Stand-alone Laptop: OPSEC Failures During Investigations

Challenges for Law Enforcement Agents Using Stand-Alone Laptops

The internet of things (IoT) is now part of virtually all investigations, bringing significant new complexity to gathering evidence or conducting undercover activity, especially when investigators rely on a stand-alone laptop. Consequently, internet-based investigations create a whole new category of risks. Not unlike detectives who work in plain clothes and drive unmarked cars, law enforcement OSINT investigators must avoid detection when collecting evidence online.

Everyone should be aware by now that, when you are active online, your stand-alone laptop, tablet, mobile device, gaming system, etc. reveals a consistent fingerprint. Websites and platforms automatically know your operating system, device model, the app or browser you are using to access the internet, any browser plug-ins you’ve installed, language capabilities, and much more. Platforms and third parties actively use this information to profile and track their users/visitors.

This creates a unique challenge for investigators. With their identity and true location visible to anyone, investigators on a stand-alone laptop will be blocked from accessing target websites or sometimes fed misinformation. For example, a criminal dealing fentanyl on the dark web would not interact with someone using a government IP address whose name ties to a Facebook account that follows several law enforcement pages. The entire criminal network would block the investigator immediately, causing significant delays and jeopardizing the mission.

Common OPSEC Mistakes Online

A common method still used to conduct undercover online investigations is to use a stand-alone laptop connected to the internet over personal or public WiFi. Unfortunately, this is an unsafe way to operate, with significant risk of identification, location exposure, content blocking, and infection. Recently, the NSA published a warning that included the risks involved in using public or personal WiFi networks. Additionally, law enforcement officials often struggle to satisfy multi-factor authentication methods from a stand-alone laptop when gaining access to deep web sources.

The Stand-alone Laptop Solution

We know that websites can restrict content or serve up entirely different or fraudulent content if the user's traffic originates from a certain region or organization. Investigators often try to avoid this by tethering the stand-alone laptop to a WiFi hotspot that is not affiliated with the organization. However, while a stand-alone laptop prevents the investigator from being trivially tracked back to the organization's network, it does not prevent content blocking or misinformation from the target website. Without rigorous care and OPSEC, the WiFi can quickly be associated with the organization anyway.

Gathering online research about criminal organizations often leads investigators to websites that contain malware designed to target and profile the site's visitors. This is an unavoidable risk. Using a stand-alone laptop will protect the agency's network, but consistently using the same, possibly infected, laptop across multiple investigations jeopardizes the investigator's mission. Disposing of or re-imaging the stand-alone laptop after each use is the only way to ensure that anything malicious picked up during the course of an investigation is destroyed. However, this option is not practical and wastes valuable time and money.

Creating an Inconsistent Digital Fingerprint

Some investigators will try to provide fake information to disguise their fingerprints. To a sophisticated adversary, the underlying information is still discoverable without careful backstopping and the correct technology to hide your various attributes and forms of digital litter. Inconsistent settings on a stand-alone laptop can cause an investigator to look even more suspicious to a target website.
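As an added illustration (not code from the original post or from Ntrepid) of the attributes a site reads from a browser and of why inconsistent settings stand out, the following self-audit cross-checks the operating system a user agent claims against the platform the browser reports, flags plug-ins exposed under a mobile user agent, and compares the cover identity's locale with the browser's preferred language. The sample fingerprints and the user-agent-to-platform pairings are constructed assumptions; in a real browser the object would be filled from navigator.userAgent, navigator.platform, navigator.languages and navigator.plugins.

```javascript
// Pairings of the OS token in a user-agent string with the navigator.platform
// values that ordinarily accompany it (assumed, commonly observed pairings).
const UA_OS_RULES = [
  { os: "Windows", uaToken: /Windows NT/,  platforms: [/^Win32$/, /^Win64$/] },
  { os: "macOS",   uaToken: /Macintosh/,   platforms: [/^MacIntel$/] },
  { os: "iOS",     uaToken: /iPhone|iPad/, platforms: [/^iPhone$/, /^iPad$/, /^MacIntel$/] },
  { os: "Android", uaToken: /Android/,     platforms: [/^Linux (armv|aarch64)/] },
  { os: "Linux",   uaToken: /X11; Linux/,  platforms: [/^Linux (x86_64|i686)$/] },
];

// Returns a list of human-readable inconsistencies; an empty list means the
// fingerprint is at least internally coherent.
function auditFingerprint(fp) {
  const findings = [];
  const rule = UA_OS_RULES.find(r => r.uaToken.test(fp.userAgent));
  if (!rule) {
    findings.push("user agent does not name a recognised OS");
  } else if (!rule.platforms.some(p => p.test(fp.platform))) {
    findings.push(`user agent claims ${rule.os} but platform is "${fp.platform}"`);
  }
  // Mobile browsers expose no plug-ins; a plug-in list under a phone UA is a tell.
  const mobile = /Android|iPhone|iPad/.test(fp.userAgent);
  if (mobile && fp.plugins.length > 0) {
    findings.push(`mobile user agent but ${fp.plugins.length} plug-in(s) exposed`);
  }
  // The cover identity's locale should match the browser's preferred language.
  if (fp.coverLocale && fp.languages[0] !== fp.coverLocale) {
    findings.push(`cover locale ${fp.coverLocale} but browser prefers ${fp.languages[0]}`);
  }
  return findings;
}

// Constructed sample: a "Windows" cover actually running on a Linux laptop, with
// the investigator's real locale leaking through the browser language list.
const SUSPICIOUS = {
  userAgent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36",
  platform: "Linux x86_64",
  languages: ["en-US", "en"],
  plugins: ["PDF Viewer"],
  coverLocale: "de-DE",
};
// The same cover with platform and language brought into line.
const COHERENT = { ...SUSPICIOUS, platform: "Win32", languages: ["de-DE", "de", "en"] };

console.log(auditFingerprint(SUSPICIOUS)); // two findings
console.log(auditFingerprint(COHERENT));   // []
```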

Ignoring Application Tracking and Analytics

Many applications and social media platforms capture and store a user's metadata. For instance, Telegram's Privacy Policy states that the app may collect metadata such as your IP address, devices used, history of username changes, and other aggregated metadata. This allows Telegram to inspect the device your app is running on. The detailed device logs could expose data about an investigator's device that could indicate an inconsistent digital fingerprint or even completely reveal their true attribution.

Additionally, people will often routinely grant unnecessary permissions without even thinking. Facebook and Facebook Messenger request a lot of permissions—and, while some are clearly needed to run the application, others, such as downloading files without notification, are a little less obvious. It is important to keep device permissions in mind when conducting a criminal investigation.

To effectively protect their online investigations, law enforcement agents need more robust capabilities and overall protection than any stand-alone solution can provide. Adversaries are becoming more sophisticated by the day, and remaining cover-consistent is increasingly difficult. Only a properly designed, virtualized, and isolated investigation platform can address these issues, ensuring both safe and effective online activities.

To learn about best practices for managing your OPSEC during investigations, sign up for a virtual training with Ntrepid Academy.