
Thanks for coming back out after lunch, everybody. My name is Josh Huff. Today's talk is about open source intelligence, or OSINT. It's called "What I Learned by Being an OSINT Creeper." It's not a highly technical talk; one of the creepiest things about open source intelligence is the fact that anybody can really do it.

Let's get started. Well, the first thing to do is define what OSINT is. This is a variation of the military definition. I mean, it consists of two things: what OSINT is, and the discipline itself of how you acquire it. OSINT is publicly available information. It could be just about anything that is out there that you can get for free: the library, stuff on the internet, a sign that's posted on
the front of the storefront window. The intelligence discipline is how you acquire it, and it's defined as intelligence produced from publicly available information that is collected, exploited, and reported to address a specific intelligence requirement. Now, it's a highly tactical definition, but it's one that I enjoy because of what I do.

This is me. I work for Stillinger Investigations, a private investigation firm in Columbia, South Carolina, and I do the digital forensics there in the lab. Most days I'm going to have a full computer hard drive image or a cell phone image, and those are just complete open books of people's lives in front of me. Everybody keeps just about everything on their cell phone anymore, so that
tactical definition keeps me in check. I have a specific goal that I'm exploring around in this thing; I'm not just being a creep and prying around in somebody's life. So again, tactical definition, but it really works for what I do.

Some things that other groups would be interested in for open source intelligence gathering: government and military, obviously, there's foreign intelligence that's important, getting into terrorism and politics. Law: we're gonna have court documents, arrest records, inmate and prison records. Business is going to be interested in copyright information, financial reporting, competition, marketing. And then in security, you know, the red team is going to be looking for network structures, account enumeration, IP addresses, SSIDs. Then you get into the personal stuff:
addresses, date of birth, who you work for, who your family is. That's the creepy stuff that I'm gonna cover mostly today.

Before we go into exercises, a really quick thought on ethics and OSINT. This definition I pulled from a developer in the UK named Michael; he gave me permission to use it from his blog. He says OSINT is about examining information and data that's public, and it should not involve invasions of privacy. A legitimate researcher must know where the line is drawn between OSINT and espionage, the latter including stuff like eliciting information, actual illegal network penetration, and eavesdropping; in other words, things that haven't proactively been made public. Working for a private investigator, we're
regulated by the South Carolina Law Enforcement Division, so walking an ethical line is something that we have to do. Once you get good at this stuff, though, disclaimer one: don't be a creep. You know, if you get the ability to find out information and personal stuff about people, there's a difference between doing it for an intelligence, tactical reason like the definition says and just being a snoopy jerk. Don't do that.

Well, the first exercise I like to talk about is just to help you kind of develop an OSINT mindset. This picture came from Facebook last year. I think the caption read something to the effect of "check out the sweet deal at our Kroger gas."
So take a look at it and notice what the account owner wants you to see: 70, 80 cents a gallon. They just got a sweet deal: "I'm gonna take a snapshot, brag about it to all my friends." What I want you to see: they just put 25 and a half gallons of gas into something. You know, you can pull a couple inferences and maybe say it's a truck or an SUV, you know, a larger vehicle, right off of that. Second thing I want you to notice: the background. Pull it up a little bit stronger. I can't quite make out the person, identify them, but there's some key identifiers of the vehicle there: kind of that
circular half-moon of the taillight you can see. You can also see that it is actually a larger vehicle, so, you know, SUV, truck, minivan, something like that. So we can do a couple things there. Hit up a Google search for an SUV taillight. You know, the half-moon shape that I'm looking for is close on a few of these things, but no cigar. So we'll refine the search just a little bit; maybe it's not a late-model vehicle: "used SUV taillight." I think the fifth one over on the top row is the one that ends up hitting pay dirt. It's a dead match. You click on that guy and it's a Dodge Durango, 2004 to 2009. So you've gone and identified
the make and model and a pretty close range of years to check into. Where we go next: I mean, check Cars.com, Craigslist, public records, arrest records, basically news articles, anything that might give you some more clues to drill into about that particular type of vehicle. Coming from Facebook, you probably know slightly about what region that came from as well. Pipl.com, ThatsThem, and Spokeo are really excellent people searches that you can get some decent information out of before you get to their paywalls; also a great way to go.

Now, that example produced unintentional OSINT. This is what I call unintelligent OSINT: "check out the sweet selfie of my new
debit card," and we'll cover the first four digits for security, right? So let's talk about issuer identification numbers. A couple of websites out there have really well laid out listings of what banks use for the first couple of digits, as well as regional identifiers that tell you, you know, almost how to get the first six digits of most cards with a little bit of insight there. The Luhn algorithm: you can plug numbers into that and it will run a checksum that tells you whether or not it's actually a valid number. In that case, the first number was a four because it was a Visa, and you only had
three more numbers to figure out, but the Luhn algorithm helped you eliminate about 90% more of those very quickly with math. Is this OSINT? Not exactly; I just like the example. We're taking known or given information, we're gonna apply knowledge or tools, and produce intelligence, so it makes a good example.

Doing these exercises, I started to finally drill out, you know, what was the methodology that I was following from, you know, kind of a case-by-case basis. So this is kind of what I do with mine. You're going to start with your known items or data points, whatever is given in the actual OSINT that's out there, and then go back to the definition: we're
gonna set an intelligence goal: what is our target data that we're gonna try to get to? We'll get our tools that we're going to use to analyze the data and see how those data points are connected. Then we'll pivot using the new data points: get our tools together, gather, analyze, pivot; just repeat until you get to your target data. Once you've gotten to your target data, try to validate: is our data correct? There's a lot of interconnected information out there, so validation is very important, or you will just spiderweb into nothingness sometimes that's completely unrelated.

Now, methodology slide, people are sleepy, kind of a boring one, so we'll rename it "OSINT Connect the Dots," a little bit more fun,
and we'll slap a good case study on it. This was last year in October: a road rage incident happened in Columbia. Two gentlemen in vehicles; one guy pulls a gun and takes a shot at the other one, flees the scene. Surveillance footage captures a big bright phone number on the side of the vehicle that he was in. So go back to OSINT connect-the-dots. We're gonna start with our known items. In the news stories that they posted with that, Crime Stoppers was looking for information. They provided us a name, Joseph Lamar Christmas II, age 39, the big bright green phone number from the truck, and ties to North Carolina and South Carolina cities. We'll set our target data: let's get a
picture of the guy, that they didn't provide, and feed it to Crime Stoppers, right? Pipl.com was my first stop. Just plugged in the phone number from the truck as well as South Carolina, and immediately it pulls up a hit for Joseph Lamar Christmas, 73 years old, a couple of phone numbers, a couple of addresses, and some associated people. So we go to analyze that: put the old data next to the new data and look at it. Age difference: likely the target's father. You know, we've got some new addresses and new phone numbers to play with. So to make some inferences off of that: like I said, possibly the target's father. The phone number on the truck
brings up the father and not the target, so maybe we're looking at a family business. That was a landscaping truck, I believe. So we decide: let's look up the family a little bit. Get some tools together. This is Mike Bazzell's IntelTechniques.com. I lean on this website quite a bit if there's social media searching that I'm doing. This slide shows his Facebook search tools. The right side of the screen will help you locate the target's account on Facebook, and the left side is designed to help you dig into that account and find information on the target. So I quickly analyze with the right side and locate every single one of the
associated people from the people search and find their pages. Analyze those a little bit, and it's all family members. There's no apparent account for Joseph Lamar Christmas II, so we're going to look into the family members a little bit. Find the chatterbox of the family. Maybe Eleanor: zero pictures. J, who was actually Lamar Sr.: zero pictures and a very unused account. Mary: twenty pictures. Jason: twenty-seven pictures. Margaret: 235 pictures. Found our chatterbox. So I go back to the search screen and hit the left side with Margaret's account. This side will take her Facebook user ID out of the URL, convert it to a Facebook account number, and it's going to run API searches
against information. So I tagged "Joseph" and "Joe" with her Facebook user ID number on a search on that left side, and we land on a whole bunch of photos that Margaret's thrown out: "This is my brother Joe." "This is my brother Joe and his girlfriend." So I'm happy I've found these two pictures. Snap the little profile off of it. How do we validate? "Arrest made in Columbia road rage incident": it happened to be the same guy. Holy crap, I'm Batman.

All right, so quick common sense alert there: don't leak your data online. You know, being in security and security enthusiasts, we're all aware of this. You know, be careful what settings are on your device, but don't let other people
leak that data for you either. This guy didn't even have a Facebook account, but he's all over Facebook because of a sister.

Now, before you go acting like a crime fighter, let's talk about a few things. You want to cover your tracks. We all know that somebody's poking around on our LinkedIn account because we get the notifiers. You're gonna get friend recommendations through Facebook and Twitter if you start poking around looking at people's accounts. So be aware that you're gonna want to, especially if you're looking at criminals, protect who you are. This website, fakenamegenerator.com, will make that process super easy. It gives you a complete profile: name, partial social security number, mother's maiden
name, job, what city you came from, as well as an email burner account that is actually usable. You can take that and register for other accounts on the fly. So you've protected who you are at that point. Protect where you're coming from: Tor, Tails, virtual private networks, and virtual machines are excellent ways to take some of those steps. Tails is a live USB operating system, and it automatically runs all its network through Tor. It's preloaded with privacy and encryption tools, and when you shut it down and take it off your host machine, it wipes the RAM on shutdown. Being a forensic analyst, that is really cool and neat to see. It is also a
completely free tool. Their website's set up with an easy-to-follow how-to to make the live CD, and it also has a lot of good privacy information about what it's trying to protect you from. It's definitely worth a read.

All right, talking about tools: osintframework.com is one that I also lean on quite a bit. It is set up with about, I think, 31 start points on the left side there. We're talking about phone numbers, address, email, domains, maps, social media, a little bit of everything. If you have a starting point for your OSINT, you can find a category that you can jump into, and it's going to give you probably five or six tools that you can
lean on to pivot off of that first information. IntelTechniques: I mentioned this one earlier. There's more than just the Facebook search tools on there. It is a highly useful website. Go check out the... there's a tutorial on this main page; it's about 70 minutes. It talks about how to use the Facebook tools that I was using in that first example, pretty in-depth. It gives you a lot bigger learning experience on that. He has paid lessons, but all the tools on that link set are completely free.

The reason I like both of those tool sets the most is because I call OSINT basically the land of dead tools. Once
you start going through and bookmarking all these awesome open source sites that you can use to gather intelligence, you're going to find obsolescence. Changes in the online landscape are going to create, you know, different security and privacy updates from the websites themselves. You're going to get API changes; transitions to paid business models for the sites that are doing very well; company acquisitions that just, you know, shut something down or, you know, maybe make it a paid site; and then just abandoned projects. You know, there's a lot of open source stuff out there that we try to share with our peers and our friends, and, you know, we get busy or pulled into a new career, and
those guys just go by the wayside. One of the big examples of a recent, sort of recent, API change was Instagram. I think back in June they went through a big change, and it knocked off Iconosquare, which is an excellent search tool to go through and get on Instagram accounts that had geotagging. Once that went on, Iconosquare went to paid only, and a lot of the other tools in that kind of realm just kind of disappeared.

As far as following some of the field leaders right now, these are probably the four guys that I would pay attention to if you want to get into OSINT on a more in-depth level. Mike Bazzell, we've talked
about a bunch of times. He updates that website with a monthly mailer that tells you basically what he's seen as far as the API changes and what has become irrelevant, what he's fixed, and what he's just dropped because it doesn't work anymore. So every month he shoots out an update on some of his tools and the status of things on that site. Again, all that stuff is completely free.

Justin Seitz: he runs a blog, Automating OSINT. He's also got a paid program called Hunchly that's pretty valuable, but it's behind the licensing. Automating OSINT: he does a lot of automation with Python to gather a lot of the OSINT stuff that I'm doing manually. It's
definitely worth a look if you want to go to the advanced side of that, if you're into programming.

Justin Nordine: he's the one that runs the OSINT Framework. He's very open to suggestions and recommendations for tools. If you found something, he'll add it into the framework. If you're using something from the framework and it's no good anymore, he's taking notes and he'll knock them off there on the next update. I think he pushed out an update probably within the last three weeks or so. He flags it on GitHub and Twitter, so you can get a hold of him on there and keep tabs on that.

Micah Hoffman, a SANS instructor: he's got a website, webbreacher.com, with
a decent amount of OSINT talks, blog examples of different, you know, tactics that are out there. Again, all free stuff from Micah.

We're gonna do a few more examples, because that's the fun stuff, really. Reviewing the stuff that I've done over the last year, I realized that I like doing geolocation a lot, so a lot of these are just tracking stuff down based on what's out there online. It's a lot of fun, and you kind of see it in everything once you get good at it. You see something on TV or a selfie and you're like, "No, no, no, no, there's too much information in that." But here's a couple examples.
Property data: this is something that's linked in on the OSINT Framework. Public records will take you to the Melissa Data website, and it'll tell you about property data, public records, stuff that's on file with the property. So I like to, say, do a search for the places I'm giving the talk. You know, what's it say about the building that we're in right now? Actually nothing, which floored me. That's the first time that I've plugged in an address and gotten nothing from that search. Tried to make a couple of inferences and researches; I think it has to do with maybe some of the historic zoning or, you know, the way that Charleston handles public records, possibly. If so, good for
them. So I plugged in last year's venue at the Tides. This is a little bit more what you're used to seeing. You get some property information on market value, square footage, you know, that kind of stuff, but still, business information: no data. So again, really surprised by that. I gave this talk at DerbyCon, and the Hyatt in Louisville gives you quite a bit. You know, you've got a phone number contact for the hotel, you've got approximate number of employees, their sales figures, the property owner, so you've got a tie-in out in Chicago with a business name, as well as quite a bit of stats on the building. Again, I would highly recommend that you check that
site out and plug in your own address to make sure that you don't have a good starting point on your own home saying some stuff about you. You can find phone numbers, emails, quite often. It's Melissa Data, yep. It's linked in off of the OSINT Framework, but they've got a bunch of different search tools right through that site.

Using Shodan: we're all familiar with the wide-open webcams that you can find out there. This one was an IP address that located out in Texas. It was definitely not a good one, because the webcam was one of those pivoting ones, and that is a point-of-sale system down in the bottom of the frame, and you
could totally see what was going on on that thing. Do a quick Google search for the sign that you can see through the window there, for "you fix it," and you got four locations in Texas. Real easy to head over to Google Maps and find the one that matches that picture; then you've got a full address there.

Walking Dead: this example was fun. I went to a concert in Atlanta a couple years ago with my wife, and the episode that came on that weekend when we got back, I was like, "Man, that structure in the back, that looks real familiar," you know. So I pulled up some
information on Google Earth. Yeah, there was a 10, 10 zombies; no spoilers. On Google Earth I go back to the area that we stayed in and just started cruising from the hotel to the concert venue that we walked through, and real easy, I found the same parking structure and that skywalk, and it was filmed at 163 Carnegie Way. So that one was just an attention-to-detail thing. It struck me as funny; I was like, "Oh yeah, that's totally the exact address that this was filmed at." So just kind of a random example there.

More geolocation: this is a shopping blog, it's Rather-Be-Shopping.com, and somebody's taking a picture of, like, the
Walmart app: a cell phone picture with a cell phone. Snap: metadata. Linking through the OSINT Framework again, clicking on Images, going to Metadata, Jeffrey's Exif Viewer: we take that picture and plug it in there, and we're gonna actually get the specs of the cell phone that it was taken with, time and date stamps, GPS coordinates, approximate address based off of those coordinates, and the thing I love the most is that angle down there. That's the orientation that the phone was pointed at when that picture was snapped. Wow. Posted online for all to see. So try to validate some findings there: go to Google Maps, find the address, invert the picture, and that's kind of a dead match:
that guy's front door and front window there. Side note: metadata gets scrubbed by quite a bit of the commercial websites. If you're using, like, Squarespace or something, they do a pretty good job of pulling that out for you. But this is obviously somebody that kind of did a DIY web hosting deal. One of the dangers of doing that is WHOIS lookups: if you don't create a private domain registration, all that information is absolutely just pulled out of the URL with the WHOIS lookup as well.
All the links and examples, and I've got a bunch of blogs and kind of further-down-the-rabbit-hole stuff, are on my website, learnallthethings.net/creepyosint, and it will not find anything if you plug it into WHOIS, so don't try. If you guys have any questions or examples of OSINT that you have found, I'm definitely interested, so shoot me an email. You can find me on Twitter at the OL PHA dat, and I'm going to keep updating the links on the slide series, because I've gotten some really good feedback after these talks and added a few things. Do you guys have any questions?
Here with privacy and security? It's privacy and security, yep. Yeah, that's basically the opposite side of what I just talked about. Sidebar: if you didn't catch Ralph's talk at noon, it is an excellent talk. I would highly recommend going and catching the recording, because it's the other side of OSINT, how you protect yourself from getting this information out there. And that web series is definitely on my to-do list. It's only, what, you said four episodes in? Those guys have some good stuff.
It was just a Facebook post. Somebody threw it up online and said, "Hey, check out this sweet deal I got at Kroger." You know, it is just an example to, you know, get you thinking. You know, that's just an innocent post that somebody threw up for their friends, not on a private, you know, Facebook account. That's the kind of stuff that you can pull out of things like that. Again, unintentional OSINT.
Bazzell's book is definitely on there. There's a lot of material in there. If you check the link that I've got, I've got a pretty good amount of blogs that I've read since I started researching OSINT, and you'll just kind of stumble upon, like, a blog that blows you away. Like, one of them is about reflection reconnaissance from hotels, and that link's on there. It was a band had tweeted some pictures on tour of, you know, kicking their feet up at the hotel room, it was a suite room, and the guy geolocated what hotel they were at based on concert tours, and then he gave you a website, I think it's Emporis,
that actually gives you building statistics, and he was able to find out, like, what floor they were on, and then with Google Earth and all that stuff it was like, "Yeah, you're in this room in this hotel," you know, stuff like that. So I'll try to update that thing. I don't know a ton of other great recommended reads right now, but Bazzell's book. You mentioned the Google hacking, Johnny Long's book: excellent. That's definitely one of those tools that you get into. Once you learn Google hacking, a lot of these websites that you're using, especially like the Pipl APIs and stuff, you can do some manipulation with those URLs. I just did a post on Twitter open-source
intelligence recently, and I talked about the sample API that they're using there. It will hit limits after a while, but you can go register on Pipl.com; they'll give you an API to use for free, and you just copy that API, drop it into the URL where the sample key is once it runs out, and it'll continue giving you full lookups. Any other questions? All right, finished a little early, but thank you guys. [Applause]