Deep Dive into Operational Security

(First Published on Medium March 2020)

From my previous posts you may have gathered that I have an interest in leveraging mobile phones for OSINT; however, OPSEC is never far from my thoughts, and I have @dutch_osintguy to thank for that, as he is passionate about the subject and gave me a few pointers for this blog too. Check out his blogs and webinars.

You may think that the risks to your investigation from some of what I am going to write about are minimal; however, depending on the capability and position of the person or entity you are researching, it could well be an issue. This is a drop in the ocean, and it is all about assessing where the risks lie.

My preferred approach is to use brand new smart devices, although I have reused devices too. I understand that there are always cost elements at play here. We are fortunate in the UK that we can purchase a new smartphone for cash without the need to provide any identification. The same is true of a SIM and access to mobile data.

Reusing old devices, however, can create OPSEC risks.

I am going to talk generally here about Google and Apple devices. They use unique identifiers, sometimes referred to as a universally unique ID or UUID, to track a device and link it to accounts. Don't forget that if you are using an Android device from any other manufacturer, they will also be collecting information in a similar fashion, and I would say you should read up on their privacy policies too.

This is from Google's privacy policy on the information they collect:

“A unique identifier is a string of characters that can be used to uniquely identify a browser, app, or device. Different identifiers vary in how permanent they are, whether they can be reset by users, and how they can be accessed. Unique identifiers may also be incorporated into a device by its manufacturer (sometimes called a universally unique ID or UUID), such as the IMEI-number of a mobile phone.”

In essence, they can link an IMEI to every account that has been used on that device. So what @dutch_osintguy preaches, never mix your OSINT persona with your personal social media, is very relevant here. If you decide to reuse one of your old smart devices to set up a new sock puppet, and you insert a new SIM to give yourself a new number for anonymity, that may not be enough to protect your OPSEC.

If you are in any doubt about what information they gather, read their privacy policies: maybe a riveting night-time read, or maybe not; in any case you will fall asleep.

So the phone is factory reset; however, when you set it up with a new sock puppet account, Google or Apple still has a record of the device's ID and can link it back to the account or accounts that have previously been on the device. A factory reset wipes user data, not hardware identifiers such as the IMEI or serial number. This may or may not be an issue, as your subject or entity may not have the ability to access that information, but at the very least you are leaving a footprint with Google and Apple.

I cannot say exactly how Google's or Apple's algorithms work, because I am just not bright or informed enough, but we do know that they use a device's Wi-Fi probe requests, Wi-Fi and Bluetooth scans, cellular connection and location data to improve their geolocation of you, coupled with other factors such as time correlation and behaviour. With this in mind, you may wish to consider not even having your own personal devices switched on, or in the same place, so that there is no possibility of a connection being made between your personal devices and your sock puppet device. You may even want to consider buying a Faraday bag.

Wi-Fi is another potential issue. If, as part of setting up your new sock puppet account on your device, you decide that the Wi-Fi at the local McDonald's is a good idea, herein lies another potential risk. I know this has been a popular choice for creating Facebook accounts, as a way to protect your OPSEC when not using a VPN and an attempt to fool Facebook. You should, however, consider using a more privacy-focused, no-logs DNS provider rather than the Wi-Fi provider's DNS, which otherwise sees every domain name the device looks up.

Even though the device has been factory reset, as soon as you join the Wi-Fi at McDonald's (which is supplied by O2 in the UK), if that device has been seen previously on the O2 Wi-Fi network it will automatically recognise the device by its MAC address and display the previous person's details as a welcome message: the burned-in MAC is a hardware identifier that a factory reset does not change. (Recent Android and iOS versions can randomise the Wi-Fi MAC per network, but only if that option is on for the network and the device has not already joined it with its hardware address; a per-network randomised address is typically stable for that network too, so it will still be recognised on a return visit unless you forget the network first.) At this point you have two choices: continue as you are, using the old PII supplied, or start again with your new sock puppet's PII and risk linking the two together, as O2 will use the MAC address to do this. What I have seen in the UK is that free Wi-Fi is not necessarily free, as you are sometimes having to provide a mobile number, email address, name, date of birth and home address. So careful consideration needs to be given as to what free Wi-Fi you use. Asda does not require any information at all to use their Wi-Fi, but in my tests you couldn't use a VPN either, so there is a trade-off.
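Before joining a public network, the check a practitioner wants is whether the adapter is about to present its burned-in address, which is the identifier a captive portal like the one described above keys on across visits. The script below is an added example, not code from the original post: it decodes the IEEE "locally administered" bit that OS-level MAC randomisation (Android's per-network randomisation, iOS's Private Wi-Fi Address) sets, pulls adapter addresses out of Linux `ip link show` output, generates a fresh randomised address, and simulates a portal's "welcome back" lookup keyed on the MAC. The addresses, interface names and registration records are constructed for illustration.

```python
"""Checks on a Wi-Fi adapter's MAC address before joining a captive-portal network.

Added example, not code from the original post. All sample addresses, names
and interface names below are constructed for illustration.
"""
import re
import secrets
from typing import Dict, Optional

# Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff (Cisco style).
_MAC_FORMS = re.compile(
    r"^(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$"
    r"|^(?:[0-9A-Fa-f]{4}\.){2}[0-9A-Fa-f]{4}$"
)

# One `ip link show` entry: "N: iface: <flags> ..." followed by "    link/ether xx:..".
_IP_LINK = re.compile(
    r"^\d+: (?P<iface>[^:@]+)[^\n]*\n\s+link/ether (?P<mac>\S+)", re.MULTILINE
)


def parse_mac(mac: str) -> bytes:
    """Normalise any common MAC notation to 6 raw bytes; reject anything else."""
    mac = mac.strip()
    if not _MAC_FORMS.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(re.sub(r"[:.\-]", "", mac))


def format_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def classify_mac(mac: str) -> dict:
    """Decode the two flag bits of the first octet (IEEE 802 addressing):
    bit 0 (0x01) = multicast, bit 1 (0x02) = locally administered.
    A clear locally-administered bit means the address is the OUI-assigned,
    burned-in one, i.e. a stable key a portal can recognise across visits."""
    raw = parse_mac(mac)
    local = bool(raw[0] & 0x02)
    return {
        "mac": format_mac(raw),
        "oui": format_mac(raw[:3]),          # vendor prefix of a burned-in address
        "multicast": bool(raw[0] & 0x01),
        "locally_administered": local,
        "trackable_across_visits": not local,
    }


def random_private_mac() -> str:
    """Generate a unicast, locally administered MAC, the shape that OS-level
    'private address' / per-network randomisation features produce."""
    raw = bytearray(secrets.token_bytes(6))
    raw[0] = (raw[0] & 0xFC) | 0x02      # clear the multicast bit, set the local bit
    return format_mac(bytes(raw))


def macs_from_ip_link(output: str) -> Dict[str, str]:
    """Pull {interface: mac} out of `ip link show` text (Linux)."""
    return {m["iface"]: m["mac"] for m in _IP_LINK.finditer(output)}


def portal_lookup(mac: str, registrations: Dict[str, str]) -> Optional[str]:
    """Simulated captive-portal behaviour: return the name previously registered
    for this MAC, however either side wrote it, or None if never seen."""
    seen = {parse_mac(k): v for k, v in registrations.items()}
    return seen.get(parse_mac(mac))


# Constructed `ip link show` output: a loopback plus one Wi-Fi adapter.
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: wlp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DORMANT group default qlen 1000
    link/ether 3c:a9:f4:12:34:56 brd ff:ff:ff:ff:ff:ff
"""

# Constructed portal records: the hardware MAC above was registered on an earlier visit.
REGISTRATIONS = {"3C-A9-F4-12-34-56": "Previous User (constructed)"}


if __name__ == "__main__":
    for iface, mac in macs_from_ip_link(SAMPLE_IP_LINK).items():
        info = classify_mac(mac)
        verdict = "RANDOMISED" if info["locally_administered"] else "BURNED-IN, trackable"
        print(f"{iface}: {info['mac']} (OUI {info['oui']}) -> {verdict}")
        print(f"  portal would greet: {portal_lookup(mac, REGISTRATIONS)!r}")
    fresh = random_private_mac()
    print(f"fresh private MAC {fresh} -> portal greets {portal_lookup(fresh, REGISTRATIONS)!r}")
```

Run it on a Linux laptop by piping real output in, e.g. `ip link show | python3 -c 'import sys, macck; print(macck.macs_from_ip_link(sys.stdin.read()))'` with the file saved as `macck.py`; on a phone the same bit test applies to the address shown under the network's Wi-Fi details. If the first octet's 0x02 bit is clear, the device will hand its permanent hardware identifier to the portal.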

Another consideration, if you are using Facebook on your device, is not only their privacy policy, as they also capture device identifiers, but what information other apps are sharing with Facebook. Navigate to Off-Facebook Activity in your settings and you will find this information there. I have been doing some research recently on how to potentially leverage dating apps and, would you believe it, they had all shared information with Facebook. You are able to disable this, so it may be one of the first things you do when setting up a new account. Again, without meaning to labour the point, don't mix your personal social media with your OSINT.

It really is a game of cat and mouse as to what you lock down from a privacy perspective, as this can affect what information you are able to obtain yourself, but it is so important to know what the apps and devices you are using are leaking about you, so that you can weigh that against your threat model.

Useful links

Dutch Osint Guy

Privacy Policies

DNS Articles


Off-Facebook Activity

Investigative Mindset

(First Published June 2020)

Now, for those of you who follow me on Twitter, you may have gathered that I am not the most technically skilled OSINTer. Maybe the result of a misspent youth (and some more years after too). The truth is, though, do I have to be? Probably not. There is an abundance of non-technical ways we can conduct our OSINT research. It is, however, something that I find interesting and a challenge.

Certainly just as important, and maybe more so, is having an investigative mindset when conducting our research. We sometimes, I think, underestimate what a Researcher is able to achieve.

The Cambridge dictionary definition of a Researcher: – “Someone who studies a subject, especially in order to discover new information or reach a new understanding:”

The definition of an Investigator: – “A person whose job is to examine a crime, problem, statement, etc. in order to discover the truth:”

Now let's put the crime aspect of the second definition to one side and fold the rest of its wording into the definition of a Researcher, and we are getting close to what an OSINT researcher is.

If you have had the pleasure of reading the excellent blogs by @nixintel, @Sector035 & @MwOsint you will see the above in action.

I regularly hear Researchers being asked, "Can you just do some quick research on…." The opening gambit here is already setting the tone for how this research may be conducted. Is there any such thing as quick research? Yes, there is, in certain circumstances. What strikes me, though, is that we are already hardcoding the word "Quick" into the Researcher's mindset. At this stage I would be asking more questions of the person tasking me than they would probably be comfortable with. Once you start asking, "What are your aims and objectives?" you can see people become visibly confused by the question. Their aims and objectives are going to influence your methodology for how you conduct your research. Then there are time parameters to consider too; certainly "Quick" is not necessarily going to achieve complicated or exhaustive aims and objectives.

At this stage I would like to take the opportunity to share with you my experience as an investigator prior to taking up OSINT about 18 months ago. If I am being honest, I would say that there is far more to learn about OSINT than there is as an investigator. As an investigator you have a large support network of specialists. As a researcher you are that support specialist. In the investigation world we talk of strategies; in OSINT it's methodology.

Researcher, Investigator, Strategy and Investigative Mindset are easily interchangeable.

The first thing I do when I am tasked with OSINT, once I know what the aims and objectives are, is to brainstorm and write down everything that I initially think will assist me in carrying out my research: my strategy, my methodology. You may not need to use all of these ideas, but I have found that when I am mentally engaged with my work I don't always have that freshness of thought to think of new ones. Plus, the reason I write them down is that experience has taught me I will forget some of them. Also consider including the plan in any report that you produce. In my opinion it looks more professional to have had a plan than just to have churned out the results of your research. Think of the long game: will you ever have to present your work, and will you remember what your methodology was when asked?

Once I have my initial thoughts written down, I then start to prioritise them. The way you prioritise will differ from project to project. It's difficult to give an exhaustive list in a short blog, but I tend to look at what I am likely to lose if I do not act on something. Or I may decide which easy wins are likely to harvest me the most material to pivot off.

I am definitely someone who performs better with experience; other people are far more dynamic and free-flowing (damn them). So it's important to also work out how your mind works and set out your methodology accordingly. Don't be scared to be different. The most important thing is getting the result; how we get there is sometimes personal preference.

If the only information you have to start your investigation is, say, an email address, this is when you need to plan how you are going to investigate it.

The way my mind works is that I have to have order and structure. As I have been learning OSINT I have set out different investigative methodologies, each a plan; investigating emails is one. If you haven't seen @sinwndie's flow charts, check them out. Also take a look at @jnordine to see how his OSINT resources flow. It may be that neither of these works for you, but they can both be adapted so that you have your own methodology flowcharts. Shooting from the hip, in my experience, is not the way forward, especially when you have time to plan and prepare your research.

I see Researchers flying off to create sock accounts for Facebook and Twitter as soon as they are tasked. Do you even need a sock account in the early stages of the research process to interrogate Facebook or Twitter? Can you even find, or know how to find, an email address on either platform? No thought has gone into an investigative strategy or methodology. I personally do not create any sock accounts until I have exhausted other avenues of leveraging a site. Yes, there are times when you will be presented with information that the subject of your research is on a particular platform, or there is no other way to leverage the site, but that is all part of your methodology. Creating sock accounts is no easy feat and can be time consuming, time you may not have.

One important factor of research is knowing when you have exhausted a line of inquiry. Too much time can be spent down the rabbit hole before you realise that you are not actually achieving the results you want. Time constraints may dictate this to you, but you should always stop and assess. This is where the list of priorities you wrote down at the beginning also comes into play. You may decide that it is time to move on to a new line of research.

You need to constantly evaluate: understand what it is you have found, test the reliability of the material, and parallel-source it. Don't just accept that what you have found is correct and accurate.

Confirmation bias is another area of the investigative mindset that may have adverse effects on your research: only seeing what you want to see and ignoring everything else that points away from what you believe. Take the above example of knowing when a line of enquiry has ended. Your confirmation bias may blind you to the fact that what you are doing is fruitless, because you are ignoring the information or material that tells you this is the case. Have an open mind.

I hear the word "Tenacity" a lot in OSINT; it is something I have heard far more in the world of OSINT than before.

One definition of Tenacity: – “Extremely persistent in adhering to or doing something; stubborn or relentless”

What more can I say! When you have that gut feeling that something is there, or that you are missing something, then tenacity is what you need. Successful investigators and researchers have tenacity in abundance. Strongly associated with tenacity are personal pride and enthusiasm in your work, which will also be major contributors to your success.

Sometimes you have to stop and take stock, especially on complex research. Evaluate your research: do you need to look back and alter your methodology accordingly? Have you achieved your aims and objectives? Recharge your batteries, step back, take a break and refresh.

In fairness I could write a book on this subject; this is only a brief insight into my experience of the investigative mindset. The important message is finding out how your mind works, how you work, and then building your methodology accordingly. Have a plan, and understand what it is you are doing!