
Hunting Threat Actors using OSINT Forensics

BSides NYC · 2023 · 36:35 · Published 2023-06
About this talk
Little attention is given to tracking the perpetrators of cyber-attacks in the world of forensics. Using real world examples, I will present some OSINT methods to trace the location and identity of threat actors, including revealing deleted parts of screenshots/PDFs, discerning fake accounts, finding suspicious VPN addresses, uncovering identities from pseudonyms; using account leaks, search engine analytics, maps, social media, images and more. I will also present the results of my original research of thousands of leaked accounts, into identifying gender, age and predicted passwords in use, which can assist in threat actor identification.
Transcript [en]

Hi everyone, my name is Abby Waddell and I currently work as a vice president of security testing, and I'm also the founder of Inquirics, which provides research and services on OSINT vulnerability assessments, primarily for non-profits. I'm going to talk about some of the open source techniques to locate the source of cyber breaches and the identity of suspects that have been used successfully. So why OSINT? Breach recon activities are not usually captured by existing tools and methods, either pre- or post-incident, mainly because such activities occur away from the company network. OSINT data can be anything available to the public, including deep websites, and also data which is out in the open but shouldn't be, usually from

unintentional leakage. An example could be that I email a hotel reception about my room booking but they respond to me with an email that is intended for a different customer by mistake, or a web page is misconfigured and shows a list of hidden files and directories which anyone can access if they are technically able to. So I'll talk about some useful methods of obtaining information from documents, social media, password leak repositories, websites and forums, with some examples of how threat actors have been identified using these methods, which have been developed from years of research and original discovery. Firstly I'm going to discuss some little tricks to reveal hidden material. Just to note that any blue rectangles

covering stuff in this presentation are there for redaction and privacy purposes. So, user profile images in Instagram and Twitter: it is sometimes possible to reveal the parts of the image hidden by the way the image is presented on these platforms. Not everyone's profile photos allow this to be done, but when they do it can sometimes reveal useful information. In the example on the left this person's neck tattoos are revealed, very useful if there is a need for identification. The example on the right shows more clearly the woman next to this user's photo. It's very simple to view the entire image: just save it locally and open it up, or you can open the photo from the platform

in a separate browser window. Another useful trick is to be able to view a PDF file before any edits have been made using editing tools. On the left is a PDF of an invoice from Amazon, and on the right key details of the same document have been altered in order to forge the invoice amount and the delivery recipient details. The Edge browser PDF editing tool was used to do this. If one opens this document in Google Docs, however (not the Google Drive preview, but Google Docs), then this strips away these edits, so you can see the document as it was before the changes were made. Cropped screenshots and images within

Microsoft files such as PowerPoint, Excel and Word documents can reveal the portions of the area deleted but not completely removed, so low-classification files can therefore still present a risk of sensitive data leakage, leading to reputational damage and network and system compromise. Examples of sensitive data could be anything visible on one's desktop at the time of either performing the screenshot or image use, such as internal web directories in the URL visible from the browser, staff personal details, calendar entries, contents of open sensitive files and so on. So in this way one can use this technique to find out more about the author and origin of any Microsoft-created media that is under assessment. This is an example of how this

happens: the screenshot of the Inquirics logo is taken, and note the surrounding views of open websites and other documents. The unwanted parts of the image are cropped, but then the user forgets to actively delete these cropped parts. This is an easy mistake, as it requires remembering to do this and manually doing this step in the application; there's no software control that does this automatically. So this is a nifty free tool.

Basically this is a tool which can be obtained on the Inquirics site. It reveals those parts of the screenshots in Microsoft files which have been cropped but not fully deleted. No installation is necessary; one only needs Microsoft Excel installed with any third-party add-ins disabled. Very simply, just upload the files you want checked and it will extract all the images and save them to a results file. These images can then be viewed and they will show the full screenshot with any undeleted areas. As can be seen from this example, the deleted or cropped parts of this particular image are revealed: the yellow box surrounds what was intended

to be viewed, but instead the whole screenshot prior to any cropping can be seen. Restricting editing rights within Microsoft won't prevent this, and there is no patch. One useful method of getting intel on suspects is to use the account recovery function on applications, as this sometimes reveals user details such as email addresses, usernames and device info. It requires attempting to log on to the website using the suspect's email address or username and then seeing what information comes back. It's basically the offline equivalent of knocking on someone's house and seeing who answers, so you're not basically trespassing or performing any account compromise. The examples here show the information returned on Facebook and

Gmail when one goes through these steps to reset the user's passwords. Their passwords are not actually reset, as you would stop the process before this point, and it's enough to basically get the information shown: in this case partial email addresses and device phone numbers. It's often possible to guess the redacted emails, and even having just the last two digits of a phone number can corroborate information held elsewhere. The same method can be used on the UK's British Telecom website; only a username or phone number needs to be guessed here to get the redacted information. Likewise Microsoft Office provides this kind of user data, and it's a useful source as it appears most of the world's

computer users have a Microsoft account. Twitter reveals user data in the forgot password function, and here is one of the UK's main banks providing clues as to the length of the user's password. The user's NatWest customer account number, which is made up of their date of birth, is needed to log into their account on the website, and then, without needing to know any other information, one can see how many characters their password has when the application requires various characters to be entered from this password. Knowing the length of this password can help guess the current password using previously leaked password data, and this password may be likely to be used on

other sites where it's being reused. One way of tracing or profiling suspects is to look for matches of the writing they use. This is an example of running a search of the exact wording used on the user profile of an advert of a particular malware vendor on AlphaBay, which then gave some results of other black market sites he was using; in this case the wording of the terms and conditions is exactly the same on his other sites. It's also useful to determine the gender of the user by analyzing their writing through an online analysis tool such as Gender Guesser. Whilst this is not strictly OSINT, for

those who already have legal access to a suspect's account there are some sites worth exploring to get a better picture of their activities and location. Grammarly profiles may show draft documents even with the free version, and these documents might contain personal details and other metadata. Fitness and sat nav apps can show a user's location, including historic locations, not just in vehicles but if they've set up walking or jogging routes. Hotel, train and flight booking sites are also a good location for data, and it's also useful to link current credit cards with the physical addresses in use, current email addresses and so on. I would estimate the vast majority of users in the UK, for instance, are registered on any one of either the

Tesco, Amazon, BBC or Netflix sites. Understanding the sites where a suspect has registered can help with profiling them. For instance, if they have accounts on lifestyle and clothing sites they're more likely to be women; women make up 90% of the users on the popular Mumsnet site. Registrations on sports sites tend to point to a higher likelihood of a user being male, parking apps may point to the ownership of a car, and train and phone company site registrations may point to a country of origin. There are some techniques that can be used to discover the person behind a forum pseudonym. In the forum search area you can do a search for the username

plus the first two digits of the commonly used phone prefix for your country. For instance "sami1" and "07" may bring up this person's phone number, in this case a mobile, and then a search can be done on the entire number in Google etc. In some instances users mention their email address in the messages, and so a search for the @ symbol is worthwhile. It is noticeable that people are much more cautious about mentioning their personal details in recent years than before, so it pays to research the oldest messages as well as the new ones, as users may be more likely to have divulged more personal information there. Another technique is to search for the

username plus the words "for sale" or "wanted", because if this user has mentioned having things for sale etc. they sometimes give clues as to their hometown, and even that might be enough to cross-match with their username to lead to results. Some users will mention landmarks near to where they live, and it sometimes becomes a simple case of deduction using online maps to work out their location. There was one real example where a user mentioned in different posts and at various times that he lived equidistant to three alternative energy farms, two miles south of a specific river, next to a railway line, near a newly built supermarket and with a close view of a

famous landmark. It was impossible to triangulate his location with 95% accuracy. Another useful technique is to scrutinize any media which the user uploads to the forum, for instance images. Sometimes these images are hosted on other servers where their username, which may be different to the one they have on the forum, is visible in the URL, so further searches of this username on Google and popular deep websites may then point to their real identity. Often in forum discussions, especially with users who have been on the forum a while or have made a lot of posts, the other users might address them by their real name, either because they've met them in person or

they've engaged in a lot of private messaging. In one actual case a user of interest was given a nickname by another user based on his surname, so a Google search was then run on this nickname, which led to the easy discovery of his real name. Searches can also be made in the forum for the username plus sign-off words and abbreviations, which sometimes actually give away their first name. An example is a search of "sami1" and "ATB" (for "all the best"), which can be swapped for "thanks" or "thx", "take care" and so on.

The Skype online directory is a useful place to find details such as alternative usernames, country location and images. Less useful, but still worth knowing, is torrent file names, which sometimes give away the user's operating system and username. As mentioned before, one should always check links to media and other sites from forum posters; these can also give alternative usernames, such as in this example where a particular user had a different username on the Photobucket site. This is just to highlight the benefits of using Bing Maps over Google Maps: these are example images of the same two map locations, and you can see how Bing Maps shows the colours and the detail much more, so it's always

worth using Bing. Facebook is often a valuable resource for finding information for forensic and other purposes, and this highlights some useful methods of doing this. Facebook's search function produces more results the more the parameters are defined. For instance, a search can be made for a standard phone prefix with the option to just look for content posted by that user selected, and this will sometimes bring up a past post the user has made mentioning their full phone number, on which further searches can be made. To find employees working for a specific company, as before, the more the search is defined the more results will come up. The example shows a search for all those who say in their profile

that they work for Electronic Arts and whose name contains the letter S; that was just a random example. So it rivals LinkedIn in that respect. Checking the profile name as shown in the URL of a profile is worthwhile, as this could show a person's maiden name, their middle name or middle name initials and sometimes a nickname; it may also point to the fact that the profile is fake. This is another example of having to add more search parameters in order to get any results: a search for or better 212 in this example comes back with no exact match, but refining the search, in this case specifying a year, produces an exact

match, along with a retweeted post from Twitter. On Twitter itself this post had been deleted, but it was still partially visible in Facebook, so Facebook's actually quite useful for finding deleted tweets. It's also useful to know how to construct queries once the search needs to be more defined. Searches are made up of parameters which are then base64 encoded; locations and users have their own ID number, as shown in these examples. Location IDs can be found by running any search query using the platform's search function and entering the location of choice, after which the base64 string in the URL can be decoded to get the specific numeric ID for that location. One can retrieve a user ID by viewing the

HTML source code of the profile of interest and searching in this source code for the user ID. The following shows how a search query can be constructed. In this example the word "top" means all categories, such as posts, people or photos, but you could just use a single category. The "q=" is followed by the keyword, in this case "knitting", and then the filters parameter, which refines the query, can also include user ID, location ID and exact date. The query is then base64 encoded and run from the URL. To find the contacts of a user who has prevented others from seeing their friends list, one can view any photos, images and videos that may be present in

their profile and view the list of users who have reacted to them. With the list of friends it's useful, especially in the case of a man, as they do not easily change their surname after marriage, to search for any users who have the same surname as the user, as they're likely to be family members. Researching family members may then help build a fuller picture of the user in question, and where there are lots of photos in the profile of interest it's useful to check only those pictures which have a higher likelihood of having a greater number of reactions, rather than wading through hundreds and hundreds of photos which might not be worth it. In

general there are certain types of photos which attract more user response than others. Photos showing close-ups of a face generally receive a higher number of user reactions, as do photos of special occasions such as weddings and ceremonies, people wearing smart or attractive clothing, and studio-quality images. It's often useful to discern whether a social media account is fake. Fake profiles on Facebook and other social media sites tend to have the following hallmarks, and the greater the number of these characteristics, the greater the likelihood that the profile is not genuine. The first post date or the join date is relatively recent. It's possible to backdate or hide Facebook posts, and so using the app we've created,

which I'll mention in a minute, this can help find the actual date a profile was created. The profile name is different to the profile name as seen in the URL; as previously mentioned, this usually means that the name has been changed from what it originally was, which could have been the user's real name or the name of an account bought from a third party. The likes, photos and posts are on a single topic: fake profiles, especially those created for a single purpose, are usually dominated by one overriding theme. For instance, if a profile was created to market a particular brand of lawnmower there would be predominantly photos of lawn

mowers and likes around that specific interest, to the exclusion of much else; as such there wouldn't be photos of the kids, the family holidays, mentions of other topics and so on, and the profile photo may even represent that particular topic rather than being of an actual person. The photos and the profile go over the top: if a fake profile belongs to someone who's keen to show to the world that they are of a certain view and of a certain type, their photos, mentions and likes will be very single-themed but also exaggerated, perhaps to encourage others to believe that they conform to a standard social stereotype. There are no posts or photos or other

content: an empty profile may just mean that the owner has not got around to populating the sections yet, or it may be a profile which only needs to be bare bones in order to fit a singular or temporary purpose. The person's age does not accord with the profile content. The friends are from a different culture, location and possibly language, which is more obvious when an account has been bought from a third party. There are no friends who have the same surname: most normal profiles have some family members shown as friends, and if there are no other friends showing the same surname this may point to the account being fake. The presence of links

to friends whose profiles are also fake, particularly common if many of them are engaged in contentious activities. A reverse image search reveals the presence of the same image on other sites, as fake accounts may use stock images obtained from Google etc. Profile pictures which do not show a clear image of the face. And, depending on the purpose of the account, the presence of a thousand or more friends, or under 20 friends, may point to the account being fake: too few friends may indicate that it's been recently created, or too many may be due to the fact that the account has been bought second-hand or is being used for a single purpose such as marketing or

sales. If an account has been bought second-hand there are more likely to be inconsistencies, due to the presence of a bot-created account or an account created for a single purpose, and also if there's no reply to private messages. Single instances of any of the above don't basically mean that the account is fake; it's whether you have lots of these altogether that could point to that. The Facebook/LinkedIn profile joining date estimator tool (a bit of a mouthful), which you can download for free from our site, can ascertain with 98% accuracy the date a profile was created on these platforms, to within the closest 60 days. The user interface has changed since the slide and the updated version

is still to be issued, however. You basically enter the target profile's name and their join date will come back instantly. A profile's join date is not readily available, even sometimes to the owner of a profile, and it's only by cross-matching the platform's user ID number with dates in the app that the user's join date can be discovered. If a suspect profile has a join date that's very recent, or much more recent than their stated posts, this may point to the profile being fake. Lastly, it's worth exploring the chain of contacts in a profile of interest in order to generate further profile leads. As mentioned before, on many profiles it will not be possible to see the

friends list of someone, but it's possible to retrieve some of the target profile's contacts through the image and other content reactions. In the diagram on the right, A is the start profile; B, C, D, E and F are A's immediate or first-level friends of interest; their friends are secondary-level friends; and their friends in turn are tertiary-level contacts. This is an example scenario of how such an analysis can assist in illicit trade research. Janet Doe lives in New York and runs a shop which has ancient Greek and Roman antiquities for sale. It's suspected that she may have links with dealers and others who are facilitating the source and

transport of stolen antiquities. Her Facebook settings have been configured to prevent her non-friends from viewing her friends list. A search of her name produces a list of 30 names who have made comments on her Facebook profile. A further search of these comments reveals that there is a user, Jerry Green, based in Munich, who owns a freight and storage company. A search of Jerry shows that he has many Facebook connections to people who work or live near archaeological sites in Turkey. One of these contacts has videos and images of using and selling metal detecting equipment, and another contact has advertised uncleaned coins for sale. So by tracking the chain of contacts it may be possible to surmise

how and where Janet Doe is obtaining the antiquities for her store. We've created a tool to automate this analysis, but it needs further development. Search engine backlinks are often a useful way of generating leads or investigating breaches. Backlinks are inbound links to a website which get added to a search engine's site ranking, and there are a number of places which record these backlinks. They're also useful for showing old and current links to a site along with relevant dates and times. This example shows some backlinks to the anonfiles.com file repository site, and this is a screenshot of one particular link found, which offers a file of leaked emails and passwords for download.

These examples show links to a carding site and a darknet hacking service site, both found through backlinks. Publicly available lists of leaked accounts are useful when trying to ascertain more about a person's identity, as passwords often represent something which has a strong personal significance, such as a family member's name, a favourite sports team or a meaningful date or location. In some leak repositories it's possible to search under many different criteria even when the known data is sparse: under usernames, IP addresses and other information, which can basically allow lead generation searches of potential suspects in criminal matters. In this example the

account user list revealed hundreds of users globally who had chosen passwords which pointed to a very high likelihood of their involvement in specific crimes such as terrorism, drug dealing and child pornography. Recently I conducted a study of thousands of leaked passwords and the gender of those they belonged to. Those passwords which contained special characters belonged equally between the genders, but what was interesting was that for special characters placed in the middle of the password, so not at the beginning or the end, 26% of such passwords belonged to women and 74% to men. Even more noteworthy was that the special characters used by the women in this sample were the @ symbol, the hash

and the percentage sign, and only the men chose the underscore, the dollar and question mark symbols. There were even more definite differences between the genders in their choice of password: women were over three times more likely to use their first name in their password than men, but men were over twice as likely to use their surname. Men were also four times more likely to use their first name and surname in the same password than women, and nearly twice as likely to use their email account domain name in their password. Perhaps the most interesting find of all is the use of first names in passwords. I looked at whether the gender of the password owner

affected the choice of the first name used. Males were 1.39 times more likely to choose a female name as opposed to a male name, and out of the females choosing first names, they were over twice as likely to choose a male name. So what we have here is that men are more likely to choose a female name and females are more likely to choose a male name for their password. Could this be why ships and other forms of transport like cars are traditionally given female names? Is this because the ship's engineers are, as we know, mostly men? The standard theory on this is that ships are usually given female names because

it symbolizes the protective goddess or the mother with its womb-like container vessel. I would propose that the more likely reason is that the ship's owners and designers were men who naturally thought of a female name when naming them; likewise, if the ship's owners and engineers had been mostly women in the past we might have had more male-named ships. Domain records are useful in investigations to link common entities to build a picture of any corporate relationships, so two apparently separate business entities may be shown to be linked through common domain names and web service providers. Looking at domain registration records on local registries can sometimes reveal the administrative and technical contact data, as opposed to

others which remove this data due to privacy regulations. In this example we can see the contact addresses of this particular website based in the UAE, by looking at this UAE-based domain search site. Company records will sometimes contain useful information about a suspect, even when they may have altered some of their personal details on the official records to avoid detection. Regarding the official UK company records site, an online search of a director will show their month and year of birth, but on some official company documents, usually scans of paper records such as change of director details, the full date of birth can be seen. So it's always worth checking these

uploaded company filing documents rather than just the on-screen version. Some directors have also deliberately misspelt their name or swapped their first and middle names. Open source data can also be obtained from exposed network devices owned by both companies and private users, and this gives a bit on what we can see with little technical skill needed. This 4G IoT Netcom device login screen was accessed over a browser, and it wasn't necessary to log in to see the status details, which showed the IMEI, the MZ firmware and other information. This Nebra hotspot crypto miner device was accessible over this specific port and showed the device's version, the MAC address, Helium miner address and frequency. The other example on the right

shows the files accessible over anonymous FTP access on port 21 on a Samsung DVR device. For legal purposes, anonymous system access is considered within the bounds of open source, and this has been verified by legal experts on cyber law. With suspected IP addresses it's sometimes useful to look at the open ports not just on the address in question but on other addresses belonging to the same ISP within the same range, as they may belong to the same threat actor. In this example the vulnerability exploitation tool Metasploit was found to be running on port 3790 on the suspect address, and then other addresses in this range were searched to see if this port was open on

them, which led to another address which was found to have various hacking software accessible on port 80. Torrent peer connections can show IP address and country location, and this is quite useful for those looking for those seeding or leeching data leaks as well as pirated content. The SpyServer map shows those who have registered their software-defined radios as servers on the site, showing which are live, their location and other details like the OS, the type of device in use, IP address and username. You can then get the location coordinates of a particular SDR device, and then it's possible to target surrounding radio frequency transmitters, using Wi-Fi hotspots, by using the advertised SDR server to scan for signals

in the locality. This is still within the bounds of open source, as the SDR server in this case is meant to be accessed by the public. Other useful RF sites include OpenCelliD, to see the location and details of cell towers, and the Helium Explorer map, which shows the location of all active Helium cryptocurrency mining devices. If you suspect a particular device of interest, either because of its owner or its geographical location, it's possible to find out more about the device model if it's an iPhone and has the Find My iPhone service enabled and you know the user's iCloud credentials, because one can basically skip the two-factor authentication in order to use the app via the browser. Obviously this is meant

to happen; this is a feature which is there by design, as it allows users who have lost their phone to find it, and they only need to log into iCloud to do this. Clearly this is something that only those with authority to use those credentials should do. But knowing that the user here has an iPhone 12, we can assume that ultra-wideband is in use, and this information may be useful if conducting further assessments in the locality. Ultra-wideband applications for phones include the Apple Car Key, media file transfers and connection with home IoT devices. This app we created extracts IP addresses from forensic artifacts such as log files and flags if any of them

belong to one of the popular free VPN services which do not require a credit card to sign up. The assumption is that those seeking to conduct nefarious activities would be more likely to use services without needing a credit card, for greater anonymity. So this app basically highlights potentially suspicious source IP addresses: you just need to upload the log or paste the text, and the app extracts all the IP addresses and cross-matches them with the ranges belonging to those VPN services which currently do not require a credit card to sign up. I've recently discovered a way that one can jump into Webex video conference meetings using just a browser and without needing a meeting invitation. I

won't be showing how this is done exactly, as it's still going through the responsible disclosure process, but even if one can't join a particular meeting it's sometimes possible to see the user's profile picture, which may not be publicly visible. Credential stealer logs can provide more than just usernames and passwords. Here's an excerpt of the logs belonging to a suspected cyber criminal, which shows some of the sites they have visited or have an account on. The ones in the large font have been highlighted as they point to their sources and methods, as well as the services they use to hide their tracks. If you think a suspect has multiple

websites it's sometimes useful to compare the fonts in use between the sites to see if they have the same author a handy way to do this is to press the control key plus shift and c and then highlight any text on the website to see the fonts in use as in this example I'm going to show you some examples of putting all this into action with some recent cases starting with this particular.net malware hack tools supplier so cross matching the user name found on Alpha Bay with data and password leaks we find a password containing 1731 we also search for this username being used as a password and this leads to finding a reference to

another password containing the number 1731 and an email address the password appeared to contain a first name other email addresses are real estate found being associated with the 1731 password as well as two IP addresses for this user and a phone number all based in Algeria a Google search was done for this phone number and first name and we found this person and his Associated physical address this case involved hunting a threat actor who had breached a large Telco we only had a username to go on starting with a Google search of this name we found a slight variant of it which led to this forum and showed a photo of a user his Brazil country location and a

Facebook profile link the profile name switched out letters for numbers in a similar manner to the username so we just swap the letters back to get a surname a search on the password leakness showed some passwords and a Hotmail address ing the forgot password function on Google for this address we found two phone device devices associated with this account and an iCloud on iCloud one of these devices had a phone number ending in seven seven searches of the Brazilian equivalent of John along with other information led to a reference where user by these details Arsenal four and four are cracked version of some gaming software and also led to an account on the hacking Forum

nulled although the previous Facebook profile had been deleted it was still possible to locate his Skype and Instagram profiles where there were a lot of photos of him the Instagram profile revealed his birthday his probable work employer and his hometown in Brazil and this is also cooperated with the IP addresses found in the password leakless lastly this involves searching for the identity of someone offering Red List prohibitive Wildlife for sale such as cheetah and lion clubs in various countries the efforts contained a contact form and we made and after we made this initial contact we engaged in some email dialogue which got us an email address and a phone number a search for this number was made on WhatsApp as sometimes

WhatsApp is useful for revealing profile descriptions and pictures it is possible to look someone up on WhatsApp using the add a contact process without this person knowing you've done this on this occasion though WhatsApp didn't provide any any information but Skype and Gmail gave us the username and partial Gmail addresses so using a bit of guesswork was some of the redacted Gmail addresses we found a person's name business email company names and Country location further password email address and names cross matching on the password on the password leak list brought up more leads which led to this export company based in South Africa which I believe was being used to facilitate the export of illicit products such as

Pharmaceuticals as well as wildlife so to conclude I hope this helps with locating the source and identity of cyber breaches and criminal suspects cyber Security Consultants are usually more successful with answering the question of what an attacker did and how they did it but uh rarely who has done something so many thanks for listening and I hope that was useful [Applause]
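The log-to-VPN-range check described earlier in the talk (pull every IP address out of a pasted log, then cross-match against the netblocks of free, no-credit-card VPN providers), written here as an added Python example rather than the speaker's own app. The `FREE_VPN_RANGES` netblocks and the `SAMPLE_LOG` lines are constructed placeholders, since the talk does not publish its provider list.

```python
import ipaddress
import re

# Constructed placeholder netblocks standing in for the free, no-credit-card VPN
# providers the app checks; NOT real ranges (the talk does not publish its list).
FREE_VPN_RANGES = {
    "ExampleVPN-A": ["198.51.100.0/24", "2001:db8:1::/48"],
    "ExampleVPN-B": ["203.0.113.64/26"],
}

# A dotted quad, or a run of hex digits/colons with at least two colons;
# ipaddress.ip_address() then rejects look-alikes such as timestamps.
_CANDIDATE_RE = re.compile(
    r"\b(?:\d{1,3}\.){3}\d{1,3}\b"
    r"|(?<![\w:])[0-9A-Fa-f:]*:[0-9A-Fa-f]*:[0-9A-Fa-f:]*(?![\w:])"
)

def extract_ips(text):
    """Return the unique, syntactically valid IP addresses in text, first-seen order."""
    found = {}
    for match in _CANDIDATE_RE.finditer(text):
        try:
            found.setdefault(ipaddress.ip_address(match.group(0)), None)
        except ValueError:
            continue  # "10:15:02", "3:2:1" and similar are not addresses
    return list(found)

def flag_vpn_ips(text, ranges=FREE_VPN_RANGES):
    """Map each extracted IP that falls inside a listed range to its provider name."""
    networks = [(name, ipaddress.ip_network(cidr))
                for name, cidrs in ranges.items() for cidr in cidrs]
    hits = {}
    for ip in extract_ips(text):
        for name, net in networks:
            if ip.version == net.version and ip in net:
                hits[str(ip)] = name
                break  # first matching provider wins
    return hits

# Constructed sample log lines, not from the talk (includes IPv4:port and IPv6).
SAMPLE_LOG = """\
2023-06-01T10:15:02Z sshd[812]: Failed password for root from 198.51.100.23 port 51432 ssh2
2023-06-01T10:15:09Z nginx: 192.0.2.44:48122 - "GET /wp-login.php" 200
2023-06-01T10:16:41Z sshd[815]: Accepted publickey for deploy from 2001:db8:1::5 port 2222
2023-06-01T10:17:03Z nginx: 203.0.113.70:51002 - "POST /admin" 403
"""

if __name__ == "__main__":
    print(flag_vpn_ips(SAMPLE_LOG))  # flagged source IP -> provider name
```

Addresses not inside any listed range (192.0.2.44 in the sample) are extracted but not flagged, so the output is a shortlist for review, not a verdict.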