Advanced Research Investigations for SIU Investigators
1. Advanced Research Investigations for
SIU Investigators
“Obtaining optimal investigative results through the implementation of our diverse team,
made up of specialized research investigators and skilled surveillance experts”
888-989-2800
www.claimspi.com
info@claimspi.com
Adam Groth, Research Investigations Manager - (does all the work)
Daniel Klimek, Director of Operations - (takes credit for all the work)
2. About Us
• Sherlock Investigations takes great pride in knowing that we are different. Our
size and diversity allow us to leverage specialists in a variety of investigative
disciplines to ensure that we are designing the best possible investigations for
our clients, consistently delivering the best results.
3. What is Internet Profiling?
Collecting and analyzing a person’s
Internet footprint to give the investigator a
broad insight into the person’s activities,
background and relevant characteristics.
4. Definitions
• “Social Media Investigation” - technically refers to
locating and documenting sources of data found within
profiles primarily used for social or professional
networking. The most common examples are
Facebook, Twitter, LinkedIn, Instagram
• “Internet Investigation” and “Internet Profile” -
encompass both social media searches and various
deep-web internet searches, including Google and other
indexable platforms
5. Social Media vs. Internet Profile
Social Media:
• Includes only information from social networking sites
• Limited to input data
• Usually only from target’s individual profile
• Excludes more obscure platforms
• Largely computerized/automated
• Better looking reports!
Internet Profile:
• Includes social networking sites
• Full internet footprint
• Deep web searches
• Searches images of target and known assoc./family
• Uses multiple sources to identify target profiles, even if the user name is an
avatar/screen name unrelated to the target
• Even non-internet/social media users have data online
6. Topics of the Day
• The Past & Present of Research Investigations
• OSINT
• Types + Sources + Tools
• The Future of Research Investigations
7. History Lesson
• Credit Header Information
• Social Networking Sites
• What’s up with Facebook?
• GeoSearches
• The firehose has been shut off
8. Cambridge Analytica
• Graph API intentionally left open by FB for developers and other apps
• Granted other apps access to FB data
• Used people, likes, shares, etc. as objects to make connections between
people, events and products
• Provided an “open door” to data on private profiles through friends and
shared connections
• 530k users of one particular app turned into nearly 30m user accounts available
for access
10. Geo-targeted Searches
• Searching for social media across various
platforms in a specific geographic location/area
• As large as a shopping mall or event center
• As small as a single home or specific highway mile marker
• Specific timeframes for posts can also be set
17. Federal Rule of Evidence 902(13) (14)
• (13) Certified Records Generated by an Electronic Process or System. A
record generated by an electronic process or system that produces an
accurate result, as shown by a certification of a qualified person that
complies with the certification requirements of Rule 902(11) or (12). The
proponent must also meet the notice requirements of Rule 902(11).
• (14) Certified Data Copied from an Electronic Device, Storage Medium,
or File. Data copied from an electronic device, storage medium, or file, if
authenticated by a process of digital identification, as shown by a
certification of a qualified person that complies with the certification
requirements of Rule 902(11) or (12). The proponent also must meet the
notice requirements of Rule 902(11).
18. • Allows for the self-authentication of digital (internet) evidence
• Requires MD5 hash values (metadata) presented by a qualified person
• A hash value is a fixed-length fingerprint (MD5: 128 bits, 32 hex characters)
that is unique to each captured page, image, post, etc. (because MD5 collisions
are known, many tools record a SHA-256 value alongside it)
• This has to be done at the time of collection, so the retained copy can still be
verified even if the content is later deleted from the internet
19. Digital Media Authentication Solutions
• Largely software based
• Have been available for years
• Include metadata (hash values) for social media, images, pages, etc.
• Metadata pertains to the capture of the media
• Reports are ugly and long, but they ensure compliance when necessary
• Should be done right away if planned to be used
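As an added illustration of slides 18 and 19 (not part of the original deck or any vendor's product), the following Python builds the kind of capture record a qualified person certifies under Rule 902(13)/(14): source, collector, UTC capture time, size and hash values, and then verifies a retained copy against it. The sample bytes, URL and collector name are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed sample standing in for a captured web page (not a real capture).
SAMPLE_CAPTURE = b"<html><body>Posted 2019-06-18: weekend fishing trip photo</body></html>"


def make_capture_record(content: bytes, source_url: str, collector: str,
                        captured_at: Optional[datetime] = None) -> dict:
    """Build the record a qualified person signs off on: what was collected,
    from where, by whom, when (UTC), and the hash values of the retained copy."""
    captured_at = captured_at or datetime.now(timezone.utc)
    return {
        "source_url": source_url,
        "collector": collector,
        "captured_at_utc": captured_at.isoformat(),
        "size_bytes": len(content),
        "md5": hashlib.md5(content).hexdigest(),        # 128 bits, 32 hex chars (slide 18)
        "sha256": hashlib.sha256(content).hexdigest(),  # stronger companion hash
    }


def verify_capture(content: bytes, record: dict) -> dict:
    """Recompute every value over the retained copy and compare with the record.
    Per-field results let a reviewer see exactly which check failed."""
    return {
        "md5": hashlib.md5(content).hexdigest() == record["md5"],
        "sha256": hashlib.sha256(content).hexdigest() == record["sha256"],
        "size": len(content) == record["size_bytes"],
    }


def is_authentic(content: bytes, record: dict) -> bool:
    """True only when every recorded value matches the retained copy."""
    return all(verify_capture(content, record).values())


if __name__ == "__main__":
    rec = make_capture_record(SAMPLE_CAPTURE, "https://example.invalid/post/1", "A. Investigator")
    print(json.dumps(rec, indent=2))
    print("unaltered copy verifies:", is_authentic(SAMPLE_CAPTURE, rec))
    # A same-length edit keeps the size check green but fails both hashes.
    print("edited copy verifies:", is_authentic(SAMPLE_CAPTURE.replace(b"2019", b"2018"), rec))
```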
20. METADATA
• The data within the data
• Identifies when a photo was taken
• Possibly even WHERE the photo was taken and with what device
• In most cases is critical in proving WHEN something occurred
• Can include geographic location
• Data about the device, user, domain
22. Metadata vs. Authentication
• Authentication proves that the data was collected, when it was collected and
where it was collected from.
• It can also show the investigative “path” that was taken to obtain the data
• Can prove data was collected legally and when/where the data existed
• Metadata is what actually proves WHEN or WHERE data was created
• Think about a Facebook image
• Prior slides confirm that the majority of social media sites make no metadata available
• This includes Facebook, which means that even with authentication software you
cannot prove when a photo was TAKEN, only when it was posted to Facebook.
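To make the point of slides 20 and 22 concrete, here is an added Python example (not from the deck) that reads the DateTimeOriginal tag from a JPEG's Exif APP1 segment. It constructs two sample images: one carrying a "taken" timestamp as a camera would write it, and one with the Exif segment stripped as social platforms typically re-serve images. The builder only produces the metadata segments, not a renderable picture.

```python
import struct
from typing import Optional


def build_exif_jpeg(date_taken: Optional[str]) -> bytes:
    """Constructed sample: a minimal (non-renderable) JPEG whose only Exif tag is
    DateTimeOriginal. date_taken=None mimics a photo whose Exif was stripped on upload."""
    body = b"\xff\xd8"  # SOI
    if date_taken is not None:
        tiff = b"MM\x00\x2a" + struct.pack(">I", 8)  # big-endian TIFF header, IFD0 at offset 8
        # IFD0: one entry, ExifIFDPointer (0x8769, LONG) -> Exif sub-IFD at offset 26
        ifd0 = struct.pack(">H", 1) + struct.pack(">HHII", 0x8769, 4, 1, 26) + b"\0\0\0\0"
        # Exif sub-IFD: one entry, DateTimeOriginal (0x9003, ASCII, 20 bytes) stored at offset 44
        sub = struct.pack(">H", 1) + struct.pack(">HHII", 0x9003, 2, 20, 44) + b"\0\0\0\0"
        payload = b"Exif\0\0" + tiff + ifd0 + sub + date_taken.encode("ascii") + b"\0"
        body += b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload  # APP1 segment
    return body + b"\xff\xd9"  # EOI


def _ifd_entries(tiff: bytes, order: str, offset: int):
    """Yield (tag, type, count, value_or_offset) for each 12-byte entry in an IFD."""
    n = struct.unpack(order + "H", tiff[offset:offset + 2])[0]
    for i in range(n):
        start = offset + 2 + 12 * i
        yield struct.unpack(order + "HHII", tiff[start:start + 12])


def exif_date_taken(jpeg: bytes) -> Optional[str]:
    """Return DateTimeOriginal from the Exif APP1 segment, or None when no such tag exists."""
    pos = 2  # skip SOI
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI or start of scan: no more metadata segments follow
            return None
        seg_len = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        seg = jpeg[pos + 4:pos + 2 + seg_len]
        if marker == 0xE1 and seg.startswith(b"Exif\0\0"):
            tiff = seg[6:]
            order = ">" if tiff[:2] == b"MM" else "<"
            ifd0 = struct.unpack(order + "I", tiff[4:8])[0]
            for tag, _typ, _cnt, sub_off in _ifd_entries(tiff, order, ifd0):
                if tag == 0x8769:  # follow the pointer into the Exif sub-IFD
                    for t, typ, cnt, off in _ifd_entries(tiff, order, sub_off):
                        if t == 0x9003 and typ == 2 and cnt > 4:  # ASCII value stored out of line
                            return tiff[off:off + cnt].rstrip(b"\0").decode("ascii")
        pos += 2 + seg_len
    return None


if __name__ == "__main__":
    original = build_exif_jpeg("2019:06:18 14:02:33")  # as written by the camera
    reposted = build_exif_jpeg(None)                     # as re-served by a social platform
    print("original taken:", exif_date_taken(original))  # 2019:06:18 14:02:33
    print("reposted taken:", exif_date_taken(reposted))  # None: only the post/capture time is provable
```

When the second call returns None, the capture record from the previous slides can still attest when the image was collected, but nothing on the image itself proves when it was taken.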
24. WHAT IS OPEN SOURCE?
A.K.A. OSINT
Open Source Intelligence (OSINT) is the collection
and analysis of information that is gathered from
public, or open, sources.
OSINT is distinguished from research in that it
applies the process of intelligence to create tailored
knowledge supportive of a specific decision by a
specific individual or group.
25. Where does OSINT Stop?
• OSINT doesn’t “touch” or make contact with a source or a target
• This includes domains, servers, internal databases
• Changes nothing
• Hands off collection of what is available outwardly
• API and web scraping are outward facing, just not easy to get to
• Unintentionally open and available data is still OSINT
26. OSINT is Generally Broken into 6 Main
Categories
• Media: print newspapers, magazines, radio, and television.
• Internet: online publications, blogs, discussion groups, citizen media
(i.e. cell phone videos and user-created content), YouTube, and other
social media websites (e.g. Facebook, Twitter, Instagram).
• Public Government Data: public government reports, budgets,
hearings, press conferences, and speeches.
• Professional and Academic Publications: information acquired
from journals, conferences, symposia, academic papers, dissertations,
and theses.
• Commercial Data: commercial imagery, financial and industrial
assessments, and databases.
• Grey Literature: technical reports, preprints, patents, working papers,
unpublished works, and newsletters.
27. What are we actually after?
• Text
• Images/Video
• Metadata
• Data about Data
• Connections
• Databases
• Export Raw Data
32. A Personal Favorite
(before Adam gets really technical)
• Tinfoleak – Free Tool to help Analyze Twitter Users
• http://tinfoleak.com/reports2/sherlock_claims.html
33. Where does OSINT fit in if we do our jobs right??
• Investigating Sharon Henry in New Jersey
• No social media (that could be found), No court records, No criminal history
• OSINT to save the Day!
• Search Local Newspapers and find that Sharon attended Clifford J Scott High School
• Find the Yearbook from her graduating class and the world opens up…
34. Some of the ways we do it:
• APIs and URL Manipulation
35. Understanding APIs and URL Manipulation
• API - Application program interface
(API) is a set of routines, protocols,
and tools for building software
applications. An API specifies how
software components should
interact. Additionally, APIs are used
when programming graphical user
interface (GUI) components.
• API – How websites interact with
each other to share data.
• URL Manipulation - the process of
altering the parameters in a
URL. URL manipulation can be
employed as a convenience by a
web server administrator, for
nefarious purposes or by a private
investigator.
• URL Manipulation – altering the
URL to produce results not offered
by the website’s normal platform.
36. Application Programming Interfaces
• APIs were created to make web
platforms more efficient.
• Service APIs allow access to data
that would be secured on the
original version of a website.
• They achieve this by sharing code that
would normally be protected or
proprietary on one platform, so the
code may be used on multiple
platforms.
• Why do we care?
• If we ask Facebook (the webpage) for
specific information, it will tell us that
we do not have access to it.
• If we ask the service API for Facebook
for this data it will provide it to us.
37. URL Manipulation
• Knowing where the information is
coming from on social media websites
allows us to manipulate the URL of
these pages to access content not
usually available through the
webpage.
• There is still information that cannot
be accessed (as it should be) but the
additional pieces of information this
methodology unlocks aids in the
investigation process.
• A perfect example is a case assigned to us
from your office:
• Michael Williams
• Flint, MI
• June 18, 1953
• Head, Neck, Back and Hip Injuries
• Replacement Services Suspected
• One would think a 64-year-old might not be
the best candidate for a social media
investigation…
• Clear criminal history, no apparent history of
personal injury suits and he has a very
common name…
38. A Better Way of Searching on Facebook
• The key to searching Facebook
through URL manipulation is to
identify the subject profile’s “user
number”
• Michael Williams chose not to have
his “user name” shown in the
Facebook settings which makes this
easy as it is displayed in the URL.
• If it were not displayed but instead
showed michael.williams9888 as his
“user name” you could find his “user
number through the URL of any of
his images.
39. Using the Facebook User Number
• Once the “user number” is
identified you can manipulate the
URL for Facebook to provide you
with search results for only your
Michael Williams and not every
Michael Williams on Facebook.
• This URL produces photos posted by the
subject.
• This URL produces photos the subject is
tagged in.
• This URL produces posts the subject is
tagged in.
• This URL produces photos the subject has
commented on.
40. Why do you care about these searches?
• Behavior Analysis – If we can understand
who the subject is, what makes them tick,
and what is important to them, we can
better investigate a claim.
• All of these searches offer up a piece of
the puzzle into “who” Mr. Williams is as a
person.
• With these pieces (many or few) we will
have certain advantages when it comes to
surveilling Mr. Williams should it be
needed.
41. Twitter
• Each website has a different
protocol to follow but there are
additional searches that can be
run.
• There are other websites that
make it easier to find information
on Twitter.
• Foller.me – strips biographical
info from a profile as well as join
date.
• Moz.com – allows you to
analyze followers to see overlap
between up to three profiles to
find common links.
• This search allows me to get all tweets
within 1km of a lat/long.
• This search strips out just media posts
by the subject to remove “re-tweets”
• This search strips out just outgoing
tweets
• This search strips out just incoming
tweets
42. What does the future hold?
• Web Scraping/Intelligence Aggregation
• Data Importation
• AI/Automated Searches
• Data Visualization
• Image Searches
43. Web Scraping
• Web Scraping (also termed Screen Scraping, Web Data
Extraction, Web Harvesting etc.) is a technique employed to extract large
amounts of data from websites whereby the data is extracted and saved to
a local file in your computer or to a database in table (spreadsheet) format.
44. How do we use this information?
• Identify current address
• Locate common locations and habits
• Identify friends/relatives locations
• Locate employment
• Create graphical displays (link analysis) – Visual Data
46. Timeline Elements
• Social Media Images/Videos
• Events
• Criminal Records
• Court Dates
• Vehicle Sightings
• HUMINT
• Hospital/Pharmacy Records
• Additional collisions
• Law Enforcement Contacts
• Hunting/Fishing Licenses
• Vehicle or Home Purchases
• Employment Dates
• Education Records
48. • Adam Groth
• Daniel Klimek
• Info@claimspi.com
• 888-989-2800