-setup-guide/ | Setup Guide for new users - ProtonVPN Support
https://protonvpn.com/support/installing-protonvpn-on-a-router/ | How to install ProtonVPN on your router - ProtonVPN Support
https://protonvpn.com/support/vpn-router-ddwrt/ | How to setup ProtonVPN on DD-WRT routers - ProtonVPN Support
https://protonvpn.com/support/watch-netflix-with-vpn/ | How to safely watch Netflix with ProtonVPN - ProtonVPN Support
https://blog.torproject.org/plaintext-over-tor-still-plaintext | Plaintext over Tor is still plaintext | Tor Blog
https://www.safetydetectives.com/best-vpns/ | VPN Comparison by That One Privacy Guy
https://proprivacy.com/router/comparison/best-vpn-routers | 5 Best VPN Routers | How to Install VPN on router (or buy pre-flashed)
https://www.flashrouters.com/vpn-types/protonvpn | Buy ProtonVPN WiFi VPN Routers - DD-WRT Routers | FlashRouters
https://www.gl-inet.com/products/ | Products - GL.iNet
https://www.gl-inet.com/solutions/vpn/ | VPN on Router - GL.iNet
https://docs.gl-inet.com/en/3/app/openvpn/ | OpenVPN - GL.iNet Docs
https://www.youtube.com/watch?v=XlXr8Qd63GM | How to Set Up an OpenVPN Client on GL.iNet Routers - YouTube
https://docs.gl-inet.com/en/3/release_notes/ | Firmware Releases - GL.iNet Docs
https://walkingdroid.com.au/travel-router-glar750s/ | Travel Router GL.iNet GL-AR750S Slate | Review by WalkingDroid
https://blog.cloudflare.com/dns-resolver-1-1-1-1/ | Introducing DNS Resolver, 1.1.1.1 (not a joke)
https://inteltechniques.com/logger/ | IntelTechniques.com | OSINT & Privacy Services by Michael Bazzell | Open Source Intelligence
http://ifconfig.me/ip | ifconfig.me/ip
https://www.privateinternetaccess.com/pages/whats-my-ip/ | What's My IP Address | Private Internet Access VPN Service
https://dnsleaktest.com/ | DNS leak test
https://protonvpn.com/support/vpn-ip-change/ | How to check that my IP address has been changed? - ProtonVPN Support
https://www.privateinternetaccess.com/pages/buy-vpn/ | Anonymous VPN Service from Private Internet Access, the only proven no-log VPN
https://protonvpn.com/?url id 0&utm campaign ww all 2a vpn gro aff partners_program&utm_medium=link&utm_source=aid-tune-1519&utm_content=6&bestdeal | ProtonVPN: Secure and Free VPN service for protecting your privacy


16SecurityWFH.md

7/23/2021

Security Essentials - Working Remotely
Breaking it Down by Threat Vectors
Most security risks working from home (WFH) or other remote locations fall into one of three categories: connections, devices, and services. For example, while joining a Zoom conference call you might be using your home WiFi on an employer-provided laptop. We will look at how to participate in meetings and other common tasks while reducing the impact on our security and privacy. The key concept to apply to every remote work situation is compartmentalization. Always take steps to isolate professional data from personal devices and vice versa.

1.1 Your Internet Connection
Although some employers might provide a MiFi or other cellular connection for use while working from home, most will expect you to use your own residential internet connection. The level of threat caused, and level of mitigation required, depends on the type of work you do, but certain best practices apply across the board.

Highly Sensitive Work -- Any work that deals with highly sensitive materials or exposes your devices to advanced threats has no business being conducted on a home network. An example from my own line of work is online undercover investigations. That type of work will only ever be conducted on non-personal hardware and via a dedicated covert connection such as a MiFi purchased with a backstopped account.

VPN -- Using an entirely separate internet connection is preferable, but not realistic for many of you. The next best thing is using a Virtual Private Network (VPN). This is software that provides an encrypted tunnel of internet communication between your device and another network. There are two common setups that people use for remote work:
1. Employer VPN on Work Laptop -- This is typically a VPN application that is installed on a work laptop by your employer. When the laptop connects to your home internet, the VPN software establishes a tunneled connection to your employer's network. The advantage is that data is protected not only from other data on your network but also from being intercepted elsewhere as it travels through the internet. Most IT shops will configure the VPN so that it automatically connects as soon as the laptop has an internet connection, and that is preferred. If you are stuck initiating the VPN manually, there is a chance you will forget and start doing work without isolating the data from your own personal network traffic, such as your kids streaming Netflix.
2. Employer VPN on Personal Computer -- Some employers expect you to use your own computer to connect to their VPN service. Once you are connected you have a browser or application window that gives you control of a computer that is "on-site" and on the employer network. This is a common setup for employees who only occasionally work from home. The downsides of this setup are obvious. You must put the employer's software on your personal computer, and you are relying on that application to isolate your work from your personal data. There is much more room for error, such as thinking you are working in the VPN window but accidentally entering company data into personal email. Even worse, you might mistakenly enter a personal communication into your work VPN window. This can lead to embarrassment or even a data breach.


3. Employee Provided VPN on a Personal Computer -- Your employer might refuse to provide hardware and VPN service altogether, or maybe you are a contractor responsible for your own infrastructure. In either scenario, you should consider getting your own commercial VPN service. Private Internet Access is a good, affordable VPN service for most people, if you do not already have one. Now if you repurpose your old laptop, put a fresh operating system on it, and install your VPN, you will have a dedicated work-from-home machine with a dedicated and isolated internet connection. Consider activating the kill-switch feature, which will prevent the laptop from connecting if the VPN is not actively protecting your connection.

1.2 Workstations
Employer Provided Workstation -- If you are provided with a work laptop by your employer, it is likely preconfigured, and you may not have administrative rights. This leaves little room to customize your security measures. In that scenario your efforts are best spent controlling your connection as covered in the section above. If you are allowed administrative privilege If the latter is true, we need to be even more concerned about mixing any of our home infrastructure with their network and data.

Dedicated Personally Owned Workstation -- If you are a freelancer or you have the option to configure your own dedicated workstation, our standard recommendations for PCs and Macs apply. Dial the layers of protection up or down depending on your threat level. If you have already isolated the connection being used from your home network, the next most important step is non-technical. Where operational security most often breaks down when it comes to dedicated machines is the user's discipline in restricting "work" to that machine and personal tasks to other devices.

Personal Workstation -- Using a personal workstation for work is never advised. Performing personal and professional business on the same device will always lead to cross-contamination. If you have absolutely no choice, here are some recommendations to limit exposure.
1. Download VirtualBox and create a virtual machine on your computer (refer to the extensive information in our OSINT training if you are not experienced using VMs). Most enterprises use Windows, and you can download a temporary developer version for free: https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/. This will be your disposable, temporary work computer: a little virtual workstation sandboxed inside your personal computer. The VM is a prophylactic layer between your work and personal data.
2. Inside your new Windows VM, install your VPN software and enable the kill switch. This will make it so that your VM can only connect through the encrypted tunnel.
3. Tune, update, and customize your VM as appropriate. In 180 days, your license will be up and you can make a new one after transferring any needed files to a backup drive.

A Note for Public Sector Personnel -- In addition to other security and privacy concerns, those of us working in Law Enforcement, the Military, or other government jobs need to keep public disclosure and discovery laws in mind. In most jurisdictions in the US, any activity on agency equipment is subject to disclosure, and likewise doing case work on your personal equipment and accounts may in fact open them up to a FOIA request or disclosure order in court. Compartmentalize at all times: work tasks on work equipment, personal tasks on your own accounts and infrastructure.

1.3 Conferencing


This has become one of the biggest shifts in how we get work done, with online conference sessions replacing live meetings for staff that would have normally met in person. Below are the most popular platforms, known security issues, and some tweaks for reducing the privacy impacts on your home. Aside from Wire, you are pretty much universally at the peril of your host. If they establish security-minded meeting settings on the back end, you will be in OK shape. Some general best practices apply across the board.

How to Connect (in order of most to least private):
1. Call in using a cellular connection provided by a burner SIM card,
2. Call in using a VoIP number such as MySudo,
3. Connect using a browser only,
4. Use a browser extension,
5. Install an application on your workstation or mobile device.
Although I like connecting via a call, I do not like connecting to the call via an app on mobile due to the amount of data these applications typically collect and send. I will note that while calling in is good for you, on some platforms doing so decrypts portions of the session for everyone else.

Video: Be aware of your surroundings, but consider disabling video in your settings and physically covering the camera with a blind. Some laptops now have a physical shutter to disable the camera, but some gaffer's tape will do in a pinch. Gaffer's tape is like duct tape, but it does not leave adhesive behind on the surface it is attached to.

Screen Sharing: If you are hosting and share your screen, clean your desktop prior to the meeting. Disable notifications and unneeded applications from the task manager. No one needs to see that private message that will invariably pop up in the middle of a presentation.

1. Wire -- Lesser known but secure. If you only need teleconferencing for four people or less, consider using the trial version of Wire, which is open source, well encrypted, and has a good track record. The primary limitation with Wire is scale; you are mostly stuck at four for video and 10 for audio conferencing. This is a great option for secure text and chat with family and friends.

2. Zoom -- Popular and less secure. Due to its ease of use and being free, Zoom has become overwhelmingly popular during the recent "stay at home" era. If you have kids, they are likely on Zoom for school, and friends are probably inviting you to hang out socially there as well. Let us look at the security issues and then some solutions.
Known Security Issues:
- Improperly configured sessions allow uninvited users to "zoombomb" the meeting.
- Zoom encrypts communications, but they hold the decryption keys.
- If you add dial-in attendees, the encryption is broken.
Settings to increase security if you must use Zoom:
- Zoom's own security recommendations for creating meetings: https://zoom.us/docs/doc/Securing Your Zoom Meetings.pdf
- Zoom's Privacy Policy: https://zoom.us/docs/en-us/privacy-and-security.html
- Zoom's Security Whitepaper: https://zoom.us/docs/doc/Zoom-Security-White-Paper.pdf
- Prevent "Zoom bombing" (uninvited guests): https://blog.zoom.us/wordpress/2020/03/20/keep-uninvited-guests-out-of-your-zoom-event/ or as a video: https://www.youtube.com/watch?v=p1IMmOujc9c

3. Webex -- More secure than Zoom with a higher price tag. Very well established in the corporate world and secure if configured properly. Quite expensive at scale. Cisco has much more experience with security at scale than some other platforms. Encryption: the host must log into the meeting settings and enable end-to-end encryption. There is a plan that includes the option of end-to-end encryption with a limitation on features available. As with other platforms, the level of privacy is dependent on the settings established by the host.

4. GoToMeeting -- It performs similarly to Zoom although with fewer features. The encryption is not end-to-end, but most others are not either. The host's options for allowing or restricting sharing, recording, etc. are typical. It is the same company as LogMeIn, which has had some security issues in the past.

5. Skype -- Microsoft has better security and more muscle behind security than some of the other offerings. Skype is on the way out and is being replaced by Teams and other O365 offerings. Skype's encryption varies greatly based on the type of communication and the setup of the various people involved.

6. Microsoft Teams -- Teams has better encryption than Zoom and most other corporate platforms, although it is not exactly end-to-end in most scenarios. I do like that they are up front about the encryption and list out common security threats on their Teams privacy policy page. I have quite a bit of experience with Teams, and the most serious security issues are user generated, such as clicking on phishing links or malicious messages.

7. Google Meet -- You get what you pay for. Standard Google: works well, but not if you like privacy. There is no end-to-end encryption and Google gobbles up all metadata surrounding your sessions. If you absolutely must use it, join with a burner account over VPN and a privacy browser such as Brave.

1.4 Filesharing

If you are already on an enterprise platform such as Office 365 you are likely tied into some type of secure file sharing with the usual privacy caveats of an enterprise software suite. If you are in the MS Office ecosystem, just make sure you are up to speed on the process for sharing files outside of your organization.

For individual filesharing on a smaller scale I like Firefox Send. With end-to-end encryption, it is the best free option, although you are limited in file size and number of downloads unless you associate a Firefox account. We recommend not using a Firefox account unless you absolutely need the extra features. Although Mozilla cannot access the encrypted contents of the transferred file, you would be associating meta and session data to a profile. Signal has good encryption and is a great option for smaller file sizes (100MB or less).


Wire is preferred for secure messaging overall but limits you to 25MB per file.

1.5 Productivity

Office Productivity Suites - Most of you will already be tied into the office suite that your employer provides. If you must do work on a personal device and access Office 365, do so via a browser rather than installing the applications. Use Firefox with containers to do so, or Brave if you prefer a Chrome experience minus the Google data mining. If you have to use Google Docs you are stuck because Google will be soaking up all of your activity regardless, but isolating the session into a Firefox container will help a bit. If you need your own office productivity suite consider using LibreOffice. It is free and open source. It is not perfect, but widely used and vetted by the community. It supports word processing, spreadsheets, and most other features that one would want from an office suite.

Text Editors - Finally, for a basic text editor, I like Notepad++ and Atom. Notepad++ is only available for Windows and Atom is available for Windows, Mac, and Linux. If you are on Linux you have many other options and may choose to just use Vim, which is a standard on that platform. If your only experience with text editors is "notepad", any of these options will take care of your needs and then some. If you are doing any work on code, the options mentioned here are fantastic with support for markdown and various other formats. Atom even supports limited collaboration on documents, but I do not recommend it as it uses WebRTC, which has been known to result in session vulnerabilities. Atom is by far the "slickest" experience but does collect some usage data. If you are not working with code and do not need the formatting, consider moving on to my Standard Notes recommendation in the next section.

Digital Notebooks - When I must use O365, I use the heck out of OneNote, which is a powerful hierarchical notebook. When I want to do research and not share it with Microsoft, I use Standard Notes. It lacks some of OneNote's power, but all the basics are there and even a degree of collaboration, and it is very private. It is also available for Mac, Windows, Linux, mobile, and web. Standard Notes is hard to beat.

1.6 Old School

For our most sensitive work we fall back on the three most secure forms of communication and documentation: meeting in person, phone calls, and paper. If it does not need to be digital, why take on the security hassles and risks brought on by involving electronic storage, 3rd-party applications, and/or the internet? Sometimes an actual conversation is not only more private, but also more productive.


Travel Packing List

Jason’s Travel Rules

These are just my personal travel rules. Your own may vary.

- Carry-on backpack never leaves my sight and is in direct contact with my person (sitting on the plane or in the airport I loop a leg through one of the shoulder straps).
- Laptops and external drives are encrypted (VeraCrypt or BitLocker) to ensure against data exposure if stolen or lost.
- I never, ever, put anything non-disposable into airline seat pockets or anywhere that lends to a possibility of leaving it behind.
- I have a dedicated pocket on my travel backpack for my ID/Vax/Cash/boarding pass pouch (https://niteize.com/runoff-waterproof-pocket) and things such as the wet wipes. This pocket is easily accessible while the bag is at my feet (on the plane) and is also easy to toss items into as I make my way into the TSA checkpoint.
- My travel pouch with my ID/Vax etc. is attached to my bag with a thin cord so that it cannot be left behind if it were to fall out of its pocket.
- I often do work while on the plane so a privacy screen is necessary (https://www.amazon.com/laptop-privacy-screen/s?k=laptop+privacy+screen). These are not perfect but do reduce the chances of someone shoulder surfing.
- When on the move or in uncontrolled environments I often have earbuds in but not playing anything. This lowers the chances of people trying to talk to you, but I want to be able to hear my surroundings for general situational awareness. The exception is when dealing with services, such as checking in or buying a coffee. I do not use devices or have headphones in while getting assistance because that is rude.
- For on the plane, I have noise cancelling headphones and a long playlist of downloaded, chill ambient music. This is so I can concentrate while working on the plane.
- I have a paper notepad/notebook handy. Although I use this for notes during class prep etc., it is also handy these days for communications because with masks and loud planes it can be easier to just have “Diet-coke please, thank you!” ready to go on the front page for easy communication with flight staff.
- For internet in hotels, I use my cellular data plan via my phone hotspot or my MiFi most of the time. If I do decide to use hotel WiFi, for example if I have poor LTE service, I connect my travel router (with built-in VPN).
- My luggage tags have a working burner phone number (MySudo VOIP).
- I print out boarding passes, maps, directions, etc. because I like paper vs apps. Paper documentation is primary with digital on my phone as backup.
- In my carry-on bag I typically have two laptops, 2+ phones, multiple battery packs/chargers. Even with TSA-precheck status this will sometimes get you pulled out of line when the x-ray sees stacked items, so I have these items in their own drawstring bag for easy removal/inspection. Airport TSA processes vary so they don’t always have you remove devices before x-ray.

Carry-on Bag

Full disclosure, I over-pack both as a personality quirk but also because I believe in having redundancy across the board. Thus, I have at least two of almost everything, including travelling with two laptops, which may seem extreme, but I can't risk flying across the country for a three day class, only to have my training laptop die. That necessitates a heavier duty and larger carry-on bag than most of you may travel with. I don't put anything sensitive or valuable in my checked bags when I do check bags.

Current bag - https://tripleaughtdesign.com/shop/fast-pack-litespeed/ (note: this bag is heavy, I tend to favor ruggedness and capacity over weight efficiencies so it is not for everyone). My previous bag I made myself, and prior to that I used something similar to https://www.timbuk2.com/products/1006-spire-laptopbackpack-20 which was great in the category of being cheaper and lighter. I just outgrew the capacity and wanted something more modular.

Customizations - My travel bag has some additional modular pouches added to support carrying phones, documents, and water bottles in an accessible fashion. Also, my youngest wove paracord around my bag handles in a fashion that it can quick release to be used as a laundry line or for any other cordage needs.

Clear ID/Covid Pouch - I have a weatherproof clear pouch with my vax card, passport card, proof of auto-insurance, blood type, emergency cash, etc. This pouch is attached to my travel bag which never leaves my side. If I ever leave my travel bag in my room, this is one of the items that gets moved to whatever smaller bag I'm taking with me. I also keep a digital copy of my vax card on my phone.
Laptop 1 PC (Charged and updated)
- AC Power Adapter
- Mouse
- Spare Batteries
- USB-C adapter (USB-A, HDMI, Ethernet, similar to https://us.anker.com/collections/hubs-anddocks/products/a8383?variant=37438604968086)
- Cooling Riser (this is a DIY 1/2" lift for the back of the laptop to increase cooling during live classes; you can also just rest the back edge of your laptop on the edge of a notebook or anything that lifts it about 1/2 inch to allow better air flow, assuming your fan intake or exhaust are on the bottom of your laptop)
- Protective bag/sleeve (for my main laptop I actually use a cleat bag similar to https://www.amazon.com/adidassackpack/s?k=adidas+sackpack as they are rugged, have a zipped pocket for accessories, and once at my destination I can use it for a grocery run or hiking around; Adidas makes them with nice thick cords, avoid any with thin ties/cords)

Laptop 2 Mac (Charged and updated)
- AC Power Adapter
- Thunderbolt Adapter (USB-A, HDMI, Ethernet, similar to https://us.anker.com/collections/hubs-anddocks/products/a8371?variant=37438484938902)
- Light protective sleeve

Clerical
- Notebook
- Pencils/Pens
- Post-its
- Reading Glasses

Travel Misc.
- Cash for Tipping
- Two Cell Phones
- MiFi Hotspot
- Noise Cancelling Headphones (Wired/Wireless Capable)
- Ear-buds (Wired)
- USB-C/USB-A Battery Pack
- Roll up water bottle
- Medications, personal health items
- Wet wipes (wipe down airline seats/trays, etc.)
- Purell Bottle (travel size, attached to backpack)
- Eye drops, lip balm, facial tissue pack
- Fisherman's Friend (this is more of a pro-tip for public speaking; we have trips where we talk all day for multiple days, and lozenges help when your voice starts to fail)

External Storage Pouch (this stays with me at all times and the drives are connected by a carabiner; avoid having individual small drives that can get lost, and encrypting these drives with VeraCrypt or BitLocker is highly recommended)
- 4TB SSD with sample breach/leak data (primarily combo lists such as COMB but also hash data, whois data, etc.) (I like the SanDisk Extreme drives https://www.westerndigital.com/c/portable-drives)
- 16G USB C/A drive with any pptx and any visual assets (this is for a scenario where a client needs me to run presentations from their gear vs my own)
- Smaller USB-C/A flash drives, such as a sample case drive (I like SanDisk drives that have both a USB-C and USB-A connector built in https://www.westerndigital.com/solutions/usb-drives)
- YubiKey (https://www.yubico.com/)
- USB-C to USB-C cord for SSD drives

Travel Wear - I walk/hike a lot on almost every trip so I travel in comfortable athletic type clothing and shoes. I tend to dress in layers because I will walk whenever I can vs taking public transportation or ride shares, so I have to be equipped for being out in the elements.
- Travel Hoodie (I used to favor the Flint & Tinder 10 year hoodies but the cuffs don't hold up over time, so American Giant is my current favorite)
- Ball Cap and Watch Cap (depending on weather at my destination)
- Light Gloves
- Running Shoes

Checked Baggage or Carry-on (non-essential gear, I don't put anything sensitive or essential in checked bags)

Adapter Bag
- USB-C to USB-C
- USB-C to USB-A
- Dumb HDMI Splitter (some venues have A/V systems that don't play well with HDMI from laptops; a cheap splitter sometimes overcomes HDMI DRM issues such as the venue's system blocking your laptop video signal. Most people probably don't need this but we work in large venues with a higher likelihood of audio-video challenges. https://www.amazon.com/hdmi-splitterhdcp-bypass/s?k=hdmi+splitter+hdcp+bypass or similar)
- Bluetooth/WiFi pptx clicker
- Lightning and micro USB adapters
- Extra zip and Velcro ties
- Extra pens/pencils, post-its
- Alkaline Batteries (for mouse/flashlight)
- Examples of good accessory pouches: https://www.carryology.com/utility/the-best-tech-pouches-and-organizers-toedc/

Hotel Accessory Bag
- AC/USB power extension cord/adapter
- Lightning/MagSafe charging adapter for phones
- Mini duct tape, zip ties
- GL.iNet travel router (https://www.gl-inet.com/products/)
- Small single AA flashlight
- HDMI cable (for making the hotel TV my second monitor for working in the evenings or playing movies/shows from my laptop)

Formal Business Trips
- Bag of choice: Henty Co-Pilot (if you travel with formal attire these bags are amazing https://henty.cc/product-category/travel/). They make for good carry-on or checked bags.
- Suit (this is actually essential, but it also takes up a lot of room so I do check my suit depending on how long my trip is and what else I need to cart along with me)
  - Pro-Tip: If you check your formal attire bag at the airport, have your sizes in your phone or notebook in case your bags get lost. In a pinch you can find a specialty or department store and buy some better-than-nothing business attire for your event; if you know your sizes this will be easier.
- Dress Shirts (one for each event, plus at least one spare)
- Tie, Belt, Dress socks
- Dress shoes (small scuff kit)
- Repair Kit (small sewing kit, small lint roller, attire travel stain removal wipes; this kit plus socks and belt fit into dress shoes for efficient packing)

Personal Gear
- Personal Hygiene Bag (toothbrush, eye drops etc.)
- Depending on the trip I may add a multi-tool or Swiss-army knife to my checked bag (be prepared to lose this if you have to carry on all bags on a future leg of the trip)
- Sunglasses
- Personal Clothing/Attire
- Creature Comforts (i.e.: orthopedic pillow, whatever book I'm reading at the time, etc.)
- More Mini-duct Tape

(Example of preferred garment bag which can be carried on or checked)

(Travel Carry-on Unloaded, note: AC power adapters are typically moved to checked bag)

17Backups_done_right.md

1/12/2022

Backups

Everyone needs a backup of their data. Be it a natural disaster, a clumsy misconfiguration or other human error, theft, or other malicious attacks such as ransomware, your data is always at risk. This is a quick writeup about general things to consider around backups, and some suggested ways of achieving a backup scheme that fits you.

Understanding 3-2-1-1 backups

For proper redundancy, any piece of important data should exist in three copies, on at least two different kinds of media, where at least one is offline, and at least one is off-site.

Out of the three copies one will be the "production copy" sitting on your computer (the original). In addition to this one there should be two backups.

Out of all three copies you should have at least two different types of media, meaning SSD vs HDD vs LTO tapes vs DVDs/BluRays. The purpose of two different types of media is that they are affected differently by natural phenomena such as floods, fires and radiation. So do take that into consideration and don't choose to only have "magnetic media" like only HDDs and LTO tape. Even though they will have very different tolerances, their common weakness will still be radiation and magnetism.

Out of the three copies, at least one should be offline. This is to prevent two of the most prevalent risks:

1. Ransomware that encrypts your data (most likely avoided by keeping your devices up to date), and
2. Human error changing the production copy, after which the next backup routine carries that error into the online backup.

Out of the three copies at least one should be off-site. This is in case your primary location is hit by some sort of disaster. Chances are that if your house burns down, then both the production copy and any backups in that house are gone. Note that the offline copy CAN of course be the off-site copy, but more often than not people have their off-site copy be an automated backup to a cloud solution - so great against fire or flood, but no good to protect against human error or ransomware.

Prioritize and centralize (information management)

The key to having a good backup routine that you can actually live with and implement in a manageable way is to centralize and prioritize your original data. Picture three laptops and two PCs in the house, with multiple copies of files depending on the need from one week to another. Sometimes you might import photos from your camera on the laptop, other times you do it on the desktop PC. Data is everywhere and you have no defined plan of what goes where. You could still back up all those machines in this scenario, but that is a lot of "wasted backup storage".

First, prioritize which files you really need/want to back up. I always use the family photos as an example, simply because it is one of those things no insurance company will ever help you get back (or give you any money for its loss for that matter). After that might be intellectual property or other writings of your own (also impossible to reclaim on insurance). And of course if you run a business, any and all documentation regarding your business should be properly backed up for the sake of business continuity if anything were to happen with the original data. As a step of prioritizing you can also try to score how important different types of data are to you. The ones I've mentioned here are what I would give top priority, whilst other things such as my library of ripped CDs would get a much lower priority since I still have the originals and could just rip them again.

Second, centralize the storage of your prioritized files to the extent it is possible for you. There is no harm in having the files on many computers, but that should not be due to haphazardly choosing where to store files; if so, it should be intentional and part of your backup scheme. So the best way is to choose one centralized location where you have the "original files", and have that as your source of backup. This can be one specified desktop PC, it can be in the cloud from a cloud provider (if your privacy and security threat model allows it), or it can be on an external drive or a NAS. Once centralized, start making your first full backup to a media of choice - where external HDDs are a common and great choice due to ease of use and price/TB. Then define for yourself how often you should do full backups, incremental backups, a new offsite backup, a new backup to different media, and go on from there.

One suggested scheme

- Make one full backup to an external HDD, encrypt the drive with your software encryption of choice, or a hardware encrypted drive if you splurge and find one with enough capacity. Either way - make sure to save your passphrase somewhere safe.
- Make another full backup to 25GB high-quality BluRay discs, using 7zip to divide your folder into proper 25GB chunks, with encryption and parity. I've found BluRays to provide a very robust media that can take a beating (the DataLine ones are very scratch resistant), and though they might be more expensive per GB than LTO tape, the initial investment in a BluRay burner compared to a tape drive is nothing.
- Take one of those copies and store it in another location.
- Repeat at desired intervals.

I have centralized on a NAS (UnRAID). I write to BluRay discs two times a year for family photos, documents/writing produced by myself, legal contracts and receipts (financial), and four times a year I write to an encrypted external HDD all the things I previously mentioned, but also stuff from my defined "lower prioritized data". I've chosen not to take the cost of backing up my ripped Plex library (at least not to begin with), simply because I know I can do it again and I know that I've found a way to automate most of it. Although I can very much understand choosing to do that simply due to the time it takes to rip, convert, and sort a library of CDs, DVDs and BluRays.

Backing up computers

There are many ways of backing up your whole computer, and I recommend looking into imaging software if your computer with its programs and configuration is an integral part of your business and how you make money. Personally, I've removed all storage of files off of my laptops and desktops and have all data on a NAS. That way if a computer goes it is just programs and applications and the OS, all of which is something I can set back up again from scratch without it affecting my living. I do use TimeShift on my Linux environments, but I don't rely on it (and so I haven't tested it).

Test! A backup scheme is only worth something if you are successful in recovering the files from the backup you made. ALWAYS TEST YOUR BACKUPS. NB - there are many ways of doing backups. These are just some considerations I find worth mentioning based on my experience.
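One way to act on "always test your backups", as an added example that is not code from the notes: a small Python script that records a SHA-256 manifest of the centralized original files and then checks a backup (or a restore from one) against it, flagging files that are missing, silently changed, or only present on the backup. The directory names and file contents are constructed inline so it runs offline.

```python
"""Manifest-based backup verification (added example, not from the notes)."""
import hashlib
import shutil
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # hash in 1 MiB pieces so large media files never load whole into RAM


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file (path relative to root, POSIX separators) to its SHA-256."""
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def verify_backup(manifest: dict[str, str], backup_root: Path) -> dict[str, list[str]]:
    """Compare a backup tree against the manifest taken from the original copy."""
    found = build_manifest(backup_root)
    report = {"ok": [], "missing": [], "changed": [], "extra": []}
    for rel, digest in manifest.items():
        if rel not in found:
            report["missing"].append(rel)       # never copied, or lost since
        elif found[rel] != digest:
            report["changed"].append(rel)       # bit rot, truncation, tampering
        else:
            report["ok"].append(rel)
    report["extra"] = sorted(set(found) - set(manifest))  # present only on the backup
    return report


def backup_is_good(report: dict[str, list[str]]) -> bool:
    """A backup is only worth something if every original file is intact on it."""
    return not (report["missing"] or report["changed"])


def demo() -> dict[str, list[str]]:
    """Constructed scenario: copy a tree, then corrupt one file and drop another."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "photos"
        (src / "2021").mkdir(parents=True)
        (src / "2021" / "holiday.jpg").write_bytes(b"\xff\xd8" + b"A" * 3000)
        (src / "2021" / "birthday.jpg").write_bytes(b"\xff\xd8" + b"B" * 3000)
        (src / "will.pdf").write_bytes(b"%PDF-1.4 constructed sample")
        manifest = build_manifest(src)          # taken while the original is known good

        dst = Path(tmp) / "external_hdd" / "photos"
        shutil.copytree(src, dst)
        # simulate a silently damaged copy: last byte differs
        (dst / "2021" / "holiday.jpg").write_bytes(b"\xff\xd8" + b"A" * 2999 + b"C")
        # simulate a file the backup job never picked up
        (dst / "will.pdf").unlink()
        # simulate junk that only exists on the backup drive
        (dst / "Thumbs.db").write_bytes(b"junk")
        return verify_backup(manifest, dst)


if __name__ == "__main__":
    result = demo()
    print("backup usable:", backup_is_good(result))
    for key, files in result.items():
        print(f"{key}: {files}")
```

Keep the manifest file with the offline copy; a restore test then becomes "restore to a scratch folder and run verify_backup against it".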


17Considering_a-NAS .md

1/12/2022

To NAS or not to NAS

Network Attached Storage (NAS) is just that - an external storage device that has been connected to a network, and made available to computers on that local network. There are many reasons why you might want, or need, a NAS, but there are a few things you should consider before you go out to buy one.

Disclaimer - this is just my opinion based on my experiences and the choices I ended up making for my own devices. Differing opinions are welcome, and if anyone has anything to add I hope they will drop me a DM or make an additional writeup with their own considerations.

TL;DR / BLUF: If you need external storage of several terabytes, that should be available from several computers (maybe to back up several computers), you want the storage to be self-hosted, you don't mind that the device has a fixed location in the house and is not easily movable due to its size and need for connectivity & power, and maybe you want the storage to have some redundancy - then a NAS is a great option for you. Recommended options are Synology and QNAP for out of the box solutions, and UnRAID or TrueNAS/FreeNAS for a home-built server. NAS solutions like those from NetGear and Western Digital are strongly recommended against. Although those are reputable brands, NAS is not really their speciality and their previous lineups/products have proven to have security issues that they chose not to fix or do anything about. E.g. early versions of WD MyBook/MyCloud devices were found to have a hardcoded backdoor (hardcoded username and password, unchangeable and the same on all devices).

And then the long version...

Consider your use case / device type

Your use case and reasoning for wanting a NAS should be the key factor when deciding what to buy, and whether to buy a NAS at all. Maybe another external storage device might suffice. You are in need of additional storage, that is a given, but that could possibly also be solved with a non-NAS external hard drive, thumb drive or memory card. When is one the better option?

Memory cards

Fitting for: single computer complete backups, backups of prioritized folders to hide somewhere (per MB's examples) or for "transport".

If your use case is backup for a single computer, and the computer's drive is less than 256GB, then microSD or SD memory cards are great options. You will be able to get memory cards that are 512GB and 1TB as well, but the price goes up significantly at this point. At the time of this writing, in most places the microSD cards are more competitively priced than their SD brethren. Regardless of whether you go for SD or microSD, do go for a reputable brand (e.g. Kingston, SanDisk, Samsung) and make sure you get one that is at least rated Class 10 (this has to do with read/write speeds). After Class 10 there is no Class 11, but they differentiate between UHS-I or UHS-II for instance. If in doubt, just read the specifications to see what the read and write speeds actually are. If you want to save a buck, then it IS perfectly OK to get a cheaper, slower card - your backups will just take longer. The quick write speeds are mandatory if you use it for a very high-res camera, because it would pause between each exposure until writing to the card is done. In the backup scenario, it is up to you to consider what is acceptable to you. If you make incremental backups like with TimeShift (Linux) or Time Machine (Mac), then you probably won't notice much of a difference except during the first full backups. I went for a microSD card in an aluminium card adapter that sits flush with my laptop. It takes scheduled incremental and full backups of my Linux machine. Many laptops have SD or microSD card slots, so it is the perfect choice for a "continuous backup" drive.

USB thumb drives

Fitting for: same use cases as for memory cards.

USB thumb drives can be found in many form factors, from nano drives to classic "pen drives". Even though they fit the same use cases as memory cards, they come in form factors more fitting to keep in your pocket or on your keychain without breaking. They are also usually cheaper per GB. They can also be found with hardware encryption, which means you have a few extra possibilities. With hardware encryption you can create a bootable USB that is also full-disk encrypted (even the boot sector). One can argue this differs little from installing a live-booted OS on a regular drive and then encrypting the partition with all the data - and that is pretty much true. The difference would be that with hardware encryption you can't even see that it is a live boot USB (so for a very small subset of users, this might be a requirement - e.g. you live in a totalitarian regime of censorship where having a live boot USB with Tails is considered proof you are a spy. Or of course if you indeed are a spy, you would want the hardware encrypted model). I still recommend going for reputable brands, and not getting knock-offs from China - unless it truly is a use-and-dispose-of kind of use case. Recommended options here are Corsair Survivor for good quality rugged pen drives, UK-made iStorage datAshur for hardware encrypted devices (they keep different ranges at different price points, but if you have business requirements delivering to government entities they have FIPS 140 certified devices and devices approved by different entities to hold classified information), and SanDisk Cruzer Fit is a fair nano option, although in the nano form factor there are quite a few options available. The last thing to consider on thumb drives is the USB generation and the transfer speeds it provides. Live booting an OS is recommended from a fast device, and if you buy a 1TB device speed usually matters more than if you buy a 16GB device (you are obviously transferring a lot more data).

External HDD / SSDs

Fitting for: backups of several computers, holding large datasets or a large amount of files that you can't fit on a main PC, storage needs that surpass the terabyte and need to be portable or somewhat portable.

2.5 inch vs 3.5 inch

2.5 inch means USB power will suffice, and hence it is easier to use on the move where you don't have access to a power outlet. Of course the smaller form factor also means it will take less space in your bag. 3.5 inch will need external power, but there are two clear advantages: 1. They are available in much larger storage capacities at better price points per TB, 2. Statistically, spinning hard drives are less prone to fail in their 3.5 inch models than their 2.5 inch counterparts. I recommend 2.5 inch if it is important to use on the move, and 3.5 inch if large storage capacity is more important.

SSD vs HDD

There are two clear advantages to SSD over HDD: 1. An SSD usually has at least four times the read/write speeds of an HDD, 2. No spinning parts means it is the best option on the move, since you won't have to worry about mechanical failure due to rustling during transport. The HDD's advantage is that it will be available in much larger storage capacities, and once again (like with 3.5 inch, which basically all are HDD) at a much better price point per TB. External HDDs can easily be found in storage capacities up to 16-18TB at the moment, whilst external SSDs usually cap at 2-4TB. For external SSDs I recommend either Samsung or LaCie. For external HDDs I recommend LaCie Rugged for the 2.5 inch form factor if > 5TB is not required and if you need it on the move. For larger capacities I recommend either WD Elements (aka EasyStore in some stores) or the Seagate Expansion - both are 3.5 inch and require extra power.

Rugged drives and hardware encrypted drives

For rugged drives at a good price point I recommend the LaCie Rugged (maybe Mini) range. They are great external HDDs that can be easily found with a fair price up to 4 or 5 TB in capacity. They are still HDDs, but I've found their ruggedness to "be enough" as long as you keep it in hand luggage during travel and are aware of how you treat it. For instance - one of the most vulnerable times for an external HDD to be moving around is while it is actually in use and spinning. So using it on a moving train or in a car is no problem, but try to lay it flat on a surface and make sure that the device is actually ejected and spun down before you actually pick it up. For hardware-encrypted drives I will once again recommend iStorage devices. They deliver both HDDs and SSDs. Be aware that they are still quite pricey though.

NAS is my thing - let's get to it

Fitting for: storage available for several computers in the house at the same time, making it easier for backups or to centralize storage, where you need 10-18TB, and/or need redundancy in your storage due to the importance of the contents (family photos or maybe business continuity reasons).

Out of the box solutions

There are many vendors with out-of-the-box solutions like WD, TerraMaster, Buffalo, and even NetGear has some, but the biggest names in the business are without a doubt Synology and QNAP. These latter two are the ones I recommend for out of the box solutions due to their large communities, high quality devices, and a big range of devices to fit your specific need. Both vendors deliver in both "box format" (miniITX/barebones tower) and "rack format", and they deliver with regards to both how many drives it fits and the horsepower delivered by the hardware. They can be set up as "just a NAS", or you can go in the application store to get stuff like NextCloud or maybe install VMs on it. They are very easy to set up with different kinds of redundancy options (RAID levels), and they even have models for m.2 SSDs and with internal GPUs. The biggest con to Synology and QNAP is that they try to enroll you in their respective environment with their own vendor-specific accounts, but if you are not that technical and not able or willing to roll your own NAS then they are without a doubt excellent solutions.

Rolling your own

This is a bit more technical than out of the box solutions, but there are some options that are still quite easy and have large communities for support.

UnRAID

Like the name says, it is NOT RAID, meaning it does not rely on a RAID controller or on RAID technology for redundancy. You can still have redundancy by having parity drives at the cost of slower write speeds, which can be remedied by SSD cache drives. So even though it is an obvious con to have slower write speeds with UnRAID, there is this one clear advantage to avoiding the RAID model: if a drive should happen to fail in UnRAID (and you don't have parity, or the parity drive went at the same time) then what you lose is that single drive's content. If you have a RAID corruption and the RAID fails (due to too many drives failing, past your point of tolerance according to the RAID level you chose) then the WHOLE array is gone. UnRAID has a wide range of community applications where you can run containerized applications that are somewhat sandboxed, but they still share access to the same hardware. It can also run VMs where you dedicate parts of your hardware to that VM. If you are going with UnRAID I would recommend just paying for the PRO version from the start. Another con would be that you can't build an array of SSDs in UnRAID, if that is a requirement of yours for extreme speeds (a very rare requirement). This can be remedied for applications that need the speed by either utilizing a cache-drive SSD, or by adding an SSD in a pool that is outside of the parity-protected array.

FreeNAS / TrueNAS

If you want to roll your own, but want a classic RAID with the possibility for redundancy but also boosted speeds (compared to UnRAID where you will have slower speeds) with striping - then TrueNAS is a great option. It is easy to install, pretty easy to use - although a bit less so than UnRAID, but also has a large community you can lean on. Also here you will have a great many options for running applications and VMs. TrueNAS will be more similar to an Enterprise NAS system than UnRAID is.

Hyper V/Windows Server, ProxMox or similar

Going full in on running your own server, with a hypervisor and role-based VMs on top of that. Well, if you are that technically inclined then Hyper V is Microsoft's hypervisor that they've made available for free, and ProxMox is the open-source Linux solution that will give you the same options. If you go for this option - you are technically way past where I am going to pretend that I can help you. So please, if you are one of these people - make a writeup of how you run your server and what services you've chosen for yourself and why.

Hardware when rolling your own

Traditional PC hardware, just like when building an office or gaming PC, can be used when rolling your own RAID/UnRAID solution. Second hand enterprise-grade servers are also great if you have high-availability or high redundancy needs. Server hardware will give you the possibility for redundant power supplies, and ECC RAM (error correcting RAM to counteract random bit-flips). I've had great experience with the small-business range from HP, namely their MicroServers, where I've tested both the Gen 7, Gen 8 and Gen 10. It has some enterprise functionality like a proper HP RAID controller, a proper backplane that probably supports hot swapping as long as your drive does (haven't tested or checked though), possibility for network management (iLO), but it lacks other enterprise functionalities like redundant power supplies. The MicroServers are not very powerful devices if you plan to run a lot of VMs, but if all you need is a NAS for storage and backup purposes - then it is a pretty good device. Jason is planning an example hardware build on UnRAID, where many of the hardware considerations probably will be a part of the video.


GHunt OSINT Tool Set Up and Usage

Written by: Chris Kindig

GHunt is a command line tool written by mxrch that combines several different techniques to mine additional information on Gmail addresses, Google Docs, YouTube accounts, and Gaia IDs (Google ID numbers). Setup of this tool requires slightly more effort on the part of the user than a simple git clone. Below I’ve listed steps to install and set up GHunt using the Linux command line (VM, or WSL), and either the Chrome or Firefox browsers. I will also assume you’ve already installed git and Python 3.

Installation*

Open a terminal in your environment of choice, and switch to the directory in which you wish to install the tool (cd ~/Downloads/Programs/, etc.). Then type:

git clone https://github.com/mxrch/ghunt

After the clone is finished change to the GHunt directory by typing:

cd ghunt

Then download and install the requirements by typing:

sudo -H pip install -r requirements.txt -I

Setting Google Cookies

Before you can begin using the tool you must provide a number of session cookies that allow GHunt to both simulate a browser and query a number of Google API endpoints. There are a couple of different ways to provide the cookies. Each method requires navigating to accounts.google.com, and logging into a covert Google account. As the creator suggests, you should use an account that you do not log into often, otherwise you may need to grab new cookies every time you try to use GHunt.

Method 1): Browser Extensions

The creator has also made companion browser extensions to easily pull the cookies in both Chrome and Firefox. They are available at the following links:
https://chrome.google.com/webstore/detail/ghunt-companion/dpdcofblfbmmnikcbmmiakkclocadjab
https://addons.mozilla.org/en-US/firefox/addon/ghunt-companion/

*Note this portion is already included in the OSINT Book 9 steps.

OSINT Technique: Clandestine LinkedIn View

Often, to see a person-of-interest’s LinkedIn page, OSINT investigators will use a “sock puppet” account on LinkedIn to view the page. This can notify the person-of-interest that your account has viewed their page if the relevant notifications are on for the targeted account. Additionally, it may risk a “sock puppet” account being flagged by LinkedIn. Below is a method to view a LinkedIn profile through clandestine means. The method will require four simple steps.

Step One – Boolean search string for person-of-interest

Navigate to Google and enter the simple Boolean string “target name” site:linkedin.com. For this example, I will use a search for a generic name: “Michael Johnson” site:linkedin.com. This produces multiple results but I will select the first result just for this example.

Step Two – Copy Link

After acquiring the desired result from LinkedIn via Google, do NOT click on the URL link but instead right click on the result and select “Copy Link” (browser language may vary but the URL address should be copied).

You now should have the profile page of your person-of-interest without notifying them that you viewed their profile page on LinkedIn.

OSINT Investigations Using Loveawake.com

Contributed by: Haddon Fields

This brief tutorial write-up is how to identify and use Loveawake for OSINT purposes.

What is Loveawake.com?

Loveawake is a dating site started by a Russian entrepreneur, and boasts more than 1.5 million users worldwide. The site has a large collection of profiles from all over the world, with a large collection in Russia, Ukraine and Eastern Europe. The site also has user profiles in the U.S., Canada, U.K. and nearly every country in the world. The site has search selections in nearly every major city in the world and does not require an account sign up to search for other users on the site. Users can include profile photos, and profiles without photos can be screened out in the search feature. Profile photos can be searched in image search engines. The global nature of the site coupled with searchable data makes Loveawake a potentially valuable search resource. Like all social sites, fake profiles established by the site to boost user numbers are a possible concern and hindrance for OSINT research, requiring further vetting and verification. Loveawake denies adding fake profiles and users can report alleged fake profiles.

Loveawake.com nomenclature

Each user profile has a site nomenclature which displays as: loveawake.com/profile/username. This makes the site nomenclature ideal for Boolean/Google Dorking searching. The site also provides username, age, location, Zodiac sign (for identifying a potential DOB range), last login, and verification status. The site also allows users to add their height and weight along with a preferred age for a potential romantic interest. Users may also provide answers to questions listed on the site and provide a bio. Profession and Interests are also present and fillable by users.

Photos

As noted, the site allows and encourages users to put photos onto their profiles. There can be several photos on a user profile uploaded by the user.
Multi-photo profiles are more likely to be legitimate profiles, though that is an assumption about site usage.

Photos can be downloaded and run through multiple image search engines like TinEye, PimEyes, Google Image Search and Yandex.

Randomized Example

I selected two randomized Loveawake examples with URLs at: https://www.loveawake.com/profile/Emily1er/ and https://www.loveawake.com/profile/ruby11/. Emily1er is stated to be in the Ardee, Ireland area and Ruby11 is said to be in the Seattle, Washington area in the U.S.

The profile for Emily1er:

Note the following useful OSINT information about this profile for “Emily1er”:

• Page header has biographical information
• The URL nomenclature has the user name “Emily1er”
• Relationship status is listed
• Geolocation is provided
• Age and Zodiac sign are provided
• Full photo is posted

Page Header Search

A review of the text in the page header bio (hover the cursor over the page header to reveal it) provides searchable text. This may or may not match the profile and is likely not indexed. However, an exact Google search is still worth doing to rule out any duplication or representation on another site.

Username Search

A search of Whatsmyname.app for the username Emily1er had 3 results for that username on Etsy, Quizlet and Roblox. Etsy had: https://www.etsy.com/people/Emily1er. This resulted in a page name for an “Emily Rudd” but no other confirming information. The other two sites, Quizlet and Roblox, were inconclusive.

Age Range Search

The given Zodiac sign for Emily1er is Gemini with a date of birth range from May 21 to June 20. This could be useful for verification purposes on sites that populate dates of birth (or breach data).

Profile Photo Search

A search in TinEye was negative. A search in Yandex for the profile photo for Emily1er resulted in the following:

There are multiple photos that match the Loveawake profile photo. A review of site results that match the photo from Yandex are:

The name “Raya Hope” shows up and when clicked on leads to a Pinterest page for Rayahope.com.

A search of Rayahope.com reveals the following:

The initial photo from Loveawake for Emily1er appears to be taken from Raya Coleman’s sites. The rayahope.com site has links to Ms. Coleman’s Instagram, Facebook, YouTube, Pinterest and TikTok, all of which can be explored for more information and collection. Whether Raya Coleman is using the alias Emily1er or the site has a fake profile remains to be seen, but the photo comes from Raya Coleman’s sites. Results were best located by a Yandex search as opposed to a text based username search. Further open source search sites like TruePeopleSearch or Cyberbackgroundchecks and other open data searches may be able to compare the age and DOB with what is provided on Loveawake. The second profile example, Ruby11, is below.

The profile for Ruby11:

Note the following useful OSINT information about this profile for “Ruby11”:

• Page header has biographical information
• The URL nomenclature has the user name “Ruby11”
• Relationship status is listed
• Geolocation is provided
• Age and Zodiac sign are provided
• Full photo is posted

Page Header Search

A review of the text in the page header bio (hover the cursor over the page header to reveal it) provides searchable text. This may or may not match the profile and is likely not indexed. However, an exact Google search is still worth doing to rule out any duplication or representation on another site.

Username Search

A search of whatsmyname.app had 69 results for the username “Ruby11”. Reviewing some of the results from Tinder, Reddit and Replit confirmed the presence of those usernames. Replit even provided the name “Ruby Clarke” while the Tinder result @ruby11 had the photo of a male named “Dan”.

Age Range Search

The given Zodiac sign for Ruby11 is Virgo with a date of birth range from August 22 to September 22. This could be useful for verification purposes on sites that populate dates of birth (or breach data).

Profile Photo Search

https://tineye.com/search/673a632b3f279eb90f21755be7a13db97f684223?sort=score&order=desc&page=1

A search of profile photos in Yandex provided the following results:

Scrolling through the Yandex results showed where the photo shows up on other sites. There are a couple pertinent pages with results. A Pinterest page has the following above photo on the Pinterest page:

The photo appears to be associated with actress Tatyana ALI. An additional search confirms:

This is a photo of Tatyana ALI and likely a false profile set up by the Loveawake site or a potential fraudster. A check on Tatyana ALI’s DOB is 1/24/1979 which does not match the Zodiac sign for Virgo (8/22 – 9/22).

Photo Metadata

A metadata search of the Emily1er photo posted to Loveawake did not appear to provide any information in ExifTool or Jimpl, the programs used to search for metadata. A metadata search of the Ruby11 photo posted to Loveawake did not appear to provide any information in ExifTool or Jimpl either. However, other metadata tools may find more information. Additionally, a search by code inspection is possible and may reveal more information. This would include any Google Analytics user ID that may be uncovered and tracked back to other sites.

Google Dork/Boolean

A simple Google search would be site:loveawake.com username or “@username” or other useful Boolean operators if coming TO loveawake.com. The inurl operator would also work. Searching a geolocation would also be useful, and a review of the Zodiac date range would be useful in cross referencing with other OSINT information collected. There are likely other useful operators that could be used.

Final Thoughts

As demonstrated above, there are several results that might be useful for OSINT and digital investigators and should be included in an OSINT or privacy search. In the two examples searched, the profiles appear to be fake profiles. This is important for vetting and verification in an OSINT search but also for privacy when users are legitimately searching for a potential romantic partner and seeking to remain safe online. The value of Loveawake is in the fact that there is no registration information required to search the site as opposed to many of the other dating apps, many of which require use on a mobile device and may not have a desktop feature. The international range of Loveawake is also valuable. Information that may be present includes name, username, Zodiac sign (DOB range), age, biographical information, geo-location, last login and verification status. Users may also provide answers to listed site questions and include profession and interests. Best practices appear to be focused on photo search/reverse image search tools, specifically Yandex. Searches by username provided multiple other pivots that did not appear to be the profile-of-interest. However, such information could be a valuable resource for pivoting into other sites for investigation.
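The Zodiac cross-check used in this write-up (Gemini for Emily1er, Virgo for Ruby11, and the Tatyana ALI date of birth that fails it) can be automated. The block below is an added example, not code from the notebook or from Haddon Fields. It uses standard tropical sign boundaries; published tables differ by a day at the edges (this table starts Virgo on August 23 while the notes give August 22), so a DOB within one day of a boundary is reported as "cusp" rather than a hard match or mismatch. It also turns the age and sign a profile displays into the candidate date-of-birth windows to check against people-search or breach results. The function names, the sample ages and the reference dates are my own.

```python
"""Cross-check a dating-profile Zodiac sign against a date of birth.

Added example, not code from the notebook. Sign boundaries differ by a day
between published tables (the notes give Virgo as Aug 22 - Sep 22; this table
starts Virgo on Aug 23), so a DOB within one day of a boundary is reported as
"cusp" instead of a hard match or mismatch.
"""
from datetime import date, timedelta

# (sign, first (month, day), last (month, day)); Capricorn wraps the year end.
ZODIAC = [
    ("Capricorn", (12, 22), (1, 19)),
    ("Aquarius", (1, 20), (2, 18)),
    ("Pisces", (2, 19), (3, 20)),
    ("Aries", (3, 21), (4, 19)),
    ("Taurus", (4, 20), (5, 20)),
    ("Gemini", (5, 21), (6, 20)),
    ("Cancer", (6, 21), (7, 22)),
    ("Leo", (7, 23), (8, 22)),
    ("Virgo", (8, 23), (9, 22)),
    ("Libra", (9, 23), (10, 22)),
    ("Scorpio", (10, 23), (11, 21)),
    ("Sagittarius", (11, 22), (12, 21)),
]


def _as_date(d):
    """Accept a date or an ISO 'YYYY-MM-DD' string."""
    return d if isinstance(d, date) else date.fromisoformat(d)


def sign_for(month, day):
    """Zodiac sign for a calendar month/day."""
    md = (month, day)
    for sign, start, end in ZODIAC:
        if start <= end:
            if start <= md <= end:
                return sign
        elif md >= start or md <= end:  # window straddles 31 December
            return sign
    raise ValueError(f"no sign for month/day {md}")


def sign_window(sign):
    """(start, end) month/day tuples for a sign name, case-insensitive."""
    for name, start, end in ZODIAC:
        if name.lower() == sign.strip().lower():
            return start, end
    raise ValueError(f"unknown sign {sign!r}")


def check_dob_against_sign(dob, claimed_sign):
    """'match', 'cusp' or 'mismatch' for a DOB versus a profile's sign."""
    dob = _as_date(dob)
    claimed = claimed_sign.strip().lower()
    if sign_for(dob.month, dob.day).lower() == claimed:
        return "match"
    for delta in (-1, 1):  # boundary day: published tables disagree
        shifted = dob + timedelta(days=delta)
        if sign_for(shifted.month, shifted.day).lower() == claimed:
            return "cusp"
    return "mismatch"


def _years_ago(d, n):
    """d minus n years, folding 29 February onto 28 February if needed."""
    try:
        return d.replace(year=d.year - n)
    except ValueError:
        return d.replace(year=d.year - n, day=28)


def dob_windows(sign, age, today):
    """ISO date windows in which someone aged `age` on `today` with `sign` was born.

    Age alone bounds the DOB to a one-year span; intersecting it with the
    sign's month/day window narrows it to about a month (two windows when the
    span straddles the sign's dates in both candidate years).
    """
    today = _as_date(today)
    start, end = sign_window(sign)
    earliest = _years_ago(today, age + 1) + timedelta(days=1)
    latest = _years_ago(today, age)
    windows = []
    for year in range(earliest.year - 1, latest.year + 1):
        w_start = date(year, *start)
        w_end = date(year if start <= end else year + 1, *end)
        lo, hi = max(w_start, earliest), min(w_end, latest)
        if lo <= hi:
            windows.append((lo.isoformat(), hi.isoformat()))
    return windows


if __name__ == "__main__":
    # Tatyana ALI, DOB 1/24/1979 per the write-up, against Ruby11's "Virgo"
    print(check_dob_against_sign("1979-01-24", "Virgo"))  # mismatch
    # constructed profile: Gemini, age 28, viewed on 2022-07-01
    print(dob_windows("Gemini", 28, "2022-07-01"))
```

The "cusp" result is the one to watch: a DOB on August 22 is Leo in this table but Virgo in the notes, so a hard mismatch there would discard a profile that is actually consistent.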

Misdirection Mode: Obscuring Personal Cell Phone Carrier Through Voicemail Manipulation

Presented By Haddon Fields

Purpose

This brief tutorial focuses on concealing which cell carrier you use by manipulating your custom voicemail greeting. While intended as a privacy and disinformation tactic, there are OSINT applications in identifying a cell carrier when direct telephone contact is warranted.

Standard Cell Carrier Voicemail

Wireless carriers provide a standard voicemail that a customer can use. Typically, a wireless customer can select “standard” or “default” voicemail which will result in a carrier supplied voicemail greeting. Alternatively, a customer may also create a custom greeting for their voicemail. Each carrier has a slightly different standard or default greeting. As such, the cell carrier that one uses can be identified from the standard voicemail greeting. For example, if one is a Verizon Wireless customer and uses the standard Verizon Wireless voicemail greeting, when someone calls and gets that voicemail the standard verbiage, tone and cadence of the message can give away that the cell phone is a Verizon cell phone.

Voicemail Manipulation Technique

When setting up a personal cell phone voicemail, navigate to your voicemail on your phone and select “Custom” (iPhone). You may also use the voicemail setup app for your phone (Android). Navigate to the YouTube videos (listed at the end of this tutorial) that contain multiple carrier standard voicemail greetings. For example, if you have cell service through T-Mobile you may select Telco or Verizon or whichever voicemail service you prefer. Record that greeting and use it as your voicemail greeting. When someone calls and the call goes to voicemail, they will hear a different carrier voicemail greeting than your own actual cell carrier. This is for misdirection and obfuscation purposes.

OSINT Application

The OSINT application comes from direct contact and identifying the standard voicemail greeting from the cell carrier. If policy allows contact, this would be a supplement to any Google Boolean search, custom search engine run, or cell carrier lookup tool used and can confirm those findings.

List of Cell Carrier Standard Voicemail Greetings

Below are collected standard voicemail greetings that could be used for the misdirection technique:

The Voicemail Greeting Channel – multiple uncommon and minor cell phone carrier standard voicemail greetings: https://www.youtube.com/channel/UCsC15uhrjwTHepeA_s4HnFQ/videos
Verizon Standard Voicemail https://www.youtube.com/watch?v=gbstL189F4Y
AT&T Standard Voicemail https://www.youtube.com/watch?v=3X9Nh5OrQok
T-Mobile Spanish Voicemail https://www.youtube.com/watch?v=iGB1yIwGdN0
Talk Mobile https://www.youtube.com/watch?v=_Gza1eJKDuQ
Mazuma Voicemail https://www.youtube.com/watch?v=ah2Slpr9t7E
Virgin Voicemail https://www.youtube.com/watch?v=6xmw_0HxOM4
Vodafone Voicemail https://www.youtube.com/watch?v=lRUwTR58c5E
Tesco Voicemail https://www.youtube.com/watch?v=B_NzHzI-5KY

17OSINTAustralianResources.md

7/23/2021

OSINT Australian Resources

Contributed by training member "hz"

People Search
• Australian Person Lookup
• Australian Public Records
• Early Australian Census Records
• National Archives of Australia
• Missing Persons Australia
• White Pages (AU)
• People Search (Australia)
• Ancestry Australia
• Australian Military Service Records
• Australian War Memorial

Business Search
• ABN Lookup
• ASIC Connect
• White Pages
• Yellow Pages
• Reverse Australia
• Search Frog
• True Local

Registered Professions
• Licensed Trades
• Conveyancer check
• Multiple (NSW)
• Tax practitioners 1
• Tax practitioners 2
• Doctors: Medical board Australia
• Doctors: Allied health
• Licensed Building Professionals (ACT)
• Rate My Teachers

Obituary Search
• The Ryerson Index
• Herald Sun mytributes
• Australian Cemeteries Index
• Rookwood Cemetery
• Find a Grave

Property Search
• Planning Alerts
• OnTheHouse

Archives & Newspapers
• NSW State Archives
• VIC Government Open Data
• Research Data Australia
• National Library of Australia Websites
• Our Digital Island
• National Library of Australia
• Newspapers.com

Vehicle Search
• NSW Licence Plate Search
• VIC Licence Plate Search
• QLD Licence Plate Search
• WA Licence Plate Search
• SA Licence Plate Search
• NT Licence Plate Search
• ACT Licence Plate Search
• TAS Licence Plate Search

Misc
• NSW Unclaimed Money
• ACMA Register of Radiocommunications Licences
• Australian Court Data

Credit Check
• Get Credit Score
• Finder Credit Check

Live Camera Feeds
• Live View of Sydney Harbour
• Live View of Quay West Sydney
• Sydney Cameras Live
• Watch Live Surveillance Online Australia
• EarthCam AU

Live Traffic Cameras
• Traffic Live NSW
• QLD Traffic Cameras
• Traffic Cameras

Australian Job Search Sites
• Australian Defence Force Recruiting
• Australian Government Job Search
• Seek Australia
• Jora Australia
• NSW Government Job Search
• QLD Government Job Search
• VIC Government Job Search
• TAS Government Job Search
• SA Government Job Search
• NT Government Job Search
• WA Government Job Search
• ACT Job Search
• All Jobs Australia
• Australian Public Service Job Search
• CareerOne Australia
• GradConnection Australia
• Indeed Australia
• Job Seeker Australia
• SpotJobs Australia
• THEunijobs Australia
• Salon Staff Australia
• OneShift Australia
• CareerJet Australia
• ArtsHub Australia
• GlassDoor Australia
• Gumtree Jobs Australia
• Neuvoo Australia

Australian Dating Sites
• Tinder
• eharmony
• RSVP
• Plenty of Fish
• Elite Singles
• Match
• OKCupid
• Bumble
• Oasis

Note: credit to DFW1N for some of these resources


17OSINTInvestigationsUsingStocktwits.md

7/23/2021

This brief tutorial write-up is how to identify and use Stocktwits.com for OSINT purposes.

What is Stocktwits.com?

Stocktwits is a New York based social network for investors and traders. The platform started on Twitter in 2008 and has since moved to its own platform. They have 3 million registered users. They have a desktop application and an app for iOS and Droid.

Stocktwits Sign Up

User sign up asks for: Full Name; Email Address; Username; and then password.

Stocktwits Data & Privacy Policies

The privacy policy can be found at: https://stocktwits.com/st/privacy. Stocktwits notes that if you activate the app through a cell device they will collect your mobile phone number. If you email the site they will keep your contact information and correspondence. The site notes that they log data including IP addresses but they claim to not associate an IP address with any other PII. Additionally, the site privacy policies note:

Affiliates. Stocktwits may share personal information with our current and future affiliates, meaning an entity that controls, is controlled by, or is under common control with Stocktwits. Our affiliates may use the personal information we share in a manner consistent with this Privacy Policy.

Other Users. Your full username and your image (if you decide to upload one) for which you registered on Twitter are displayed to people in the Stocktwits network to enable you to connect with people on Stocktwits, as specified in your privacy settings on Twitter. Certain actions you take may be visible to other users of the Services. For example, your posts will appear in other users' feeds and your profile information will be accessible to other users. You acknowledge that by sharing posts or adding information to your profile you make the information shared available to other users and that Stocktwits cannot control and shall not be responsible for any use other users make of such information. We may share your content on our YouTube, Instagram, Facebook, Twitter, Medium, Vimeo, YouTube, or LinkedIn page.

Personal Information. Except as otherwise stated in this Privacy Policy, we will not, without your permission, sell, publish, or share your personal information to third parties for their marketing purposes.

Stocktwits Usernames

Stocktwits, like Twitter, uses the @ symbol and that is searchable on the main page of the website. Usernames can also be found in the URL nomenclature as stocktwits.com/username. This is a searchable feature via a Boolean Google/operator search. For OSINT purposes, the username can be replicated in any username search practice.

Searching Usernames on Stocktwits

The main website page has an option at the top to search by either stock ticker symbol or username. If searching for an individual who has noted a stock you may search that stock ticker and see if that individual has posted about that stock, or search by username.

Stocktwits "Real" Names


Besides the username and @ feature, users of the site can add their own "real" name. For example, the publicly facing Stocktwits user, AnneMarieTrades, also posts her real name, Anne Marie Baiynd. The profile for AnneMarieTrades also lists information about the user and links to the user's personal website, geolocation by country, and time on the platform. Additionally, there is a profile picture for this user and the profile picture notes the user is a "plus" user, meaning the user pays a monthly or annual fee for expanded membership benefits including the ability to conduct advanced searches for other usernames and members. The monthly plus package starts at $7.99 a month.

Followers/Following

Like Twitter, Stocktwits will display publicly other Stocktwits users who are following a user page under the "Followers" and "Following" tabs. Using our same user example from above, the nomenclature looks like:

https://stocktwits.com/AnneMarieTrades/following
https://stocktwits.com/AnneMarieTrades/followers

Liked/Watchlist/Ideas

Stocktwits also has a feature that will show what posts have been liked by a user, what stocks the user has on a "watchlist", and an "ideas" tab. Ideas can be filtered by posts, links or charts. Using our same user example from above, the nomenclature looks like:

https://stocktwits.com/AnneMarieTrades/ideas
https://stocktwits.com/AnneMarieTrades/watchlist
https://stocktwits.com/AnneMarieTrades/liked

Geolocation

Users can note what city or area they are in and this is located on the user page with a geo-location tag underneath their name and username.

Profile Photos

The site allows and encourages users to put profile photos on their page. This can be real photos of the user or whatever image one would like. This is much like Facebook or Twitter in approach.

Stocktwits Cashtag

Like Twitter, Stocktwits uses a stock ticker feature called a "cash tag". This is the $ symbol followed by the company stock ticker. For example, Apple Inc. is $AAPL. If you search for a specific stock ticker you will need to use the dollar symbol before it in the search bar.

Stocktwits Rooms

Stocktwits also offers an option for more focused discussion on topics. This is similar to a chat feature or a Reddit page. It does require signup to access those rooms. There are two types of rooms: public and premium. Premium appears to require an application to the site to start. Public is available to any registered user. Premium rooms can offer content and then charge for information. Using the above example, Stocktwits user AnneMarieTrades notes in her profile a link to a Stocktwits premium page, PREMIUM TRADES. The nomenclature is: https://stocktwits.com/r/PREMIUM TRADES/. In the above user example, AnneMarieTrades is a moderator of PREMIUM TRADES.


Premium room pages appear to largely all have a monthly fee for access after a free trial. Premium pages also appear to have a customizable banner much like Facebook or Twitter in addition to a profile picture. Public rooms do not appear to have a banner.

OSINT collectable data

Data readily collectable from publicly facing pages appears to be:

• Username
• "Real" name
• Profile photo
• Geo-location
• Linking websites
• Length on the site
• Interests
• Posts, charts, graphs
• Following/Followers
• Liked posts, watchlist of stocks, ideas
• URLs for each
• Links to premium and public rooms

Data acquired from the site can be pivoted to other searches, especially username, "real" name, profile photo and geo-location. Established OSINT strategies can be applied per the needs of the investigator.

Google Dork/Boolean

As noted above, there are several results that might be useful for OSINT and digital investigators and should be included in an OSINT or privacy search. Information that may be present includes geo-location, links to other websites, profile photos, username, and even real name, and could be a valuable resource for pivoting into other sites for investigation. Operators can be used for all.


17OSINTPoshmark.md

7/23/2021

OSINT Investigations Using Poshmark.com

Contributed by IntelTechniques member Haddon Fields

This brief tutorial write-up is how to identify and use Poshmark.com for OSINT purposes.

What is Poshmark.com?

Poshmark is a U.S. based social marketplace for new and secondhand clothes for men, women, children, pets, brands and more. It is an e-commerce platform started in 2011 and boasts 70 million registered users in the U.S., Canada and Australia. The website has both desktop and mobile applications. The desktop site appears to be public and not require registration in order to search. It is a publicly traded company under the stock symbol POSH. Poshmark.com did suffer a data breach around August 2019 which included name, username, gender, city data, email, passwords and clothing size. This data may be floating around in a breach collection site if one was inclined to search for it.

Poshmark.com nomenclature

Each social media/marketplace site has some kind of URL nomenclature for identifying users. Facebook for example is facebook.com/username while Twitter is twitter.com/username such as twitter.com/jackdorsey. Poshmark is slightly different in that the username follows the nomenclature “closet” then the username. A “Posher” (the word used for an individual who sells on Poshmark as a user on the platform) example would be poshmark.com/closet/username.

Poshmark Usernames

A “Posher” can choose whichever username they would like (if it is available) and also use another name. Like Twitter, the “Posher” can be identified by the @ symbol. For example, a Posher might be @manishchandra (the founder of Poshmark). Some “Poshers” appear to have a username that is more like a brand but use their own name on their page separately. Like Twitter, a Posher can be tagged on the site by other Poshers.

Poshmark “Real” Names

Besides the username and @ feature, “Poshers” can also use another name, including a real name, on their page.
For example, a @ handle may be the name of the Poshmark page or store but it could have a full name or partial name located above their @username on the page.

Followers/Following

Like Twitter, Poshmark will display publicly other “Poshers” who are following a Poshmark page under the “Followers” and “Following” tabs. The nomenclature (randomly selected) looks like: https://poshmark.com/user/kitikats_kloset/followers with the “Following” page (randomly selected) looking like: https://poshmark.com/user/beewhoyouare/following. Note that for those pages the URL changes from /closet to /user then includes the username (beewhoyouare in the above “Following” example).

Meet Your Posher feature


Poshmark has a feature where one can dig deeper into the seller’s page. This Poshmark feature is called “Meet Your Posher” (MYP). Manish Chandra’s MYP page is: https://poshmark.com/listing/Meet your Posher Manish 59730e57ae61452102210daa. We can see from the URL that the MYP page’s nomenclature changes from /closet to /listing and then includes listing/meet your posher usernamefirstname randomizedlettersnumbers. The first name of a user’s name appears to be used in the MYP feature and is then accompanied by a randomization of letters and numbers. The MYP feature can be found on the page of a “Posher” under the About tab found on the right hand side of the page. The MYP page also may include photos provided by the Posher and can include comments from other “Poshers” to that individual seller.

Geolocation

“Poshers” can note what city or area they are in and this is located on the user page with a geo-location tag underneath their name and username.

Photos

The site allows and encourages users to put photos in the Poshmark page. This can be real photos of the Posher or whatever image one would like. Additionally, a background banner can be selected. This is much like Facebook or Twitter in approach. Photos can also be found in the Meet Your Posher page and can include real photos uploaded by the Posher.

Randomized Example

I selected two randomized Poshmark pages of sellers at https://poshmark.com/closet/anasaldierna and https://poshmark.com/closet/ddrake3790 to evaluate what OSINT information could be used and collected from a “Posher”. As noted, the /closet provided the name of both Poshers’ pages. The name Saldierna is used on the /closet/anasaldierna page as the name with the username tag being @anasaldierna. It is reasonable that that Posher’s name is Ana with last name Saldierna. A search on WhatsMyName.app located a Tumblr page for Anasaliderna. This also connected to the Poshmark page and appears to be a secondary site for Anasaldierna.
Additionally, it appears that the user is located in Greer, South Carolina. The About page notes Pinterest, Tumblr (identified by the WhatsMyName.app run) and Twitter page. This Posher also appears to have attended Yale University. Poshmark also notes the age of the account; this account was opened in August 2015. This Poshmark user did not appear to have the Meet Your Posher feature. When reviewing the /closet/ddrake3790 for OSINT on the Poshmark page there is more information about this user available. The user handle “ddrake3790” appears unique. A run on Whatsmyname.app located a Pinterest, Twitter, Venmo, Snapchat, Wanelo, Cash.App and a Periscope page (https://www.periscope.tv/@ddrake3790) under that same handle. This Periscope page noted the full name Derek Drake and noted that this Posher” graduated from Oral Roberts University in Oklahoma. The Poshmark page notes the name as “Derek” and the geo-location is Broken Arrow, OK. This “Posher” has an About page at https://poshmark.com/closet/ddrake3790/about me which also noted attendance at Oral Roberts University and that the account has been active since December 2016. Derek Drake has the Meet Your Posher feature enabled under URL https://poshmark.com/listing/Meet your Posher-Derek-584e1d9dae6145f59e184188. This page provides a fuller picture of who one may reasonable assume is Derek Drake. The page also gives an update of when the photo was updated (December 11). The

2/3

17OSINTPoshmark.md

7/23/2021

two Poshmark pages are slightly different and the main useful difference is the MYP feature vs. not having the MYP feature but having links to other social media. Photo Metadata I grabbed a photo from the Derek Drake Poshmark page and ran it in Jimpl looking for metadata. Jimpl noted a date of 2012-1-25 for the photo with the profile creator listed as Little CMS on an Apple device. This may be a rarityas I tested a few images from Poshmark on Jimpl and Jeffrey’s Exif Viewer; location data appears wiped from the Poshmark page. Reviewing the code for /closet/ddrake3790 page I did locate that the site appears to be using Google Authenticator with a unique token. I compared the ddrake3790 page with both a nonexistent page and with the closet/anasaldierna page and the anasaldierna page had a different token for the Google Authenticator. This may be of interest for those OSINT investigators who handle code and can connect that to something else though that is beyond the scope of this brief tutorial. Google Dork/Boolean A simple Google search would be site:poshmark.com AND username or @username or other useful Boolean operators. Knowing that there was a valid Poshmark account for Ddrake3790 I ran the site operator and located in the first several results items for sale by Derek Drake on Poshmark. Running the @ddrake3790 handle in Google I located the Twitter account for Derek Drake (also found in the Whatsmyname.app run) which also collaborated his geo location and noted where he appears to work in Oklahoma. There are likely other useful operators that could be used. As demonstrated above, there are several results that might be useful for OSINT and digital investigators and should be included in an OSINT or privacy search. Information that may be present includes geo-location, links to other social media accounts, photos, username, and even real name and could be a valuable resource for pivoting into other sites for investigation.

17SecurityGhosteryBrowserExtension.MD

7/23/2021

Ghostery Browser Extension
Contributed by IntelTechniques member Haddon Fields

1. Ghostery is owned by Cliqz International GmbH, a German company. Cliqz had its own web browser which is now defunct. It was a fork of Firefox. Firefox invested as a minority investor in the company which then purchased Ghostery in 2017. It appears they turned their web browser focus into Ghostery Dawn after shutting down their web browser in April 2020.
2. Ghostery was started in 2010. Ghostery has a Github page at: https://github.com/ghostery
3. Perhaps due to it being in Beta, you have to sign up for a Ghostery account. I also found that every time I opened the browser they made me sign in to the account. It was annoying. No 2FA was available, which is strange anyway in order to use a browser.
4. Account set up has fields for an email and name; the name is optional but Ghostery wants an account. They note the following about account set up and information they collect: "If you choose to create a user account we will collect an email address and name where provided. This data's use is limited to: (i) syncing your settings across our products (ii) serving as your login credentials so you can access save functionality in addition to access to our device protection app, Midnight (iii) communicating directly to you through your email address in order to give you information about our products, updates and upgrades." The privacy policy notes: "IP-addresses are solely collected for geolocation purposes but only on Zip Code level or above (for example city, county, continent) to improve the GPP and our products. We never store IP addresses."
5. Per the privacy policy Ghostery does collect: "web browser; operating systems; language; GPP being used; opt-in settings to share Tracker information with the Company; when an installation, upgrade, or uninstallation occurs; whether the extension or application is active, engaged, or logged-in by you (and associated frequency), and other product-specific telemetry for basic actions or settings. We also collect pings regarding attribution of our own internal marketing efforts and basic Ghostery subscription information, such as what interval subscription is detected."
6. Ghostery is open source and the app itself has been an add-on to block scripts and trackers in several browsers such as Chrome, Firefox and others.
7. Snowden had advised and recommended Ghostery as a plug-in to use for privacy purposes in 2014.
8. I used the email address I initially provided to access the Beta version. This was a forwarding email and I received the account setup email without issue. I did not provide a name, which was optional. The email came and you had to verify the account.
9. The business model appears to offer pricing plans for added features, so the business model isn't just freeware.
10. It looks and feels like Firefox; you can add Mozilla addons in the Ghostery Browser, which is Ghostery Search/Dawn/Glow – it isn't totally clear what the name actually is that they are using for their private search browser.
11. Like customizing FF, you have to go through and check or uncheck various settings such as camera access, microphone access, location settings.
12. Addons come via Mozilla so Ublock Origin, Multicontainers, Disconnect – the usual addons are available. However, some of the usual FF addons won't operate in Ghost Mode in the browser. I could not get Multicontainers to work with Ghost Dawn/Glow. This is an issue for me.
13. In terms of search functionality – I did not find anything different or better than what you might find in FF. I'm open to trying new browsers and seeing how they work compared to others, but my experience is that it isn't anything different than what already exists and the UX is not great.

14. I like the emphasis on privacy and I like that there is a business model, but this seems to be just an extension of the Ghostery ad blocker/tracker and offers little in terms of functionality.
15. When you set up your search engine to use in the browser – Ghostery Glow (which is or isn't Dawn? They weren't clear) is one option but you have to pay for it if you want to use it. The basic plan was $5 a month. You can select other search engines but the only other one I would consider would be Startpage. There wasn't the ability to select DDG but they had Bing and Yahoo.
16. I downloaded what information they had on me that was available and the categories they provided were: Email address; Email validation; First Name; Last Name; Date Created and Time Created. All that they had was the email I used to register, if it was validated (yes), and the date/time the account was created. Whatever else they collect in their privacy policy they didn't provide (which may be bad) but they also didn't show any search history (which may be good).
17. This is what Ghostery says they offer in their pay plan below. I think that because it is in Beta there is a lot that isn't settled even in terms of nomenclature.

Misdirection Mode: Using Biopage/Landing Page Sites for Disinformation Campaigns
Presented By Haddon Fields

Purpose
This brief tutorial focuses on using biopage and landing page sites for disinformation campaigns. The primary focus of this technique is an additional and active layer of privacy through disinformation, although there are secondary search applications for OSINT purposes. Biopages and landing page sites are similar, as a landing page is a one-page site with information about an individual, company or product. This tutorial will largely focus on biopages, though the applications are the same for a landing page.

What is a Biopage/Landing Page Site?
A biopage landing page site is a website specifically designed to provide easy to access biographical information about an individual or a company. Commonly a biopage will link social media accounts, address, phone numbers and email addresses. A username will often be in the URL, which for OSINT purposes is useful for URL manipulation besides the collectable information about social media sites, phone and email. A landing page site is similar and is often a one-page site with information about an individual, company or product.

Search Engine Optimization (SEO)
Search Engine Optimization is the practice of improving the quality and quantity of traffic to a website or a web page, usually with a focus on getting organic (unpaid) traffic to a website. This is accomplished through several methods including Keyword Optimization, Backlinking, On-Page SEO, Technical SEO, Site-Mapping and other techniques.

Domain Authority (DA)
Domain Authority (DA) is a search engine ranking score developed by Moz that predicts how likely a website is to rank in search engine result pages (SERPs). DA scores range from one to 100, with higher scores corresponding to greater likelihood of ranking. (Definition by Moz.com). DA establishes the legitimacy and reputation of a website. For biopage purposes, websites that have a higher DA are better disinformation choices because they are more likely to be indexed by the various search engine indexing bots (Google, Bing, etc.). A list of biopage sites is at the end of this tutorial, but if one was inclined to check the DA of any website it is recommended to use multiple SEO DA checking tools. Moz, Ubersuggest and Ahrefs (https://moz.com/free-seotools and https://neilpatel.com/ubersuggest/ and https://ahrefs.com/website-authority-checker) all have tools that can be used for DA purposes. Moz offers a Chrome extension that will automatically check for DA and PA (Page Authority, a metric that measures the rank of specific pages on a website), a spam ranking for the domain and a few other tools for SEO purposes. Such tools have OSINT applications. DA will not always match between the various DA checking tools, so looking at two or more DA checking sites for the ranking of a site and averaging the score will give you a better sense of what biopage sites to consider using for disinformation purposes.

Indexation
Crawling or indexing a site is the process of a Googlebot, Bingbot or other web spider finding a website and uploading the site information to the collection of sites indexed and made available on the internet by search engines. One of the challenges for using a biopage landing site is that the biopage sites we're using for disinformation aren't owned by the user, just as a user doesn't own Facebook but may have a page on Facebook. If a website owner has exampledomain.com, the webmaster for the domain can go to the Google Search Console (GSC) with a Google account and request that the Googlebot index the site exampledomain.com. With a biopage site the domain is owned by another company. For example the site krawl.me, per whois.com, is a Go Daddy domain with a registrant state of Fatih and registrant country of TR (Turkey). This can certainly affect SEO rankings in the US and overall. However, if a biopage site is popular or has a higher ranking it is more likely that the disinformation page will eventually get indexed, which is the goal. One can tell if a page is indexed with a Google Boolean search and check the results. For example, the operator site:inteltechniques.net provides nine results in a Google search. While that is a small number of results, it does indicate that the site is indexed by Google. A specific page could also be checked in the same fashion to confirm whether it is indexed or not. One could also use Google Search Console (GSC) and check the Coverage page in GSC or use the URL Inspection Tool in GSC if you were the domain owner. However, when conducting OSINT searches, especially ones using Boolean operators (such as the inurl: operator), biopage websites should be found in a Google search (when indexed). This can also be accomplished through URL manipulation and understanding how a biopage site orders its username nomenclature. For example, a site such as Carrd has a URL structure of username.carrd.co while into.bio uses into.bio/username.

Site Signup Requirements
Different sites require different pieces of information in order to use them. Understand that nothing is ever free, so use of these "free" sites really means paying with the information you provide. However, many sites allow and do not block a forwarding email service such as a domain provided by Simple Login. A Simple Login (or chosen forwarding service) designated email can be used with a forwarding email to wherever one would like (Protonmail, Tutanota, CTemplar, or Gmail even though that hinders our privacy goals). On some sites a user can log in using Facebook, Twitter, Github or Gmail. It is recommended to not use those accounts and tie them to a biopage site, though that could be done. Some sites will require a phone number; a burner Mint SIM kit could be used for those purposes, but there are more biopage sites that do not require a phone number. Some sites offer 2FA, some do not. A long, strong and randomized password (preferably created in a password manager) is recommended, and some sites put a cap on password length. It is recommended to focus firstly on sites with a higher DA and secondly on sites that do not require a phone number and do not limit sign up to a FB, Twitter, IG, Github or Google account.

Disinformation Example
Let's use the site Carrd.co as a test site. Real data has been obscured to protect the site user.
• DA: Carrd.co has a DA of 87 per Ahrefs and 71 per Moz. This is a high ranking DA and a preferred disinformation site.
• URL Nomenclature: In setting this page up note the nomenclature used in the URL (username.carrd.co, in this case ryan*********.carrd.co). Additionally the page title is Ryan ******** and is prominently displayed.
• Profile Photo: A profile picture can be uploaded. This photo is searchable using a reverse image search technique (Yandex; Google Images; TinEye, PimEyes, etc.). A royalty free image from sites like Pixabay or Unsplash can be used, which can add to the misdirection.
• Background Photo: A background photo can be selected, ideally one associated with the false address to "sell" the address better. A royalty free image from sites like Pixabay or Unsplash can be used, which can add to the misdirection.
• Real Name/False Address – False Name/Real Address: This technique can be used and a home address can be supplied with an alias name, or a real name with a false address. False addresses can be taken from Zillow or Redfin for lots or land parcels that have been for sale for a long time, usually in rural areas, that have an address assigned but no owner or house on the property.
• Phone Number: A false number can be displayed. The "Rick Roll" number is used in this example and is now associated with the user.
• Keyword: Keywords can be added for search purposes and we can "keyword stuff" the page.
• Links: Links to other biopages/landing sites can be supplied, including an email address which can be a false email or one that leads nowhere. Any email address supplied should be assumed to be eventually connected with the user, especially when a site is indexed.

List of potential Biopage Landing Page Sites

https://swiftcv.com/
  Notes: Sign up with Twitter, Google or Github
  Ahrefs DA: 43 / Moz DA: 22

https://about.me/
  Notes: Needs sign up with either FB or Google
  Ahrefs DA: 91 / Moz DA: 92

https://carrd.co/
  Notes: Email signup
  Ahrefs DA: 87 / Moz DA: 71

https://www.xing.com/
  Notes: German site similar to LinkedIn
  Ahrefs DA: 94 / Moz DA: 92

https://tilda.cc/
  Notes: Email signup; will ask for phone number; used to build a landing page website
  Ahrefs DA: 94 / Moz DA: 86

http://www.somebody.io/
  Notes: Email signup
  Ahrefs DA: 45 / Moz DA: 36

https://www.flowcode.com/page
  Notes: Email signup
  Nomenclature: flow.page/username
  Ahrefs DA: 76 / Moz DA: 55

https://kleap.co
  Notes: Have to start building before any kind of signup is presented
  Nomenclature: username.kleap.co
  Ahrefs DA: 17 / Moz DA: 14

https://into.bio/
  Notes: Email signup
  Nomenclature: into.bio/username
  Ahrefs DA: 5 / Moz DA: 5

https://dryft.me
  Notes: Facebook-like; uses QR code to link to Dryft page; Email signup
  Nomenclature: dryft.me/d/username
  Ahrefs DA: 3 / Moz DA: 4

https://solo.to
  Notes: Email signup
  Nomenclature: solo.to/username
  Ahrefs DA: 76 / Moz DA: 52

https://extended.bio/
  Notes: Email signup
  Nomenclature: Need to sign up first
  Ahrefs DA: 19 / Moz DA: 2

https://personalli.com/
  Notes: Email signup
  Nomenclature: Need to sign up first
  Ahrefs DA: 1 / Moz DA: 10

https://krawl.me/website-builder
  Notes: Email, PW signup
  Nomenclature: username.krawl.me
  Ahrefs DA: 1 / Moz DA: 12

https://bio.link/
  Notes: Email signup
  Nomenclature: bio.link/username
  Ahrefs DA: 72 / Moz DA: 40

https://boomla.com
  Notes: Email signup
  Ahrefs DA: 41 / Moz DA: 17

https:mylinkon.cloud
  Notes: Email signup
  Ahrefs DA: 0 / Moz DA: 0

https://clink.bio
  Notes: Email signup
  Ahrefs DA: 1 / Moz DA: 0

Domain Authority Checker Sites
Below are Domain Authority sites to check the DA of any site. The higher the number, the higher the ranking and the more legitimate a site is considered.
https://moz.com/free-seo-tools
https://neilpatel.com/ubersuggest/
https://ahrefs.com/website-authority-checker

Personal VPN
By shoewind1997 - Nov 2021

Intro
This guide will walk you through setting up your own OpenVPN server on a remote server that you alone can use. It is meant for a privacy enthusiast with good OpSec, comfortable with Linux and web technologies, and familiar with common privacy techniques (e.g. VOIP numbers, VMs, forwarding email addresses, etc).

Why?
Security and privacy work best in layers. You should already have a good commercial VPN in place, ideally at the router/firewall level and active all the time. However, as more people use and misuse these services, they may get flagged as fraudulent or risky. Having your own, private VPN exit point guarantees an extra layer of protection and uniqueness, especially if you use an off-the-beaten-path provider.

Requirements
• VirtualBox with a disposable OS (e.g. Ubuntu, with randomized MAC address)
• Connection to public wifi (e.g. library, restaurant)
• Cryptocurrency (around $50-100)
• Disposable or anonymized email address, preferably using your own domain
• VOIP phone number that can receive SMS (e.g. Google Voice)
• An address that corresponds to your internet connection (e.g. if you are connecting to a network in LA, it should be somewhere in LA)

Steps
1. Using your VM, connect to public wifi.
2. Choose a VPS host that offers payments via crypto. Some options include RamNode (https://ramnode.com/), Cinfu (https://www.cinfu.com/), SecureDragon (https://securedragon.net/), OrangeWebsite (https://www.orangewebsite.com/vps.php) and others.
3. Sign up for an account using your email, local address, and SMS-capable phone number. If you followed the steps so far, and can verify your email and phone, your account should not get flagged. If you are on VPN, or if you sign up with an address that doesn't correspond to your IP, or if your email address is of a blatantly throw-away sort, you may get flagged and your account closed.
4. Select your VPS server location and flavor (e.g. Ubuntu) and choose a cryptocurrency payment option. If possible select an annual plan for ease of maintenance.
5. Send your payment, preferably via Monero. For an extra layer of privacy, use another currency and exchange it anonymously into Monero via a service like SwapSwop (https://swapswop.io/).
6. Wait for your approval. Once your server is online, connect to the service page and make sure TUN/TAP is turned on.
7. Connect to your server via SSH and follow one of the guides for installing OpenVPN server, such as this one from DigitalOcean (https://www.digitalocean.com/community/tutorials/how-to-set-upand-configure-an-openvpn-server-on-ubuntu-20-04). A few points worth mentioning:
   • You should generate and sign your certs on a different machine, e.g. a local Linux box. If you do not have one, create a VM and keep it just for that purpose. You will need a way to copy files to and from there, but no network access is required.
   • On your VPS server, make sure you lock down your OpenVPN server to user nobody / group nobody, set up a restrictive firewall, and do not run any other processes. Further, make sure you use a non-root user for your operations and implement a strong random password.
   • If you do not want logs of your connections, set verb 0 and log /dev/null in your server.conf file.
   • You may need to set LimitNPROC=infinity in the openvpn-server@ service unit due to container restrictions on most VPS providers.
   • If you set push "redirect-gateway def1 bypass-dhcp" in your server.conf and are getting issues accessing your LAN, consider adding pull-filter ignore "redirect-gateway" in your client.ovpn file.
   • Default UDP port is 1994. If you wish, you can set it to something else, like 443. This can help if your firewall/network has restrictive access rules.
8. Once you have signed your certs and generated your OVPN file, copy it over to your client machine and connect via OpenVPN software.
9. You should see a stream of bytes in and out. Go and test your connection on DNS Leaks (https://www.dnsleaktest.com/) and IP reputation sites to make sure your IP and DNS addresses are what you expect them to be.
10. Set a reminder for renewal of this service, as you paid with crypto and it cannot auto-renew.
11. Periodically log in to your server and update the software (e.g. sudo apt update && sudo apt upgrade).
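An added example (not from the guide or the DigitalOcean tutorial it links): a small POSIX shell script that writes the server.conf, the systemd drop-in and the client-side fragment described in step 7 into a local review directory, so the settings can be checked before they are copied to the VPS. The output directory argument, the VPN subnet 10.8.0.0/24, the pushed resolver 1.1.1.1 and the certificate file names (ca.crt, server.crt, server.key, ta.key) are assumptions; on Ubuntu the unprivileged group is called nogroup, which is what the guide's "group nobody" corresponds to there.

```shell
#!/bin/sh
# Added example, not from the guide: generate the OpenVPN hardening files from
# step 7 into a local review directory before copying them to the VPS.
# Assumed: VPN subnet 10.8.0.0/24, pushed resolver 1.1.1.1, certificate file
# names from the linked DigitalOcean layout (ca.crt, server.crt, server.key, ta.key).

write_openvpn_hardening() {
    outdir="$1"
    mkdir -p "$outdir"

    # Server side: destined for /etc/openvpn/server/server.conf on the VPS
    cat > "$outdir/server.conf" <<'EOF'
# Listen on 443/udp rather than the standard OpenVPN port; useful behind
# networks that only allow well-known ports out
port 443
proto udp
dev tun

# Keys and certs were generated and signed on the separate offline CA machine
ca ca.crt
cert server.crt
key server.key
dh none
tls-crypt ta.key

server 10.8.0.0 255.255.255.0
topology subnet
keepalive 10 120
cipher AES-256-GCM
auth SHA256

# Drop root after startup so the daemon runs unprivileged
# (Ubuntu calls the unprivileged group "nogroup"; the guide's "group nobody"
# applies to distributions that have a group by that name)
user nobody
group nogroup
persist-key
persist-tun

# Send all client traffic through the tunnel, including DNS, so the
# dnsleaktest.com check in step 9 shows only the VPS resolver path
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 1.1.1.1"

# Keep no connection logs: lowest verbosity, log and status files discarded
verb 0
log /dev/null
status /dev/null
EOF

    # systemd drop-in, installed with: sudo systemctl edit openvpn-server@server
    # Most VPS containers cap the number of processes; lift it for this unit
    cat > "$outdir/override.conf" <<'EOF'
[Service]
LimitNPROC=infinity
EOF

    # Client side: append to client.ovpn only if LAN access breaks after the
    # redirect-gateway push (the client then keeps its local routes)
    cat > "$outdir/client-lan-fix.ovpn" <<'EOF'
pull-filter ignore "redirect-gateway"
EOF
}

# Count how many of the guide's four must-have server options are present in a
# server.conf; a value below 4 means the file was edited and needs a second look
count_hardening_options() {
    grep -c -E '^(user nobody|group nogroup|verb 0|log /dev/null)$' "$1"
}

# Example run: write the files into a review directory and verify them
# write_openvpn_hardening ./openvpn-review
# count_hardening_options ./openvpn-review/server.conf   # prints 4
```

On the VPS the generated file belongs at /etc/openvpn/server/server.conf, and the drop-in is applied with sudo systemctl edit openvpn-server@server followed by sudo systemctl restart openvpn-server@server.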

Recap
If you followed all the steps, you now have an effective extra layer of privacy because:
• You are connecting to a commercial VPN, followed by a private VPN
• You are the only owner/client of that private VPN and it should receive less scrutiny
• You paid with a private crypto source without revealing your identity
• You created an account with fictitious name, email, phone, and address not tied to you
• You created an account using an IP not connected to you

17SecuritySecure-private-cryptocurrency.md

7/23/2021

Secure & Private Cryptocurrency Guide
by shoewind1997
Last update: July 14, 2021

The goal of this guide is to provide suggestions on how to interact with cryptocurrency in a secure and private manner. I will discuss the following aspects:
• Short Summary
• Setting up a local cryptocurrency server
• Setting up a local, hardware backed wallet
• Private deposits to the wallet
• Private payments from the wallet
• Things to avoid
• Other considerations

Note: This is a technical guide and requires a degree of comfort with hardware tinkering, Linux/command line interface, and a privacy/security mindset.

Summary
Can't be bothered to read the whole guide? Here is the super short summary.

Why should I care?
Because cryptocurrency has the potential to become an alternative to fiat currency with added benefits of privacy due to its decentralized nature, non-government origin, and ability to transact anonymously.

Need a secure way to store your cryptocurrency?
Get a hardware wallet - I recommend BitBox02 because it's fully open source, Swiss made, allows for multiple coin types, and has full node support (i.e. you can connect it to your own Bitcoin server). Ledger is another popular option and it has a bit more adoption with altcoins (e.g. ADA, XMR). However, its application is closed source, its password is limited to 8 numeric characters, and its servers containing customer data have been compromised before.

Don't trust other servers/providers with your crypto?
Set up your own. The easiest way at this time is a ROCKPro64 SBC. It is 64 bit, 6 cores, PCIe 4x, USB3, Gigabit Ethernet. Set up Armbian and install your node/wallet/server apps. RaspiBolt on Raspberry Pi 4 is another decent option.

Want to fund your wallet but not fond of sending your PII to a private company (as per KYC)?
• Use a Bitcoin ATM (e.g. Bitcoin ATM Radar) and accept a significant fee for depositing cash.
• Use a P2P exchange (e.g. HodlHodl, Bisq, LocalCoinSwap, etc.) and either accept prices significantly above the current exchange level or put out a Buy Offer and wait for someone to accept it.

Biggest things to avoid:
• Placing all your trust in an exchange (including providing personal documentation, credit card information, actual funds/wallet)
• Using a software wallet with a recycled password, without 2FA or some additional security measure

Local server / full node

Why?
Let's assume you are using a hardware wallet. It stores your private keys but not your cryptocurrency. You are relying on its associated software and its provider to manage your funds. That is a lot of trust to give to a single party. Your wallet provider sees your cryptocurrency balances, broadcasts your transactions, and suggests your fees. It also runs an access gateway to the cryptocurrency network (e.g. Bitcoin), validates transactions, and enforces consensus rules. In short, it knows everything about your cryptocurrency activity. Over time it can learn a lot about you in the real world based on your transactions. Further, legal actions or rogue employees could turn this information over to other parties. The solution is to run a local Bitcoin (and potentially other cryptocurrency) full node. This way you can verify your transactions and contribute to the distributed, de-centralized ideal of cryptocurrency systems. At this time, there are a few cryptocurrency appliances, such as DAppNode and Avado. ShiftCrypto is working on BitBox Base, and while it is convenient to use a pre-made device, you have something to gain by going through the process yourself: a deeper understanding of how things work and knowledge that the system has not been compromised by malicious actors.

Hardware
Because of relatively low computational requirements, this server will not require high powered hardware. An old laptop/desktop may do, or even a single board computer (SBC) like Raspberry Pi4 or ROCKPro64. I recommend the latter because it offers a 64-bit processor and a PCIe/SATA interface, allowing for more space/computing power to run multiple services. If you go the ROCKPro64 way, consider getting a quality power supply, case, good fan (e.g. Noctua), and a compatible SATA controller (see suggestions here). Regardless of other hardware, a fast SSD drive is highly recommended and perhaps even essential, as read/write speed will matter considerably more than processing power or memory usage. An extra drive (HDD or SSD) is a good measure for backup.

Software

Operating system
Armbian. I suggest installing ATS for fan control and enabling SWAP, especially if you plan to run more than one service at the same time. Note: ZRAM and ZSWAP should not be enabled on Armbian at the same time; see here.

Cryptocurrency software
For Bitcoin you can generally follow the RaspiBolt guide. The main substitutions focus on using ARM64 variants of packages (Raspberry Pi is not truly 64 bit as of yet, but ROCKPRO64 is). You may also wish to update auth settings that have recently transitioned away from specifying a username/password in the config file to having a one line cookie/token. The above guide will walk you through installing Bitcoin Core, Lightning Network daemon, Electrum Server, and Block Explorer. For Ethereum, the simplest way may be to obtain a pre-made image for ROCKPro64 such as EthereumOnARM. Alternatively, install your favorite 1.0 client (e.g. Geth) and 2.0 client (e.g. Lighthouse) yourself on your Armbian image. For example, you can follow a guide such as this one to install and run Geth. Note that for Ethereum, you need an SSD, and a larger one (1TB+) at that. HDD will not work. Note that it may be too much for ROCKPro64 to handle Bitcoin, Ethereum 1.0 and Ethereum 2.0 networks. Consider setting up separate appliances for these nodes/networks.

Make your wallet use your node
Once you have your local node running, make sure to point your wallet (e.g. Electrum or MetaMask) to your node's address. If you can, use your own node address exclusively without any others. If that's not an option, set your node as the primary one before all others. For example, in Electrum Wallet you can pass the command line option --oneserver and then --server your.address:port:s to force it to use just one server - yours. In MetaMask you can specify your Ethereum server and set it as default (see example here).

Local wallet

Hardware wallets
Your wallet is in essence a digital signature. Anyone who has access to it can get to your funds. Therefore, it is important to secure it with a good password. However, this may not be sufficient if your system is compromised (e.g. via a keylogger or other malware). Hardware wallets mitigate this risk by keeping the private key in secure storage on chip without making it available in readable form to the operating system.

Funding (input)

KYC risks
Most respected services online will require you to pass a KYC process, which will entail providing your name, DOB, address, phone, government ID, and a photo/video of yourself with a unique identifier. This will be stored for at least 7 years. If/when that service gets hacked, this information may leak out. Further, your purchases from that service will be tied to your account/name/wallet unless you purposefully obscure it by tumbling or other means. This service will know about your purchasing or investing habits. It may choose to hold your assets hostage or even confiscate them if your account appears suspicious. At some point, you may be requested to pay taxes on gains.

KYC upsides
The upside of passing KYC verification with a trusted service is that you will likely get the fastest exchange at a rate that is close to market. Also, you can purchase and withdraw very large amounts without significant delay. For the majority of people this outweighs the risks. For a certain privacy conscious segment this will not be acceptable and they will choose one of the private options below.

Funding (input)

Quick overview of entry/exit options

Option          Privacy    Expense
ATM             High       High
P2P             Medium¹    Medium
Fiat on-board   Medium²    Medium
Exchange        Low        Low

¹ Depends on the other party. As of 2021, it is common to see sellers requiring ID/selfie/other verification methods before proceeding.
² As of 2021, most fiat on-board services require KYC/ID if you purchase over a certain limit (e.g. $100) or if you trigger a suspicious transaction (e.g. using a VPN, masked credit card, etc.).

ATMs
Perhaps the most anonymous method of buying crypto is via Bitcoin ATMs. Note that these will require a phone number that can receive SMS. Also, their rates will likely be 20% and higher than the market rate. However, you can walk in with cash and a destination wallet address and come out with crypto.

P2P
Another potentially anonymous way of obtaining crypto is in person. If you know someone who is willing to sell, you can meet, exchange cash for crypto, and see the transaction reflected in your account. Of course, this requires a degree of trust in the other party. This type of transaction carries a physical risk. One step removed from this is digital P2P via an online service like HodlHodl, Bisq, or LocalCoinSwap. One extensive list of P2P exchanges is here. Some offer escrow for the exchange process, others rely on a reputation system. Almost all will have rates significantly (e.g. 30%+) above current market rates. If you have time, some platforms like Bisq will allow you to put out a Buy offer at your desired rate (e.g. market + 3%) and see if there are any takers. Note that withdrawing your funds from these systems is not always simple.

Exchanges
It is likely that those wanting to transact significant amounts of fiat will not be able to escape transacting with an exchange. The fees for anonymous options increase substantially and the risks begin to outweigh the benefits.


17SecuritySecure-private-cryptocurrency.md

7/23/2021

If that's the case, consider choosing an exchange that is reliable, reputable, and preferably located outside of the reach of your own country and its partners. For example, for North Americans, Swiss crypto exchanges present an attractive option because they may be less willing to comply with other countries' requests for account holders' info. However, do your own diligence and decide on an appropriate service provider for your needs. Just because it's hosted in country X (e.g. Switzerland) does not automatically make it secure and private.

Fiat on-boarding services

A variety of services exist that allow you to purchase crypto with a credit card. An aggregator such as Fiat2Cryp.to will let you preview the prices of various services and transact on your choice. While it may seem a great opportunity for some anonymity (e.g. using a gift credit card or a masked one), all the current services require you to provide identification before allowing the transaction through. Alternatives exist, such as Ramp, but they require other forms of verification, such as logging in to your bank account, likely confirmed via a service like Plaid.

Payment (output)

Exiting out of crypto / selling for fiat is similar to buying, with an added caveat of taxes. If you purchased your crypto via an exchange with KYC rules, have not obscured your holdings in some way, and are exiting via an exchange with KYC rules, understand that these transactions will be logged, connected to you, and likely lead to tax implications in the future. Depending on the state of the crypto market, selling your holdings via P2P with a slight markup could be one of the most effective alternatives. Also, consider the possibility of holding your crypto and then using it for goods and services as adoption increases.

Things to avoid

Coins in an exchange

One of the main tenets of crypto is custody over your money, like holding digital gold. Having your coins in an exchange negates that, along with introducing other issues and risks, all in the name of convenience. An exchange is a private entity and it may choose to deny you access to your funds for a variety of reasons. Or it may get hacked or suffer a hardware malfunction. In any of these cases either your private info or your crypto or both may be compromised. I suggest you use an exchange to buy your crypto and then immediately transfer it out into a secure hardware wallet.

Software wallets

Software wallets (independent desktop apps, mobile apps, browser plugins, etc.) offer great convenience. You are only a password/fingerprint away from being able to transact. However, if your software/hardware malfunctions, you lose your device, or it gets hacked, your crypto is gone. The latter might seem unlikely, but remember that any device connected to the internet opens itself up to exploration and exploitation from people all around the world. A hardware wallet, while not a panacea, especially if used incorrectly, will at the very least require the attacker to have physical access to the device before being able to withdraw funds. Even if you keep your software wallet in an encrypted container (e.g. VeraCrypt) on a secure drive (e.g. FileVault or BitLocker), if your system is compromised, malware or a keylogger can pick out all of those passwords and eventually get access to your wallet.

Address recycling

For the sake of convenience, you will see people post a single crypto address online (e.g. for tips from readers). This is strongly discouraged by Bitcoin standards, and any good wallet application will generate a new address for every transaction, whether sending or receiving. Doing so keeps your level of privacy higher, as movement of funds becomes more challenging to follow. Just like password recycling, re-use of crypto addresses increases your chances of being identified.

Password recycling

This is an obvious one for most people but still bears repeating. Do not re-use your password, especially when it comes to protecting your funds. If someone gets access to your wallet, don't make it easy for them to look up your common passwords in breach data and unlock it that way.

Electronically storing your backup/seed phrase

Your seed phrase allows you to recover access to your wallet even if you lose it. This applies to both hardware and software wallets. As with the section on software wallets, be aware that storing your backup/seed phrase electronically (e.g. in KeePass) leaves a potential vector of attack if someone manages to compromise your system. Write down your backup on paper and store it offline in one or more secure locations.
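To make concrete why a copy of the seed phrase is equivalent to the wallet itself, here is an added example (not part of the course notes or of any wallet project) that implements the BIP39 mechanics in plain Python: entropy plus a SHA-256 checksum is cut into 11-bit word indices, and the phrase is stretched with PBKDF2 into the 64-byte seed from which every key is derived. Because the 2048-word English list is not embedded, the code works on word indices rather than words; the all-zero entropy, the "abandon ... about" phrase and the "TREZOR" passphrase are the published BIP39 test vector, used here as a known-answer check. The optional passphrase argument is the standard BIP39 "25th word", not something the notes above discuss.

```python
import hashlib
import unicodedata

# Added example for these notes: BIP39 entropy -> word indices -> seed,
# standard library only. Word indices 0..2047 map onto the BIP39 word list,
# which is not embedded here (index 3 is "about", index 0 is "abandon").

VALID_ENTROPY_BYTES = (16, 20, 24, 28, 32)   # 12, 15, 18, 21 or 24 words


def entropy_to_word_indices(entropy: bytes) -> list:
    """Append the SHA-256 checksum bits to the entropy and cut the result
    into 11-bit word indices. 128-bit entropy carries a 4-bit checksum."""
    if len(entropy) not in VALID_ENTROPY_BYTES:
        raise ValueError("entropy must be 128..256 bits in 32-bit steps")
    ent_bits = len(entropy) * 8
    cs_bits = ent_bits // 32
    digest = hashlib.sha256(entropy).digest()
    bits = format(int.from_bytes(entropy, "big"), f"0{ent_bits}b")
    bits += format(int.from_bytes(digest, "big"), "0256b")[:cs_bits]
    return [int(bits[i:i + 11], 2) for i in range(0, len(bits), 11)]


def checksum_ok(indices: list) -> bool:
    """Reverse the split above and verify the checksum. This is the test a
    wallet runs when a written-down phrase is typed back in; for a 12-word
    phrase roughly 1 in 16 random single-word errors would still pass."""
    total = len(indices) * 11
    ent_bits = total * 32 // 33
    cs_bits = total - ent_bits
    bits = "".join(format(i, "011b") for i in indices)
    entropy = int(bits[:ent_bits], 2).to_bytes(ent_bits // 8, "big")
    digest = hashlib.sha256(entropy).digest()
    expected = format(int.from_bytes(digest, "big"), "0256b")[:cs_bits]
    return bits[ent_bits:] == expected


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """PBKDF2-HMAC-SHA512, 2048 rounds, salt "mnemonic" + passphrase.
    The 64-byte result is the root of every key the wallet will derive,
    which is why an electronic copy of the words is the whole wallet."""
    words = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048)


if __name__ == "__main__":
    # Known-answer check: zero entropy gives eleven times "abandon" then "about".
    print(entropy_to_word_indices(bytes(16)))                  # [0]*11 + [3]
    phrase = "abandon " * 11 + "about"
    print(checksum_ok([0] * 11 + [3]), checksum_ok([0] * 11 + [2]))  # True False
    print(mnemonic_to_seed(phrase, "TREZOR").hex()[:16])       # c55257c360c07c72
```

The passphrase changes the seed completely, so a phrase written down without the passphrase recovers a different (empty) wallet; include both in the paper backup if you use one.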

Other considerations

Backups

Backups are important, especially when it comes to digital finance. I highly encourage you to back up not only your wallet's seed phrase but also your record of transactions (including sending/receiving addresses), credentials for accessing exchanges/P2P/trading services, and any documents related to your holdings. If you choose to run a full node, consider a periodic backup of blockchain data to avoid downtime in case of hardware failure.

Succession planning

While it is just as important as backups, succession planning is little talked about when it comes to crypto. Because it aims to be a superior store of value, crypto may one day replace fiat currency, meaning that your holdings can be a part of your legacy. However, unlike cash, currency in a bank account, or stocks/bonds, it's a new asset that is entirely digital and you are its custodian. So, make sure you write a clear and detailed set of instructions on how to access your crypto. You can place an object such as a hardware wallet or a USB key in your trust. Combined with your instructions, your successor should then have a way to use your crypto. If you have multiple successors/trustees, it is prudent to have multiple hardware wallets. Likewise, if you wish for 2+ individuals to make decisions about your crypto holdings, you may choose to use multi-sig options to require 2+ wallets acting in unison for any transaction to occur.

NFTs

As blockchains expand beyond just financial stores and hold other assets (such as NFTs), it becomes even more important to use a hardware wallet and practice good OpSec. As of 2021, you can hold digital content on the ETH blockchain, but in the not too distant future it may also include identification and ownership proof (e.g. title to a house, vehicle, land, etc.). Keep it safe and provide clear instructions for access to your successors.


SEO Tools for Investigations: Checking Backlinks

Presented by Haddon Fields

What is SEO?

SEO is an acronym that stands for “Search Engine Optimization”. It is the tools, methods and practices to get a website ranked higher in search engines such as Google. Typically the top 5 results on any keyword search receive 75% of the “clicks”, and in order to get ranked higher (in the top 10 results/page 1 of results) a website can make changes to its site and pages. These changes can include adding backlinks or links from other sites that have a high Domain Authority and relevance; adding a robots.txt page; adding a sitemap for search engines; and removing dead pages and links, among many other methods.

What is a backlink? A backlink is a link from one webpage to another webpage. These are also called “inbound links”, “incoming links” or “one-way links”. It is important because search engines such as Google consider a backlink a “vote” of confidence from one webpage to another. If a domain has a higher Domain Authority (DA), the site with the higher DA can boost the website with the backlink on it. For example, if the NY Times ran an article with a link to inteltechniques.com that would have a tremendous boost in search engine results because the NY Times has a high DA and Inteltechniques has a lower DA.

Linkchecker Tools

There are multiple sites that offer free tools to check the backlinks of sites. Moz also has several tools beyond its DA and PA tools; Link Explorer will require account registration. See https://moz.com/link-explorer. Most sites have free tools and do not require account registration. Ahrefs also has a tool found at: https://ahrefs.com/backlink-checker. Additionally one may also use:

https://neilpatel.com/backlinks/
https://smallseotools.com/backlink-checker/
https://websiteseochecker.com/backlink-checker/
https://monitorbacklinks.com/seo-tools/backlink-checker
https://www.thehoth.com/backlinks-checker/

The reason why one might check multiple tools is to get a collected sense of rank and ratings. They may also capture different links. Paid tools – or tools that require account registration – that are top quality include Ubersuggest and SEMrush. They are found online at: https://neilpatel.com/ubersuggest/ and https://www.semrush.com/. These tools also offer other SEO tools that are useful for online investigations but are beyond the scope of this tutorial.

OSINT Investigations Use Cases

Understanding how backlinks work is important because it links sites AND the people behind the sites together. It is a valuable tool for digital investigations simply because knowing which sites are referring to each other establishes a digital connection between those sites. This can be important in due diligence investigations, business OSINT, journalism, misinformation identification or identifying common owners of sites.

Scenario: you have a medical clinic under investigation. This investigation could be for kickbacks, services not rendered, corruption, insurance fraud, illicit referrals, violating financial disclosure rules or any other sort of financial crime. During the investigation you run the website URL through a backlink checker. Reviewing the results, you notice that Clinic A also has some links to Clinic B, which on the surface is unrelated. Looking through treatment notes and bills you notice that there are referrals from Clinic B to Clinic A. You check the Secretary of State records and notice there is an organized LLC that owns Clinic A and a different one owning Clinic B. Searching on those records you find an MD who owns Clinic A and is also a part owner of Clinic B. Searching the websites you note that there is no disclosure of the duplicative ownership. In many states this is illegal and can result in all bills paid in referral being exposed to recovery for failure to disclose a financial relationship between the ownership of one clinic and another.

This technique could also be used to connect body shops, retailers or any number of businesses and persons together through checking links. Such techniques could result in uncovering illicit activity such as kickbacks, illegal referrals, money laundering schemes or other criminal and civil related actions.

Randomized Example I selected a randomized example using the inteltechniques.net domain and ran the site in Ahrefs linkchecker tool found at: https://ahrefs.com/backlink-checker. At the time of check, there are 1133 backlinks with 187 referring domains. There are multiple sites linking back to inteltechniques.net and some boast of having logins to the site that should be put under further scrutiny. This is part of the value of checking backlinks beyond criminal concerns. Checking for sites that are unlawfully using or accessing your site is also an important application.
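The two headline numbers every checker above reports, backlinks and referring domains, are simple to compute once you have the HTML of the pages in question (a crawl, an archive export, or pages saved during an investigation). The following is an added example written for these notes, not code from Ahrefs, Moz or any other tool: it extracts the anchors from each saved page, resolves relative links, counts those that point at the target domain, and groups them by referring domain. The sample pages are constructed (example.org and example.net hosts with invented content); inteltechniques.com is used as the target only because the randomized example above does.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Added example for these notes. Input: pages whose HTML you already hold,
# keyed by their URL. Output: which of them link to the target domain, with
# the same two totals the commercial checkers show (backlinks, referring domains).


class LinkExtractor(HTMLParser):
    """Collect the href value of every <a> tag on a page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def host_of(url: str) -> str:
    """Lower-cased hostname with a leading 'www.' dropped, so that
    www.example.com and example.com are treated as the same site."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def find_backlinks(pages: dict, target_domain: str) -> list:
    """Return (source_url, absolute_href) pairs for every link on another
    site's page that points at target_domain. Relative hrefs are resolved
    against the page URL; the target's own internal links are not backlinks."""
    target = host_of("https://" + target_domain)
    found = []
    for source_url, html in pages.items():
        if host_of(source_url) == target:
            continue
        parser = LinkExtractor()
        parser.feed(html)
        for href in parser.hrefs:
            absolute = urljoin(source_url, href)
            if host_of(absolute) == target:
                found.append((source_url, absolute))
    return found


def summarize(backlinks: list) -> dict:
    """Total backlinks and distinct referring domains, plus the per-domain
    breakdown that tells you which site is doing most of the referring."""
    per_domain = Counter(host_of(src) for src, _ in backlinks)
    return {
        "backlinks": len(backlinks),
        "referring_domains": len(per_domain),
        "per_domain": dict(per_domain),
    }


# Constructed sample pages (invented content on example.org / example.net).
SAMPLE_PAGES = {
    "https://news.example.org/story": (
        '<p>See <a href="https://inteltechniques.com/tools/">the tools</a> and '
        '<a href="https://www.inteltechniques.com/podcast.html">the podcast</a>. '
        '<a href="/about">About us</a></p>'
    ),
    "https://blog.example.net/post": (
        '<a href="https://inteltechniques.com/">Worth a read</a> '
        '<a href="mailto:editor@example.net">Contact</a>'
    ),
    # The target's own page: its internal link must not be counted.
    "https://www.inteltechniques.com/about": (
        '<a href="https://inteltechniques.com/tools/">Tools</a>'
    ),
    "https://forum.example.org/t/1": '<a href="../t/2">Next thread</a>',
}

if __name__ == "__main__":
    links = find_backlinks(SAMPLE_PAGES, "inteltechniques.com")
    for src, href in links:
        print(f"{src} -> {href}")
    print(summarize(links))   # 3 backlinks from 2 referring domains
```

Two design choices worth noting: subdomains are kept distinct (news.example.org and forum.example.org would be two referring domains, which is how most checkers count), and the target's own pages are skipped so that navigation links do not inflate the total.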

Final Thoughts

While not often discussed in investigative circles, checking backlinks can be a useful tool to gauge how websites are interconnected and referring to one another. Understanding those connections can also be a very valuable piece of information when conducting investigative interviews. Witnesses claiming not to know a business, clinic or organization while referring to that website would require further explanation and investigation. It would also call into question the testimony being provided by the interviewee and should prompt an interviewer to ask more detailed questions. Additionally, for site owners, checking which sites link back to your site can also show which sites may be doing something inappropriate or unlawful by having access to your site when not authorized. As a general investigative principle, all findings should be pursued and vetted to rule out innocent persons, and the above commentary should not be taken as legal advice or an imputation of guilt upon anyone.

SEO Tools for Investigations: Domain Authority & Page Authority

Presented by Haddon Fields

What is SEO?

SEO is an acronym that stands for “Search Engine Optimization”. It is the tools, methods and practices to get a website ranked higher in search engines such as Google. Typically the top 5 results on any keyword search receive 75% of the “clicks”, and in order to get ranked higher (in the top 10 results/page 1 of results) a website can make changes to its site and pages. These changes can include adding backlinks or links from other sites that have a high Domain Authority and relevance; adding a robots.txt page; adding a sitemap for search engines; and removing dead pages and links, among many other methods.

What is Domain Authority (DA) and Page Authority (PA)? Domain Authority (DA) is the value put upon a site and where it ranks in terms of relevance, quality and reputation. It is a ranking score developed by Moz and ranks from 1-100 with 100 being the highest. Page authority (PA) is the same in terms of relevance, quality and reputation ranking but associated with a specific page. For example, Amazon.com has a DA of 96/100 which is exceedingly high. It is a trusted and relevant source. It would be very difficult for a competitor to overcome Amazon with that high of a DA.

Domain Authority & Page Authority Tools

There are multiple sites that offer free tools to check the DA and PA of a site. https://moz.com/domain-analysis is one source to use and will report the results back for a site. Ahrefs also has a tool found at: https://ahrefs.com/website-authority-checker. Additionally one may also use:

http://www.dachecker.org/
https://websiteseochecker.com/domain-authority-checker/
https://smallseotools.com/domain-authority-checker/

The reason why one might check multiple DA and PA tools is to get a collected sense of the DA and PA ranking. They all may offer a slightly different ranking and score. Moz – the maker of DA and PA – offers an extension that can be added to a browser if one is inclined to do so. It can be downloaded at: https://moz.com/products/pro/seo-toolbar. Paid tools – or tools that require account registration – that are top quality include Uber Suggest and SEMRush. They are found online at: https://neilpatel.com/ubersuggest/ and https://www.semrush.com/. These tools also offer other SEO tools that are useful for online investigations but are beyond the scope of this tutorial.

Checking Indexing

Considering Google is still the world’s largest search engine with more than 40 trillion pages in its index, it is worth understanding if a site is even indexed with Google. Lower ranking sites are less likely to be indexed or indexed correctly. A simple Boolean search in Google to manually check indexing would be:

site:exampledomain.com

If Google returns results for the site, the site is indexed by Google (the same principle works for Bing, but this tutorial will focus on Google). Additionally, one could use web tools to do this such as:

https://www.linkody.com/en/seo-tools/google-index-checker
https://www.rankwatch.com/free-tools/google-index-checker/
https://smallseotools.com/google-index-checker/
https://www.prepostseo.com/google-index-checker

OSINT Investigations Use Cases: Understanding the Domain Authority and Page Authority of a website is a valuable tool for digital investigations simply because knowing a site’s ranking helps to understand how traffic is driven to the site and how customers are finding the site.

Scenario: you have a business under investigation. This investigation could be for kickbacks, money laundering, illicit referrals, insurance fraud or any other sort of financial crime. During the investigation you conduct investigative interviews of individuals who have claimed to have used this hypothetical business. Asking the interviewees how they found the business is an important question; an investigator will want to know this and build a list of other potential witnesses to call. If your interviewee tells the investigator “Oh I just Googled it” but the Domain Authority score is 3, it is unlikely and improbable that the interviewee would be able to find the hypothetical business simply via a Google search. The site may not even be indexed, or not indexed correctly, which is why checking whether a site is indexed is an important step. If the interviewee tells you that they “Googled” the business but the DA is low or the site is not indexed, a follow-up question would be “what keywords did you use to search for that in Google?”, which should shed some light on the interviewee’s answer or provide an opportunity to press for more information.

Page Authority questions can be used in a similar manner. If you ask “How did you find your doctor/attorney/mechanic/banker/dog groomer?” and they say they “Googled” for them, but the PA is low or the page is not indexed, that should prompt follow-up questions. The follow-up questions should also ask for the specific keywords that were searched and lock in their statement. Such a line of questioning could result in uncovering illicit activity such as kickbacks, illegal referrals, money laundering schemes or other fraud related actions.

Randomized Example I selected a randomized example from expireddomains.net in the domain name http://balkanauto.me. The domain is set to expire 2/20/2022. A Boolean operator search of site:balkanauto.me resulted in no return in Google which indicates the site is not indexed. An index check using web tools also confirmed no indexing of the site. A DA search using web tools on that domain name returned a DA score of 1, the minimal DA score.

As a side note, if one were to buy a used domain for email purposes in order to have more “credibility” with setting up online accounts that appear to scrutinize Protonmail, Tutanota, CTemplar or Runbox email accounts, one should look for a domain name that has a much higher DA as that is seen as more reputable and established.

Final Thoughts

While not often discussed in investigative circles, DA and PA can be useful tools to gauge how people are finding websites and searching for them. Understanding the DA and PA score can be a very valuable piece of knowledge to have when conducting investigative interviews. If a witness claims to have found a business, clinic or organization via a Google search yet the site has a low DA, this would call into question the testimony being provided by the interviewee and should prompt an interviewer to ask more detailed questions. In the randomized example of BalkanAuto.Me, if someone were to state in an investigative interview that they found the retailer through a Google search, that should call into question any prior relationships to the retailer and prompt an investigator to dig deeper and ask more strategic questions. This would also cause the investigator to consider the honesty of the interviewee and any involvement by the interviewee with the suspect business. As a general investigative principle, all findings should be pursued and vetted to rule out innocent persons, and the above commentary should not be taken as legal advice or an imputation of guilt upon anyone.

The Retail Equation

Author: Gustov1

This member write-up provides tips for obtaining your personal report from the data broker The Retail Equation, as discussed in podcast episodes #250 and #251 (https://inteltechniques.com/podcast.html).

https://www.reddit.com/r/retail/comments/69rqte/the_retail_equation_how_to_get_them_to_delete/

The Retail Equation: How to get them to delete your file!

Return fraud is a serious issue that is responsible for billions of dollars in retail loss each year. It negatively impacts the economy by increasing prices, threatening job security and forcing retailers to impose strict return policies like no receipt, no return rules. Now many large retailers use a third party "return authorization service" that is called "The Retail Equation". The system operates behind the scenes and collects your information when your ID is swiped. There is a file created for each individual recording your purchase and return activity. Each time your ID is swiped while returning something with or without a receipt the system saves all the info to your file which is used to determine if your future returns are accepted or not. You can actually go to their website and request a copy of your activity report and dispute anything you don't like.

TRE's system records and calculates the following information each time to decide if your return will be accepted or denied:

• The frequency of returns
• Return dollar amounts
• Whether the return is receipted or non-receipted
• Purchase history

TRE claims that discrimination is not used while making decisions so factors like your:

• Age
• Gender
• Race
• Nationality
• Physical characteristics
• Marital status

are NOT considered during the authorization process.

Although the system sounds like the perfect solution for the return fraud problem it seems like there is a problem with the "equation" itself. Judging by the Better Business Bureau's page on The Retail Equation and many other websites there are a lot of PO'd consumers. The BBB rates them at 2.78 out of 5 stars which is surprisingly still a B but surely on the low end. There are also 88 complaints on TRE. I actually read quite a few and it looked like a lot of people had issues with privacy because they keep records of everything. They record your ID, address, phone number, your credit/debit cards and your purchase and return activity. Some felt discriminated against, not because of race, age, gender, etc., only because they are immigrants that have no form of ID that is accepted by TRE to even return. Multiple complaints stated that when you call the phone number everybody is rude and none of them are helpful. The center is actually outsourced to India like most and they barely speak English; all they seem to say is "there is nothing we can do for you" and "you are pretty much out of luck". I finally did some research to see if there was a way to actually find some resolution if you have a problem and it turns out that you can email them or post mail them also. While I was looking on the BBB page it seemed like the best way to get a resolution was to make a complaint yourself on them. A couple people actually got them to erase their whole profile and allow non receipted returns for a period of time. I actually thought it was pretty funny but I guess if you demand that they erase your profile they will actually do just that. I think that I might give it a shot myself. It's not really good to have a database that possibly makes you look like a thief.

----------------------------

https://www.complaintsboard.com/the-retail-equation-return-denied-c1195039

----------------------------

A nice video regarding The Retail Equation by OPEN Forum: https://www.youtube(.)com/watch?v=c2-DtzE6mKg (11% of returns are considered fraudulent)

----------------------------

https://www.consumerfinance.gov/consumer-tools/credit-reports-and-scores/consumer-reporting-companies/companies-list/retail-equation/

The Retail Equation

The Retail Equation monitors and reports to merchants retail product return and exchange fraud and abuse. The Retail Equation is owned by Appriss, Inc.

Contact this company to request your report:

• The company will provide one free report if you request it.
• Requesting copies of your own consumer reports does not hurt your credit scores.
• For companies required to provide the information in your report for free annually upon request, they must do so within fifteen days of receiving your request.

theretailequation.com
The Retail Equation
P.O. Box 51373
Irvine, CA 92619-1373
(800) 652-2331

----------------------------

Archive.org: https://web.archive.org/web/20150515000000*/theretailequation.com

LinkedIn Results

Chris Hanks
Director of Data Science at The Retail Equation
Irvine, California, United States
https://www.linkedin.com/in/chris-hanks-39189350/

Dave Justus
https://www.linkedin.com/in/dave-justus-8a2b8b/
CFO+ | Board | Investor
Orange County, California, United States
The Retail Equation, Sep 2004 - Feb 2016, Irvine, California
PE-owned predictive analytics firm and market leader in optimizing revenue and margins and identifying and preventing fraud and abuse in a SaaS subscription business model. Sold to Norwest Venture Partners in 2011. Sold to Insight Partners and integrated into Appriss, Inc. in 2015. This business has been re-branded as Appriss Retail (https://apprissretail.com/).
• Served as the #2 executive for over 11 years while driving 10x enterprise value growth through two M&A exits to top tier PE firms.

----------------------------

Appriss Retail
https://apprissretail.com
6430 Oak Canyon Drive, Suite 250
Irvine, California 92618
949-262-5100

https://losspreventionmedia.com/business-directory/appriss-retail/

Appriss Retail, a division of Appriss, Inc., provides artificial intelligence-based solutions to help retailers protect margin, unlock sales, and cut shrink. With more than 20 years of retail data science expertise, the company’s Software-as-a-Service (SaaS) platform generates advanced analytical insights and real-time decisions that drive action throughout the organization, including loss prevention, operations, finance, and marketing. Performance-improvement solutions yield measurable results with significant return on investment among retail store, ecommerce, and inventory functions. Appriss Retail serves a global base of leading specialty, apparel, department store, hard goods, big box, grocery, pharmacy, and hospitality businesses in more than 150,000 locations (brick and mortar and online) in 45 countries across six continents. Appriss Retail conducts independent research and shares that information directly with the retail industry as well as working with associations including the National Retail Federation, the Loss Prevention Foundation, the Loss Prevention Research Council, the Retail Industry Leader’s Association, Retail Council of Canada, and ORIS Forums. In December each year the company publishes its Consumer Returns in the Retail Industry Report which is available for download, and is the only industry report to monetize the impact of consumer returns on the industry and state-level economies. In the early summer, Appriss Retail sponsors the National Retail Security Survey (NRSS) produced by the NRF and the University of Florida.

Predict and Shape Shopper Behavior

Appriss Retail optimizes retailers’ revenue and margin by shaping behavior in every consumer transaction. The company’s solutions use predictive analytics to turn each individual shopper’s purchase or return into a more profitable experience. This yields immediate financial payback, increasing store comps by as much as 2 percent, with significant return on investment. The company’s solutions create sizable new sales at the return counter, while also building customer loyalty, and prevent fraudulent and abusive returns, reducing return rates, and improving shrink.

Optimizing Revenue in all Consumer Transactions

Appriss Retail draws from the expertise of PhD statisticians and a wealth of retail transactional history to develop its optimization solutions. A pioneer in the use of statistical models to reduce return fraud and shrink, the company uses sophisticated predictive analytics to identify incentives most likely to keep consumers shopping after making a purchase or legitimate return. Viewing information in real-time, and predicting behavior at an individual level, permits all retail transactions to be optimized to meet revenue, margin, or product sell-through objectives.

Profit Protection

Retailers worldwide use Appriss Retail solutions to significantly mitigate losses related to fraud, theft, and operational/systemic breakdowns. The solutions provide immediate insight into the retail organization’s most critical data, allowing them to make informed decisions to reduce shrink, improve profitability and achieve rapid returns on investment. Appriss Retail solutions provide a comprehensive analytical view of user actions and process inefficiencies across a variety of retail risk areas including: point-of-sale, returns, supply, inventory, finance, pharmacy, and human resources.

Data Integration

When the customer can shop any channel, anywhere, decision making depends on universal access to data in real-time and instantaneous analysis of that data. To give retailers the competitive edge they need, Appriss Retail developed a cloud-based data integration platform that pulls data from all sources within the retail organization, including the very edge of the business. The platform benefits retailers in two ways. First, it offers a unified customer experience across channels and geographies, giving them access to real-time inventory levels and other information that drives purchase decisions. Second, it puts one 360-degree view of customer, inventory, product, price, and location data at employees’ fingertips. The data integration platform is system agnostic and can inform macro systems such as inventory, analytics, CRM, as well as store-level systems such as staffing and till management.

Appriss Retail's Email Format: first initial last [email protected]

Appriss Cloud API location/login
https://apis.apprissretailcloud.com/contactus.asp
If you are an APIS User experiencing logon issues please contact your company APIS Administrator.
Appriss Retail - Main Office: 6625 West 78th Street, Suite 280, Minneapolis MN 55439
Office Number: 1-888-777-0586
Email: [email protected]
https://apis.apprissretailcloud.com/

----------------------------

https://www.linkedin.com/company/appriss-retail/

Appriss LinkedIn users: https://www.linkedin.com/search/results/people/?currentCompany=%5B%2224795035%22%5D&origin=COMPANY_PAGE_CANNED_SEARCH&sid=.%3Ax

Reduce risk. Remove friction. Reimagine your consumer experience. At Appriss Retail, we help retailers realize the best consumer experience while maximizing profit. Our data science-driven solutions empower our retail partners to make real-time decisions that remove friction from the shopping journey and reveal new opportunities for engagement – on everything from returns and rewards to people and products. Designed to meet the needs of each brand. Engineered to evolve as retailers grow. Built to reduce risk, turn gaps into gains, and generate more revenue across multiple channels. Appriss Retail is a division of Appriss Inc; for more information about Appriss Retail, visit https://apprissretail.com.

----------------------------

http://www.thelpportal.com/content/solution-providers/resource-guide/business/

Appriss Retail, 120 Leman Street, London E1 8EU
www.apprissretail.com
Telephone 0207 430 0715
Appriss Retail helps retailers cut shrink, fight fraud, protect margin, and unlock sales opportunities. The company provides predictive analytics in a Software-as-a-Service environment to specialty, apparel, dept. store, big box, grocery, pharmacy, and hospitality organisations. The solutions typically provide financial payback in one to six months.

----------------------------

Retail PDF: https://f.hubspotusercontent10.net/hubfs/2880767/Appriss Retail December 2020/pdf/Sell-MoreLose-Less-During-Retail-Recovery-ebook.pdf

----------------------------

Integrated with Genetec Security Center to review retail theft video: https://www.genetec.com/press-center/press-releases/2018/08/genetec-and-appriss-retailintergration-enables-retailers-to-correlate-video-with-transactions

About Appriss Retail

Appriss Retail provides artificial intelligence-based solutions to help retailers protect margin, unlock sales, and cut shrink. With more than 20 years of retail data science expertise, the company's Software-as-a-Service (SaaS) platform generates advanced analytical insights and real-time decisions that drive action throughout the organization, including operations, finance, marketing, and loss prevention. Its performance-improvement solutions yield measurable results with significant return on investment among retail store, ecommerce, and inventory functions. Appriss Retail serves a global base of leading specialty, apparel, department store, hard goods, big box, grocery, pharmacy, and hospitality businesses in more than 100,000 locations (brick and mortar and online) in 45 countries across six continents. For more information about Appriss Retail, visit https://apprissretail.com.
---------------------------
https://www.consumerfinance.gov/consumer-tools/credit-reports-and-scores/consumer-reporting-companies/companies-list/retail-equation/

Contact this company to request your report:

- The company will provide one free report if you request it.
- Requesting copies of your own consumer reports does not hurt your credit scores.
- For companies required to provide the information in your report for free annually upon request, they must do so within fifteen days of receiving your request.

The Retail Equation, P.O. Box 51373, Irvine, CA 92619-1373

## UnRaid Operating System

https://www.unraid.net/ | UnRaid Homepage

**Advanced/Experimental**

Note: There are many ways to set up network attached storage or a home server. I am only providing one path and I will be explaining my choices in lay terms. I am also by no means an expert. This is only my second UnRaid build and I am not a network engineer or systems specialist. If you see choices or steps that can be improved please let me know on our Matrix chat. Likewise, if you are new to OSINT and/or new to the training you may want to set this lesson aside until you are further on your journey. We occasionally like to tackle experimental or more advanced topics and it is not expected that everyone replicates our efforts. Even if it doesn't apply to your mission directly, there might be a concept that you can make use of now or down the road.

### Use Case

MacOS, Windows, and Linux are the operating systems that we typically utilize in the training. UnRaid is a specialized operating system that we are going to discuss because it is a good option for hosting virtual machines, network attached storage (leak and breach data), and possibly additional applications that we wish to self-host on our local network. This is an advanced option and although most of you will not build out your own UnRaid server, I think it is useful to see how it might fit into our OSINT workflow and in some cases also support our security/privacy efforts. In my case, I am going to use the newly built workstation that we constructed in the previous hardware modules and use it to host:

- Multiple virtual machines
- A network share containing my collection of breach/leak data (which we use for our defensive security audits)
- Containers for self-hosting applications such as encrypted notebooks for documentation

Some reasons I chose UnRaid for this use case:

- Easy installation, configuration, and management
- Data redundancy for critical data sets (parity lets the array survive a drive failure; it is not a substitute for a separate backup)
- Active community (this helps with troubleshooting)
- It is used by other OSINT professionals in our community and came highly recommended
- The licensing, if you choose the Pro version, is inexpensive and persistent (no recurring cost)
- It can be used "headless", which means that once it is set up on the network we can remote into it from other workstations. Thus it can be mounted on the network and run from a location other than our office, and it does not need its own peripherals (monitor, keyboard, etc.).

For the remainder of this lesson, I will refer to it as a server, because that is closer to my use case. When complete this computer will live in my workshop, have no keyboard/monitor of its own, and host data and virtual machines that will be accessed over the local network. For example, as long as it is on the same network I can connect to the server via my laptop and run breach data queries without having to host the breach data on my laptop. The data and the processing power to search it will be a network resource hosted on this small server.

### Hardware

For more detailed information on my hardware choices please see the previous workstation build lessons, but I do want to address storage choices specifically. One of the most common uses for UnRaid is network attached storage because of its support for what are called parity drives. A parity drive holds enough information that if any single data drive in the array fails (any two, if you run two parity drives), its contents can be rebuilt from the remaining drives plus parity. Note that parity is redundancy, not a backup: a file that is deleted, corrupted, or encrypted by ransomware is written to parity just as faithfully as the original was, so anything you cannot afford to lose still needs a separate backup.

I should also note that the hardware below is for the purposes of recording this demo. When I am complete I will be combining my array with drives from my prototype UnRaid server that I created a few months ago. I wanted to show building this out from scratch, which is why I am not using that other server for this lesson. The hard-drive setup for my build is as follows:

1. 14 TB parity drive. The parity drive must be at least as large as the largest single drive you wish it to protect, so if your largest array drive is 12 TB, then your parity drive must be no smaller than 12 TB and ideally larger.
2. 2 x 256 GB cache drives. These fast drives are used for short-term storage that reduces the slowdowns caused by writing through the parity drive(s). They do not hold any long-term data. Data waiting on the cache has not yet reached the parity-protected array until the mover runs, which is one reason to run two cache drives as a mirrored pool rather than one.
3. 4 x 3 TB mechanical HDDs. These are the drives where I will host anything that I want protected by the parity drive, specifically my breach/leak data.
4. 2 TB NVMe drive. A very fast drive for hosting VMs and containers that do not require parity protection. This drive will have no redundancy. I am trading redundancy for speed.

I am making some trade-offs with this drive strategy. For example, I am choosing to have a very fast NVMe drive for hosting short-term OSINT VMs with the caveat that its data is NOT protected by the parity drive. I could also create VMs on the 3 TB mechanical drives that would be parity-protected, only they would be much slower. I like having both options, fast and risky AND slow and safe.
A good video covering and explaining disk strategies for UnRaid: https://www.youtube.com/watch?v=X0hX1cDP_1w

The presenter in that video also provides a link to a spreadsheet with some possible drive configurations. You can view his spreadsheet here: https://docs.google.com/spreadsheets/d/1hA2NCoUCYJv0Wm_dm26J44Srr6yex4tg-TTsOyEVIY/edit#gid=2120316295

My build is most similar to the following from his spreadsheet, although I only have 1 parity drive and my cache and array drives are smaller.

My setup:

| Pool | Drives | Role |
|---|---|---|
| Cache | 256G SSD, 256G SSD | Write cache |
| Parity | 14TB HDD | Parity |
| Array | 3TB HDD, 3TB HDD, 3TB HDD, 3TB HDD | Data storage |
| Unassigned | 2TB NVMe | VMs, applications |

Reminder: When done with this demo I will be adding additional drives to increase total array size and parity size (18TB), so my use of 3TB drives here was purely because I had some on hand that were not being used.

A good video by Spaceinvader One on using fast drives for multiple drive pools: https://youtu.be/jgRSr7yBZfs

Drive configuration and management is the lion's share of the work we will do in setting up our server. In this module we only touch on the basics and initial setup, so if you intend to become a full-time UnRaid user it is recommended to check out the massive collection of videos at https://www.youtube.com/channel/UCZDfnUn74N0WeAPvMqTOrtA and also do your own research for additional guides and lessons.
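To make the parity trade-off discussed above concrete, here is a small added example written for this notebook (it is not Unraid's code). It models single parity the way Unraid computes it, as a bytewise XOR across every data drive, using three constructed byte strings as "drives". It shows that one failed drive can be rebuilt from the survivors plus parity, that two simultaneous failures cannot be rebuilt with a single parity drive, and that an overwrite (a deletion or a ransomware encryption) is mirrored straight into parity, which is why parity is redundancy and not a backup.

```python
"""Toy model of Unraid-style single parity (added example, not Unraid code).

Unraid's single parity disk holds the bytewise XOR of every data disk at the
same position (equivalently: the parity bit makes the number of 1-bits at
that position even).  A few bytes of constructed "disk" content are enough
to show what that does and does not protect against.
"""
from functools import reduce
from operator import xor

# Constructed sample contents of three array disks (not real data).
DISK_A = b"breachset-2019.txt: alice@example.com:hunter2"
DISK_B = b"notes.md: parity is not a backup"
DISK_C = b"vm.img: \x00\x01\x02\x03"


def _xor_columns(disks):
    """XOR a list of equal-length byte strings position by position."""
    return bytes(reduce(xor, column) for column in zip(*disks))


def compute_parity(disks):
    """Return the parity disk for a list of data disks.

    Disks are zero-padded to the largest one, which is the reason a parity
    drive must be at least as large as the largest data drive.
    """
    size = max(len(d) for d in disks)
    return _xor_columns([d.ljust(size, b"\x00") for d in disks])


def rebuild_disk(surviving, parity, size):
    """Reconstruct one missing data disk from the survivors plus parity.

    XOR-ing the survivors into the parity cancels them out and leaves the
    missing disk; `size` trims the zero padding back off.
    """
    padded = [d.ljust(len(parity), b"\x00") for d in surviving]
    return _xor_columns(padded + [parity])[:size]


def single_failure_recovers():
    """Disk B dies: A, C and parity are enough to rebuild it."""
    parity = compute_parity([DISK_A, DISK_B, DISK_C])
    return rebuild_disk([DISK_A, DISK_C], parity, len(DISK_B)) == DISK_B


def double_failure_does_not_recover():
    """B and C die together: one parity equation, two unknowns.

    What comes back is B XOR C, not B; this is what a second parity
    drive is for.
    """
    parity = compute_parity([DISK_A, DISK_B, DISK_C])
    return rebuild_disk([DISK_A], parity, len(DISK_B)) != DISK_B


def overwrite_is_mirrored_into_parity():
    """Ransomware (or a plain rm) rewrites B; parity follows the write.

    Unraid updates parity on every write, so a later rebuild faithfully
    returns the *encrypted* file.  Parity is redundancy, not a backup.
    """
    encrypted_b = bytes(byte ^ 0x5A for byte in DISK_B)  # stand-in for encryption
    parity = compute_parity([DISK_A, encrypted_b, DISK_C])
    rebuilt = rebuild_disk([DISK_A, DISK_C], parity, len(encrypted_b))
    return rebuilt == encrypted_b and rebuilt != DISK_B


if __name__ == "__main__":
    print("single failure rebuilt:", single_failure_recovers())
    print("double failure lost:", double_failure_does_not_recover())
    print("overwrite mirrored into parity:", overwrite_is_mirrored_into_parity())
```

The same arithmetic is why a parity check (scheduled below under Initial Configuration) can only tell you that array and parity disagree, not which side is right, and why the cache pool and the unassigned NVMe drive in the table above sit entirely outside this protection.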

### Initial Configuration

Official Setup Guide: https://wiki.unraid.net/Articles/Getting_Started#Initial_Setup

Key Steps (very concise steps meant to accompany the video example):

1. If your Unraid server is connected to your network, when you boot it up you will see the assigned IP address on the boot screen.
2. You can get to the GUI from a browser on a workstation on the same local network by typing in the IP address from step 1 or by entering http://tower/login.
3. The default login is root with no password.
4. Set a strong, unique passphrase for root immediately (newer releases prompt for one at first login) and put it in your password manager. Until this is done, anyone on your LAN who can reach the web interface has full control of the server.
5. Follow the prompts to either start a free 30-day trial or add a purchased Unraid license key.
6. Once on the main screen select the Main tab; there you can assign your attached drives as parity, array, pool, or unassigned.
7. Once drives are assigned it will take Unraid a long time to set up the drives; plan on hours depending on drive size and speed.
8. Once Unraid has set up the drives, click on each one and, before you use it, scroll down the page and check the box to format that disk so that it can be used.
9. Once our disk drives are set up and formatted we can start the array and our basic setup is complete.
10. For the USB flash drive that holds your Unraid operating system, we want to secure it: click on it under Boot Device, then under SMB Security Settings change Export to "No" and Security to "Private". This prevents others on your network from being able to read or edit the contents of your OS drive (which also holds your license and configuration).
11. You may wish to back up your OS flash drive (remember it contains your license for Unraid). To do so click on the flash drive again and at the top of the Flash Device Settings select "Flash Backup". Save the backup to a safe location (not on the same server). Update this backup occasionally when you make major changes to your server.
12. Click on the Settings tab and then Scheduler:
    a. Under Parity Check enable it and set it to run at least once a month (this compares the array against the parity disk and reports errors).
    b. Under Mover Settings consider having it run once a day, but at a time when you are not active (such as overnight or while you are typically off-site). https://forums.unraid.net/topic/85104-solved-understanding-what-the-mover-is-doing/
13. Back under the Settings tab, select Disk Settings. If the auto-start setting says No, change it to Yes so the array starts automatically if the server restarts for some reason.

### Adding Shares

Shares are a good option for storing large data sets such as breach or leak data that we may want to access from multiple workstations and virtual machines on our network. Remember that this is sensitive data: the share login created below only controls who on the local network can open it, so the server should live on a trusted LAN and neither its SMB shares nor its web interface should ever be exposed to the internet.

1. Select the Shares tab from the top menu.
2. Name the share something logical such as "breachdata" or similar.
3. The default settings are fine for a start, but in our demo we want to enable "Use Cache" so that we can improve our speeds by leveraging the fast, short-term cache drives.
4. Most settings have descriptions built in and remember, like most powerful operating systems, there are many, many changes you can make to settings and we are only covering the basics. It is highly encouraged that you do additional research and build up your Unraid knowledge.
5. Click on Add Share to complete the share.
6. Once added, look under the SMB Security Settings and change the Security to Secure or Private. The Public setting lets anyone on the network read and write the share with no login at all, which is not appropriate for breach data.
7. Next go to Users and create a user login that is authorized to access the share. Give this user a good unique password and add these to your password manager. This is purely to add a layer of security to this share so that we can control who can access it from the local network. Click Add when you are done. I often will use the username "osint" because this is for use with my OSINT virtual machines, but if you do so please use a unique passphrase.
8. Now you will see an entry at the bottom of the page for that share called SMB User Access where you can assign access rights to that user. I prefer to give my user read/write access.
9. Now your share is set up and should be mountable from any computer that has access to the Unraid server on your local network. On Windows you will find it under the network devices in Windows Explorer, or you can map the drive by right-clicking in Windows Explorer and selecting "Map network drive". Your share will have an address similar to \\tower\breachdata, although it depends on whether you changed the server name and/or the name of your share (\\servername\sharename). If you do map the drive on one of your Windows machines, make sure to check the box for auto-reconnect. When you connect it will ask for the user login created above in step 7.
10. Advanced: If you have large data sets on your Windows workstations that you want to move to your Unraid shares (such as breach data), I recommend using Robocopy to transfer the data. There are many guides online which cover using Robocopy.
    a. https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/robocopy
    b. For example, in my test environment I used the following command to copy large sets from a Windows workstation over to my Unraid share, which I have mapped as drive Z:

```bat
robocopy G:\breachsets Z:\ /Z /E
```

    /E copies all subdirectories including empty ones and /Z copies in restartable mode so an interrupted transfer can resume where it left off. Note that this copies rather than moves; add /MOVE if you want the source deleted after a successful copy, and /LOG:robocopy.txt to keep a record of what was transferred.

Great video by Spaceinvader One discussing shares: https://www.youtube.com/watch?v=ZOzW01lrzpM
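Because the GUI hides what the Public/Secure/Private choices in step 6 actually mean, here is an added example, written for this notebook rather than taken from Unraid, that audits a Samba share definition for anything weaker than Private. Unraid writes the share settings from the GUI into Samba's INI-style configuration under /etc/samba/ on the server; the exact generated file name varies by version and is an assumption here, and the sample config below is constructed to show the three security modes plus an exported boot flash drive. The checks use standard Samba semantics (`public`/`guest ok`, `writeable`/`writable`/`read only`), not anything Unraid-specific.

```python
"""Audit an smb.conf-style share file for guest-accessible shares.

Added example for this notebook, not Unraid's own tooling.  The sample
configuration is constructed; the option semantics are Samba's.
"""

SAMPLE_SMB_CONF = """\
# constructed sample, not taken from a real server
[flash]
    path = /boot
    public = yes
    writeable = yes

[breachdata]
    path = /mnt/user/breachdata
    public = yes
    writeable = no
    write list = osint

[isos]
    path = /mnt/user/isos
    public = no
    valid users = osint
    writeable = yes
"""

YES = {"yes", "true", "1"}
NO = {"no", "false", "0"}


def parse_smb_conf(text):
    """Minimal parser for Samba's format: {share name: {option: value}}.

    Section and option names are case-insensitive in Samba, so both are
    lower-cased; '#' and ';' lines are comments.  Values are kept as-is.
    """
    shares, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            shares[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            shares[current][key.strip().lower()] = value.strip()
    return shares


def _flag(opts, key):
    """Normalised boolean-ish option value ('' when the option is absent)."""
    return opts.get(key, "").strip().lower()


def audit_shares(shares):
    """Return (share, finding) pairs for anything weaker than Private.

    'public' / 'guest ok' = yes lets unauthenticated guests open the share;
    'writeable'/'writable' = yes or 'read only' = no then makes it writable
    for everyone who can open it, guests included.  A 'write list' on a
    read-only share (Unraid's Secure mode) grants write only to named users.
    """
    findings = []
    for name, opts in shares.items():
        if name == "global":
            continue
        guest_read = _flag(opts, "public") in YES or _flag(opts, "guest ok") in YES
        writable = (_flag(opts, "writeable") in YES or _flag(opts, "writable") in YES
                    or _flag(opts, "read only") in NO)
        if name == "flash":
            findings.append((name, "boot flash drive (OS, config, license) is exported"))
        if guest_read and writable:
            findings.append((name, "guests can read AND write (Unraid 'Public')"))
        elif guest_read:
            findings.append((name, "guests can read without a login (Unraid 'Secure')"))
    return findings


if __name__ == "__main__":
    for share, finding in audit_shares(parse_smb_conf(SAMPLE_SMB_CONF)):
        print(f"[{share}] {finding}")
```

Run against the sample, the flash share produces two findings and breachdata one, while the Private isos share produces none. On a real server, point parse_smb_conf at the generated Samba file (or at /boot/config/smb-extra.conf if you keep custom share definitions there) after every change to share security settings.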

Great video by JuanMTech discussing basic setup and shares: https://www.youtube.com/watch?v=2CbObOuOEuA

### Adding Virtual Machines

Adding basic virtual machines is straightforward, but for more advanced concepts and steps please check out the series by Spaceinvader One: https://www.youtube.com/watch?v=57tWqMecTr4&list=PL6MCtOroZNDDz61KrezJhhSlpKYGd--60

1. Select the VMS tab.
2. Click on Add VM; this will give you several default options.
3. In most cases for OSINT we are going to build an Ubuntu VM that will be compatible with our OSINT tools and customizations.
4. After selecting Ubuntu you will get a new page with many choices that will somewhat depend on your use case and hardware. See the video lesson for my choices.
    a. Rename the VM to osint.
    b. Assign CPU cores; I am assigning four on my server.
    c. Assign memory, but never go above half your total memory; 8 GB should be plenty.
    d. Primary vDisk Location: select the drive where you want your VM to live. I prefer to put my VMs on a faster drive such as my SSD or NVMe disks. If you have predesignated a drive for your VMs, select that drive.
    e. For ISOs select the Ubuntu image on your "isos" share (if you don't already have an isos share you can create one under the Shares tab at the top of the web interface).
    f. If you need to add an Ubuntu ISO file to that share you can browse to it in a terminal and use wget to download the latest version of Ubuntu:

```sh
wget https://releases.ubuntu.com/20.04/ubuntu-20.04.4-desktop-amd64.iso
```

       That was the latest release as of 2-26-2022; check https://releases.ubuntu.com/20.04/ and replace the URL with the latest desktop build. Fetch the SHA256SUMS and SHA256SUMS.gpg files from the same directory and verify the image before booting anything from it; a VM inherits whatever was in the image it was installed from.
    g. Select Create.
5. As long as you are not trying to do anything fancy, such as passing through video cards, you should be set for basic VM use.
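The verification mentioned in step 4f, as an added example written for this notebook (not Ubuntu or Unraid code): each Ubuntu release directory publishes a SHA256SUMS file of `<hex digest> *<filename>` lines and a detached signature SHA256SUMS.gpg. The code parses that format, streams the ISO through SHA-256 so a multi-gigabyte image is never loaded into memory, and compares the digests. The stand-in image and its sums file are constructed in a temporary directory so the example runs offline; on the server you would point verify_iso() at the file in your isos share and at the downloaded SHA256SUMS.

```python
"""Verify an ISO against an Ubuntu-style SHA256SUMS file (added example).

Not Ubuntu or Unraid code.  The image and sums used by demo() are
constructed on the fly so the example runs without network access.
"""
import hashlib
import hmac
import os
import tempfile


def parse_sha256sums(text):
    """Map file name -> expected hex digest.

    Accepts both 'digest *name' (binary mode) and 'digest  name' lines and
    ignores blank lines and anything that is not a 64-character hex digest.
    """
    expected = {}
    for line in text.splitlines():
        digest, _, name = line.strip().partition(" ")
        name = name.strip().lstrip("*")
        if len(digest) != 64 or not name:
            continue
        try:
            int(digest, 16)
        except ValueError:
            continue
        expected[name] = digest.lower()
    return expected


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash the file in 1 MiB chunks so a full ISO is never held in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_iso(iso_path, sums_text):
    """Return (ok, message) for iso_path checked against SHA256SUMS contents."""
    name = os.path.basename(iso_path)
    expected = parse_sha256sums(sums_text)
    if name not in expected:
        return False, f"no entry for {name} in SHA256SUMS"
    actual = sha256_of_file(iso_path)
    if hmac.compare_digest(actual, expected[name]):
        return True, f"{name}: sha256 matches"
    return False, f"{name}: sha256 MISMATCH (expected {expected[name][:12]}..., got {actual[:12]}...)"


def demo():
    """Good download, then one flipped byte, then no SHA256SUMS entry at all."""
    with tempfile.TemporaryDirectory() as tmp:
        iso = os.path.join(tmp, "ubuntu-20.04.4-desktop-amd64.iso")
        with open(iso, "wb") as fh:  # constructed stand-in for a real image
            fh.write(b"constructed stand-in for an ISO image\n" * 4096)
        sums = f"{sha256_of_file(iso)} *{os.path.basename(iso)}\n"
        good, _ = verify_iso(iso, sums)
        with open(iso, "r+b") as fh:  # a corrupted or tampered download
            fh.seek(100)
            fh.write(b"X")
        tampered, _ = verify_iso(iso, sums)
        missing, _ = verify_iso(iso, "")
    return good, tampered, missing


if __name__ == "__main__":
    print("good / tampered / missing entry:", demo())
```

A matching digest only proves the ISO matches the SHA256SUMS file you downloaded; to know that file itself is Ubuntu's, also check its signature with `gpg --keyid-format long --verify SHA256SUMS.gpg SHA256SUMS` after importing Ubuntu's signing key, as described in Ubuntu's own verification tutorial.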

### Plugins

1. (Optional) Create a burner account on the unraid.net community page https://forums.unraid.net/
2. Read through https://forums.unraid.net/topic/38582-plug-in-community-applications/
3. Install the Community Applications plugin https://unraid.net/community/apps
4. Activate the app store in Unraid:
    a. Open the Plugins tab.
    b. Choose Install Plugin.
    c. Paste in: https://raw.githubusercontent.com/Squidly271/community.applications/master/plugins/community.applications.plg
    d. Click on Install and now you will have an Apps tab.
   Anything installed this way runs as root on the server, so only paste plugin URLs taken from the official forum thread or the Community Applications catalogue, and check that the URL really points at the project's own repository before you click Install.
5. Now you can research useful community-built plugins:
    - https://www.youtube.com/watch?v=cZTWC_z9rKs | Unraid: 20 Must Have Plugins (2021 Edition)
    - https://wiki.unraid.net/My_Servers | Recommended Plugin
    - https://www.youtube.com/watch?v=O1Uge6fKAlM | Video showing plugin overview
    - https://wiki.unraid.net/Spaceinvader_One#Part_3:_The_My_Servers_Plugin__4_Great_Features_in_1_Great_Plugin.21 | Great video series covering the basics

### Articles, Videos, & Guides

- https://www.youtube.com/watch?v=ZAPgY4N9txE | How to Migrate Unraid from One Server to Another - YouTube
- https://www.youtube.com/watch?v=2CbObOuOEuA | How to set up Unraid - 2021 Guide - YouTube
- https://www.youtube.com/c/SpaceinvaderOne/search?query=vms | Spaceinvader One - YouTube
- https://www.youtube.com/watch?v=RD6OWYJOIzU | An introduction to VMs in Unraid and what to do first - YouTube
- https://www.youtube.com/watch?v=pb0yEpB2DiQ | Unraid Nas Home Server Build | Complete Guide 2021 - YouTube
- https://www.youtube.com/watch?v=e0lyuoRMYkA | 36TB Budget NAS Server Build Unraid Build Guide - YouTube
- https://www.youtube.com/watch?v=cZTWC_z9rKs | Unraid: 20 Must Have Plugins (2021 Edition) - YouTube
- https://www.youtube.com/watch?v=rokY1i6SA5A | Unraid: How to Install Community Applications Store (2021) - YouTube
- https://unraid.net/blog/new-users-blog-2 | Unraid | New Users Basics Blog #2
- https://www.youtube.com/watch?v=QGa3uA7-QOQ | Ubuntu Server Install UnRAID - YouTube
- https://unraid-guides.com/ | Unraid Guides: The Ultimate Home NAS Solution
- https://forums.unraid.net/topic/96895-ultimate-unraid-dashboard-uud/ | Ultimate UNRAID Dashboard (UUD) - User Customizations - Unraid
- https://www.reddit.com/r/unRAID/search/?q=guide&restrict_sr=1&sr_nsfw= | reddit.com: search results - guide
- https://www.youtube.com/watch?v=IWNypK2WxB0 | Authelia | The Ultimate Guide To Install and Configure (2022) - YouTube
- https://linustechtips.com/topic/1265866-planning-first-home-server/ | Planning first home server - Servers and NAS - Linus Tech Tips
- https://mitchross09.medium.com/how-i-self-host-my-own-sites-and-applications-with-unraid-docker-authelia-and-cloudflare-1f0d8e6f8912 | How I Self Host My Own Sites and Applications With Unraid, Docker, Authelia, and Cloudflare | by Mitch Ross | Medium
- https://squidly271.github.io/forumpost0.html | unRaid App List
- https://www.spxlabs.com/blog/2021/2/23/unraid-ryzen-server-build-2021 | Unraid Ryzen Server Build 2021 - SPX Labs
- https://wiki.unraid.net/Spaceinvader_One#Part_3:_The_My_Servers_Plugin__4_Great_Features_in_1_Great_Plugin.21 | Spaceinvader One - Unraid | Docs
- https://wiki.unraid.net/Spaceinvader_One#Part_2:_Unraid_6.9__Install_.26_Setup_a_New_Server_or_Upgrade_an_Existing_One | Spaceinvader One - Unraid | Docs
- http://tower/Plugins | Tower/Plugins (the Plugins page of your own server on the local network)
- https://forums.unraid.net/topic/107761-mount-unraid-share-inside-a-unraid-ubuntu-linux-vm-on-same-system/ | Mount Unraid Share inside a unRaid Ubuntu Linux VM on same System - General Support - Unraid
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/robocopy | robocopy | Microsoft Docs
- https://forums.unraid.net/topic/85104-solved-understanding-what-the-mover-is-doing/ | (SOLVED) Understanding what the mover is doing? - General Support - Unraid
- https://www.youtube.com/watch?v=O1Uge6fKAlM | The My Servers Plugin - 4 Great Features 1 Great Plugin! - YouTube
- https://wiki.unraid.net/My_Servers | My Servers - Unraid | Docs
- https://unraid.net/community | Unraid | Our Welcoming Community
- https://forums.unraid.net/ | Forums - Unraid
- https://unraid.net/community/apps | Unraid | Community Apps
- https://forums.unraid.net/topic/38582-plug-in-community-applications/ | [Plug-In] Community Applications - Plugin Support - Unraid
- https://www.greghilston.com/post/how-to-add-cache-drive-to-unraid/ | cache drives

Workstation Build Plan.md

12/30/2021

Workstation Build Plan v12.2021

Warning - There is always risk with building your own gear. Risk that it will not work out, warranties may be voided, frustrations may be had. Make sure that you are willing to accept those risks if you decide to build your own workstation. These days, especially with the issues around sourcing components, there is nothing wrong with just buying a prebuilt PC.

The following is a rough plan for building a workstation or small server for hosting breach data and virtual machines. If your use case is a general OSINT workstation the build steps will be similar, and that use case will be discussed as well in the video walkthrough. This module is aimed at users who are new to building out their own computers, so the pace may be on the slow side for anyone experienced with doing their own builds. As always, we are presenting examples of how things can be done, but this is not intended to be received as the best or only way to proceed.

### High Level Decisions

Use Case: In my example I have chosen components that will work well as either a mid-high end workstation OR a home/small business server. I went this route because I will be using it to host virtual machines and breach data as a server, but the same hardware could be repurposed as a relatively powerful workstation six months from now if I chose to do so. Specific hardware decisions will be explained in detail throughout the accompanying video lessons.

Operating System: Depending on your use case you will likely be installing Windows, a Linux distribution, or in my case unRaid (a more advanced option for setting up network attached storage or a home server). While it is possible to create a home-spun Mac build such as a "hackintosh", that is not advisable unless you really know what you are doing, and it is beyond the scope of this module. The sample hardware choices will support Windows, Ubuntu, and/or unRaid just fine and those are the paths I will discuss and reference in the videos. Here are some short guides to installing Windows, Linux, or unRaid on a fresh workstation.

Windows 10 (or 11 if you choose):
- https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/install-windows-from-a-usb-flash-drive?view=windows-11
- https://www.xda-developers.com/how-to-install-windows/

Ubuntu Linux:
- https://ubuntu.com/tutorials/install-ubuntu-desktop#1-overview

UnRaid:
- https://wiki.unraid.net/Articles/Getting_Started
- https://wiki.unraid.net/Articles/Getting_Started#Quick_Install_Guide
- https://www.youtube.com/watch?v=7uOUOXbjoJo&list=PL6MCtOroZNDC2wTXNnQETJukjnaK2iR5d
- https://www.youtube.com/watch?v=kgnD4gSz4PA&list=PL6MCtOroZNDBFZIh70Ctl0bFJbImhx4rd&index=8
- https://wiki.unraid.net/Building_an_unRAID_Server#Hardware

Power, Heat, & Noise: A consideration when building computers is not only what they will be used for, but also where they will live.
If sitting under your desk, noise might be an issue and that might affect your choices in cooling and fans. If you are going to run the system 24/7 as a server then power consumption might be an issue and affect your choices in power supply, motherboard, and processor. If it is going to be a high end workstation that is heavily taxed with tasks, then maybe you need sheer computing power more than you need it to be quiet and efficient. There is a balance there. In my example I will be erring on the side of processing power and capability over efficiency. My server will be located in an area where noise from the fans is not a huge issue, nor is dissipating heat.

### Hardware/Component Choices

The two primary concerns when selecting build components are capability and compatibility. We want the end product to support our use case (i.e. enough RAM to run VMs, enough drive space and drive speed to support breach data storage and search). We definitely don't want to randomly select parts that may not work together. I will share my choices below for a capable "pro-sumer" level OSINT workstation, but primarily pay attention to the categories. I wanted the flexibility to also use this workstation to host breach data and VMs as a server, so my specific components may be more than you need if you are just planning to use this as a desktop.

If you are new to building PCs a very helpful site for determining compatibility is https://pcpartpicker.com/. Set up a burner account, make it private, and it will help you select parts, find prices, and plan your build. It is also a good place to look at other builds, although most will be focused on gaming.

A note on graphics cards: Supply chain issues made worse by the crypto-mining industry have made graphics card prices ridiculous and it can be hard to find affordable cards. Some people are buying prebuilt systems just to scavenge the graphics cards. For a server or OSINT workstation we probably do not need much graphics power unless we plan to do things like brute force passwords. Thus, in my build I am using an old card I have laying around, but I recommend considering a motherboard with built-in graphics capability. I'll discuss this in the videos in more depth.

### Primary Components

CPU: This is your workstation's brain, and your primary choices are Intel or AMD. My last few systems have been AMD, but really these days either option tends to be fine. I used to always go Intel but AMD has closed the gap on most fronts and tends to have a slightly better power/cost ratio. The most important thing is that you pick a CPU, RAM, and motherboard that are compatible.
CPU models and features can get quite complicated so I will add a couple of guides for further research.
- https://www.tomshardware.com/reviews/best-performance-cpus,5683.html
- https://www.anandtech.com/show/11891/best-cpus-for-workstations
- https://www.digitaltrends.com/computing/amd-vs-intel/
- https://www.rockpapershotgun.com/how-to-install-a-cpu

CPU Cooler: Some CPUs come with coolers and others do not. The coolers that come with CPUs are not great but may be just fine if you don't plan to tax your system too much. These days I tend to use liquid coolers such as the one in my build. They are not terribly expensive and tend to be better than what you get in that off-the-shelf CPU box.
- https://www.tomshardware.com/reviews/cooling-buying-guide,6105.html
- https://www.techsiting.com/how-to-install-a-cpu-cooler/

Thermal Compound: This is the paste applied between the CPU and its cooler when you mount the cooler. It is cheap and helps with cooling efficiency. Arctic Silver is a very popular brand.
- https://www.youtube.com/watch?v=Bp6N1Wk-PxE | How to apply thermal paste

Motherboard: This is the toughest component to select. There are so many options and several factors to consider. I will talk about this quite a bit in the video. PCPartpicker will help you with compatibility, but it will pay off to read up on chipsets. The motherboard ties everything together, so it needs to support your chosen CPU, RAM, and video card. Also pay attention to whether it has onboard graphics (GPU) if you choose to go that route. Other considerations are whether it supports the outputs you need, such as USB-C. It can get pretty complicated figuring out drive support, PCI lanes, etc., so I recommend that once you pick a CPU, your time is then spent researching boards. If this is overwhelming look at PCPartpicker and see what boards others have used for their builds. The board I selected in my build is fairly high end but will support a use case of a performance workstation or a home server.
- https://www.tomshardware.com/reviews/motherboard-buying-guide,5682.html
- https://www.neogamr.net/how-to-choose-a-motherboard/
- https://www.minitool.com/backup-tips/how-to-choose-a-motherboard.html

Servers: Servers and high-productivity workstations, for example anything where you might be running multiple VMs, working with video, etc., may benefit from additional processor threads and PCI lanes. The following articles may help those wishing to understand cores, threads, PCI-e lanes and other factors that might affect a productivity workstation or server. For middle-of-the-road OSINT workstations we do not need to pay as much attention to the potential bottlenecks created by available cores, threads, and lanes.
- https://www.cgdirector.com/guide-to-pcie-lanes/
- https://forums.tomshardware.com/threads/cores-vs-threads-explained.3460905/

Memory: Your RAM is important because it is your computer's short-term memory. RAM is especially important for things like running virtual machines. Servers also tend to be RAM hungry.
Make sure to get RAM that is compatible with your motherboard. PCPartpicker will help with that, or use manufacturer sites such as https://www.crucial.com/articles/about-memory/is-my-ram-compatible-with-my-motherboard. In any new OSINT workstation build I want 32 or 64 GB of RAM. For laptops I try to get at least 16, but 32 is better. One upgrade to consider when selecting RAM is ECC (error-correcting) RAM. It is more expensive, and you would want to make sure it is supported by your motherboard and CPU, but for a server or heavily taxed system it has some benefit. For standard workstations it is probably overkill and not worth the cost.
- https://tedium.co/2021/01/06/error-correcting-code-memory-history/ | ECC Memory

Graphics Card (GPU): There is a huge issue with sourcing graphics cards currently due to supply chain issues and the impact of crypto-currency miners driving prices up. Cards are about 5x what they cost four years ago. If you are just using your workstation as a server or for OSINT, I recommend either picking a motherboard with onboard video or repurposing an older card from a previous system. If you are not working with video, such as editing, gaming, or cracking passwords, you probably do not need a high end card. If you do want to buy a decent video card, one of the best ways to get one currently is through Newegg's shuffle: https://www.newegg.com/product-shuffle. A powerful card these days can cost more than the rest of your entire system, so if you don't need it, don't buy it.
- https://www.pcgamer.com/why-you-still-cant-buy-a-graphics-cards-according-to-a-supply-chain-expert/

I don't recommend building a password cracking rig currently, but if you are determined: https://www.pentestpartners.com/security-blog/how-to-build-a-password-cracking-rig-during-a-worldwide-chip-shortage/

Storage: For data storage we have three main options, and in the video lesson I will explain in more detail how I use each and why.

Drive Configuration: You will want to have a plan for how you will configure your operating system and storage to suit your use case. For example, maybe you put your operating system on a fast NVMe drive, but have additional, cheaper HDDs which you use to store large data sets such as breach data.

NVMe: This is the fastest drive type currently and is perfect for your operating system (C drive) or other data that you want to be super-fast. Some people use these for applications they want to be high performance such as video editing, VMs, or smaller sets of breach data.

SSD: The second fastest option; this is perfect for hosting your virtual machines and smaller breach data sets. It is cheaper than NVMe but faster than HDD. NVMe and SATA SSDs do not have moving parts, so they can also be a bit more resilient over time: no mechanical parts to fail.

HDD: This is a traditional mechanical drive. It is the cheapest, loudest, and often slowest option, but available in high capacities and with the best cost/capacity ratio. We typically use these for our large bulk storage.
- https://unihost.com/help/nvme-vs-ssd-vs-hdd-overview-and-comparison/

UnRaid drive explanations:
- https://www.youtube.com/watch?v=X0hX1cDP_1w
- https://www.youtube.com/watch?v=u3zqCIsLL08

*UnRaid will have an additional drive, typically a USB drive, with the unRaid license and operating system on it. https://wiki.unraid.net/Building_an_unRAID_Server#Hardware

Case/CPU Cooler: Your case will most likely come with fans, and in addition to that you will be installing a cooler for your CPU. There are many options, and the cooler that came with your CPU may be just fine. For those wanting more capable cooling or control over noise, water cooling may be a good option, as I used in my build.
For case cooling, remember if you have fans in the front and back of your case, you want one set to pull air in and the other to push air out. Flip one set of fans to change the direction of the air flow. https://www.tomshardware.com/reviews/cooling-buying-guide,6105.html (this topic was also mentioned earlier, as cooler compatibility is affected by both your CPU and case choices.)

For the case, form factor is what matters most. Make sure that your case is a size that will accept your chosen motherboard. Aside from that, make sure that it will fit your other components such as the video card and drives. Also pay attention to what ports it has, such as USB-C support, and whether it will support your chosen cooler; some water coolers require certain amounts of space and mounting.

Note: The case I chose in my sample build was for the purpose of filming the build. It is not the case I'd recommend for most people. Also, if you are looking to build a server for home or small business, I recommend looking into the Rosewill brand of server cases or researching communities such as https://www.reddit.com/r/HomeServer/. Server cases often have support for holding more drives and some have features such as "hot swap" which make it easier to replace drives.
- https://www.pcmag.com/news/buying-a-pc-case-20-terms-you-need-to-know
- https://red-dotgeek.com/types-of-computer-cases-form-factors/

Power Supply: Power supplies are rated for wattage, reliability, and noise. PCPartpicker will help you gauge the required wattage of your system, but I recommend adding at least 100 watts above the requirement, if not more.
- https://www.newegg.com/insider/how-to-choose-a-pc-power-supply-buying-guide/

### Peripherals

For peripherals I typically use what I already have laying around from previous systems, but you may choose to order fresh gear.

Monitor: Make sure to pick up a monitor that is supported by your video card or the video outputs on your board. Most cards/boards/monitors have both HDMI and DisplayPort, but there are some variations which may affect which video cables you need.
- https://www.pcmag.com/how-to/hdmi-vs-displayport-which-should-i-use-for-my-pc-monitor

Keyboard/Mouse: For stationary workstations I recommend wired keyboards and mice. No sense dealing with wireless and battery life if you don't need to. For keyboards pay attention to environment. Do you need a quiet keyboard or do you prefer "clicky" keys?
- https://www.tech21century.com/different-types-of-computer-keyboards/

External Storage: For any external drives ensure that the connection type is supported by your workstation. For example, some drives are made for Thunderbolt 3, which is perfect for a Mac, whereas most Windows boxes support USB, with the newer versions using USB-C. External storage will typically be bottlenecked in speed by the connection type.
- https://www.monkeyusb.com/blogs/news/usb-explained-all-the-different-types-of-usb-cable-and-what-they-re-used-for

Jason's Sample Workstation/Server Build: https://pcpartpicker.com/user/GobBluth/saved/#view=R7RpBm

| Component | Selection | Price |
| --- | --- | --- |
| CPU | AMD Ryzen 9 5900X 3.7 GHz 12-Core Processor | $514.98 |
| CPU Cooler | Corsair iCUE H150i ELITE CAPELLIX 75 CFM Liquid CPU Cooler | $158.99 |
| Thermal Compound | ARCTIC MX-4 4 g Thermal Paste | $20 |
| Motherboard | Asus ROG Crosshair VIII Dark Hero ATX AM4 Motherboard | $449.99 |
| Memory | Corsair Vengeance LPX 64 GB (2 x 32 GB) DDR4-3200 Memory | $269.99 |
| Video Card | *** My build used an extra card I had laying around; if you get a system with onboard video, that should suffice for most server/OSINT needs *** | |
| Storage | Samsung 980 Pro 2 TB M.2-2280 NVME Solid State Drive | $329.99 |
| Case | Cooler Master MasterFrame 700 ATX Full Tower Case | $192.98 |
| Power Supply | Corsair RM (2021) 850 W 80+ Gold Certified ATX Power Supply | $109.99 |

Additional Storage: I am "shucking" mechanical drives from cheap external hard drives that you can often find on sale at Amazon, Best Buy, etc. A good site for tracking deals on external drives is https://shucks.top/ and an overview of shucking: https://www.ifixit.com/Guide/How+to+Shuck+a+WD+Elements+External+Hard+Drive/137646. This has worked well for me, but understand there is some gamble, and you are voiding warranties.

| Component | Selection | Price |
| --- | --- | --- |
| External Storage | Western Digital ELEMENTS 14 TB External Hard Drive | $249.99 |
| External Storage | Western Digital easystore 12 TB External Hard Drive | $229.99 |
| External Storage | Western Digital easystore 12 TB External Hard Drive | $229.99 |

Monitor: I am using an extra pre-existing monitor, and my system will run "headless" most of the time. There is an explanation of that in the video lessons.

My Build Total: $2736.88

Build Steps

1. Identify your use case.
2. Research component choices, starting with CPU, motherboard, and RAM.
3. Choose a case (make sure it will fit your motherboard and components).
4. Verify that your components are compatible and order them.
5. Plan your drives and, if you choose to shuck external drives, do so.
6. Prepare your work area, set up your case, and assemble any needed tools.
7. Install the motherboard and power supply unit (PSU) into your case.
8. Install the RAM.
9. Install the CPU.
10. Install the CPU cooler.
11. Install any hard drives.
12. (optional) Install your graphics card (this is unnecessary if you have onboard video).
13. Attach power-supply cables to your motherboard, CPU, drives, etc. Verify that everything is properly seated (attached to your motherboard) and tidy up any messy cables.
14. Attach a monitor to your onboard video port or your graphics card video port.
15. Attach a USB mouse and keyboard to your motherboard.
16. Insert your operating system boot disc (USB drive).
17. Turn on your system and force it to boot to the USB drive. These keys vary somewhat by manufacturer, but typically it is Esc, Delete, or an F-key. This site lists common keys by manufacturer: https://www.disk-image.com/faq-bootmenu.htm
18. Once successfully booted to your USB drive, follow the instructions to install the operating system. These steps will vary depending on your operating system of choice.

Tips, Tricks, & Resources

- https://www.youtube.com/watch?v=PXaLc9AYIcg | Sample PC Build Video Guide
- https://www.wired.com/story/how-to-build-a-pc/ | Build Guide Wired
- https://www.techradar.com/howto/how-to-build-a-pc | Techradar Build Guide
- https://www.crucial.com/articles/pc-builders/how-to-build-a-computer | General Build Guide
- https://onsitego.com/blog/productivity-pc-build/

UnRaid Articles, Videos, and Resources

- https://wiki.unraid.net/Articles/Getting_Started#Quick_Install_Guide | Articles/Getting Started - UnRaid | Docs
- https://unraid.net/ | UnRaid | Unleash Your Hardware
- https://www.youtube.com/watch?v=kgnD4gSz4PA&list=PL6MCtOroZNDBFZIh70Ctl0bFJbImhx4rd&index=9 | UnRaid 6.9 - What is it and What's New? - YouTube
- https://www.youtube.com/watch?v=7uOUOXbjoJo&list=PL6MCtOroZNDC2wTXNnQETJukjnaK2iR5d | Building a 10 core unRaid server from start to finish Pt 1 Hardware install - YouTube
- https://shucks.top/ | Shuck 'em if you got 'em
- https://www.ifixit.com/Guide/How+to+Shuck+a+WD+Elements+External+Hard+Drive/137646 | How to Shuck a WD Elements External Hard Drive - iFixit Repair Guide
- https://www.youtube.com/watch?v=9W3xuOl4ruc | How to Fix the 3.3V Pin Issue in White Label Disks Shucked from Western Digital 8TB Easystore Drives - YouTube
- https://www.youtube.com/watch?v=X0hX1cDP_1w | UnRaid storage & operation basics - parity, cache, & your data - YouTube
- https://docs.google.com/spreadsheets/d/1hA2NCoUCYJv0Wm_dm26J44Srr6yex4tg-TTsOyEVIY/edit#gid=2120316295 | UnRaid Storage Basics - Google Sheets
- https://www.youtube.com/watch?v=e0lyuoRMYkA | sample unRaid build
- https://www.youtube.com/watch?v=2CbObOuOEuA | unRaid installation steps video
- https://www.youtube.com/watch?v=Xekv2Y2mmfQ | Drive Shucking Steps WD Elements
- https://www.youtube.com/watch?v=pMudTWoMvsY | Drive Shucking WD Easystore

OneTab Links (for those who want to import all pages displayed in the overview video)

- https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/install-windows-from-a-usb-flash-drive?view=windows-11 | Install Windows from a USB Flash Drive | Microsoft Docs
- https://www.xda-developers.com/how-to-install-windows/ | How to install Windows 10 on a new PC in a few quick and easy steps
- https://ubuntu.com/tutorials/install-ubuntu-desktop#1-overview | Install Ubuntu desktop | Ubuntu
- https://wiki.unraid.net/Articles/Getting_Started | Articles/Getting Started - Unraid | Docs
- https://wiki.unraid.net/Building_an_unRAID_Server#Hardware | Building an unRAID Server - Unraid | Docs
- https://www.youtube.com/channel/UCZDfnUn74N0WeAPvMqTOrtA | Spaceinvader One - YouTube
- https://pcpartpicker.com/ | Pick parts. Build your PC. Compare and share. - PCPartPicker
- https://www.anandtech.com/show/11891/best-cpus-for-workstations | Best CPUs for Workstations: June 2021
- https://www.digitaltrends.com/computing/amd-vs-intel/ | AMD vs. Intel: Who You Should Go With in 2021 | Digital Trends
- https://www.rockpapershotgun.com/how-to-install-a-cpu | How to install a CPU | Rock Paper Shotgun
- https://www.tomshardware.com/reviews/cooling-buying-guide,6105.html | How to Buy the Right CPU Cooler: A Guide for 2020 - Tom's Hardware
- https://www.techsiting.com/how-to-install-a-cpu-cooler/ | How to Install a CPU Cooler? - TechSiting
- https://www.youtube.com/watch?v=Bp6N1Wk-PxE | How To Apply XTM50 High Performance Thermal Paste - YouTube
- https://www.tomshardware.com/reviews/motherboard-buying-guide,5682.html | How to Buy a Motherboard: Chipset, Socket & Form Factor Explained | Tom's Hardware
- https://www.cgdirector.com/guide-to-pcie-lanes/ | Guide to PCIe Lanes: How many do you need for your workload?
- https://forums.tomshardware.com/threads/cores-vs-threads-explained.3460905/ | [SOLVED] - Cores vs Threads Explained | Tom's Hardware Forum
- https://www.crucial.com/articles/about-memory/is-my-ram-compatible-with-my-motherboard | What RAM is Compatible with my System? | Crucial.com
- https://tedium.co/2021/01/06/error-correcting-code-memory-history/ | Should Regular Computers Use ECC Memory, Too?
- https://www.pcgamer.com/why-you-still-cant-buy-a-graphics-cards-according-to-a-supply-chain-expert/ | Why you still can't buy a graphics card according to a supply chain expert | PC Gamer
- https://www.pentestpartners.com/security-blog/how-to-build-a-password-cracking-rig-during-a-worldwide-chip-shortage/ | How to build a password cracking rig during a worldwide chip shortage | Pen Test Partners
- https://secure.newegg.com/identity/signin | Newegg.com Sign In
- https://unihost.com/help/nvme-vs-ssd-vs-hdd-overview-and-comparison/ | NVMe vs SSD vs HDD - Overview and Comparison - Unihost.FAQ
- https://www.youtube.com/watch?v=X0hX1cDP_1w | Unraid storage & operation basics - parity, cache, & your data - YouTube
- https://www.youtube.com/watch?v=u3zqCIsLL08 | Speed Up Your UnRaid Write Performance! SSDs - YouTube
- https://wiki.unraid.net/Building_an_unRAID_Server#Hardware | Building an unRAID Server - Unraid | Docs
- https://shucks.top/ | Shuck 'em if you got 'em
- https://www.pcmag.com/news/buying-a-pc-case-20-terms-you-need-to-know | Buying a PC Case: 20 Terms You Need to Know | PCMag
- https://red-dot-geek.com/types-of-computer-cases-form-factors/ | 9 Types of Computer Cases (With Pictures)
- https://www.newegg.com/insider/how-to-choose-a-pc-power-supply-buying-guide/ | How to choose a PC power supply - Newegg Insider
- https://www.reddit.com/r/HomeServer/ | /r/HomeServer
- https://www.pcmag.com/how-to/hdmi-vs-displayport-which-should-i-use-for-my-pc-monitor | HDMI vs. DisplayPort: Which Should I Use for My PC Monitor? | PCMag
- https://www.tech21century.com/different-types-of-computer-keyboards/ | 12 Different Types of Computer Keyboards Explained (with Pictures)
- https://www.monkeyusb.com/blogs/news/usb-explained-all-the-different-types-of-usb-cable-and-what-they-re-used-for | USB Explained: All the Different Types of USB cable - MONKEYUSB
- https://pcpartpicker.com/user/GobBluth/saved/#view=R7RpBm | GobBluth Saved Part Lists - PCPartPicker
- https://www.ifixit.com/Guide/How+to+Shuck+a+WD+Elements+External+Hard+Drive/137646 | How to Shuck a WD Elements External Hard Drive - iFixit Repair Guide
- https://www.cnet.com/tech/computing/this-is-how-you-build-your-own-pc-powerhouse-at-home-from-cpu-to-nuts/ | This is how you build your own PC powerhouse at home, from CPU to nuts - CNET
- https://carolinanewsandreporter.cic.sc.edu/how-to-build-a-budget-gaming-pc/ | How to build a budget gaming PC | Carolina News and Reporter
- https://www.pcgamer.com/uk/pc-build-guide-budget-gaming-pc/ | Budget gaming PC build guide: create a cheap gaming PC | PC Gamer
- https://cdn.mos.cms.futurecdn.net/kLu2Q er KFfuSAPwpowFJ-970-80.jpg.webp | (WEBP Image, 970 × 546 pixels)
- https://siliconcomputer.in/portfolio-item/computer-hardware/ | Computer Hardware | Silicon Computers
- https://www.businessinsider.com/how-to-build-gaming-pc-step-by-step-guide-2016-12#next-up-installing-the-cpu-cooler-which-well-cools-the-cpu-14 | How to Build Your Own Gaming PC: STEP-BY-STEP GUIDE
- https://www.cnet.com/a/img/bvC33eNOdnc4AeM6ChnZHJj7fn4/2019/11/23/4e21a4ae-cab6-4ea5-ace9-c3d8603ff017/all-parts.jpg | all-parts.jpg (WEBP Image, 3840 × 2160 pixels)


OSINT Cheat-Sheet Investigative Resources - Fall 2020

Methodology | Preparation | Execution | Documentation

Pre-Operational Considerations
- Ethical and Legal Assessment
- Deliverables and Scope
- Time and Resource Constraints
- Exposure/Risk Factors
- Adversary Sophistication
- Communication and Sit-reps
- Control Expectations

Workspace & Tools
- Clean/Secure Workstation
- Clean/Secure Connectivity
- Fresh Research Accounts
- Clean Browser w/Extensions
- Collection Tools
- Documentation System
- Storage/Archiving Solution

Investigative Steps
- Knoll Your Tools
- Define The Question
- Document Your "Knowns"
- Set Up Collection
- Query, Sweep, and Pivot
- Consolidate Findings
- Complete Reporting and Archive

OSINT Tools & Resources
- OSINT.team
- OSINTBrowser.com
- osintframework.com
- osinttechniques.com/osint-tools.html
- aware-online.com/en/osint-tools/
- intelx.io/tools

Tab Management
- https://www.one-tab.com/ (Local Storage Only) Simple Tab Management/Export For Chrome and Firefox
- http://www.gettoby.com/ (Account Based w/Sync) Thumbnailed Tab Management For Chrome and Firefox
- https://chrome.google.com/webstore/detail/graphitabs/dcfclemgmkccmnpgnldhldjmflphkimp?hl=en GraphiTabs - Tree View of Tabs
- https://clusterwm.com/ Simple Tab Manager w/Export (Sync Premium Offered)
- https://chrome.google.com/webstore/detail/tabs-outliner/eggkanocgddhmamlbiijnphhppkpkmkl Outline Format, Export, Sync
- https://www.gettabli.com/ Simple, Private (offline-storage only) Tab Management

Link Analysis/Visualization
- https://www.paterva.com/buy/maltego-clients.php Maltego CE and CaseFile
- https://vis.occrp.org/ Create Link Charts - Organized Crime & Corruption Project
- https://gephi.org/
- http://www.automatingosint.com/blog/category/gephi/
- https://www.xmind.net/ Mind Mapping - Free and Paid Versions
- https://medium.com/@raebaker/using-lampyre-for-basic-email-and-phone-number-osint-e0e36c710880 (Lampyre)
- http://www.visualsitemapper.com/ Domain Mapping
- https://www.draw.io/
- https://github.com/michenriksen/drawio-threatmodeling
- https://github.com/woj-ciech/Danger-zone Link IPs, Domains, and Email Addresses
- https://www.mindmup.com/ Mind Mapping - Free and Paid Tiers
- https://www.nodexlgraphgallery.org/Pages/Registration.aspx Powerful Graphing Client - Free and Paid Tiers

Useful Browser Extensions
- https://www.onenote.com/clipper Screen Capture and Tag (OneNote Users Only)
- https://getfireshot.com/ Screen Capture and Annotation (as image or pdf)
- https://github.com/ssborbis/ContextSearch-web-ext Context Menu Search Menu
- http://www.osintbrowser.com/ OSINT Bookmarks
- https://github.com/az0/linkgopher/ Simple Link Extraction
- https://github.com/marklieberman/downloadstar Firefox - Download all items in a webpage that match a pattern
- https://github.com/mozilla/multi-account-containers#readme Firefox - Multi-Account Containers (Compartmentalization)
- https://webrobots.io/ Scrape YP, Yelp, Ebay, Amazon, etc. Save as Excel or CSV

My Workstation Setup
- Workstation - Win 10, PIA/ProtonVPN, Chrome/Firefox, Vbox, Buscador/Kali, Nox/Geny, Hunch.ly, UC Cable/Mifi, KeePass, Malwarebytes, Glasswire
- Mobile - iPhone, MySudo, Signal, Wire; Android, burner, unlocked, on Mint sim kit
- Email/Payments - Protonmail, GMX, Fastmail, Blur, 33mail, Privacy.com, Vanilla Visa
- Office Software - Libre, OneNote, Notepad++, CherryTree, Standard Notes, Paper notebook, Teams/Slack/Mattermost/Rocket
- Alt-Hardware - MacBook Air, Atom Text Editor, VMware Fusion, Chrome/Firefox, Little Snitch
- Hypervisors - Virtualbox, Buscador Linux, Kali Linux, Genymotion, Nox

Google Operators

Remember we can string multiple operators together.

| Operator | Description | Example |
| --- | --- | --- |
| site: | Limit results to those from a specific domain | site:apple.com |
| " " | Quotes indicate a search for the exact term | "red rider BB gun" |
| AND | AND is deprecated & no longer functions | |
| OR | Search for term A, term B, or both. A pipe symbol is the same as OR. | gun OR rifle is the same as gun \| rifle |
| * | Wildcard for words in a phrase that you don't know | wish * a star |
| ( ) | Group a set of words/operators separately | (gun \| pistol) ammo |
| - | Exclude results including this word | chicago baseball -cubs |
| $ | Search for a certain price | "apple watch" $299 |
| cache: | Most recent cached version of a domain | cache:boston.gov |
| filetype: | Only search for a specific filetype; ext: works the same | filetype:pdf "confidential" or ext:pdf "confidential" |
| related: | Search for sites related to a domain | related:sony.com |
| intitle: | Find pages with a term in the page title | intitle:sabotage |
| inurl: | Find pages with a term in the url | inurl:private |
| around(x) | Find pages with terms within X words proximity of each other | microsoft around(7) surface |
| info: | Sometimes shows related pages, cache date etc. | info:chicago.gov |
| Adv. Search | Google advanced search form | https://www.google.com/advanced_search |

More Operators: https://ahrefs.com/blog/google-advanced-search-operators/

DuckDuckGo

DuckDuckGo handles some operators a little differently.

| Query | Result |
| --- | --- |
| cats dogs | Results about cats or dogs |
| "cats and dogs" | Results for the exact term "cats and dogs". If no results are found, related results are shown. |
| cats +dogs | More dogs in results |
| cats filetype:pdf | PDFs about cats. Supported file types: pdf, doc(x), xls(x), ppt(x), html |
| dogs site:example.com | Pages about dogs from example.com |
| cats -site:example.com | Pages about cats, excluding example.com |
| intitle:dogs | Page title includes the word "dogs" |
| inurl:cats | Page url includes the word "cats" |

Bing Operators

Most of the Google operators work in Bing. MS retired Bing's advanced search page.

| Operator | Description | Example |
| --- | --- | --- |
| ( ) | Just like Google, terms or operators grouped in parentheses are processed together and separate from other conditions | |
| OR | All Bing searches are treated as AND searches unless you specify OR between terms | goat OR pig OR cow |
| NOT | Exclude results with a specific term(s); the - symbol also works | boat NOT (raft OR ship) |
| loc: | Return pages from a specific region(s) | dogs (loc:GB OR loc:FR) |
| prefer: | Weight results in favor of a term | prefer:tomato plum apple |
| near:x | Words within x proximity of each other | red near:4 blue |
| ip: | Finds sites hosted on an IP address | ip:208.43.115.82 |
| site/domain: | Filter for a specific domain type | site:.gov confidential |
| feed: | Finds RSS feeds based on search terms | feed:osint |

Bing Adv. Search info: https://www.lifewire.com/bing-advanced-search-3482817

Yandex

Most standard Boolean operators work (Google operators) such as site: and "quotes".

| Operator | Description | Example |
| --- | --- | --- |
| lang: | Language filter | ccn lang:fr |
| mime: | Similar to filetype | mime:docx gdpr |
| date: | Page modified date | bombing date:20180416 |
| url: | Similar to site:, but adding a * to the end of the url pulls up any docs sharing that url | Alice url:en.wikiquote.org/wiki/* |

Special Operators: https://yandex.com/support/direct/keywords/symbols-and-operators.html

Baidu

Most standard Google operators work on Baidu. Consider using a proxy or VPN to appear in the target region.
- Adv. Search: https://www.baidu.com/gaoji/advanced.html
- In English: http://www.baiduinenglish.com/
- Search Tips: https://www.seomandarin.com/baidu-search-tips.html

Startpage

Startpage makes Google requests on your behalf (privacy). Most standard Google operators work.
- Adv. Search: https://www.startpage.com/en/advanced-search.html (click the icon in the search bar)
- Search Tips: https://support.startpage.com/index.php?/Knowledgebase/List/Index/1

Other International
- Int. Search: https://www.alexa.com/topsites/countries
- Colossus: http://www.searchenginecolossus.com/
- Occrp: https://data.occrp.org/
- UK: http://www.searchenginesindex.com/
- https://investigativedashboard.org/databases/

Twitter

Don't forget Google - "site:twitter.com keyword"
- Advanced Search: https://twitter.com/search-advanced
- Toolset: http://tweetbeaver.com/
- User Report: https://tinfoleak.com/
- Analytics: https://socialbearing.com/
- Analytics: https://analytics.mentionmapp.com/
- Analytics: https://foller.me
- Analytics: http://twiangulate.com/search/
- Older Posts: http://staringispolite.github.io/twayback-machine/
- Search: https://snapbird.org/
- Followers: https://doesfollow.com
- Video: https://twdown.net/
- Visualization: https://treeverse.app/
- Profile Changes: https://spoonbill.io/
- Mapping: https://onemilliontweetmap.com
- Offline Tool: drive:/tools/twitter.html
- Legal Requests: https://help.twitter.com/en/rules-and-policies/twitter-law-enforcement-support#19

Snapchat
- User Search: https://somesnapcode.com/
- User Search: https://www.snapdex.com/
- Loc Search: https://map.snapchat.com
- User Search: http://www.searchenginesindex.com/
- Legal Requests: https://storage.googleapis.com/snap-inc/privacy/lawenforcement.pdf

Facebook

Warning: Many of these tools may not function correctly as Facebook continues to kill graph search capability.
- FB Expand: http://com.hemiola.com/bookmarklet/
- Messenger: https://www.messenger.com/
- Mobile View: https://m.facebook.com/
- FB Videos: https://www.facebook.com/watch
- Video Download: https://www.fbdown.net/index.php
- Video Download: https://www.tubeninja.net/how-to-download/facebook
- NetBootcamp: http://netbootcamp.org/facebook.html (Warning: Netbootcamp.com does run tracking scripts)
- Research Tools: http://www.researchclinic.net/facebook/
- User -> ID: https://lookup-id.com/ (lookup-id.com runs some tracking scripts)
- Graph Search: https://inteltechniques.com/menu/pages/facebook.tool.html (Reminder: FB Graph Is Broken as of 8/2019)
- Graph Search: http://socmint.tools/graph.htm
- Graph Search: https://peoplefindthor.dk/
- Graph Search: https://pitoolbox.com.au/facebook-tool/
- Graph Search: https://searchisback.com/
- Graph Search: https://whopostedwhat.com/
- Graph Search: https://www.uk-osint.net/facebook.html
- Graph Search: https://github.com/sowdust/searchbook
- Graph Discussion: https://inteltechniques.com/blog/2019/08/02/the-privacy-security-osint-show-episode-133/
- Legal & Privacy: https://www.facebook.com/safety/groups/law/guidelines

Instagram
- User/Tag Search: https://www.yooying.com/search
- User/Tag Search: https://www.social-searcher.com/
- Hashtag Search: https://tagboard.com/
- Analyze Followers: https://hypeauditor.com/
- Location Search: https://www.osintcombine.com/instagram-explorer
- Search: https://mulpix.com/
- Media Capture: https://downloadgram.com/
- Media Capture: https://instasave.xyz/
- Downloader: https://www.4kdownload.com/products/product-stogram
- Profile Pic: https://instadp.net/
- Profile Pic: http://izuum.com/
- Stories: https://storiesig.com/
- Image/Video DL: https://instaview.me/
- User/Hashtag: http://picdeer.com/
- User/Hashtag: https://www.pictame.com/
- Offline Tool: drive:/tools/instagram.html

Reddit

Don't Forget Google - site:reddit.com keyword
- Topic Search: https://www.reddit.com/search?q=keyword
- User Search: https://www.reddit.com/user/username
- Analytics: https://pushshift.io/api-parameters/
- Archives: https://web.archive.org/web/*/https://www.reddit.com/user/username
- Offline Tool: drive:/tools/communities.html

TikTok
- https://www.ticktick.com
- Username Format: https://tiktok.com/@username
- Search: https://www.osintcombine.com/tiktok-quick-search
- Search & Download: https://vidnice.com/
- How To Android: https://www.wikihow.tech/Find-Friends-on-Tik-Tok-on-Android
- Downloader: https://en.savefrom.net/download-from-tiktok
- Video Capture: https://airmore.com/watch-tik-tok-pc.html
- Legal Requests: https://www.tiktok.com/en/law-enforcement

Site Archives

Searching pre-existing archives or requesting a capture.
- Wayback Machine: http://archive.org/web/
- Archive Today: http://archive.fo/
- How To - Bellingcat: https://www.bellingcat.com/resources/how-tos/2018/02/22/archive-open-source-materials/
- How To - Tech.co: https://tech.co/news/tools-to-help-you-search-the-archived-internet-2018-06
- Mass Archive Script: https://github.com/motherboardgithub/mass_archive

Capture/Collection Tools

Although not open-source, Hunch.ly remains my go-to, safety-net & collection tool. Hunch.ly's Report Builder Is Great To Build Off Of.
- Hunch.ly: https://hunch.ly/try-it-now https://hunch.ly/guides
- Screen Capture Extension: https://getfireshot.com/
- ShareX (Win): https://getsharex.com/
- Annotation: https://www.diigo.com/
- OneNote Clip: https://www.onenote.com/clipper
- Spiderfoot: https://www.spiderfoot.net/

Photo/Image Search

Reminder: we do not upload sensitive photos to the internet.
- Search/Reverse: https://images.google.com/
- Search/Reverse: https://tineye.com
- Search/Reverse: https://www.bing.com/images/
- Reverse Russia: https://www.yandex.com/images/
- Reverse Asia: http://images.baidu.com/
- Search: http://www.picsearch.com/
- Twitter Search: http://twipho.net/
- Flickr: https://www.flickr.com/map
- Exif: http://exif.regex.info/exif.cgi
- Edit Detection: http://www.errorlevelanalysis.com/
- Basic Forensics: https://fotoforensics.com/
- Text Recog.: https://www.newocr.com/
- Stolen Check: www.stolencamerafinder.com/

Video
- Extension: https://www.downloadhelper.net/
- Youtube-DL: https://github.com/ytdl-org/youtube-dl
- Extension: https://addons.mozilla.org/en-US/firefox/addon/video-downloader-profession/
- Screen Capture: https://www.techsmith.com/screen-capture.html
- Video Archives: https://archiving.witness.org/archive-guide/acquire/acquiring-raw-video-and-metadata/

Document Search

Google: "keyword AND ext:pdf OR ext:docx OR ext:txt OR ext:xlsx"
- https://psbdmp.ws
- http://www.findpdfdoc.com/
- http://cryptome.org
- https://www.base-search.net/
- http://megasearch.co

Maps/Locations
- https://www.google.com/maps
- https://www.osintcombine.com/social-geo-lens
- https://www.mapillary.com/
- https://openstreetcam.org
- https://ctrlq.org/maps/address/
- https://livingatlas.arcgis.com/wayback/
- https://www.gpsies.com/trackList.do
- https://www.zillow.com/

Documentation Tools
- OneNote: https://www.onenote.com
- Win Text Editor: https://notepad-plus-plus.org/
- Text Editor (Win, Mac, Linux): https://atom.io/
- VSCode: https://visualstudio.microsoft.com/
- Paliscope: https://www.paliscope.com (Free Standard Ed for LE)
- Zotero: https://www.zotero.org/
- Private Notes: https://app.standardnotes.org/
- Office Alternative: https://www.libreoffice.org/

OSINT Resource Lists

Collections curated by my favorite OSINT experts:
- OSINT.Team: https://osint.team/home (OSINT rocket chat group)
- Ph055a: https://github.com/Ph055a/OSINT-Collection#ph055as-osint-collection
- Bellingcat ToolKit: https://docs.google.com/document/d/1BfLPJpRtyq4RFtHJoNpvWQjmGnyVkfE2HYoICKOGguA/edit
- Sprp77: https://drive.google.com/drive/folders/1CBcemFdorkAqJ-Sthsh67OVHgH4FQF05
- Baywolf88: https://www.learnallthethings.net/osint-resources
- Sector035: https://medium.com/@sector035
- Justin Nordine: https://osintframework.com/
- Start.me's (Technisette, Bruno Mortier, Emmanuelle Welch, Travis Birch): https://start.me/p/7kxL6K/search-engines https://start.me/p/b56xX8/osint https://start.me/p/gyXexK/dating-apps-and-sites https://start.me/p/kx72n5/databases https://start.me/p/rxeRqr/aml-toolbox https://start.me/p/ZME8nR/osint
- Technisette: https://technisette.com/p/tools
- Phonexicum: https://phonexicum.github.io/infosec/osint.html#tools
- i-intelligence: https://www.i-intelligence.eu/wp-content/uploads/2018/06/OSINT_Handbook_June-2018_Final.pdf
- PI Links: https://diligentiagroup.com/due-diligence/101-investigative-links-for-digging-up-information-on-people/

"People" Search Engines

Real Name
- Don't Forget A Basic Google Search "[email protected]"
- TruePeopleSch: https://www.truepeoplesearch.com/
- Spokeo: https://www.spokeo.com/
- Thatsthem: https://thatsthem.com/
- Nuwber: https://nuwber.com/
- FamTreeNow: https://www.familytreenow.com/
- PeopelByNm: http://www.peoplebyname.com/
- UFind: http://ufind.name/
- PublicRcrds: https://publicrecords.directory/
- GoLookup: https://golookup.com/
- PMR: http://publicemailrecords.com/name listings
- Radaris: https://radaris.com/
- Cubib: https://cubib.com/
- ComLullar: http://com.lullar.com/
- Yasni: http://www.yasni.com/
- ZabaSearch (make a free account): https://www.zabasearch.com/
- Adv Background: https://www.advancedbackgroundchecks.com/
- FastPS: https://fastpeoplesearch.com/
- PeekYou: https://peekyou.com/
- Webmii: http://webmii.com/
- CvGadget: https://cvgadget.com/
- Classmates: https://www.classmates.com/
- Intelius: https://www.intelius.com/
- ZoomInfo: https://www.zoominfo.com/
- Spytox: https://www.spytox.com/
- 192 (UK): https://www.192.com/
- Offline Tool: drive:/tools/username.html

Email
- Don't Forget A Basic Google Search "[email protected]"
- HIBP: https://haveibeenpwned.com/ (may be premium soon)
- Verify: https://tools.verifyemailaddress.io/
- Verifalia: https://verifalia.com/validate-email
- Hunter.io: https://hunter.io/
- Mailtester: http://www.mailtester.com/testmail.php
- FindThatEmail: http://findthat.email/
- AnyMailFinder: https://anymailfinder.com/
- EmailMatcher: https://emailmatcher.com/
- US Search: https://www.ussearch.com/search/reverseemail/
- MetricSparrow: http://metricsparrow.com/toolkit/email-permutator/
- ThatsThem: https://thatsthem.com/reverse-email-lookup
- Spokeo: https://www.spokeo.com/email-search
- PsbDmp: https://psbdmp.ws/
- HackedEmails: https://hacked-emails.com/
- OCCRP: https://data.occrp.org/search?q=gmail.com
- Dehashed: https://dehashed.com/
- Hashes.org: https://hashes.org/leaks.php
- Gravatar: https://en.gravatar.com/site/check/
- ReverseGenie: http://www.reversegenie.com/searching=email
- ManyContacts: https://www.manycontacts.com/en/mail-check
- ComLullar: http://com.lullar.com/
- Offline Tool: drive:/tools/email.html
- Basic Guide: https://www.blurbiz.io/blog/the-most-complete-guide-to-finding-anyones-email

OSINT Flow Charts: https://www.dfir.training/osint

User Names
- Knowem: https://knowem.com/checksocialnames.php?u=
- NameChk: https://namechk.com/
- NameCheckr: https://www.namecheckr.com/
- NameVine: https://namevine.com/
- UserSearch: https://usersearch.org/
- UserSherlock: http://usersherlock.com/
- Soc Searcher: https://www.social-searcher.com/
- Tinder: https://www.gotinder.com/@user
- Amazon: https://www.google.com/search?q=site%3Aamazon.com+%22name%22
- SocialCatfish: https://socialcatfish.com/reverse-username-search/
- WhatsMyName: https://github.com/webbreacher/whatsmyname
- Sherlock: https://github.com/sherlock-project/sherlock
- Offline Tool: drive:/tools/username.html

Classifieds
- Ebay: https://www.ebay.com/
- Fatfingers: http://fatfingers.com/default.aspx
- Flippity: http://www.flippity.com/
- Kijiji: https://www.kijiji.ca/
- SearchAllJunk: http://www.searchalljunk.com/
- SearchTempest: https://www.searchtempest.com/
- NotiCraig: https://noticraig.com/
- Oodle: https://www.oodle.com/local/burien-wa/
- Offerup: https://offerup.com/
- Craigslist: https://craigslist.org
- Offline Tool: drive:/tools/communities.html

Phone Numbers

For phone #s consider gov/paid options (OSINT is limited).
- Zaba: https://www.zabasearch.com/reverse-phone-lookup/
- USPhoneBook: https://www.usphonebook.com/
- Twilio: https://twilio.com/lookup
- TruePeopleSearch: https://www.truepeoplesearch.com/#
- FoneFinder: http://www.fonefinder.net/
- ThatsThem: https://thatsthem.com/
- TrueCaller: https://www.truecaller.com/
- Whitepages: https://www.whitepages.com/reverse-phone | Reverse Phone Lookup
- 411: https://www.411.com/reverse-phone
- Carrier: https://freecarrierlookup.com/
- Carrier: https://www.nationalnanpa.com/reports/reports_cocodes.html
- Carrier: https://carrierlookup.com/
- SpyDialer: https://www.spydialer.com/
- Searchbug: https://www.searchbug.com/tools/
- NumberGuru: https://www.numberguru.com/phone/
- ReverseGenie: http://www.reversegenie.com/
- YellowPages: https://people.yellowpages.com/whitepages/?re=SP people search
- Spokeo: https://www.spokeo.com/reverse-phone-lookup
- PhoneValidator: https://www.phonevalidator.com/index.aspx
- CallerIDTest: https://www.calleridtest.com/
- IMEI: https://www.imei.info/
- IMEI24: https://imei24.com/phone base/
- Sync: https://sync.me/
- Infobel: https://www.infobel.com/
- DialingCode: http://www.dialingcode.com/
- OpenCnam: https://www.opencnam.com/
- TeleFoonGids: https://telefoongids.2link.be/
- ServiceObjects: https://www.serviceobjects.com/developers/lookups/geophone-plus
- WTNG: http://www.wtng.info/index.html
- SeanLawson: https://www.seanlawson.net/2019/02/use-chrome-developer-tools-view-masked-phone-numbers-for-free-people-search/
- Offline Tool: drive:/tools/phone.html

Domains/IPs
- Censys: https://censys.io
- IntelX: https://intelx.io
- Domaintools: https://www.domaintools.com/
- CentralOps: https://centralops.net/co/
- Whoxy: https://www.whoxy.com/
- IPLocation: https://www.iplocation.net/
- DNSLytics: https://dnslytics.com/reverse-ip
- Randhome: https://www.randhome.io/blog/2018/02/23/harpoon-an-osint-/-threat-intelligence-tool/
- CrimeFlare: http://crimeflare.org:82/
- Spyonweb: http://spyonweb.com/
- Pub-DB: http://pub-db.com/
- Whoisology: https://whoisology.com/
- Visualping: https://visualping.io/
- WatchThatPage: http://watchthatpage.com/
- PentestTools: https://pentest-tools.com/information-gathering/find-subdomains-of-domain#
- SharedCount: https://www.sharedcount.com/
- SmallSEO: https://smallseotools.com/backlink-checker/
- SimilarWeb: https://www.similarweb.com/
- Alexa: https://www.alexa.com/siteinfo/inteltechniques.com
- Hunter.io: https://hunter.io/
- ViewDNS: https://viewdns.info/
- Robtex: https://www.robtex.com/?=
- Majestic: https://majestic.com/
- D-Me: http://d-me.info/
- Netcraft: https://www.netcraft.com/
- DomainBigData: https://domainbigdata.com/
- DNS Dumpster: https://dnsdumpster.com/
- Inteltechniques: https://inteltechniques.com/blog/2018/04/24/searching-subdomains-with-findsubdomains-com/
- IP6Locator: http://ipv6locator.net/
- Maxmind: https://www.maxmind.com/en/home
- IP2Location: https://www.ip2location.com/demo/
- IPFingerprints: https://www.ipfingerprints.com/
- ThatsThem: https://thatsthem.com/reverse-ip-lookup
- Netbootcamp: https://netbootcamp.org/websitetool.html
- Shodan: https://www.shodan.io/
- Offline Tool: drive:/tools/ip.html

Vehicles
- CarOwners: https://carsowners.net
- NICB: https://www.nicb.org/vincheck
- OReilly: https://www.oreillyauto.com/
- Carvana: https://www.carvana.com/
- CheckThatVIN: https://checkthatvin.com/ctv#/home
- CarFax: https://www.carfax.com/processQuickVin.cfx
- VehicleHistory: https://www.vehiclehistory.com/license-plate-search
- Offline Tool: drive:/tools/vehicles.html

|

drive:/tools/domain.html

Business & Organizations
Google: resume AND "real name"
OpenCorp: https://opencorporates.com/
Rocketreach: https://rocketreach.co/
OCCRP: https://data.occrp.org/
CorpWiki: https://www.corporationwiki.com/
Recruitin: https://recruitin.net/
Indeed: https://www.indeed.com/
CEOmail: https://ceoemail.com/
AihitData: https://www.aihitdata.com/
Glassdoor: https://www.glassdoor.com/Reviews/index.htm
LittleSis: https://littlesis.org/
OpenSanctions: https://docs.alephdata.org/data-commons/sanctions
Funding Universe: http://www.fundinguniverse.com/company-histories/
Enigma: https://public.enigma.com/browse/collection/corp-watch-company-subsidiaries/
Angel: https://angel.co/
RipoffReport: https://www.ripoffreport.com/
Sector035's Guide: https://medium.com/@sector035/gathering-company-intel-the-agile-way-6db12ca031c9

LinkedIn
Google: site:linkedin.com inurl:pub -inurl:dir "at Microsoft" "Current"
Google: site:linkedin.com "Real Name"
User Query: https://gitlab.com/initstring/linkedin2username
Email Query: https://github.com/pry0cc/GoogLinked
Breach Data: https://archive.org/details/LIUsers.7z
Offline Tool: drive:/tools/linkedin.html

Misc. Tools & Tricks
Efficiency and organizational tools that I use:
Better Windows File Search: https://www.voidtools.com/
Synced Notes: https://www.onenote.com
Encrypted Coms: https://signal.org/
Encrypted Coms: https://wire.com/en/
Encrypted Email: https://protonmail.com/ (use the free tier for burner/seed accounts)
Hotkey Panel: https://www.elgato.com/en/gaming/stream-deck
NAS/Local Cloud: https://www.synology.com/en-us
Screen Capture: https://www.techsmith.com/store/snagit
Screen Capture: https://getfireshot.com/buy.php (pro supports multipage PDF)
Paper Notebooks: https://moleskine.com
Veracrypt: https://www.youtube.com/watch?v=cxo8xosH_TI (Veracrypt containers are ideal for archiving cases or placing them on flash media for delivery to clients.)
Tech Issues: https://stackoverflow.com/ (Aside from Googling your tech issues, Stack Overflow has discussion on just about any desktop or software issue.)
Legal requests: https://www.search.org/resources/isp-list/

Discord & Gaming
Discord Search: https://www.discordportal.com/
Discord Search: https://discordservers.com/
Discord Search: https://discord.center/
Discord Search: https://disboard.org/
Discord Search: https://discord.me/
Discord Search: https://support.discordapp.com/hc/en-us/articles/115000468588-Using-Search
Discord Capture: https://dht.chylex.com/ (Discord History Tracker)
Twitch: https://www.twitchtools.com/
Fortnite: https://fortnitetracker.com/profile/search?q=
PSN: https://psnprofiles.com/search/
Mixer: https://www.lifewire.com/what-is-mixer-4156866
Steam: https://steamrep.com/ or https://steamid.uk/

Speed Tricks
Saving a few seconds here and there adds up over time.
Context Search: https://github.com/ssborbis/ContextSearch-web-ext
Add As Search Engine: https://www.wired.com/2014/07/tip-week-chrome-site-search/
Default to Last Year: https://thepracticalsysadmin.com/defaulting-google-search-results-to-the-past-year/
CTRL+C: Copy the selected item
CTRL+V: Paste the selected item
CTRL+A: Select all items in a window
CTRL+F: Find search term

Virtual Machines
Follow written steps verbatim when installing VMs.
Virtualbox: https://www.virtualbox.org/wiki/Downloads
VBox Extensions: https://download.virtualbox.org/
Ubuntu LTS: https://ubuntu.com/#download
Kali Linux: https://www.kali.org/downloads/
Tails: https://tails.boum.org/
Update Linux: sudo apt-get update && sudo apt-get upgrade
Update Youtube-DL: sudo -H pip install --upgrade youtube-dl
Common Error: Make sure virtualization is enabled in BIOS settings.
Host Key: Win - Right Control Key; Mac - Left Command Key
VBox Scale Issues: host + f to switch to full screen mode if not yet; host + c to switch to/out of scaled mode; host + f to switch back to normal size if needed.
IntelTechniques Book7 Links: https://inteltechniques.com/osintbook/

Common Missteps
• Methodology is more important than tools or techniques because those things change. Invest in defining a strong process.
• Failure to use non-OSINT approaches and strategies, i.e. social engineering (consider a friendly phone call).
• Are you signed into a live session for the platform you are querying? i.e. make sure you are signed into FB in another tab.
• Including a space at the end when pasting an account ID or other keyword into a query form field.
• Do you have script blockers that might be preventing data from loading on a page? (i.e. Privacy Badger, uBlock, Ghostery)
• Location. Your search results are being skewed by your perceived location; consider using a VPN to "relocate".
• Start looking at page source to see what is going on behind the scenes. If you only look at the GUI, you are missing a lot.
• Tenacity wins the day. Most answers are not going to fall into your lap. Patience and persistence above all else.

More OSINT Resources
Bellingcat Toolkit: https://docs.google.com/document/d/1BfLPJpRtyq4RFtHJoNpvWQjmGnyVkfE2HYoICKOGguA/
OSINT.Team Collection: https://github.com/Ph055a/OSINT-Collection
I-Intelligence Collection: https://www.i-intelligence.eu/wp-content/uploads/2018/06/OSINT_Handbook_June-2018_Final.pdf
OSINT Techniques: https://www.osinttechniques.com/osint-tools.html
@sector035: https://medium.com/@sector035
@baywolf88: https://www.learnallthethings.net/creepyosint
OSINT Curious 10 Minute Tips: https://osintcurio.us/10-minute-tips/
Digital Intelligence Training mind map: https://atlas.mindmup.com/digintel/digital intelligence training/index.html
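The searches on this cheat sheet (the Amazon and LinkedIn dorks, the reverse phone and email lookups) are all built from a handful of seed selectors, and the Common Missteps list above points out how a trailing space pasted into a query field silently breaks an exact-match search. The following added example, which is not part of the notebook or its custom offline tools, normalizes the raw seeds first (whitespace stripped, email lower-cased, phone reduced to E.164 and to the NPA-NXX that the NANPA central office code report is keyed on, leading @ removed from a username) and then emits percent-encoded Google URLs in the same shape as the cheat sheet's own links. The seed values are constructed sample data.

```python
"""Selector normalisation and search-URL generation for a set of seed identifiers.

Added example (not part of the original notebook or its custom tools): turns raw
seed identifiers into clean selectors and emits the kind of search-engine dork
URLs the cheat sheet lists by hand.
"""
import re
from urllib.parse import quote_plus

# Constructed sample seeds; the trailing spaces and mixed case are deliberate,
# to show the clean-up the "Common Missteps" list warns about.
SEEDS = {
    "email": "  James.McIntire@Example.com ",
    "phone": "(303) 555-0142 ",
    "username": "@jmcintire ",
    "name": "James McIntire ",
}


def normalize_email(value: str) -> str:
    """Strip whitespace and lower-case; a trailing space breaks exact-match queries."""
    value = value.strip().lower()
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", value):
        raise ValueError(f"not an email address: {value!r}")
    return value


def normalize_phone(value: str, default_country: str = "1") -> dict:
    """Reduce a North American number to digits, E.164 and its NPA-NXX.

    NPA-NXX (area code + exchange) is the key used by the NANPA central office
    code report the cheat sheet links for carrier lookups.
    """
    digits = re.sub(r"\D", "", value)
    if len(digits) == 10:
        digits = default_country + digits
    if len(digits) != 11 or not digits.startswith("1"):
        raise ValueError(f"not a 10/11-digit NANP number: {value!r}")
    national = digits[1:]
    return {
        "e164": "+" + digits,
        "national": national,
        "npa": national[:3],
        "nxx": national[3:6],
        "npa_nxx": national[:3] + "-" + national[3:6],
    }


def normalize_username(value: str) -> str:
    """Drop the leading @ and surrounding whitespace."""
    return value.strip().lstrip("@")


def google_url(query: str) -> str:
    """Percent-encode a query the way the cheat sheet's Google links are built."""
    return "https://www.google.com/search?q=" + quote_plus(query)


def build_queries(seeds: dict) -> dict:
    """Return named search URLs for the normalised selectors."""
    email = normalize_email(seeds["email"])
    phone = normalize_phone(seeds["phone"])
    user = normalize_username(seeds["username"])
    name = seeds["name"].strip()
    local = phone["national"][6:]
    dashed = f'{phone["npa"]}-{phone["nxx"]}-{local}'
    return {
        "email_exact": google_url(f'"{email}"'),
        "name_amazon": google_url(f'site:amazon.com "{name}"'),
        "name_linkedin": google_url(f'site:linkedin.com "{name}"'),
        "name_resume": google_url(f'resume AND "{name}"'),
        "username_exact": google_url(f'"{user}"'),
        # Phone numbers are written many ways; OR the common formats together.
        "phone_variants": google_url(
            f'"{phone["national"]}" OR "{dashed}" OR "{phone["e164"]}"'
        ),
    }


if __name__ == "__main__":
    for label, url in build_queries(SEEDS).items():
        print(f"{label:16s} {url}")
```

The normalizers raise on malformed input rather than guessing, so a mis-pasted selector is caught before it is run against twenty sites. Swap in other engines (Bing, DuckDuckGo) by changing the base URL in `google_url`; the encoding is the same.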

Operational Security - Browsers
Browser, Session, and Site Tests
Device Fingerprint: https://panopticlick.eff.org/
Browser Fingerprint: https://amiunique.org/fp
Browser Fingerprint: https://www.deviceinfo.me/
Browser Fingerprint: https://browseraudit.com
Browser Fingerprint: https://browserleaks.com/
Browser Fingerprint: https://pixelprivacy.com/resources/browser-fingerprinting/
Browser Fingerprint: https://detectmybrowser.com/
IP Leaks: https://ipleak.net
DNS Leaks: https://www.dnsleaktest.com/
Email Leaks: https://www.emailprivacytester.com
Site Privacy Test: https://webbkoll.dataskydd.net/en/
Privacy Resources: https://inteltechniques.com/links.html

Operational Security - Windows
Recommended Tools For Windows Security
Create Non-Privileged User: https://support.microsoft.com/en-us/help/4026923/windows-10-create-a-local-user-or-administrator-account
Anti-Virus: https://www.microsoft.com/en-us/windows/comprehensive-security
Anti-Malware: https://www.malwarebytes.com/mwb-download/
Anti-Spyware: https://www.safer-networking.org/
Windows Privacy: https://ssd.eff.org/en/module/how-delete-your-data-securely-windows
Win10 Privacy: https://www.thewindowsclub.com/privatewin10-advanced-windows-10-privacy-tool
Win10 Privacy: https://fdossena.com/?p=w10debotnet/index_1903.frag
Check Your Microsoft Data: https://account.microsoft.com/account/privacy
Network Activity: https://www.glasswire.com/
Password Manager: https://keepassxc.org/
Cleaner: https://www.bleachbit.org/download/windows
Cleaning Manually: https://www.makeuseof.com/tag/best-way-clean-windows-10-step-step-guide/

OSINT METHODOLOGY 101
BUILDING AN EFFICIENT, REPEATABLE, AND ARTICULABLE PROCESS

Basic Investigative Steps
1. Set up your notetaking and data collection to track your work: paper notebook, OneNote, Hunch.ly, directory on an encrypted flash drive, etc.
2. List your investigative goals: full profile, locate for apprehension, identify associates, collect digital evidence, etc. (Are you collecting intel, or evidence for court?)
3. List your seed info: emails, phone numbers, names, etc.
4. Run all your paid and/or gov queries and use those to add to your seed information. If possible, get hold of a booking or DOL photo for comparison while researching social media.
5. Run Accurint (LexisNexis), TLO, or Clear reports.
6. Fire up Chrome with your plugins of choice (uBlock, HTTPS Everywhere, JSON viewer, Fireshot, OneTab), or use your prebuilt custom OSINT VM.
7. If it is likely going to be a full investigation, I turn on Hunch.ly and enter my "selectors" (keywords from seed info).
8. I do a quick Google search and check my people finder site of choice for that week, e.g. ["James McIntire" "Denver"], and run the name through my custom offline tools. Use the custom tools page that matches your known identifier, so if you have an email address, use Email.html. This first dive is a fast-moving search for low-hanging fruit.
9. My typical order is email, real name, search engines, Twitter, Facebook, Instagram, phone number, and then the rest depending on what you have to go on.
10. I exhaust Google and my custom tools, closing any tabs that return false positives or no useful results. For any page that is important I note the identifiers (account IDs, usernames, etc.) in my case notes and screen capture the page.
11. Screen captures are saved in the case directory and/or in a digital notebook such as OneNote. On a case with multiple targets, create subfolders for each person of interest.
12. When I am done with my research I copy/paste pertinent information and identifiers into a profile or case report (for template examples see the documentation module). I embed or attach any pertinent screen captures, PDFs (such as LexisNexis reports), and photos (anything depicting the individuals, vehicles, or addresses).
13. I go over that report with the case detective or agent to explain my investigation and see if they have any questions. This is their opportunity to get clarifications and request additional intelligence.
14. My rough notes, workbooks, Hunch.ly files, and/or cloned VMs are usually saved in an archive in case I need them for further investigation or court. The exceptions to this are missions such as intel gathering for operations, events, threat assessments, etc. A Hunch.ly export might be burned to disc as evidence, but be cautious of any unintended data that might have been inadvertently saved during that session. The VM backup should not go into evidence as it would divulge tradecraft. Treat it as an undercover laptop that you can refer to but avoid exposing unless you are forced to (work with your prosecutor to fight this). If you do not need that VM for court, do not keep it (hoarding data comes with custodial responsibilities and potential liabilities). Develop a routine for housekeeping your case archives and investigative workstations. Your agency likely has retention policies and you should review them.
15. I make sure I have a fresh VM for the next case or crisis that comes up. I also make new accounts to have in pocket in case any of my research accounts were burned. Better to prepare for the next case at the end of the previous one and be ready to go at a moment's notice. Not every mission justifies a VM; you'll find your own workflow and threshold for deploying advanced tools.
16. Wash, rinse, repeat. Track successes to justify more equipment, staffing, and training.

Note: My standard setup is an off-grid Windows PC on a UC cable modem or MiFi (VPN as appropriate). For quick checks such as events, threats, etc. I stay in Windows and just use Chrome/Firefox and my custom tools. This is for convenience and speed with less fuss when there is less of a need for compartmentalization, security, and/or anonymity. For investigations I typically use my custom OSINT VM and fresh research accounts. Quick utility vs. backstopped single purpose: use the right tool for each mission. If you don't have a set of custom OSINT tools and VM, you will by the end of this training. We will build them together, which means you will understand what they are doing and be able to keep them working even if Michael and I disappear.
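Steps 1, 10, 11 and 14 above come down to one habit: every capture goes into a predictable case directory, one subfolder per person of interest, and the archive you hand to a detective or prosecutor must be shown to be the same bytes you captured. The following added example, not part of the notebook or of Hunch.ly, scaffolds that directory layout, writes each capture with its SHA-256 and source URL into a manifest, and re-verifies the manifest before the case is archived or burned to disc. The folder names, the `manifest.jsonl` format and the sample capture bytes are this example's own choices.

```python
"""Case directory scaffold and SHA-256 capture manifest.

Added example, not part of the original notebook: creates the case directory the
methodology describes (one subfolder per person of interest) and records a hash
manifest so that screenshots and PDFs attached to a report can be shown unaltered.
Directory names and manifest layout are this example's own choices.
"""
import hashlib
import json
from datetime import datetime, timezone
from pathlib import Path

SUBJECT_DIRS = ("captures", "reports", "notes")
MANIFEST_NAME = "manifest.jsonl"


def create_case(root: Path, case_id: str, subjects: list[str]) -> Path:
    """Create <root>/<case_id>/<subject>/{captures,reports,notes} for each POI."""
    case_dir = root / case_id
    for subject in subjects:
        for sub in SUBJECT_DIRS:
            (case_dir / subject / sub).mkdir(parents=True, exist_ok=True)
    return case_dir


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large PDFs and videos do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def record_capture(case_dir: Path, subject: str, filename: str,
                   data: bytes, source_url: str) -> dict:
    """Save a capture under the subject's folder and append its hash to the manifest."""
    path = case_dir / subject / "captures" / filename
    path.write_bytes(data)
    entry = {
        "subject": subject,
        "file": path.relative_to(case_dir).as_posix(),
        "sha256": sha256_file(path),
        "source": source_url,
        "captured_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }
    with (case_dir / MANIFEST_NAME).open("a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry) + "\n")
    return entry


def verify_manifest(case_dir: Path) -> list[str]:
    """Return manifest entries whose file is missing or whose hash no longer matches."""
    bad = []
    for line in (case_dir / MANIFEST_NAME).read_text(encoding="utf-8").splitlines():
        entry = json.loads(line)
        path = case_dir / entry["file"]
        if not path.exists() or sha256_file(path) != entry["sha256"]:
            bad.append(entry["file"])
    return bad


if __name__ == "__main__":
    import tempfile
    case = create_case(Path(tempfile.mkdtemp()), "2022-0001", ["poi_smith", "poi_jones"])
    # Constructed sample capture; in practice this is the screenshot or PDF bytes.
    record_capture(case, "poi_smith", "fb_profile.png",
                   b"constructed sample screenshot bytes", "https://example.com/profile")
    print("manifest ok" if not verify_manifest(case) else "manifest mismatch")
```

Run `verify_manifest` again just before you hand over the archive and once more when it is pulled back out of storage; a non-empty result means a file was changed or lost after capture and should be re-collected rather than attached.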

ACCOUNT CREATION 101
BUILDING AN EFFICIENT, REPEATABLE, AND ARTICULABLE PROCESS

Building Reliable Research Accounts
This is a list of recommended steps for creating investigative/research social media accounts. These are largely based on feedback from our community and their experiences with having their accounts locked or suspended. Where applicable, steps are in order of preference in regards to successfully avoiding security challenges.

Equipment Setup
It may seem simple, but the equipment and connection you are on matters.
1. Avoid VPNs during account creation; most of their IP ranges are flagged.
2. MiFi's or dynamic IP devices work quite well for account creation.
3. Public networks (Starbucks Wi-Fi), but be aware that you are being exposed and cross-correlated with other users on that network.
4. Phone #: A real non-VOIP phone number will save you a lot of hassle; we recommend a $5 Mint SIM card kit paired with an unlocked smart phone (mintmobile.com).
5. Online Footprint: "Google" your name and employer. Print the first two pages of results and include this in your binder as the "low hanging fruit" of personal data.

Covert Accounts
1. We usually make FB, IG, and Twitter at once and tie them in as one covert profile. Each adds depth and veracity to the others (intentional cross correlation).
2. Keep notes on your covert details either in a paper notebook or a digital format like a password manager or spreadsheet, having your security requirements in mind.
3. If it is a sensitive or deep infiltration case make sure to compartmentalize this profile from the get-go (connection, browser, device (use a VM to isolate), etc.).
4. Connection:
   a. No VPN during account creation; most VPN IP blocks are flagged.
   b. Cellular data connections (MiFi's) are good: dynamic/shared IPs.
   c. Another technique is to get a free-tier AWS EC2 or Digital Ocean VM and use it to make the account, as then you will have an AWS IP. This is more advanced but works pretty well if you are comfortable with VMs and learning to navigate AWS. Some groups even run full investigative VMs on AWS, but again this is a more advanced setup that takes some work to sort out.
   d. Another advanced technique is to roll your own VPN through AWS, as the providers tend not to flag AWS: https://github.com/StreisandEffect/streisand
5. Email Address:
   a. No Gmail, Hotmail, Yahoo, or other top free mail (GMX is an exception for now).
   b. Private domains work best; grab a Namecheap or GoDaddy domain and webmail for cheap and make a bunch of accounts with them.
   c. GMX, Fastmail, and Protonmail addresses work OK, not as good as a private domain though.
6. Phone #:
   a. You might get lucky and not get the phone number requirement, but sometimes it won't require it at first and then a couple of hours or days in it will throw it at you as a security requirement.
   b. No VOIP; most number blocks are flagged.
   c. Mint test kits and an unlocked phone are a cheap way to get 7 days on a real number.
      1. Make sure you have Mint coverage in your area.
      2. https://www.mintmobile.com/
      3. You might then port the number over to Google Voice.
      4. Some groups buy these in bulk.
   d. You can also use an extra # on a real account (i.e. Verizon) and then port it over to Google Voice and then draw a new # for that Verizon account.
   e. Some people will also use hotel phones and the like when traveling to roll accounts, but that is kind of a pain I think and a roll of the dice. That sort of taking advantage of public #s as you find them works fine for individuals but not so much for orgs.

ACCOUNT CREATION (CONT.)
7. Once we get into our new account, we do not leave it fallow; start making it feel real right away.
8. Choose a name that is generic, but not too generic.
   a. i.e. Nicky Robinson, Hunter Reynolds, etc.
   b. http://howmanyofme.com/
9. Name, gender, city, employer (school) should make sense. Remember a real person at FB will likely look at your profile if it is reported as suspicious; we want to pass the smell test.
10. Profile/cover photo:
   a. We don't ever purport to be a specific individual without consent (i.e. no identity theft).
   b. Pikwizard.com: good source for free-for-anything licensed photos.
   c. Pixabay.com is also decent.
   d. Avatar makers are another option: https://mashable.com/2007/09/12/avatars/#mn3Ph1PwgZqi
   e. fiverr.com: you can buy profile photos for cheap, or anything else really. Avoid buying bulk accounts; they are often locked, scams, or stolen.
   f. I also like taking a pic from images.bing.com of a large crowd (road race, sporting event, concert), using the snip tool to crop it, and then posting the still-large group shot. It's unclear who we are in the group and yet it's the kind of content people post for profiles or banners, because the internet is all about bragging.
   g. Get creative. General rule is snip, crop, filter, logical pic choice.

1. Time to flesh out our profile by making some friends.
   a. Join groups: anything that has large groups that accept anyone.
   b. Nerdy groups and pop culture are my favs: video games, cosplay (because then costumed profiles make sense), etc.
   c. If you are doing a deep infiltration you may have to research your target's groups. Don't join her/his groups directly; join similar ones and work your way in slowly after you have some history.
   d. Do some liking and commenting in groups for a day or two.
   e. Then go to https://www.facebook.com/find-friends/browser/ and let FB recommend friends. We never cold call friends anymore; we let FB tell us who it's already cross-correlated with our profile. This reduces the chances of getting flagged significantly.
2. Posts: August 1st Facebook cut off all 3rd-party app access except for Messenger or FB pages. We formerly used IFTTT and WordPress to auto-post but they are broken for now. IFTTT still works for Twitter.
3. Avoid political chat and comments. Politics and social issues are high on the radar of the FB watchdogs due to the fake news and voter tampering concerns.
4. Keep track of covert accounts in a spreadsheet or, better yet, a password manager.
5. SIM jacking Twitter accounts is very popular, so use long passphrases even on your sock accounts and consider 2-factor if they are mature or otherwise valuable accounts.
6. Know your agency's policies around things like friending and any levels of approval or documentation required.
7. ...and of course, we always use our powers for good, so we always assume that our investigation will eventually see the light of day. Make sure you are proud of how your activity will look in retrospect to an objective 3rd party in regard to reasonable and responsible

Note: This is purely anecdotal, but in addition to "getting into character" and making our accounts feel real, I suspect that there may be some value to occasionally clicking on ads and other content that the platform is pushing at you. This is not a privacy/security best practice, but there are detection algorithms that may favor revenue-positive accounts. Again, this is just a theory.

REPORTING
SAMPLE COVER/FACE SHEET

LOGO HERE

Company/Org Name Section or Analyst Name

Open Source Investigative Profile Summary of Findings

Subject ID Name:

DOB:

Address:

Phone #1: Phone #2:

Employer:

SS#:

Vehicles:

Relatives:

Alternate Identities and Associations
Email #1:
Email #2:
Email #3:
Email #4:
User Name #1:
User Name #2:
Facebook:
FB #:
Twitter:
TW #:
Instagram:
IG #:

Photos/Video
☐ Photos    Description:    Source:
☐ Video     Description:    Source:

Attachments
☐ Excel Profile Report
☐ Link Analysis Report
☐ Data Source DVD
☐ Comprehensive TLO, Clear, Accurint Report
☐ Hunch.ly Archive
☐ Photographs
☐ DOL/GOV Checks
☐ Other: ____________________

SHORTCUTS & HOT-KEYS
COMPLETING 1,000 SMALL TASKS A LITTLE FASTER

Windows Shortcut Keys
Windows Key + R: Opens the Run menu.
Windows Key + E: Opens Explorer.
Alt + Tab: Switch between open programs.
Windows Key + Up Arrow: Maximize current window.
Ctrl + Shift + Esc: Open Task Manager.
Windows Key + Break: Opens the System Properties dialog box.
Windows Key + F: Opens search for files and folders.
Windows Key + D: Hide/display the desktop.
Alt + Esc: Switch between programs in the order they were opened.
Alt + Letter: Select menu item by underlined letter.
Ctrl + Esc: Open Start menu.
Ctrl + F4: Close active document (does not work with some applications).
Alt + F4: Quit active application or close current window.
Alt + Spacebar: Open menu for active program.
Ctrl + Left or Right Arrow: Move cursor forward or back one word.
Ctrl + Up or Down Arrow: Move cursor forward or back one paragraph.
F1: Open Help menu for active application.
Windows Key + M: Minimize all windows.
Shift + Windows Key + M: Restore windows that were minimized with the previous keystroke.
Windows Key + F1: Open Windows Help and Support.
Windows Key + Tab: Open Task View.
Windows Key + X: Open the Quick Link menu (shut down, sign out, or open admin tools from here).
Windows Key + L: Lock your workstation.
Hold Right Shift key for eight seconds: Switch FilterKeys on and off.
Left Alt + Left Shift + Print Screen: Switch High Contrast on and off.
Left Alt + Left Shift + Num Lock: Switch Mouse Keys on and off.
Press Shift five times: Switch Sticky Keys on and off.
Hold Num Lock for five seconds: Switch Toggle Keys on and off.
Ctrl + Tab: Switch between program groups.
F11: Maximize window.
Ctrl + A: Select text (expanded with Windows 10).
Ctrl + C: Copy text.
Ctrl + V: Paste text.
Win + R, then type 'cmd': Open a Command Prompt.
Tab: Autocomplete folder or file name.
Source: www.quinnssmtbrand.com/windows-keyboard-shortcut/

Shortcuts for Mac
Command + X: Cut selected text and copy it.
Command + C: Copy selected text.
Command + V: Paste copied text.
Command + Z: Undo previous command.
Command + A: Select all items.
Command + F: Open Find window to search text.
Command + H: Hide windows of the front app.
Command + N: Open a new document or window.
Command + O: Open a selected item.
Command + P: Print current document.
Command + S: Save current document.
Command + W: Close front window.
Command + M: Minimize the front window to the Dock.
Command + Spacebar: Open Spotlight search field.
Command + Tab: Switch between open apps.
Command + I: Italicize selected text.
Command + U: Underline selected text.
Command + B: Bold selected text.
Option + Command + Esc: Choose an app to force quit.
Shift + Command + Tilde (~): Switch between open windows.
Command + Q: Quit the app.
Command + Semicolon (;): Find misspelled words in document.
Shift + Command + 3: Take a screenshot.
Fn + Up Arrow: Scroll up one page.
Fn + Down Arrow: Scroll down one page.
Fn + Left Arrow: Scroll to beginning of document.
Fn + Right Arrow: Scroll to end of document.

Finder Shortcuts
Shift + Command + K: Open Network window.
Option + Command + L: Open Downloads folder.
Shift + Command + F: Open All My Files window.
Shift + Command + O: Open Documents folder.
Shift + Command + U: Open Utilities folder.
Option + Command + D: Show or hide the Dock.
Shift + Command + N: Create a new folder.
Command + Delete: Move selected item to the Trash.
Shift + Command + Delete: Empty Trash.

Chrome Shortcut Keys
Alt+Home: Open your homepage.
Alt+Left Arrow: Back a page.
Alt+Right Arrow: Forward a page.
F11: Display the current website in full-screen mode. Pressing F11 again will exit this mode.
Esc: Stop the page or a download from loading.
Ctrl+(- or +): Zoom in or out of a page; "-" will zoom out and "+" will zoom in.
Ctrl+1-8: Pressing Ctrl and any number 1 through 8 moves to the corresponding tab in your tab bar.
Ctrl+9: Switch to the last tab.
Ctrl+0: Reset browser zoom to default.
Ctrl+Enter: Quickly complete an address. For example, type "computerhope" in the address bar and press Ctrl+Enter to get https://www.computerhope.com.
Ctrl+Shift+Del: Open the Clear browsing data window to quickly clear private data.
Ctrl+Shift+B: Toggle the bookmarks bar between hidden and shown.
Ctrl+A: Select everything on a page.
Ctrl+D: Add a bookmark for the page currently opened.
Ctrl+F: Open the "find" bar to search text on the current page.
Ctrl+O: Open a file in the browser.
Ctrl+Shift+O: Open the Bookmark manager.
Ctrl+H: Open browser history in a new tab.
Ctrl+J: Display the downloads window.
Ctrl+K or Ctrl+E: Move your text cursor to the omnibox so that you can begin typing your search query and perform a Google search.
Ctrl+L: Move the cursor to the browser address bar and highlight everything in it.
Ctrl+N: Open a new browser window.
Ctrl+Shift+N: Open a new window in incognito (private) mode.
Ctrl+P: Print current page or frame.
Ctrl+R or F5: Refresh the current page or frame.
Ctrl+S: Open the Save As window to save the current page.
Ctrl+T: Open a new tab.
Ctrl+U: View a web page's source code.
Ctrl+W: Close the currently selected tab.
Ctrl+Shift+W: Close the currently selected window.
Ctrl+Shift+T: Reopen the last tab you've closed. If you've closed multiple tabs, press this shortcut multiple times to restore each of the closed tabs.
Ctrl+Tab: Move through each of the open tabs going to the right.
Ctrl+Shift+Tab: Move through each of the open tabs going to the left.
Ctrl+Left-click: Open a link in a new tab in the background.
Ctrl+Shift+Left-click: Open a link in a new tab and switch to the new tab.
Ctrl+Page Down: Open the browser tab to the right.
Ctrl+Page Up: Open the browser tab to the left.
Spacebar: Move down a page at a time.
Shift+Spacebar: Move up a page at a time.
Home: Go to top of page.
End: Go to bottom of page.
Alt+Down Arrow: Display all previous text entered in a text box and available options on a drop-down menu.
Shortcut List Source: www.computerhope.com

Firefox Shortcut Keys
F5: Refresh current page, frame, or tab.
F11: Display the current website in full-screen mode. Pressing F11 again will exit this mode.
Esc: Stop page or download from loading.
Spacebar: Move down a page at a time.
Shift+Spacebar: Move up a page at a time.
Alt+Home: Open your homepage.
Alt+Down Arrow: Display all previous text entered in a text box and available options on a drop-down menu.
Alt+Left Arrow: Back a page.
Alt+Right Arrow: Forward a page.
Ctrl+(- or +): Increase or decrease the font size; "-" will decrease and "+" will increase. Ctrl+0 will reset back to default.
Ctrl+D: Add a bookmark for the page currently opened.
Ctrl+F: Access the Find option to search for any text on the currently open web page.
Ctrl+H: View browsing history.
Ctrl+I: Display available bookmarks.
Ctrl+J: Display the download window.
Ctrl+K or Ctrl+E: Move the cursor to the search box.
Ctrl+L: Move cursor to the address box.
Ctrl+N: Open a new browser window.
Ctrl+O: Access the Open File window to open a file in Firefox.
Ctrl+P: Print current page or frame.
Ctrl+T: Open a new tab.
Ctrl+U: View a web page's source code.
Ctrl+F4 or Ctrl+W: Close the currently selected tab.
Ctrl+F5: Refresh the page, ignoring the Internet cache (force full refresh).
Ctrl+Enter: Quickly complete an address.
Ctrl+Tab: Move through each of the open tabs.
Ctrl+Shift+Tab: Move through each of the open tabs going to the left.
Ctrl+Shift+Del: Open the Clear Data window to quickly clear private data.
Ctrl+Shift+B: Open the Bookmarks window to view all bookmarks in Firefox.
Ctrl+Shift+J: Open the Browser Console to troubleshoot an unresponsive script error.
Ctrl+Shift+P: Open a new Private Browsing window.
Ctrl+Shift+T: Reopen the last closed tab.
Ctrl+Shift+W: Close the Firefox browser window.
Ctrl+Left-click: Open a link in a new tab in the background.
Ctrl+Shift+Left-click: Open a link in a new tab and switch to the new tab.
Ctrl+Page Down: Open the browser tab to the right.
Ctrl+Page Up: Open the browser tab to the left.
Home: Go to top of page.
End: Go to bottom of page.
Shortcut List Source: www.computerhope.com

INTELLIGENCE BRIEFING TEMPLATE
Notes About This Briefing Template
1. This template is intended to accompany the following materials, without which some portions may appear confusing:
   1. Domain Lesson Notes
   2. Domain Video Lesson
   3. Domain Report Template
   4. PPTX Template
2. The theme is very subdued, but you can change the overall theme and adjust the master slide by selecting View -> Slide Master.
3. If the animations are too busy for your use case, feel free to remove them. It is easier to remove functions than it is to add them back in, so animations were included in the provided default version.
4. This is a generic template that requires customization to suit your own use case. Depending on your mission objectives you will certainly need to add, remove, or further customize pages and content. This is meant to be a starting framework and is in no way meant to be used as-is.
5. You are welcome to use this framework to build out your own templates. You are welcome to use those for professional purposes. Please do not repackage and "sell" our materials outside of preparing your own reports and presentations.

ICON ASSETS
Master Slide Components
• Replace "Target Domain" (View -> Slide Master)
• Fonts Used: Montserrat & Avenir Next
  https://www.fontsquirrel.com/fonts/montserrat
  https://freefontsfamily.com/avenir-next-font-download-free/
• Icon #1: Main Profile
• Icon #2: Attribution
• Icon #3: Link Analysis/Site Diagram
• Icon #4: Technologies/Identifiers/Traffic Analysis
• Icon #5: Closing/Appendix
• Slide Number

Optional Cover Page #1
Domain.com Investigative Profile & Vulnerability Assessment
Prepared By: Sr. Analyst Gene Parmesan
November 14th, 2021

Optional Cover Page #2
Domain.com
Investigative Profile & Vulnerability Assessment
Prepared By: Sr. Analyst Gene Parmesan

Mission Objectives
The mission objective is the ask: the assignment or goal of the operation/engagement. This might be a vulnerability assessment, competitive intelligence gathering, or a criminal investigation into a malicious site. For the latter, a typical primary objective is attribution: who owns the site, who runs the site, and where can we put our hands on those people and that data? Mission priorities are typically set by the client or a supervisor, but they may also be self-generated. Regardless, early clarification of objectives helps maintain an efficient scope of operations.

Methodology
This report has been prepared for and to the specifications of XXXXXX. The report contains both research data and analysis. All data was recovered from publicly available resources in a manner consistent with best practices and law.

Report Disposition: \\share\unit\case

Scope of Engagement

• Site Map: A visual representation of the domain structure and how it connects to other sites, services, and infrastructure.
• Domain Registration: The most recent WHOIS record, which is available via many online sources.
• Historical Data: Often we can see non-privatized registrant information by reviewing historical registration information from previous years.
• Attribution: Identify the domain owners and operators. Where are they located, what accounts do they use, all of the OSINT things.
• Technologies: What are the various sets of code and/or services used by the site? This may be content management code, analytics services, or similar.
• Vulnerabilities: Open ports, vulnerable code, breach data, and even reputation can be a critical vulnerability.

Key Findings
Key findings are the most important, at-a-glance takeaways from the investigation/operation. You may wish to include an image that supports the #1 or multiple key findings.

Overview slide: Key Finding #1 through Key Finding #4, each with a one- or two-sentence summary (placeholder text in the template).

Detail slides (one per finding, Key Finding #1 through #4), each with:
• Narrative of the finding (placeholder text in the template)
• Risk/Impact/Urgency
• Discoverability

Domain.com (spotlight slide)
This is where you may choose to focus on one significant overall takeaway. This may be a particularly significant exposure or vulnerability. It could also be a snapshot of the organization for context; for example, the image might be a capture of the main page or the about page. The verbal explanation might cover the focus of the investigation, the general traffic and significance of the site, and so on. It can be the punchline. This slide can also be moved further up in the deck or to the end.

Domain Profile
» Domain.com
» IP: 1.1.1.1
» ASN: AS19527
» NS: NS1.USM57.SITEGROUND.BIZ
» NS: NS1.USM57.SITEGROUND.BIZ
» Registrar:
» Host:
» Created: August 17th, 2015
» Registrant: Privatized 2020
» Owner:
» Admin:
» Historical Whois:
» Assoc. Domain 1:
» Global Rank:
» Key Archive:
» Reference 1:
» Reference 2:
» Port Exposure:
» Technologies:
» Emails:
» Analytic IDs:
» Critical Breach Data:
» Reference:

Full Profile: \\share\unit\case#

Hosting Company
Insert key hosting company data, typically obtained from sites like search.org. For example: https://www.search.org/resources/isp-list/
Optional: insert images of the hosting records.

ISP: GoDaddy.com, LLC
Attn: Subpoena Compliance
2155 E. GoDaddy Way
Tempe, Arizona 85284
Phone: 480-505-8800
Fax: (480) 624-2546
GoDaddy prefers service of legal process by fax. No email service will be accepted. "Emergency requests from law enforcement agencies are given expedited attention. If this request is an emergency, please send a fax to 480.624.2546 or an email to [email protected]"

Target Location
Location data associated with the hosting or management of the domain or IP. This is often not directly reflective of the individual running the site.

Business Address OR Hosting Location
Typically this is the address and geographical intelligence for the physical servers. If we need to get our hands on the data by serving a search warrant or otherwise physically seizing the servers, where would we find them?

Hosting Geolocation
(map or geolocation image)

Site Diagram

Site diagram components: Registrar, Hosting, Subdomain, MX Server, Technologies, File Server.

WHOIS Record (current, privatized)
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: clientRenewProhibited https://icann.org/epp#clientRenewProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Registry Registrant ID: Not Available From Registry
Registrant Name: Registration Private
Registrant Organization: Domains By Proxy, LLC
Registrant

Domain.com WHOIS, September 2016 (historical, non-privatized)
"registrantContact": {
  "name": "Domain Administrator",
  "organization": "Endurance International Group West, Inc",
  "street": "10 Corporate Drive Suite 300",
  "city": "Burlington",
  "state": "MA",
  "postalCode": "01803",
  "country": "UNITED STATES",
  "email": "[email protected]",
  "telephone": "13604495900",

Source: https://whois-history.whoisxmlapi.com/ (URL of site providing the historical WHOIS record)

Current DNS Records

Type | Provider | Value
A | Flexential Colorado Corp. | 63.247.140.44
AAAA | (none) | No Records
MX | Flexential Colorado Corp. | 10 mail.domain.com
NS | Flexential Colorado Corp. | ns46.hmdnsgroup.com
NS | Flexential Colorado Corp. | ns45.hmdnsgroup.com
SOA | (none) | ttl: 14400, email: hostmaster.domain.com

Source: https://securitytrails.com/domain/domain.com/dns

Historical IP Addresses

Summary (three most recent hosts):
2021-10-18 | 35.208.131.248 | Mountain View, USA | Google LLC
2020-05-20 | 37.60.252.212 | Chicago, USA | CHI-3
2019-01-08 | 109.73.236.220 | Chicago, USA | Ground Chicago

Full listing:
» IP history results for Domain.com.
» IP Address | Location | IP Owner | Last seen on this IP
» 35.208.131.248 | Mountain View | Google LLC | 2021-10-18
» 37.60.252.212 | Chicago - USA | CHI-3 | 2020-03-05
» 109.73.236.220 | Chicago - USA | Ground Chicago | 2019-01-08
» 50.87.216.65 | Provo - USA | Unified Layer | 2018-02-18
» 50.87.237.96 | Provo - USA | Unified Layer | 2017-02-14

Source: https://viewdns.info/iphistory/

Historical DNS

Summary (same three hosts as above):
2021-10-18 | 35.208.131.248 | Mountain View, USA | Google LLC
2020-05-20 | 37.60.252.212 | Chicago, USA | CHI-3
2019-01-08 | 109.73.236.220 | Chicago, USA | Ground Chicago

Hostname | Type | TTL | Content
lockdownyourlife.com | SOA | 21599 | ns1.siteground.net dnsad
lockdownyourlife.com | NS | 21600 | ns1.siteground.net
lockdownyourlife.com | NS | 21600 | ns2.siteground.net
lockdownyourlife.com | MX | 3600 | mx10.mailspamprotection.com
lockdownyourlife.com | MX | 3600 | mx30.mailspamprotection.com

Source: https://viewdns.info/iphistory/
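Historical IP listings like the one above are usually copied out of a web page as whitespace-separated text, and a single mistyped octet (the summary slide in the template shows 109.73.263.220, which cannot be a valid IPv4 address) is easy to miss when it is later used as a pivot. The following Python is an added example, not code from the notes or from any IntelTechniques tool: it parses a viewdns-style listing into chronological sightings, rejects addresses that do not parse, and counts re-hosting events. The sample text is constructed from the template's values; the column layout is the only assumption about the listing format.

```python
import ipaddress
import re
from datetime import date
from typing import List, NamedTuple

# Constructed listing in the layout of the viewdns.info IP-history output above. Values are the
# template's, including the malformed 109.73.263.220 from the summary slide, to exercise the check.
SAMPLE_HISTORY = """\
IP history results for Domain.com.
==============
IP Address Location IP Owner Last seen on this IP
35.208.131.248 Mountain Google LLC 2021-10-18
37.60.252.212 Chicago - USA CHI-3 2020-03-05
109.73.263.220 Chicago - USA Ground Chicago 2019-01-08
50.87.216.65 Provo - USA Unified Layer 2018-02-18
50.87.237.96 Provo - USA Unified Layer 2017-02-14
"""

# first token = IP, last token = ISO date; everything between is location + owner (undelimited).
ROW = re.compile(r"^(\S+)\s+(.+?)\s+(\d{4}-\d{2}-\d{2})$")


class Sighting(NamedTuple):
    last_seen: date
    ip: str
    owner: str      # location and owner exactly as printed; the listing does not separate them
    valid: bool     # False when the IP fails to parse (typo or extraction damage)


def parse_history(text: str) -> List[Sighting]:
    """Parse the listing into chronological sightings, flagging IPs that are not real addresses."""
    rows: List[Sighting] = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue                      # banner, separator or column-header line
        ip, owner, seen = m.groups()
        try:
            ipaddress.ip_address(ip)      # rejects octets > 255 such as 109.73.263.220
            ok = True
        except ValueError:
            ok = False
        rows.append(Sighting(date.fromisoformat(seen), ip, owner, ok))
    return sorted(rows)                   # NamedTuple sorts on last_seen first


def invalid_ips(rows: List[Sighting]) -> List[str]:
    """Addresses that must be re-checked against the source before being used as a pivot."""
    return [r.ip for r in rows if not r.valid]


def hosting_changes(rows: List[Sighting]) -> int:
    """Number of times the (valid) IP changed between consecutive sightings: re-hosting events."""
    valid = [r for r in rows if r.valid]
    return sum(1 for a, b in zip(valid, valid[1:]) if a.ip != b.ip)


def owner_timeline(rows: List[Sighting]) -> List[str]:
    """One line per sighting, oldest first, with a marker on entries that need re-checking."""
    return [f"{r.last_seen} {r.ip:16} {r.owner}{'' if r.valid else '  <-- invalid IP, verify'}"
            for r in rows]


if __name__ == "__main__":
    history = parse_history(SAMPLE_HISTORY)
    print("\n".join(owner_timeline(history)))
    print("re-hosting events:", hosting_changes(history))
    print("entries to verify:", invalid_ips(history))
```

Run it as-is to see the timeline; swap SAMPLE_HISTORY for a pasted listing to use it on a real case. The "last seen" date is when the resolver last observed that answer, not when the host moved, so treat the change count as a lower bound.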

PORT STATUS

Port | Service
21 | File Transfer Protocol (FTP) control (command)
22 | SSH - Secure Shell (SSH): secure logins, file transfers (scp, sftp) and port forwarding
23 | Telnet protocol: unencrypted text communications
80 | Hypertext Transfer Protocol (HTTP)
110 | Post Office Protocol, version 3 (POP3)
443 | HTTPS - Hypertext Transfer Protocol Secure (HTTPS)

Obfuscation: ROBOTS.txt
https://targetdomain.com/robots.txt

User-Agent: MJ12bot
Disallow: /
User-agent: *
Disallow: /aboutAppC/
Disallow: /admin/
Disallow: /affiliateAppC/
Disallow: /affiliateControl/
Disallow: /appinterface/
Disallow: /appinterfaceAppC/
Disallow: /articlesAppC/
Disallow: /bandwidth/
Disallow: /BizBuilder/
Disallow: /build/
Disallow: /categoryAppC/
Disallow: /cgi-bin/
Disallow: /cgi-fy/
Disallow: /cgi-va/
Disallow: /cobrand/
Disallow: /cobrandAppC/
Disallow: /directMail/
Disallow: /data/
Disallow: /directoryAppC/
Disallow: /directory/
Disallow: /error/
Disallow: /firetest/
Disallow: /homeAppC/
Disallow: /joinAppC/
Disallow: /knowledgebase/allkeywords.cmp
Sitemap: https://www.domain.com/sitemap.xml

Admin Panel: https://domain.com/admin/
Open Service: https://domain.com/BizBuilder
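A robots.txt is written to keep crawlers out, so its Disallow lines are a list of paths the operator considers sensitive, which is exactly why the template pulls /admin/ and /BizBuilder/ out of it. The following Python is an added example, not code from the notes or from any IntelTechniques tool: it parses a robots.txt body into per-agent Disallow lists and sitemap URLs, then flags paths whose names suggest management or back-end functionality. The sample input is a shortened, constructed version of the excerpt above; the INTERESTING keyword list and the https://domain.com base URL are assumptions you should tune per case.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the robots.txt excerpt in the notes (not fetched from a live site).
SAMPLE_ROBOTS = """\
User-Agent: MJ12bot
Disallow: /

User-agent: *
Disallow: /admin/
Disallow: /affiliateControl/
Disallow: /BizBuilder/
Disallow: /cgi-bin/
Disallow: /data/
Disallow: /error/
Disallow: /knowledgebase/allkeywords.cmp   # inline comment, stripped by the parser
Sitemap: https://www.domain.com/sitemap.xml
"""

# Assumed keyword list: path fragments that usually mark management or back-end functionality.
INTERESTING = ("admin", "control", "cgi", "data", "backup", "builder", "panel", "login")


def parse_robots(text: str) -> Tuple[Dict[str, List[str]], List[str]]:
    """Return ({user-agent: [disallowed paths]}, [sitemap URLs]) from a robots.txt body."""
    rules: Dict[str, List[str]] = {}
    sitemaps: List[str] = []
    current: List[str] = []       # agents that the following Disallow lines apply to
    seen_rule = False             # True once a Disallow has been attached to `current`
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and surrounding whitespace
        if not line:
            current, seen_rule = [], False      # a blank line ends the record
            continue
        field, sep, value = line.partition(":")
        if not sep:
            continue                             # not a directive
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            if seen_rule:                        # a new agent after rules starts a new record
                current, seen_rule = [], False
            current.append(value)
            rules.setdefault(value, [])
        elif field == "disallow":
            seen_rule = True
            if value:                            # an empty Disallow means "allow everything"
                for agent in current:
                    rules[agent].append(value)
        elif field == "sitemap":
            sitemaps.append(value)               # Sitemap lines are global, not per-agent
    return rules, sitemaps


def flag_paths(rules: Dict[str, List[str]], base: str = "https://domain.com") -> List[str]:
    """Full URLs for disallowed paths whose names suggest admin or back-end functionality."""
    hits = set()
    for paths in rules.values():
        for path in paths:
            if path != "/" and any(k in path.lower() for k in INTERESTING):
                hits.add(base.rstrip("/") + path)
    return sorted(hits)


if __name__ == "__main__":
    rules, sitemaps = parse_robots(SAMPLE_ROBOTS)
    for agent, paths in rules.items():
        print(f"{agent}: {len(paths)} disallowed path(s)")
    print("sitemaps:", sitemaps)
    print("worth a manual look:", *flag_paths(rules), sep="\n  ")
```

A Disallow entry only proves the operator listed the path, not that it exists or is reachable; confirm each flagged URL with a single request (or an archive capture, if the engagement must stay passive) before it goes into the report as an exposed admin panel.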

Historical Domain Registration
Two slides of three cards each: 2021, 2019, and 2016, then 2014, 2013, and 2012. Each card holds the Registrant Details for that year (placeholder text in the template).
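The current WHOIS record above shows a proxy registrant (Registration Private / Domains By Proxy, LLC) while the 2016 snapshot names a real organization, and the historical-registration cards exist to surface exactly that kind of pre-privatization record. The following Python is an added example, not code from the notes or from any IntelTechniques tool: it tells proxy registrants from real ones, diffs registrant contacts between two snapshots, picks the newest unmasked snapshot as the attribution pivot, and reads the EPP status codes out of the "Domain Status" lines. The 2016 contact mirrors the slide with a constructed e-mail address; the 2020 contact, the PRIVACY_MARKERS list and the status block are assumptions built from the excerpts above.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed snapshots in the JSON shape of the historical WHOIS excerpt above. The 2016 contact
# mirrors the slide (e-mail replaced with a constructed address); the 2020 contact is an assumed
# privatized record using the proxy name and organization shown in the current WHOIS excerpt.
SNAPSHOTS: Dict[str, dict] = {
    "2016-09": {"registrantContact": {
        "name": "Domain Administrator",
        "organization": "Endurance International Group West, Inc",
        "street": "10 Corporate Drive Suite 300", "city": "Burlington", "state": "MA",
        "postalCode": "01803", "country": "UNITED STATES",
        "email": "admin@example.com", "telephone": "13604495900"}},
    "2020-04": {"registrantContact": {
        "name": "Registration Private",
        "organization": "Domains By Proxy, LLC",
        "street": "REDACTED FOR PRIVACY", "city": "Tempe", "state": "Arizona",
        "postalCode": "85284", "country": "UNITED STATES",
        "email": "REDACTED FOR PRIVACY", "telephone": "REDACTED FOR PRIVACY"}},
}

# Constructed status block in the layout of the current WHOIS record excerpt above.
STATUS_TEXT = """\
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: clientRenewProhibited https://icann.org/epp#clientRenewProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
"""

# Assumed marker list for privacy/proxy services; extend it as you meet new providers.
PRIVACY_MARKERS = ("proxy", "privacy", "private", "redacted", "whoisguard", "withheld", "protect")
Contact = Dict[str, str]


def is_privatized(contact: Contact) -> bool:
    """True when any registrant field reads like a privacy or proxy service rather than a person."""
    blob = " ".join(contact.values()).lower()
    return any(marker in blob for marker in PRIVACY_MARKERS)


def diff_contacts(old: Contact, new: Contact) -> List[Tuple[str, str, str]]:
    """(field, old value, new value) for every registrant field that changed between snapshots."""
    fields = sorted(set(old) | set(new))
    return [(f, old.get(f, ""), new.get(f, "")) for f in fields if old.get(f) != new.get(f)]


def latest_unmasked(snapshots: Dict[str, dict]) -> Optional[Tuple[str, Contact]]:
    """Most recent snapshot whose registrant is not a proxy: the best attribution pivot."""
    for label in sorted(snapshots, reverse=True):       # labels are YYYY-MM, so newest first
        contact = snapshots[label]["registrantContact"]
        if not is_privatized(contact):
            return label, contact
    return None


def parse_epp_status(text: str) -> List[str]:
    """EPP status codes from 'Domain Status:' lines, ignoring the trailing icann.org URLs."""
    return re.findall(r"Domain Status:\s*(\w+)", text)


def registrar_locked(codes: List[str]) -> bool:
    """Registrar lock: transfer, update and delete all prohibited at the client (registrar) level."""
    return {"clientTransferProhibited", "clientUpdateProhibited",
            "clientDeleteProhibited"} <= set(codes)


if __name__ == "__main__":
    old = SNAPSHOTS["2016-09"]["registrantContact"]
    new = SNAPSHOTS["2020-04"]["registrantContact"]
    print("2020 record privatized:", is_privatized(new))
    for field, was, now in diff_contacts(old, new):
        print(f"  {field:12} {was!r} -> {now!r}")
    print("pivot snapshot:", latest_unmasked(SNAPSHOTS)[0])
    codes = parse_epp_status(STATUS_TEXT)
    print("status codes:", codes, "| registrar lock:", registrar_locked(codes))
```

An unmasked historical registrant is a lead, not an identification: the 2016 contact here is a hosting company's role account, so it attributes the domain to a provider, not to a person. The client*Prohibited codes are set by the registrar and say nothing about who owns the domain; they matter when the recommendation section discusses takedown or transfer.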

Attribution

Subject #1 Domain Owner
This is typically who owns the domain per current or historical registration (WHOIS) data. This is not the registrar or a privacy masking service. It is the true registrant of the domain.
Source: List of records supporting the identification of this person of interest. Optional: embedded links to pertinent records.

Subject #2 Site Administrator
This is the primary person who manages the site. In some cases the owner and admin are the same person. This person makes changes to the content and controls the site on a day-to-day basis.
Source: List of records supporting the identification of this person of interest. Optional: embedded links to pertinent records.

Subject #3 Forum Moderator
This could be a forum or any subsection of the site. Really any additional person of interest such as a partner or additional administrator. On a criminal case you may duplicate this page for more accomplices.
Source: List of records supporting the identification of this person of interest. Optional: embedded links to pertinent records.

Persons of Interest (sample cards with dummy data)

Subject #1 Domain Owner
(placeholder narrative)
Address: 12456 Turtle Ave., Rocksberry CO, USA 44442
Phone: +1 234 567 890; +1 098 765 432
Email: [email protected]
Linkedin.com/dummyaccount, Facebook.com/dummyaccount, @dummyaccount
Business/Blog: Billions LLC, billiondollarbillions.com

Subject #2 Site Administrator
(placeholder narrative)
Address: 124 La Tripe Street #45, Vallyview CO, USA 44442
Phone: +1 234 567 890; +1 098 765 432
Email: [email protected]; [email protected]

Subject #1 Site Owner/Administrator (single-subject variant)
(placeholder narrative)
Address: 124 Purple Street St., San Pedro CA, USA 23456
Phone: +1 234 567 890; +1 098 765 432
Email: [email protected]; [email protected]
Alternate Domain: billiondollarbillions.com
Social Media Accounts: Linkedin.com/dummyaccount, Facebook.com/dummyaccount, @dummyaccount


Additional Target Locations
Three address cards, each with a sample address: 1234 Schooner Tuna Lane, Santa Maritz, CA 54362

Site Archives
Sites such as archive.org, archive.today, or Google cache may allow us to view historical or deleted content. They also provide a possible opportunity for passive reconnaissance (caveat: Google cache is not completely passive recon, as it often fetches images from the live site). Optional: add an image of the capture to the left.

Captures: September 2020, May 2018, August 2016, September 2015, September 2012 (optional: embed links to records)

Key Archive Image (#1 and #2)
On this slide you may wish to add a screen capture or other image depicting the portion of an archive record that supports a key finding. You may duplicate this slide to include as many images as is appropriate to your mission scope.

Analytic Identifiers
• Google Analytics: UA-7234138 (placeholder narrative)
• Addthis: (placeholder narrative)
• Doubleclick: (placeholder narrative)
• Facebook App: (placeholder narrative)

Source: https://analyzeid.com/id/domain.com
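Analytics and advertising IDs are attribution pivots because the same operator tends to reuse one Google Analytics property, AddThis publisher ID or Facebook pixel across every site they run, which is what a service like analyzeid.com indexes. The following Python is an added example, not code from the notes or from analyzeid.com: it pulls tracker IDs out of page source with regular expressions, normalises Universal Analytics IDs to the property (UA-7234138-1 and UA-7234138-2 are the same property, different views), and reports IDs shared across sites. The HTML fragments are constructed; the UA-7234138 property and the Domain.com / Domain2.com names come from the template, every other ID is invented for the demo.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed <head> fragments standing in for three sites (not real captures). The UA-7234138
# property and the domain names come from the template; the other IDs are invented for the demo.
PAGES: Dict[str, str] = {
    "domain.com": """
        <script async src="https://www.googletagmanager.com/gtag/js?id=UA-7234138-1"></script>
        <script>gtag('config', 'UA-7234138-1'); gtag('config', 'G-AB12CD34EF');</script>
        <script src="//s7.addthis.com/js/300/addthis_widget.js#pubid=ra-5f3c2a1b9d0e7a6c"></script>
        <script>fbq('init', '1234567890123456');</script>
    """,
    "domain2.com": """
        <script>ga('create', 'UA-7234138-2', 'auto'); ga('send', 'pageview');</script>
        <script>fbq("init", "1234567890123456");</script>
    """,
    "unrelated.org": """
        <script>gtag('config', 'UA-99999999-1');</script>
        <script>(function(w,d,s,l,i){})(window,document,'script','dataLayer','GTM-XK7QW2');</script>
    """,
}

# One pattern per tracker. A capture group, where present, is the pivotable part of the ID:
# for Universal Analytics that is the property number, so UA-7234138-1 and UA-7234138-2 collide.
PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "google_analytics": re.compile(r"\b(UA-\d{4,10})-\d+\b"),
    "ga4": re.compile(r"\bG-[A-Z0-9]{6,12}\b"),
    "gtm": re.compile(r"\bGTM-[A-Z0-9]{4,9}\b"),
    "addthis": re.compile(r"pubid=(ra-[0-9a-f]{16})"),
    "facebook_pixel": re.compile(r"fbq\(\s*['\"]init['\"]\s*,\s*['\"](\d{15,16})['\"]"),
}


def extract_ids(html: str) -> Dict[str, Set[str]]:
    """Map tracker kind -> set of normalised IDs found in one page body."""
    found: Dict[str, Set[str]] = defaultdict(set)
    for kind, pat in PATTERNS.items():
        for m in pat.finditer(html):
            found[kind].add(m.group(1) if m.groups() else m.group(0))
    return dict(found)


def shared_ids(pages: Dict[str, str], minimum: int = 2) -> Dict[Tuple[str, str], List[str]]:
    """Invert per-site IDs to (kind, id) -> [sites], keeping IDs seen on at least `minimum` sites."""
    owners: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for site, html in pages.items():
        for kind, ids in extract_ids(html).items():
            for ident in ids:
                owners[(kind, ident)].add(site)
    return {key: sorted(sites) for key, sites in owners.items() if len(sites) >= minimum}


if __name__ == "__main__":
    for (kind, ident), sites in sorted(shared_ids(PAGES).items()):
        print(f"{kind:16} {ident:20} shared by {', '.join(sites)}")
```

Feed the function saved page sources (archive captures work too, which keeps the collection passive) rather than live fetches when the engagement requires it. A shared ID is strong evidence of common administration but not proof of common ownership: agencies and template vendors sometimes ship one property across many unrelated clients, so check the volume of sites an ID appears on before calling it a link.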

TECHNOLOGIES
• Analytics: Optimizely. Optimizely empowers companies to deliver more relevant and effective digital experiences on websites and mobile through A/B testing and personalization. https://trends.builtwith.com/analytics/Optimizely
• Widgets: Google Fonts (placeholder narrative)
• Frameworks: Organizational Schema (placeholder narrative)

Source: https://builtwith.com/?https://domain.com

TECHNOLOGIES (continued)
• Content Delivery: CloudFront (placeholder narrative)
• Content Management: WordPress (placeholder narrative)
• Email Hosting: GoDaddy Email Hosting (placeholder narrative)

Source: https://builtwith.com/?https://domain.com

SSL CERTIFICATES

Fingerprint: 44ab73120c4b36d32ca683148b62f33acd9911981ff144c9b417c171970f1c18
Status: Active, 2020-12-21 03:11:21 to 2022-01-22 03:11:21
Subject DN: CN=*.domainblah.com
Issuer DN: C=BE, O=Global
Source: https://spyse.com/target/domain/domain.com

Domain2.com: shared SSL certificate, same fingerprint 44ab73120c4b36d32ca683148b62f33acd9911981ff144c9b417c171970f1c18, Active 2020-12-21 03:11:21 to 2022-01-22

TECHNOLOGY VULNERABILITIES

CVE-2021-39357
The Leaky Paywall WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization via the ~/class.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 4.16.5. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.
Source: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39357

Technology Two: (placeholder narrative)

DATA LEAKS
(placeholder narrative)
• Risk/Impact
• Discoverability

Breach Data
Five cards, each: Breach Name | Date of Breach; Number of records present for the target domain; Source. One card carries a longer placeholder narrative.

BREACH DATA (detail)
Six cards, each: Breach Name | Date; Size, date, and other details which add context to the level of impact this breach data has on our target; Source.

REPUTATION VULNERABILITIES
• Article #1: Pertinent summary or quote. Source:
• Article #2: Pertinent summary or quote. Source:
• Article #3: Pertinent summary or quote. Source:

RECOMMENDATIONS/ACTION ITEMS
• Section One (placeholder narrative)
• Section Two (placeholder narrative)
• Section Three (placeholder narrative)
• Section Four (placeholder narrative)

DISCUSSION
This presentation and the associated reports have been prepared consistent with operational best practices and agency policy. The report contains both research data and analysis. The research data presented was collected from publicly available sources on the internet.

APPENDIX

Getting Started Tips

Tuesday, November 10th, 2020 8:14 PM

Using This Template
1. If you already know what you want to do with this notebook then delete this page and have at it.
2. The notebook is set up in a format of scratch sheet, summary, tab exports, and then individual sections by data type.
3. Use whatever you want and delete what you don't.
4. The scratch sheet is purposefully completely blank. I use this as a spot to quickly paste notes and content on the fly. I will use this to reference identifiers and URLs quickly. In the end it will be used as reference for my report but is not typically included with the report.
5. Some of the default categories in the checklist on the summary page are Gov/LE specific. Edit these to match your own mission, workflow, and data resources.
6. Anything to the right of the main page space is a note and should be deleted before exporting or printing, to prevent formatting issues.
7. Expand the cells on any tables as much as you need; as long as you are in the same OneNote frame (the light gray border) it should automatically nudge down the content lower on the template.
8. Files such as photos and PDFs can be dropped onto the template and embedded within the frame, or dropped to the side, below, or above it.
9. If you drop a document file onto your page and choose to have it "print" the file, you should do so outside the template frame, as the embedded "printout" will likely mess up the formatting. Choosing to embed as a file works well within the frame or organized into a table within the frame.
10. Customize this however you like, share it with colleagues, but please do not sell or redistribute on the internet. The template represents tradecraft and I would like to keep it within our responsible community.
11. Below are some steps for investigators and analysts new to OSINT, so feel free to skip past them if you are experienced.

This case notebook template was originally designed for Microsoft OneNote, but due to limitations placed on Mac/Linux OneNote users, we are providing the contents of that template in alternate formats. This Word format should allow for copy/pasting sections into a platform of your choosing.

Basic Investigative Steps
1. Set up your notetaking and data collection to track your work: paper notebook, OneNote, Hunch.ly, directory on an encrypted flash drive, etc.
2. List your investigative goals: full profile, locate for apprehension, identify associates, collect digital evidence, etc. (Are you collecting intel or evidence for court?)
3. List your seed info: emails, phone numbers, names, etc.
4. Run all your paid and/or gov queries and use those to add to your seed information. If possible, get hold of a booking or DOL photo for comparison while researching social media.
5. Run Accurint (LexisNexis), TLO, or CLEAR reports.
6. Fire up Chrome with your plugins of choice (uBlock, HTTPS Everywhere, JSON viewer, Fireshot, OneTab), or use your prebuilt custom OSINT VM.
7. If it is likely going to be a full investigation, I turn on Hunch.ly and enter my "selectors" (keywords from seed info).
8. I do a quick Google search and check my people finder site of choice for that week, e.g. ["James McIntire" "Denver"], and run the name through my custom offline tools. Use the custom tools page that matches your known identifier, so if you have an email address, use Email.html. This first dive is a fast-moving search for low-hanging fruit.
9. My typical order is email, real name, search engines, Twitter, Facebook, Instagram, phone number, and then the rest depending on what you have to go on.
10. I exhaust Google and my custom tools, closing any tabs that return false positives or no useful results. For any page that is important I note any identifiers (account IDs, usernames, etc.) in my case notes and screen capture the page.
11. Screen captures are saved in the case directory and/or in a digital notebook such as OneNote. On a case with multiple targets, create subfolders for each person of interest.
12. When I am done with my research I copy/paste pertinent information and identifiers into a profile or case report (for template examples see the documentation module). I embed or attach any pertinent screen captures, PDFs (such as LexisNexis reports), and photos (anything depicting the individuals, vehicles, or addresses).
13. I go over that report with the case detective or agent to explain my investigation and see if they have any questions. This is their opportunity to get clarifications and request additional intelligence.
14. My rough notes, workbooks, Hunch.ly files, and/or cloned VMs are usually saved in an archive in case I need them for further investigation or court. The exceptions to this are missions such as intel gathering for operations, events, threat assessments, etc. A Hunch.ly export might be burned to disc as evidence, but be cautious of any unintended data that might have been inadvertently saved during that session. The VM backup should not go into evidence as it would divulge tradecraft. Treat it as an undercover laptop that you can refer to, but avoid exposing it unless you are forced to (work with your prosecutor to fight this). If you do not need that VM for court, do not keep it (hoarding data comes with custodial responsibilities and potential liabilities). Develop a routine for housekeeping your case archives and investigative workstations. Your agency likely has retention policies and you should review them.
15. I make sure I have a fresh VM for the next case or crisis that comes up. I also make new accounts to have in pocket if any of my research accounts were burned. Better to prepare for the next case at the end of the previous one and be ready to go at a moment's notice. Not every mission justifies a VM; you'll find your own workflow and threshold for deploying advanced tools.
16. Wash, rinse, repeat. Track successes to justify more equipment, staffing, and training.

Note: My standard setup is an off-grid Windows PC on a UC cable modem or MiFi (VPN as appropriate). For quick checks such as events, threats, etc. I stay in Windows and just use Chrome/Firefox and my custom tools. If I need to run a script, I do so from my Linux for Windows terminal. This is for convenience and speed with less fuss when there is less of a need for compartmentalization, security, and/or anonymity. For investigations I typically use my custom OSINT VM and fresh research accounts. Quick utility vs. backstopped single purpose: use the right tool for each mission. If you don't have a set of custom OSINT tools and a VM, you will by the end of this training. We will build them together, which means you will understand what they are doing and be able to keep them working even if Michael and I disappear.
Triage/Approach
• Primary Question/Mission:
• Knowns:
• Deadline (Status/Completion):
• Point of Contact (Agent/Client):

Case Notes (scratch sheet)
Tuesday, November 10th, 2020 5:27 PM
ROUGH NOTES AND PASTES (ACCOUNTS, URLS, IMAGES, ETC.)

OneTab Exports
Tuesday, November 10th, 2020 7:59 PM
EXPORTED ONETAB URL LISTS

Face-Sheet (Research Checklist)
Tuesday, November 10th, 2020 10:53 AM

DOE, John M
DOB: 01/01/2001

Columns: # | CHECK | NOTES | EXPLANATION (delete this column before use)

LE/GOV (for non LE/GOV this section can be paid tools)
1. LE/GOV
2. AGENCY DECONFLICTION: is anyone else working this target
3. PHOTO: DOL, booking, socmed
4. DOL RETURN: Dept of Licensing status
5. DOL ABSTRACT: Dept of Licensing history
6. STATE AND NCIC CHECK: warrants and wants
7. DOC STATUS: Dept of Corrections status
8. FOIL: state offender search
9. CCW: concealed weapon permit
10. DISTRICT COURT: county court records
11. III: full criminal history
12. RMS: agency records management system
13. NDEX: national LE data exchange
14. COUNTY JAIL: booking/inmate search
15. ASSESSORS RECORDS: state tax/property
16. COUNTY RECORDS: county tax/property
17. MARRIAGE LICENSE
18. TLO/CLEAR/LEXIS NEXIS: paid credit data aggregators
19. SOCIAL SECURITY #
20. LAST KNOWN ADDRESS
21. EMPLOYMENT SECURITY: state unemployment system
22. FINCEN: financial/fraud
23. EBT: state public assistance programs
24. (blank): booking/inmate search

OPEN-SOURCE
25. SEARCH ENGINES
26. REAL NAME
27. USERNAME
28. PHONE
29. TWITTER
30. FACEBOOK
31. INSTAGRAM
32. SNAPCHAT
33. LINKEDIN
34. YOUTUBE/TWITCH
35. DISCORD
36. TIKTOK
37.-40. (blank rows for your own checks)

Legend: X = checked; NR = no record

Subject Summary
Tuesday, November 10th, 2020 9:27 AM

NAME
Gender/DOB:
Investigation:
Key Identifiers:
Requesting Agent/Unit:
Case #: 2021-XXXXXX

Case Summary

Personal Details (Quick Reference)
Target Full Name:
Age:
DOB:
Home Address:
Mailing Address:
Telephone:
Telephone:
Email:
Usernames:

Social Network Profiles
Facebook:
Twitter:
Instagram:
Google:
TikTok:
Snapchat:
Reddit:
Pinterest:
Dating:

Home Address table: Address | Timeframe | Source | Notes
Phone Numbers table: Number | Timeframe | Source | Notes
Social Media Accounts table: Type | Username | URL | Notes
  Rows: Email 1, Email 2, Email 3, Facebook, Twitter, Instagram, Youtube, WhatsApp, Snapchat, Pinterest, Dating, Tumblr, Periscope, TikTok, Reddit, Ebay
Employment table: Employer | Source | Notes
Criminal History table: Date | Source | Description
Field Surveillance table: Date | Results

Contacts, Community Ties
• Associates
• Affiliated Locations
• Affiliated Groups
• Associated Vehicles
• Family: Parents, Siblings, Spouse/sig Other, Exes, Children
• Domains: Private Domain, Date Last Updated, Whois Data, Domain Tools report
• Forums, Criminal Orgs, Trade Groups, Sport Teams
• Hobbies/Gaming, Genealogy, Support Groups
• Photo Sites: Instagram, Google Photos, Facebook Photo Page, Flickr, Other

*(Add your own org/agency links below)

LE/GOV CHECKS: DESCRIPTION | DATE | NOTES

RMS: Case history
NCIC/DAIT: Search w/in CAD – Natl. Crime Information Center. FBI maintained pointer system to federal/state crim. hist. information
FORS: Search w/in CAD – Felon Offender Reporting System
DOC: Dept. of Corrections search
CCW: Search w/in CAD – concealed weapons search
DOL Abstract: Search w/in CAD Dept of Licensing
Regional: Search w/in CAD
DAPS/DOL: Driver and Plate search/Dept. of Licensing
LInX: Searches LE contact with individual throughout country
JEMS: Jail Electronic Mugshot search
ALPR: On desktop. License Plate Reader search
Unit OneNote: Search violent offenders and gangs
JBRS: Jail Booking & Reporting System - search for inmate records
County Inmate Search: County inmate search - Jail Inmate Lookup System
LEADS Online: Phone number search, individual metric search, searches based on pawn shops & businesses
DomainBigData: Domain name, IP address, DNS server, whois investigation
RISS/DSIN: Search state, local, federal investigation data (vehicles, individuals, etc.)
County Inmate Index: Inmate Search
LexisNexis/Accurint: Database on specific detailed information about individuals, businesses, phone numbers, addresses, etc.
CLEAR: Premium Search
Assessors Records: Real Property Search
County Records: Searches County Records (marriage licenses, etc.)
EBT: Can view account balance and card transactions. Need card # and PIN #
FINCEN: National Financial Search
Emissions test: Search for emissions test records and history by VIN or Plate #
Intelligence Distros: E-mail distro lists
Courts Defendant Search: Search for cases associated w/a person’s name
County Property Search: Search by address, parcel number, or click on a parcel. Get direct links to the County Assessor’s eReal Property report and the Districts and Development Conditions report
City Business License Search: Search for business license info
State Business License Search: Search for business license info
Municipal Courts Citation Search: Search for citations
ISO Claim Search: Insurance claim fraud search
Jail Phone Calls
CJIS/LEO/LEEP: Federal LE Resources
DNB: Dun & Bradstreet. Contact Fusion Center for inquiries
Uber Law Enforcement Response Team: Information can most easily be obtained with a subpoena, but they can also provide a variety of information about drivers and riders for investigations. [email protected]
Legal Requests: Search.org

Standard Gov/LE Checks

Tuesday, August 25, 2020 9:28 AM

Criminal History: Date | Source | Description

*(Add your own org and agency links below as these are merely placeholders to get you started. Links on the left, description and then Date and Notes for those who want to use it as a worksheet)

LE/GOV CHECKS: DESCRIPTION | DATE | NOTES (same LE/GOV checks table as in the Subject Summary above)


For non-Gov/LE investigators, you can rebuild this with your own resources and links. For example, you can set up your worksheet based on your custom OSINT tools or your own proprietary tools:

1. PAID TOOLS
2. SEARCH ENGINES
3. FACEBOOK
4. TWITTER
5. INSTAGRAM
6. USER NAME
7. REAL NAME
8. EMAIL ADDRESS
9. TELEPHONE NUMBER
10. DOMAIN NAME
11. IP ADDRESS
12. YOUTUBE
13. REVERSE IMAGE
14. REVERSE VIDEO
15. DOCUMENTS
16. PASTEBINS
17. LINKEDIN
18. MAPPING
19. COMMUNITIES
20. SOCIAL TRAFFIC

Proprietary Background Services

Tuesday, November 10th, 2020 11:20 AM

Credit/Utility Checks: Date | Source | Lexis/Clear/TLO Subject ID

[Paste your credit aggregator, Clear, Accurint, TLO, and any premium reports here]

Social Media Profile

Tuesday, August 25, 2020 9:29 AM

Social Media Accounts: Type | Username | URL | Notes
Account types: Email 1, Email 2, Email 3, Facebook, Twitter, Instagram, Youtube, WhatsApp, Snapchat, Pinterest, Dating, Tumblr, Periscope, TikTok, Reddit, Ebay

Captures: [Drop in pdf or image captures]

Phone Numbers

Tuesday, August 25, 2020 9:28 AM

Phone Records: Number | Timeframe | Type (Cell/LL) | Carrier | Source | Notes

Records (CDRs, etc.):

Addresses Used

Tuesday, August 25, 2020 9:28 AM

Home Address: Tax Data (Parcel #, Legal Owner) | Photos | Source

Former Addresses: Date Range | Roommates | Source

Primary Vehicle Summary

Tuesday, August 25, 2020 9:28 AM

Plate: State/Plate #
VIN:
PLATE # XXXXXX: Make | Model | Year | Color | Source
Unique Characteristics (decals, damage, etc.):
Registered Owner: Source

ALPR HITS: Date/Time | Location | Photo | Notes

RMS HITS: Date/Time | Location | Case #

Field Surveillance: Date | Vehicle Movements and Observations

Online Checks: Type | Y/N Checked | URL | Notes

Misc. Notes: Notes/Link

Associates - Friends

Tuesday, August 25, 2020 9:28 AM

Insert link chart or list of associates

Relatives: Name | Association/Relationship | Social Media Accounts | Notes

Friends: Name | Association/Relationship | Social Media Accounts | Notes

Coworkers: Name | Association/Relationship | Social Media Accounts | Notes

Accurint/TLO/Clear Reports

Photographs & Images

Tuesday, August 25, 2020 10:43 AM

Case#: XX-XXXXXX

Online Photo Preservation: URL | Capture Method | Storage Location | Date/Time

Photo Set #:
Case #:
Location:
Camera:
Date Photos Taken:
Photographer:
Notes:

Photo Set #:
Case #:
Location:
Camera:
Date Photos Taken:
Photographer:
Notes:

Images: [Drop Image or Bulk Image Files Here]

Video

Tuesday, August 25, 2020 10:43 AM

Case#: XX-XXXXXX

Online Video Preservation: URL | Capture Method | Storage Location | Date/Time

Video Recovery Notes: Video Clips Set # | Date/Time | Location | Equipment

Video Clips Set #:
Case #:
Location:
Equipment:
Date Video Captured:
Operator:
Notes:

Video Clip Set #:
Case #:
Location:
Equipment:
Date Video Captured:
Operator:
Notes:

Domain/IP

Tuesday, August 25, 2020 10:41 AM

Type of Site: (Forum, blog, etc.)
Technology Used: (WordPress, Cloudflare, etc.)

Whois Info: Domain | Registrar | Owner | Contact Info | Connection | Source | Notes

Historical DNS

Associated Domains: Number

Link Analysis: [Insert Link Chart or Use Draw Tools]

Employer or Business

Tuesday, August 25, 2020 10:41 AM

Employer: Business Name | Timeframe | Phone/Address | Business License | Notes

Records: [PDFs of corporate filings, public records, licensing, etc.]

Surveillance Notes

Tuesday, August 25, 2020 11:01 AM

Surveillance Notes
Date:
Agent:

Time | Location | Notes
Time slots (half-hour rows): 7:00am, 7:30am, 8:00am, 8:30am, 9:00am, 9:30am, 10:00am, 10:30am, 11:00am, 11:30am, 12:00pm, 12:30pm, 1:00pm, 1:30pm, 2:00pm, 2:30pm, 3:00pm, 3:30pm, 4:00pm, 4:30pm, 5:00pm, 5:30pm, 6:00pm, 6:30pm

Follow-Up Log

Tuesday, August 25, 2020 9:55 AM

Date | Time | Narrative/Notes

Case Report

Tuesday, November 10, 2020 4:36 PM

Insert a case-report template