OSINT Technologies: Safe Online Data Collection

OSINT

Open source intelligence (OSINT) is considered publicly available information (PAI). OSINT, until the internet was introduced, included newspaper clippings and library resources. OSINT mediums are ever-changing, and therefore, collecting this information is both an art and a science. Finding the most effective and secure OSINT technologies have a lasting impact on investigations.

Conveying the sentiment coined by William Gibson, “the street finds its own uses for things,” OSINT technologies must change even faster than the mediums that contain it. Investigators require technology with a predictive development cycle, one that allows them to outrun adversaries to their next playing field.

OSINT Technologies for a Multi-Layered Environment

The internet, what we now find to be the backbone and start of all OSINT investigations, is multi-layered.

Surface Web

The first layer is the surface web, where we all spend our daily lives. The surface web doesn’t look the same from every angle, meaning depending on who website administrators think you are, where you’re located, and what your browsing history looks like, you will often be fed different information.

There are endless surface web tools that provide access to various categories of data. For example, Google Maps provides geographic data, Translate This provides linguistic data, and archiving tools provide historical data. Like this, each search engine retrieves different search results. Meta search engines even query and aggregate data across search engines.

Many of these tools come in the form of browser add-ons. It’s important to be aware that these add-ons slow browsers down and are often outdated and prone to breaking, creating a doorway of vulnerabilities to your investigation. OSINT technologies with integrated surface web tools close these vulnerable gaps.

Deep Web

The second layer of the internet is the deep web. Visually, the topography of the deep web is the most complex. But data in the deep web is not abstract; it is simply not indexed by search engines and just requires authentication to reach it.

Each deep web platform caters to a different user group. Think of deep web platforms as unique networks of people. Since OSINT is most often for the purpose of researching an individual, shifting the investigative mindset to researching networks rather than individuals will seem less like finding a needle in a haystack.

Additionally, effective online criminals are members of various platforms, which muddies the network waters. Investigators must move laterally through networks, analyzing the degree of separation and looking for weak links in order to gain access to the core individual. Networks, although not directly connected across platforms, are interconnected on a social level. And each platform serves a separate purpose. Without an understanding of social sciences, navigating this terrain can be hazardous during an investigation. OSINT technologies that are developed specifically for securely navigating deep web networks facilitates safe investigations.

The Dark Web

The third layer of the internet, which is known often as the most dangerous, is the dark web, accessed through the Tor browser. Growing interest by investigators in the dark web has required a new level of training to fully understand the behavior of Tor and its intricacies. Investigators must be able to connect information on the dark web to real-world people, places, and things.

Navigating Tor as an investigator without employing a managed attribution (MA) platform is like walking down the street in plain clothes with your badge in your back pocket. Pickpockets know you’re there, and if you aren’t paying attention, will reveal your identity and track your footprints. Investigators must follow a “never trust” philosophy while navigating and collecting OSINT on the dark web and employ holistic OSINT technologies as a foundational layer of security.

Cyber Geography Matters

Just like world geography, the internet is broken down into cyber geography. The domain name system (DNS) both defines the geographic breakdown and makes URLs readable by humans. Top-level domains (TLDs)—like org, com, and gov—further categorize what may be found at the URL address. Without even a high-level understanding of URLs, huge volumes of data can be missed by an investigator researching in the wrong cyber region.

Further, the search results retrieved by search engines very much depend on the user’s location and search history. There are ways around coaxing neglect of geographies, such as using Google NCR or using a clustering search engine like Carrot2. Search results can also be refined in other ways using search operators, known as Google Dorking.

Key OSINT Technologies

Operational Security Rigor

The internet was built for efficiency, not security. There are two types of security that investigators must adopt: practical and technical. Although OSINT technologies are advancing overnight to add layers of security to investigations, humans will always be the weakest link. As layers are added, developers must be cognizant of the diversity, flexibility, and usability of technology. Striking that balance is the difference between simply securing an operation and advancing the performance and efficiency of an operation without sacrificing security.

Here are some ideas to keep in mind when considering the use of OSINT technologies. We’ll expand on these ideas more throughout this year.

An air-gapped managed attribution platform inside a VDI provides a critical separation of the OSINT investigation’s activity from your organization’s network.

Never cross-contaminate research machines with normal browsing activity.

Good computer hygiene should be a regular practice.

As soon as you use social media, the platform has full permission to track your activity. Always log out of social media platforms when day-to-day research is complete.

With these key foundational components, investigators can avoid the direct observation of their online activities and affiliated organizations. But an investigator can’t be totally invisible. Browser profiles and IP addresses are unique and visible to web servers and website administrators as digital fingerprints. With virtual machines (VM), malware and trackers are destroyed at the end of every session through the purging of the VM. MA-platform use alongside safe practices protect the investigator, organization, and research.

Going Dark with Smart Security

Complete privacy on the internet is an oxymoron. The internet’s sole purpose is communication. IP addresses allow systems to communicate to one another in order to retrieve the data that you need and navigate to where you want to go. It’s as easy to figure out your own IP address as it is to figure out another’s.

Why not just use Tor with all its embedded nodes to effectively hide online? Because OSINT investigators need to do more than just blend in. Using Tor is a sure sign to website administrators that you are trying to hide from someone. This may lead to purposeful misinformation by website administrators. Additionally, because of its complex network of nodes, Tor is slow.

Enter VPNs: combining the use of VPNs with an MA platform, investigators can access geographically specific information from the IP location of choice, whereas this can’t be done using Tor. Investigators can even build a custom network rather than rely on the unreliable alternatives. OSINT technology stretches far beyond the walls of your facility and the computer on your desk.

Smart security involves using the right OSINT technology and techniques at the right time—without inhibiting an operation’s diversity, flexibility, and utility. Passive casual browsing requires an MA platform and VPNs. More advanced online operations require access to integrated third-party tools and custom applications within the MA platform. Furthermore, high-pressure situations require intensive practical training and preparation.

Conclusion

Navigating, analyzing, and collecting OSINT on the multi-layered internet need a multi-layered security approach. With these OSINT technologies and techniques and those that will follow in 2022’s Ntrepid blog series, The Art of Operating Online, investigators will learn the critical methods for safely advancing ahead of adversaries.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
esctx	session	The esctx cookie is set by Microsoft for secure authentication of the users' login details.
JSESSIONID	session	The JSESSIONID cookie is used by New Relic to store a session identifier so that New Relic can monitor session counts for an application.
stsservicecookie	session	This cookie is set by Microsoft for secure authentication of the users' login details.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
x-ms-gateway-slice	session	This cookie is set by Microsoft for secure authentication of the users' login details.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat_UA-37785135-1	1 minute	A variation of the _gat cookie set by Google Analytics and Google Tag Manager to allow website owners to track visitor behaviour and measure site performance. The pattern element in the name contains the unique identity number of the account or website it relates to.
_gcl_au	3 months	Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.
vuid	2 years	Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos to the website.

Cookie	Duration	Description
_fbp	3 months	This cookie is set by Facebook to display advertisements when either on Facebook or on a digital platform powered by Facebook advertising, after visiting the website.
fr	3 months	Facebook sets this cookie to show relevant advertisements to users by tracking user behaviour across the web, on sites that have Facebook pixel or Facebook social plugin.
personalization_id	2 years	Twitter sets this cookie to integrate and share features for social media and also store information about how the user uses the website, for tracking and targeting.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
buid	1 month	No description available.
fpc	1 month	No description available.
muc_ads	2 years	No description available.
RpsContextCookie	10 minutes	No description available.
visitor_id456132	10 years	This is a cookie pattern that appends a unique identifier for a website visitor, used for tracking purposes. The cookies in this domain have a lifespan of 10 years.
visitor_id456132-hash	10 years	This is a cookie pattern that appends a unique identifier for a website visitor, used for tracking purposes. The cookies in this domain have a lifespan of 10 years.

OSINT Technologies: Safe Online Data Collection

Share this post