Every investigation is different, but what never changes is that you have to treat an investigation much like building something from a bucket of Lego bricks. With each breadcrumb you put another brick on the table; as you keep following leads you add more pieces, and eventually (hopefully) you start building something from the many breadcrumbs you have observed. You are moving from less knowledge to more knowledge as you find new pieces of the puzzle.
The last 12 months have introduced a few hurdles for OSINT / PAI hunters, as easy tricks that provided one-to-one correlations have been removed by many of the social media platforms and collection watering holes alike.
Previously on 24, you could easily correlate many one-to-one mappings with phone number and email address lookups, and in some cases you can still do this on select platforms. As time moves forward, I anticipate that email address and phone number lookups will become much harder for your typical instrumentation.
No need to despair: as a good investigator you should already be adjusting to changes like this, since no two investigations are the same. Regardless of where an investigation starts, remind yourself that you need to be flexible, adapt from that starting point, and see where your skills and questions take you.
I was prompted to write this after a few exciting cases left little to go on, as well as by the shift in the industry. As I listened to some of our customers, it sounded like they had grown used to “OSINT button-ology” rather than taking on a more robust methodology in their investigative workflow, one that enables more adaptability and structure when deconstructing the small breadcrumbs they are given.
One of the techniques we have been pushing in training is to treat email addresses a bit differently.
Deconstructing Email Addresses
Treat the email address as two things:
1) The full email address: Joesmith179@gmail.com
2) The alias in front of the @: Joesmith179
So Joesmith179@gmail.com should be broken up into two search terms, Joesmith179@gmail.com and Joesmith179.
Then search… for one-to-one correlations against the full email address first, followed by searching all platforms for correlations to the alias. Human nature wants to use the same thing. Over and over…
Human nature will also reuse the same alias across different email providers, sometimes with small variations.
So take Joesmith179@ and try it at the other common providers (gmail.com, yahoo.com, outlook.com and so on), and add a few shotgun approaches to the search, for example the alias with its trailing digits dropped or with separators changed.
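The two-phase search above, written out as an added example that is not ShadowDragon's own tooling: the address is split into the full-address key and the alias key, the alias is expanded with a few small variations and tried at other providers, and both keys are run against a constructed set of platform profiles standing in for real lookups. The provider list, the variation rules and the sample profiles are assumptions made for the example, and the strong/medium/weak grading is one way to keep a full-address hit separate from a looser alias hit.

```python
import re
from dataclasses import dataclass

# Assumption: a short list of common webmail providers to try the alias at.
PROVIDERS = ("gmail.com", "yahoo.com", "outlook.com", "hotmail.com",
             "protonmail.com", "icloud.com")


@dataclass
class Pivots:
    email: str               # normalised full address, the one-to-one key
    alias: str               # local part with any plus-tag removed
    domain: str
    alias_variants: tuple    # alias plus small variations a person might reuse
    candidate_emails: tuple  # alias variants at the other providers


def deconstruct(email: str) -> Pivots:
    """Split an address into its two search keys: full address and alias."""
    email = email.strip().lower()
    if email.count("@") != 1:
        raise ValueError(f"not an email address: {email!r}")
    local, domain = email.split("@")
    # A plus-tag (joesmith179+shop@gmail.com) is a user-chosen suffix; drop it.
    base = local.split("+", 1)[0]
    variants = {base}
    # Gmail ignores dots in the local part, so joe.smith179 and joesmith179
    # reach the same mailbox; keep both spellings as search terms.
    if domain in ("gmail.com", "googlemail.com"):
        variants.add(base.replace(".", ""))
    # "Smaller variations" (assumed rules): separators removed, and the
    # trailing digits stripped (joesmith179 -> joesmith).
    for v in tuple(variants):
        variants.add(re.sub(r"[._-]", "", v))
        stem = re.sub(r"\d+$", "", v)
        if stem:
            variants.add(stem)
    variants.discard("")
    ordered = [base] + sorted(variants - {base})
    candidates = [f"{v}@{p}" for v in ordered for p in PROVIDERS
                  if f"{v}@{p}" != email]
    return Pivots(email, base, domain, tuple(ordered), tuple(candidates))


# Constructed sample profiles standing in for lookups on several platforms;
# "email" is None where the platform exposes only a username.
SAMPLE_PROFILES = (
    {"platform": "forum", "username": "jsmith", "email": "JoeSmith179@gmail.com"},
    {"platform": "photo-site", "username": "Joesmith179", "email": None},
    {"platform": "code-host", "username": "joesmith", "email": "joesmith179@protonmail.com"},
    {"platform": "video-site", "username": "joesmith", "email": "someone.else@gmail.com"},
    {"platform": "news-site", "username": "bob42", "email": None},
)


def correlate(email: str, profiles=SAMPLE_PROFILES) -> list:
    """Phase 1: one-to-one match on the full address (strong lead).
    Phase 2: the alias at another provider or as a username (medium),
    and alias variants (weak). Each profile yields at most one lead."""
    p = deconstruct(email)
    leads = []
    for prof in profiles:
        prof_email = (prof["email"] or "").lower()
        user = prof["username"].lower()
        if prof_email == p.email:
            leads.append((prof["platform"], "email", "strong"))
        elif prof_email in p.candidate_emails:
            leads.append((prof["platform"], "alias@provider", "medium"))
        elif user == p.alias:
            leads.append((prof["platform"], "alias", "medium"))
        elif user in p.alias_variants:
            leads.append((prof["platform"], "alias-variant", "weak"))
    return leads


if __name__ == "__main__":
    for lead in correlate("Joesmith179@gmail.com"):
        print(lead)
```

The weak leads are the ones to verify with a second, independent breadcrumb before putting them on the Lego table; the strong one-to-one hit is what the platforms are making harder to get, which is exactly why the alias phase matters.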
Following methods like these tends to produce a few more leads, while pushing the investigator to rely on a methodology and think through the problem rather than relying on a single method to attack it.
We cover techniques like this in our training courses but will attempt to push more information up into the blogosphere as time permits.
With extensive experience in defensive and offensive security, Daniel has been a quiet trailblazer in digital intel-gathering long before cyber intelligence became a discipline. More than a decade ago he was inventing and applying his own intelligence tools in support of companies and governments around the world facing urgent threats. Using this deep understanding of web technologies and the behaviors of cybercriminals, he has enhanced, updated and packaged these tools under ShadowDragon.
Daniel is a member of Odonata Holdings, Inc.