Posted on

Understanding Cryptocurrencies: A Layman’s Guide

What Are Cryptocurrencies?

Imagine you have a virtual coin that exists on the internet. This coin is unique because it’s secure, and you can send it to anyone around the world without needing a bank. This is the essence of what a cryptocurrency is – a digital or virtual form of money that uses cryptography (a fancy word for secure communication) to make transactions safe and anonymous.

Essentially, they are strings of encrypted data representing units of currency, secured by cryptography. Unlike traditional currencies, they operate on a decentralized network of computers (nodes) without the need for a central authority.

The Magic Behind Cryptocurrencies: Ledgers

Now, how do we keep track of who owns what without a central authority like a bank? Here comes the concept of a ledger. Think of a ledger as a giant, digital notebook that records every transaction made with these virtual coins. Every time someone sends or receives cryptocurrency, that transaction gets added to the notebook.

Every cryptocurrency runs on a blockchain, a form of distributed ledger technology (DLT). A blockchain is a chain of blocks, where each block contains a number of transactions. Every time a cryptocurrency transaction occurs, it is broadcast to the network and, upon validation, added to a block. Once a block is filled with transactions, it is cryptographically sealed and linked to the previous block, forming a chain.

The ledger in the context of cryptocurrencies is a blockchain. This ledger records all transactions across a network of computers. Unlike traditional ledgers, blockchain is decentralized, meaning no single entity has control over the entire ledger. This decentralization ensures security and integrity, as altering any information would require overwhelming consensus from the network participants.

Public Ledgers: Everyone Can See, But Nobody Can Cheat

One might wonder, “Isn’t it risky to have all transaction records in a notebook that everyone can see?” Here’s the twist – although the ledger is public and anyone can view the transactions, the details of the people making those transactions are encrypted. Think of it as writing in a diary with a secret code that only you understand. This transparency helps ensure that everything is fair and that no one is cheating the system.

Blockchain ledgers are typically public. Transactions on the blockchain are visible to anyone who wishes to view them, yet the identities of the parties involved are protected through cryptographic techniques. Each user has a pair of keys: a public key, which is openly known and serves as an address to receive funds, and a private key, which is kept secret and used to sign transactions. This dual-key system ensures that while transactions are transparent, user identities remain confidential.

Making Transfers: A Peer-to-Peer Network

Transferring cryptocurrencies is like sending a secure email to someone. You simply choose how much to send, enter the recipient’s “address” (think of it as their email for cryptocurrency), and hit send. This transaction then gets verified by other users on the network (this process is called mining) and is added to the ledger. The beautiful part? There’s no middleman like a bank involved, making this process quick and relatively inexpensive.

Transferring cryptocurrency involves creating and signing a transaction with the sender’s private key and broadcasting it to the network. Miners or validators (depending on the consensus mechanism) then verify the transaction’s validity. This involves checking the digital signatures for authenticity and ensuring the sender has the necessary funds. Once verified, the transaction is added to a block, which is then added to the blockchain. This process typically takes minutes and bypasses traditional banking systems, offering a faster, more efficient method of transferring funds.

The Role of Consensus Mechanisms

A crucial aspect of cryptocurrencies is the consensus mechanism, a protocol that ensures all nodes in the network agree on the current state of the blockchain. The most common mechanisms are Proof of Work (PoW) and Proof of Stake (PoS). PoW, used by Bitcoin, involves miners solving complex mathematical puzzles to validate transactions and create new blocks. PoS, an energy-efficient alternative, selects validators in proportion to their quantity of holdings in the cryptocurrency to validate transactions and create blocks.

What is Bitcoin?

Imagine you have a digital coin that you can send to anyone over the internet. This coin is called Bitcoin, and it was the first of what we now call cryptocurrencies. Introduced in 2009 by an unknown person or group of people under the pseudonym Satoshi Nakamoto, Bitcoin offers a way to make transactions without going through banks.

How Does Bitcoin Work?

Bitcoin works on a peer-to-peer network, meaning that people can send and receive bitcoins directly without intermediaries. Every Bitcoin transaction is recorded in a public ledger called the blockchain. This ensures that you can’t spend bitcoins you don’t own, copies can’t be made, and transactions are secure.

Buying, Spending, and Mining

You can buy bitcoins through online exchanges or receive them as payment. Once you have bitcoins, you can spend them on a growing number of goods and services or save them as an investment. New bitcoins are created through a process called mining, where powerful computers solve complex math problems. When they solve the problem, they’re rewarded with new bitcoins. This process also secures the network and processes transactions.

Bitcoin and Blockchain Technology

At its core, Bitcoin is a collection of computers, or nodes, that all run Bitcoin’s code and store its blockchain. A blockchain can be thought of as a collection of blocks. In each block is a collection of transactions. Because all the computers running the blockchain have the same list of blocks and transactions and can transparently see these new blocks being filled with new Bitcoin transactions, no one can cheat the system.

Transactions and Security

Each Bitcoin transaction is broadcast to the network and ends up in a block, where it is confirmed by miners through a process called Proof of Work (PoW). This process involves solving a computational puzzle that requires considerable processing power. The first miner to solve the puzzle adds the new block to the blockchain. This not only creates new bitcoins but also verifies and secures transactions, ensuring the integrity of the blockchain.

Decentralization and Consensus

Bitcoin’s decentralization means no single entity controls the network. It achieves consensus on the state of transactions and the blockchain through the mining process. This decentralized model protects Bitcoin from censorship and allows it to operate without a central authority.

The Significance of Bitcoin’s Design

Bitcoin’s design solves the “double spend” problem, ensuring that each bitcoin can only be spent once. This is achieved through the blockchain ledger, where every transaction is recorded. The ledger is public and verified by a vast amount of computing power, making Bitcoin a secure and transparent way to transfer value.
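The chain of blocks, the Proof of Work puzzle and the double-spend check described above, worked through as an added illustration (not Bitcoin's implementation): blocks are linked by SHA-256 hashes, a nonce is searched until the block hash meets a toy difficulty, and a set of unspent outputs rejects any attempt to spend the same coin twice. Signatures, the network and difficulty adjustment are left out; addresses, amounts and the 50-unit reward are constructed.

```python
"""Toy append-only ledger: SHA-256 hash-chained blocks, a Proof of Work nonce
search, and a UTXO set that rejects double spends. Added illustration, not
Bitcoin's code: no signatures, no network, and a fixed toy difficulty."""
import hashlib
import json
from dataclasses import dataclass
from typing import Optional

DIFFICULTY = 3  # leading hex zeros a block hash must have (toy value)


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


@dataclass
class Tx:
    inputs: list   # (prev_txid, output_index) pairs being spent
    outputs: list  # (address, amount) pairs; value returned to the sender is 'change'

    @property
    def txid(self) -> str:
        return sha256_hex(json.dumps([self.inputs, self.outputs]))


@dataclass
class Block:
    prev_hash: str
    txs: list
    nonce: int = 0

    def hash(self) -> str:
        # The header commits to the previous block and every txid in this one.
        return sha256_hex(json.dumps([self.prev_hash, [t.txid for t in self.txs], self.nonce]))


class Ledger:
    def __init__(self):
        self.chain = []
        self.utxo = {}  # (txid, index) -> (address, amount) for unspent outputs

    def validate_tx(self, tx: Tx, already_spent: set) -> Optional[str]:
        """None if valid, otherwise the reason for rejection."""
        value_in = 0
        for ref in tx.inputs:
            if ref not in self.utxo or ref in already_spent:
                return f"double spend or unknown input {ref}"
            value_in += self.utxo[ref][1]
        if sum(amount for _, amount in tx.outputs) > value_in:
            return "insufficient funds"
        return None

    def mine_block(self, txs: list, miner: str) -> Block:
        """Validate txs, prepend the block reward, search a nonce, append."""
        spent = set()
        for tx in txs:
            reason = self.validate_tx(tx, spent)
            if reason:
                raise ValueError(reason)
            spent.update(tx.inputs)
        # The block height in the pseudo-input keeps each reward txid unique.
        reward = Tx(inputs=[("coinbase", len(self.chain))], outputs=[(miner, 50)])
        prev = self.chain[-1].hash() if self.chain else "0" * 64
        block = Block(prev_hash=prev, txs=[reward] + txs)
        while not block.hash().startswith("0" * DIFFICULTY):
            block.nonce += 1                      # Proof of Work: brute-force the nonce
        for tx in block.txs:
            for ref in tx.inputs:
                self.utxo.pop(ref, None)          # the reward's pseudo-input is absent
            for i, out in enumerate(tx.outputs):
                self.utxo[(tx.txid, i)] = tuple(out)
        self.chain.append(block)
        return block

    def is_chain_valid(self) -> bool:
        """Recompute every hash; any edit to history breaks a link."""
        prev = "0" * 64
        for block in self.chain:
            h = block.hash()
            if block.prev_hash != prev or not h.startswith("0" * DIFFICULTY):
                return False
            prev = h
        return True


def demo() -> dict:
    """Constructed scenario: a reward to alice, alice pays bob with change,
    a replay of the same coin is rejected, then history is tampered with."""
    ledger = Ledger()
    first = ledger.mine_block([], "alice")
    coin = (first.txs[0].txid, 0)                 # alice's 50-unit output
    pay = Tx(inputs=[coin], outputs=[("bob", 30), ("alice-change", 20)])
    ledger.mine_block([pay], "miner")
    ledger.mine_block([], "miner")                # one more block on top
    replay = Tx(inputs=[coin], outputs=[("carol", 30)])
    rejection = ledger.validate_tx(replay, set())
    balances = {}
    for addr, amount in ledger.utxo.values():
        balances[addr] = balances.get(addr, 0) + amount
    valid_before = ledger.is_chain_valid()
    ledger.chain[1].txs[1].outputs[0] = ("mallory", 30)   # rewrite a past payment
    return {"rejection": rejection, "balances": balances,
            "valid_before": valid_before, "valid_after": ledger.is_chain_valid()}
```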

Bitcoin, blending technology and economics, has paved the way for the development of other cryptocurrencies and blockchain applications. Its inception marks a pivotal moment in the digital age, challenging traditional notions of currency and financial transactions. Whether viewed as an investment, a technology, or a social experiment, Bitcoin’s impact on the world continues to grow.

Understanding Bitcoin Wallet Investigations

When someone uses Bitcoin to make transactions, they use a digital wallet. This wallet doesn’t hold physical coins. Instead, it keeps a record of all transactions. Every transaction is public and recorded on the blockchain, which is like a giant ledger. This public record makes it possible to see where Bitcoins are transferred but doesn’t directly reveal the identity of the people involved.

Tracing Bitcoin Transactions

Imagine you’re trying to follow the trail of a specific Bitcoin as it moves from one wallet to another. Since every transaction is recorded, you can see when Bitcoins are transferred and split into different amounts. If someone sends Bitcoin to another person, a part of that Bitcoin might be returned as “change” to the sender, similar to getting change back when you pay with cash. By looking at these patterns, how the Bitcoins are split, and where they go, you can start to follow a trail.

The Challenge of Connecting Dots

The tricky part is linking these movements to real-world identities. Since the blockchain only shows the movement between digital addresses, it requires additional information to identify the person behind a transaction. This is where investigation techniques come in, using clues from transactions and sometimes combining them with external data to piece together who might own a particular wallet.

Digital Forensic Analysis of Bitcoin Wallets

In a more technical sense, investigating Bitcoin wallets involves examining the blockchain for transaction patterns, wallet addresses, and the flow of bitcoins. Sophisticated software tools can analyze the blockchain to trace transactions back to their source or through the multiple addresses they may pass through.

Understanding Change Addresses

A key concept in Bitcoin transactions is the change address. When someone sends a portion of their Bitcoin balance, the unspent portion is returned to a new address in their wallet, known as a change address. This is akin to receiving change when you pay with cash, but instead of going back to the same pocket, it goes into a new one. Investigators can look for patterns where funds are split between spending and change addresses to track how bitcoins are moved and consolidated.

Linking Transactions to Identities

While Bitcoin transactions themselves are pseudonymous, other information can sometimes link transactions to real identities. For example, if a Bitcoin address is shared on a public forum with identifiable information, or if Bitcoins are transferred to an exchange that implements Know Your Customer (KYC) policies, these data points can be used to identify the person behind the transactions.

Advanced Tracing Techniques

Tracing bitcoins back to the same user involves analyzing the blockchain for patterns where bitcoins are split and then reconsolidated, indicating control by the same entity. Techniques like cluster analysis group together addresses based on transaction behavior, which, combined with external data (such as IP addresses or KYC information from exchanges), can reveal the identity of a wallet’s owner.
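The change-address pattern, the clustering of co-spent addresses and the link to exchange KYC data described in the last three sections, as one added example over a constructed transaction graph (not any analysis vendor's algorithm): addresses spent together in one transaction are merged into a cluster, a single fresh output beside known recipients is taken as the change address, and the cluster's payments are matched against an attribution table. The transactions, addresses and the KYC label are all constructed.

```python
"""Address clustering over a constructed transaction graph, the way blockchain
analysis tools infer common ownership. Added illustration, not real chain data."""
from collections import defaultdict

# Constructed sample. inputs: addresses whose coins are spent; outputs: (address,
# amount) created. t0 stands in for earlier funding of the addresses.
SAMPLE_TXS = [
    {"txid": "t0", "inputs": [],           "outputs": [("A1", 50), ("B1", 10), ("A3", 10)]},
    {"txid": "t1", "inputs": ["A1"],       "outputs": [("B1", 30), ("A2", 20)]},
    {"txid": "t2", "inputs": ["A2", "A3"], "outputs": [("C1", 30)]},
    {"txid": "t3", "inputs": ["B1"],       "outputs": [("X1", 35), ("B2", 5)]},
]
# Constructed attribution data, e.g. a deposit address an exchange tied to a KYC record.
LABELS = {"C1": "exchange deposit address (KYC record)"}


class UnionFind:
    """Disjoint sets over address strings."""
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra

    def groups(self):
        out = defaultdict(set)
        for x in list(self.parent):
            out[self.find(x)].add(x)
        return [frozenset(g) for g in out.values()]


def likely_change(tx, seen):
    """Fresh-address heuristic: exactly one output goes to a never-seen address
    while every other output goes to a known one. Abstains otherwise."""
    fresh = [addr for addr, _ in tx["outputs"] if addr not in seen]
    return fresh[0] if len(fresh) == 1 and len(tx["outputs"]) > 1 else None


def cluster_addresses(txs):
    """Return (list of address clusters, {txid: inferred change address})."""
    uf, seen, change = UnionFind(), set(), {}
    for tx in txs:
        ins = tx["inputs"]
        for other in ins[1:]:
            uf.union(ins[0], other)      # co-spent inputs: assumed one controlling wallet
        if ins:                          # (CoinJoin-style transactions break that assumption)
            guess = likely_change(tx, seen)
            if guess:
                uf.union(ins[0], guess)
                change[tx["txid"]] = guess
        seen.update(ins)
        seen.update(addr for addr, _ in tx["outputs"])
    return uf.groups(), change


def cluster_of(groups, addr):
    return next((g for g in groups if addr in g), frozenset({addr}))


def flows_to_labelled(txs, cluster, labels):
    """Payments from the cluster that land on an address with attribution data."""
    hits = []
    for tx in txs:
        if tx["inputs"] and all(a in cluster for a in tx["inputs"]):
            for addr, amount in tx["outputs"]:
                if addr in labels:
                    hits.append((tx["txid"], addr, amount, labels[addr]))
    return hits
```

Both heuristics are inferences, not proof: a wallet that reuses addresses or a transaction built by several parties will produce wrong clusters, so a finding like the t2 hit is a lead to corroborate with external data rather than an identification.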

Investigating Bitcoin wallets and tracing transactions is a complex blend of blockchain analysis, pattern recognition, and detective work. While the public nature of the blockchain provides a transparent record of transactions, the pseudonymous identities challenge direct attribution. However, through careful analysis and sometimes additional external information, it is possible to uncover the flow of funds and potentially the parties involved.

Cryptocurrencies represent a groundbreaking integration of cryptography, computer science, and financial principles to create a secure, decentralized, and efficient form of digital currency. Through the innovative use of blockchain technology, public ledgers, and consensus mechanisms, they offer a transparent, secure way of conducting transactions without traditional financial intermediaries. As the technology matures and adoption grows, cryptocurrencies continue to redefine the financial landscape.


Resources

The CSI Linux Certified OSINT Analyst (CSIL-COA)
The CSI Linux Certified Dark Web Investigator (CSI-CDWI)

Mastering Domain Reconnaissance / OSINT with Sublist3r

Engaging with Sublist3r: Mastering Domain Reconnaissance in OSINT

Imagine you’re a digital detective, and your mission is to uncover the vast and hidden parts of the online world. Sublist3r is your tool of choice, a powerful ally in domain enumeration. It’s like having a high-powered telescope that scans the digital universe, aggregating data from search engines and sites to reveal subdomains of a target domain.

Let’s take google.com as our target. By running python sublist3r.py -d google.com, Sublist3r unveils a treasure trove of subdomains. This is your first step in mapping the digital empire of Google, revealing its extensive reach across the internet.

Advanced Reconnaissance Tactics

For a more tailored search, Sublist3r lets you choose your battlefields. Use python sublist3r.py -d google.com -e google,yahoo -t 10 -o domains.txt to set Google and Yahoo as your search engines, rev up the speed with 10 threads, and capture your conquests in ‘domains.txt’.

The OSINT Advantage

In the realm of OSINT, Sublist3r is like a master key. It opens doors to hidden corridors of an organization’s online presence. Discovering various subdomains of Google, for example, could reveal new services, potential vulnerabilities, or forgotten digital outposts.

Synergy with Other OSINT Tools

Sublist3r’s discoveries are not the end but the beginning. Pair these findings with tools like Nmap for a stealthy port scan or web application vulnerability scanners, turning data into actionable intelligence.

Navigating Ethical Boundaries

Remember, with great power comes great responsibility. While exploring the depths of google.com or any domain, it’s vital to respect privacy, adhere to legal boundaries, and avoid unauthorized probing.

Sublist3r Syntax Examples
  • Basic Domain Search: python sublist3r.py -d example.com
  • Specifying Search Engines: python sublist3r.py -d example.com -e google,bing
  • Setting Concurrent Threads: python sublist3r.py -d example.com -t 10
  • Saving Output to File: python sublist3r.py -d example.com -o domains.txt
  • Using Brute Force: python sublist3r.py -d example.com -b
  • Specifying Ports for Brute Force: python sublist3r.py -d example.com -b -p 80,443
  • Excluding Subdomains: python sublist3r.py -d example.com --exclude-subdomains unwanted.example.com
  • Verbose Output: python sublist3r.py -d example.com -v
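Before the file written with -o is fed to other tools, it pays to normalise it and confirm every host is actually inside the engagement scope; the following is an added example (not part of Sublist3r) that does that over a constructed sample file, and it deliberately handles look-alike names such as notexample.com that a naive suffix check would accept.

```python
"""Post-process a Sublist3r output file (written with -o): normalise entries,
drop duplicates and invalid names, keep only hosts inside the engagement scope.
Added example; the sample file contents are constructed."""
import re

# RFC 1123 hostname shape: labels of letters, digits and hyphens, no leading or
# trailing hyphen, at least two labels. Underscores are rejected on purpose.
LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{LABEL}(?:\.{LABEL})+$")

# Constructed sample of what a -o file might contain after a run against
# example.com; the odd entries are deliberate edge cases.
SAMPLE_OUTPUT = """\
mail.example.com
MAIL.example.com
www.example.com.
dev.example.com
notexample.com
example.com.evil.test
bad_host.example.com
staging.example.com
"""


def normalise(entry: str) -> str:
    """Lower-case, trim whitespace and a trailing dot (FQDN form)."""
    return entry.strip().lower().rstrip(".")


def is_in_scope(host: str, scope_domain: str) -> bool:
    """True only for the scope domain itself or a subdomain of it. The label
    boundary ('.' + scope) stops 'notexample.com' matching scope 'example.com'."""
    scope_domain = normalise(scope_domain)
    return host == scope_domain or host.endswith("." + scope_domain)


def filter_output(text: str, scope_domain: str):
    """Return (sorted in-scope hosts, list of (entry, reason) rejections)."""
    kept, rejected = set(), []
    for raw in text.splitlines():
        host = normalise(raw)
        if not host:
            continue
        if not HOSTNAME_RE.match(host):
            rejected.append((raw, "invalid hostname"))
        elif not is_in_scope(host, scope_domain):
            rejected.append((raw, "out of scope"))
        else:
            kept.add(host)
    return sorted(kept), rejected
```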
Tor vs. Lokinet: A Comprehensive Comparison

In the field of privacy and anonymity, Tor and Lokinet are two well-known networking protocols. While both aim to provide users with secure and private internet access, their underlying architectures and working principles are quite different. This article sheds light on these two systems, emphasizing the differences in their design, functionality, and user experience.

Tor Network

Definition

The Tor (The Onion Router) network is a free and open-source system that enables anonymous communication across the internet. Its primary goal is to conceal users’ locations and usage from anyone conducting network surveillance.

Architecture and Operation

Tor and the Application Layer of the OSI Model

Tor operates at the Application Layer (Layer 7) of the OSI model. This positioning is central to its design and functionality, and here’s why:

  • Encapsulation: Tor’s onion routing design involves encapsulating the original data with multiple layers of encryption. The Application Layer is responsible for ensuring that communication is carried out in the language that the applications understand, so this is where the encryption takes place.
  • Protocol Translation: Tor handles the traffic and translates it into a form that can be transmitted over the Internet. It needs to understand the application protocols like HTTP, HTTPS, and more, and this translation and interpretation occur at Layer 7.
  • Interface with Applications: Tor primarily provides anonymity for web traffic and directly interfaces with web browsers and other application-level programs. Working at the Application Layer allows Tor to integrate with these programs more effectively.

It relies on a network of volunteer-run servers, known as nodes or relays. These relays bounce the encrypted traffic multiple times before reaching the destination.

  • Entry Relay: Your connection starts at this point.
  • Middle Relay: Acts as a bridge between the entry and exit nodes, further obfuscating the path.
  • Exit Relay: Where your request enters the regular internet.

The layered encryption ensures that no single relay knows the complete path, ensuring anonymity.
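The claim that no single relay learns the whole path, as an added illustration rather than Tor's own code: the client wraps the cell in one encryption layer per relay, and each relay strips exactly one layer, learning only the hop before it and the hop after it. A SHA-256 keystream stands in for Tor's AES-CTR, the per-hop keys are constructed rather than negotiated, and relay names and the destination are placeholders.

```python
"""Toy onion circuit: one encryption layer per relay, each relay peels one
layer and sees only its neighbours. Added illustration, not Tor's code: Tor
uses AES-CTR keys from an authenticated handshake, fixed-size cells and a
SOCKS interface, none of which is modelled here."""
import base64
import hashlib
import json

# Constructed per-hop keys (in Tor these come from a handshake with each relay).
KEYS = {"R1": b"entry-key", "R2": b"middle-key", "R3": b"exit-key"}


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with a SHA-256 counter keystream. Symmetric, so
    the same call encrypts and decrypts. Not secure: keys are reused per cell."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


def wrap_onion(path, dest, payload, keys):
    """Build the layered cell, innermost (exit) layer first."""
    cell = keystream_xor(keys[path[-1]],
                         json.dumps({"next": dest, "payload": payload}).encode())
    for relay, nxt in reversed(list(zip(path[:-1], path[1:]))):
        layer = {"next": nxt, "payload": base64.b64encode(cell).decode()}
        cell = keystream_xor(keys[relay], json.dumps(layer).encode())
    return cell


def run_circuit(path, dest, payload, keys):
    """Pass the cell hop by hop and record what each relay can observe."""
    cell = wrap_onion(path, dest, payload, keys)
    observed, prev, hop = {}, "client", path[0]
    while hop in keys:                       # stop once 'next' is the destination
        layer = json.loads(keystream_xor(keys[hop], cell))
        observed[hop] = {"prev": prev, "next": layer["next"]}
        if layer["next"] in keys:
            cell = base64.b64decode(layer["payload"])    # still encrypted for the next hop
        else:
            observed[hop]["delivered"] = layer["payload"]  # only the exit sees plaintext
        prev, hop = hop, layer["next"]
    return observed


def demo():
    """Three-hop circuit to a placeholder destination carrying a constructed request."""
    return run_circuit(["R1", "R2", "R3"], "example.test", "GET / HTTP/1.1", KEYS)
```

The entry relay sees the client but not the destination, the exit sees the destination and the plaintext but not the client, which is also why the "compromised exit node" weakness listed below matters: the exit can read anything the application did not encrypt itself.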

Strengths and Weaknesses
  • Strengths: Strong anonymity, widely used, community-supported.
  • Weaknesses: Potential performance issues, the possibility of compromised exit nodes, and application-layer focus only.

Lokinet Protocol

Definition

Lokinet is a privacy-focused networking protocol, part of the Loki Project. Unlike Tor, Lokinet operates at Layer 3 (Network Layer) of the OSI model.

Architecture and Operation

Lokinet uses a mix of onion routing and blockchain technology to create a fully decentralized and anonymous networking protocol. Here’s how it differs from Tor:

  • Layer 3 Functionality: By operating at the Network Layer, Lokinet can encrypt and route not only web traffic but all types of internet traffic, including UDP and ICMP. It essentially creates a private overlay network over the existing internet infrastructure.
  • Decentralization: Lokinet’s reliance on blockchain technology ensures a decentralized framework, allowing more robust security and integrity.
  • Path Building: Lokinet builds multi-hop paths similar to Tor but with a more dynamic and randomized approach. It reduces the risk of correlation attacks.
  • Service Nodes: Lokinet utilizes service nodes, incentivized through blockchain rewards, to route traffic. These nodes stake a certain amount of Loki cryptocurrency to participate in the network.

Strengths and Weaknesses
  • Strengths: More versatile, able to handle various types of traffic, decentralized and incentivized nodes.
  • Weaknesses: Relatively new, lesser community support, potential complexity in setup and use.

Comparison

Here’s a tabular comparison summarizing the differences:

Aspect              Tor                 Lokinet
OSI Layer           7 (Application)     3 (Network)
Traffic Type        Primarily HTTP      All types
Decentralization    Partial             Full
Node Incentive      Volunteer           Incentivized
Community Support   Strong              Growing

Conclusion

While both Tor and Lokinet offer privacy and anonymity, their operational layers, architectures, and functionality differ substantially. Tor is a well-established system focusing on application-layer traffic, whereas Lokinet’s innovative approach at Layer 3 offers a broader range of encrypted communication.

Lokinet may offer a more versatile solution for various network applications, but it still has some way to go in terms of adoption and community support compared to Tor. The choice between these two depends largely on the specific requirements and preferences of the user or organization.

Using Sock Puppet Accounts for OSINT

‘A sock puppet or sockpuppet is an online identity used for purposes of deception. The term, a reference to the manipulation of a simple hand puppet made from a sock, originally referred to a false identity assumed by a member of an internet community who spoke to, or about, themselves while pretending to be another person.’ – Wikipedia

These fake social media accounts are used by both sides of the cyber game. You can find hackers, scammers, bots, and other cyber criminals on the dark side, while journalists, penetration testers, and investigators are on the other. Like any decent tool, it can be used for both good and evil. Why would YOU want to create an undercover account? When investigating, it is always a good idea to separate your real identity from the initial investigation. Otherwise you increase the likelihood that the target will get suspicious. You also run the risk of being identified and doxed, harassed, and in the absolute worst-case scenario, targeted for lethal retaliation. Depending on who the suspect is, you always need to take the appropriate countermeasures to protect your organization/agency, yourself, and even your family. Another thing to take into consideration is that many social media sites have Terms of Service (TOS) that specifically cover fake or investigation accounts. Organizations like Facebook are actively looking for these types of accounts, even if they are law enforcement, and banning them.

!!!DO NOT USE YOUR PERSONAL OR BUSINESS ACCOUNTS TO DO INVESTIGATIONS!!!

The Importance of Anonymity and Security

You should connect to a public WiFi access point and only use VPN or Tor as a last resort. The reasons are that VPNs and Tor are sometimes tracked, blocked, or marked as questionable by websites when creating an account. This means the likelihood you will be able to create the account without having a real phone number decreases drastically. Public WiFi tends to look a bit more “normal”.

More about Tor

I love Tor and always have. Tor is great at offering some of the best anonymity available, and the best part is that it’s free. The mechanics of onion routing are that you are essentially moving through several different proxy servers, and this minimizes trace evidence that can be used to tie the traffic back to its original source. You can easily set up a hidden service with a “.onion” address. This allows us to communicate securely with other investigators, informants, or even suspects. The downside of using Tor is that it is commonly used by criminals, and many of the websites we need to investigate may be blocking traffic from Tor or red flagging it. So, even though it offers a lot of benefits, Tor is not always good for Surface Web investigations.

VPN Value?

There has been a ton of advertising for Virtual Private Network (VPN) services that claim that they will protect your Internet traffic. This is only partly true and mostly false. A VPN is a Point-to-Point encrypted tunnel that allows one network to talk to another through an encrypted tunnel. Think of it this way. Say you are using a third-party VPN service: your traffic is encrypted between your system and the third-party network. The traffic then routes from that server through their Internet connection. The other thousand people using the same service will also share that same gateway IP address. That sounds fine, right? Well, after you leave that service provider, your traffic is back on the Internet for everyone else to see. This means it is naturally less anonymous than Tor. The providers may also be watching everything you do in the name of “Marketing”. Free VPNs and cheaper ones are the biggest risks. The services that claim they DO NOT STORE LOGS are also usually lying or not telling you the whole truth. Within networking, there will always be logs. They are required to troubleshoot when things fail. Logs will be there; it is just a matter of how long and how they are destroyed. Some websites are also red-flagging the popular VPN services.

Creating a persona

Some people make these accounts from scratch. The more content and backstory you create at the beginning, the more direction you have to make the account look like a real person’s account. Use a password manager to keep track of everything you are creating for these accounts, including the user/pass info, and keep notes. KeePassXC is a great free, cross-platform solution that will allow you to share your password management database among multiple computers and different operating systems.

Character/Persona generators

Creating an account can take some time, effort, and creativity, and you may be short on any of those for whatever reason. Anyone that has played role-playing games like D&D, WARHAMMER, or other games where you need to generate a character to play has a step up because they have done this before. There are a few resources you can leverage to help speed up the process and spit out a “character” with a lot of random attributes and content. Below is a list of resources you can use when generating your Sock Puppet persona. Just remember that all information generated is fake. You can change the data to fit your narrative:

  • Fake Identity Generator (fakepersongenerator.com)
  • Random Name Generator (www.elfqrin.com/fakeid.php)
  • Random Character Generator (random-character.com)
  • Personality Generator (rangen.co.uk)
  • Trait Generator (rangen.co.uk)

Image generators

Generating images that have consistency to them can be a challenge. You want to create a realistic person with history and consistency. It is important to NEVER use pictures of friends or family. This can put the investigation at risk and possibly them at risk as well.

  • (thispersondoesnotexist.com) – GitHub project available
  • AI-Generated Faces (boredhumans.com)
  • Gallery of AI-Generated Faces (generated.photos)

Emails

Creating an email is the base for setting up your undercover investigation account. This will be used for setting up social media accounts and communications with suspects. Any email service will work. Here are a few:

  • GMX.com
  • Mail.com
  • Protonmail.com
  • Yandex.Mail

Burner Phones

A burner phone is extremely useful and may be required to create accounts on certain websites along with creating a history for the persona. The reason is the sites are trying to prevent fake accounts from being created and will send an SMS validation message to a phone. Bots rarely have their own phone numbers. In some countries, you do not need to tie your ID or Passport to buy a SIM card or burner phone. If you are in one of these countries, it is suggested to use cash only and let the phone sit for 2+ months before you activate it with a sock puppet email. Sometimes SIM cards can also be purchased on Amazon.com. Keep an eye out for deals and trial offers. Phone emulators can also work.

VoIP Phone

Generate a Voice over IP (VoIP) account with an online vendor. This will be useful to add another layer of separation. Many online services like Google Voice require you to have a real phone number to tie to your account. This makes your burner phone that much more important.

Pre-Paid Credit Cards and Gift Cards

In some cases, you may need to use a credit/debit card for purchases, account setups, and account verifications. If you are in a country or area that allows you to purchase these types of cards (VISA/Mastercard), use good OPSEC to minimize links back. You can also use a privacy.com masked credit card.

Cryptocurrencies

If your investigation requires cryptocurrencies for transactions, you can use prepaid cards on most of the crypto services. Exodus.com is a wallet that allows you to trade many different currencies and their Desktop software is cross-platform compatible. An example of needing cryptocurrencies during an investigation may include fraud cases on sites like Facebook Marketplace, Instagram’s Shop Now, Craigslist, etc. You may also find them useful when purchasing content and buying services.

Social Media Accounts

When creating a social media account, you want to look as ‘normal’ as possible on the website because many of them are trying to stop people from creating fake accounts. Make sure you are not breaking the law or violating terms of service when doing this. Here are things to look at when creating your OSINT undercover accounts:

  • Use public Wi-Fi and do NOT use a VPN
  • Pick a social media site to focus on
  • Use your persona’s “real” phone number for verification
  • Save the information in a password manager like KeePassXC
  • Keep Operational Security (OPSEC) in mind:
    – Use a very strong password for the password manager access
    – Use a different password for each account
    – Never cross over accounts with your real-world or personal accounts
  • Go into the settings of the account you just created and change the phone number to a VoIP number
  • When you are done, log out of the account
  • Log back in and start adding information to your account relevant to the profiles
  • Go back to step 2 for the rest of the sites you want to try

Note: You may burn UC personas when creating accounts. Just be patient and persistent. This process takes time and effort.

Aging the Account

Like a fine wine or good whiskey, the account needs to be “aged”. This means creating content and history. This will minimize the likelihood of the account getting flagged as a fake by the service provider and deleted. Become the persona. Go to the same public WiFi you created the account with to log in and generate activity. Like posts, make comments, share things, and grow your connections. Log out when you are done. This is very important and ties into OPSEC. Not logging out can leak other networks and information out for Big Data if you are not careful. The goal is that you are training the site that you are a real person by doing real-person things. Try to add content and history following the personality of the fake character. This includes finding banners with image searches. Think of banners for your social media pages, memes, and pictures from the location your persona is from. Build your account pages how you believe your sock puppet would have. Add enough information to make it look real. Over time, keep logging into the account and add content to build history and the trustworthiness that the account is a “real” person.

Learn from your Investigations

‘Operations security (OPSEC) is a process that identifies critical information to determine if friendly actions can be observed by enemy intelligence, determines if information obtained by adversaries could be interpreted to be useful to them, and then executes selected measures that eliminate or reduce adversary exploitation of friendly critical information.’ – Wikipedia

Things always change and you must keep improving to keep up. Make it a habit of using good OPSEC. There is a saying with investigators. The suspect needs to be lucky every single time, but you only need to be lucky once. The other side can use the same Tactics, Techniques, and Procedures (TTPs) as you do and that flips the table on you. Now, you need to be lucky every single time and they only need to be lucky once.

Resources

  • Creating Research Accounts for OSINT Investigations – We are OSINTCurio.us
  • Dark Side 116: Sock Puppets. What if I told you not all fake social media accounts are used maliciously?
  • DeBot: Twitter Bot Detection via Warped Correlation
  • How to Make Sock Puppet Accounts for OSINT in 2021 | Hacker Noon
  • The Art of The Sock (secjuice.com)
  • The Ultimate Sock Puppets Tutorial for OSINT Operators – Ehacking
  • Identifying Sock puppet Accounts on social media