How can professional investigators securely conduct research on social media without exposing their organization? Authentic8’s Nick Finnberg, OSINT training specialist and former intelligence analyst, shared insights and tradecraft insights, tips and tools at a webinar on social media investigations.
There are more than 3.5 billion active social media users across the world. Facebook, Instagram, Twitter, LinkedIn, Reddit, 8chan and Co. can be a treasure trove for law enforcement, fraud investigators, corporate security specialists, and Open Source Intelligence (OSINT) analysts. Provided, that is, the researchers have tools at their disposal that are up to the task.
That’s a big IF. Online investigators need to be able to quickly and efficiently collect, save, and collaboratively analyze data while maintaining adequate operational security (OpSec). This often poses a challenge, because they also grapple with budget constraints, inadequate online tools with inherent security vulnerabilities, and an acute shortage of properly trained cybersecurity personnel.
How to safely, effectively, and anonymously use social media for investigations under time pressure and on a budget? At an OSINT training webinar hosted by the Association of Certified Financial Crime Specialists (ACFCS), Authentic8’s own Nick Finnberg answered this and other questions from a broad audience of professional financial fraud investigators and analysts.
Nick speaks their language and knows the challenges that online investigators face from first-hand experience. A former Army National Guard and counterdrug intelligence analyst who specialized in anti-money laundering (AML) OSINT collection, he was recognized for his outstanding financial investigations by the US Department of Treasury, among others.
Typical questions from participants at the social media investigation training course included “Any guidance on how best to conduct anonymous research via LinkedIn?”, “How would criminals ID investigators?” (spoiler alert: that’s what happens when investigators use a “free” browser - check out this blog post with a real case example), and “What’s the difference between using a VPN and the Silo Cloud Browser?” (find our in-depth take here).
Why did the last question come up? Silo, the cloud browser developed by Authentic8, is at the core of Silo Research Toolbox, the cloud-based online research platform used by cybersecurity threat hunters, law enforcement agencies, and financial fraud investigators worldwide.
Nick’s live demo answered many of the tactical questions. Using a real-life drug cartel investigation as an example, he showed how the combination of Silo Research Toolbox with an array of powerful social media investigation tools minimizes the risk of exposure while optimizing intelligence production.
Professional investigators turn to Silo Research Toolbox because it solves the two primary problems researchers are grappling with when conducting online investigations.
When OSINT Goes Wrong: Is the Web Following You Home?
Most OSINT collectors - whether on Fortune-100 corporate security teams, in Fraud Investigation Units (FIUs), or in metropolitan police departments - face two main challenges on the web:
- If they inadvertently expose their own identity or that of their organization while conducting covert web research with flawed tools, which may also be vulnerable to web-borne malware or spyware attacks, the result can be a compromised mission, or worse.
- If their research platform and toolset provide stronger security at the expense of manageability, efficiency, and expediency, valuable time is lost. The bad guys may cover their tracks, and crucial investigation leads and potential evidence vanish from timelines or profile pages before they can be saved and analyzed.
Both problems are intricately linked to the use of locally installed “free” browsers. While many researchers still use them to access the web and social media platforms, many are aware of the associated risks.
Because regular browsers process web code on the local machine and leak data to the internet by design, they are inherently vulnerable to malware, user tracking, and de-anonymization.
Until a few years ago, the most common method to mitigate such risks for analysts and investigators in larger organizations was for teams to custom-build their own online research platform from the ground up. Fewer companies and public sector entities could afford to take the expensive route and purchase out-of-the-box solutions from a small number of specialized vendors.
The catch: at their core, both approaches still rely on local browsers. In most cases, a patchwork of point solutions shores up traditional browsers for a mission they weren’t designed for.
Examples are dedicated hardware (“dirty boxes”), software (anti-virus tools, VPN, sandboxing), and costly IT infrastructure expansions (network segregation, VDI). Investigation units all across public and private sectors are reporting that this hodge-podge of IT security solutions is impeding workflows and has resulted in significant cost creep.
This development has slowed down critical investigations and put additional burdens on online investigators and IT teams. Investigators point to the tedious setup, configuration, and post-mission clean-up procedures that the traditional approach requires to ensure security and anonymity for researchers. Others have paid a premium for licensing and maintenance of turnkey online investigation frameworks that are costly to expand and update.
Silo Research Toolbox, in comparison, is a managed attribution and research suite layered over Silo Cloud Browser. Our research shows that Silo Research Toolbox enables investigation units to save an average of 89% per year, compared with organizations that deploy, maintain, and operate a comparable, custom-built infrastructure.
How does Silo Research Toolbox work?
Silo Research Toolbox combines web isolation with attribution management for conducting secure, geographically distributed data analysis across the clear, deep, and dark web. All web code is rendered in the cloud and converted into a high-fidelity remote display of the session, protecting endpoints from malware, spyware, and drive-by downloads.
Silo’s patented technology has been compared to the “air gap” approach that isolates the IT network of military submarines or nuclear power plants from the outside world. Websites and social media platforms are presented only with the IP address of Authentic8’s server.
Silo Research Toolbox can be configured to exit to the internet from one of dozens of global exit nodes and to spoof different client environments. To the website under examination, Toolbox appears as just another garden-variety browser on a local device on a local network.
With Toolbox, the risk of attribution or de-anonymization when conducting an online investigation becomes a non-issue. Encrypted audit logs and a secure data storage manager help maintain the integrity of the investigation and meet chain-of-custody evidentiary requirements.
Its capabilities and intuitive user interface have made Toolbox the research platform of choice for law enforcement and federal agencies. Its flexibility enables investigators to easily pair up Silo Research Toolbox with specialized analysis tools - a powerful combination, as Nick demonstrated in the training webinar for social media and fraud investigators from the financial services industry.
Missed the webinar? Check it out here.
Find out more about Silo Research Toolbox here.
7 Tools for Conducting Social Media Investigations
By Nick Finnberg
At the social media investigation training course, many participants asked me for tool recommendations. Below, I’ve listed seven tips that come in handy when digging deeper. Some of them require you to be logged in with your social media account; with others, we don’t know who’s tracking.
That means, in any case, when using these tools on the job, watch your six and protect yourself and your organization with Silo Research Toolbox. Here you go:
Google Reverse Image Search
With Google’s reverse image search, users can search by image instead of by keyword. Results include visually similar images and other sites where the image appears. Although this is not Instagram specific, it’s an excellent tool for finding additional social media profiles for a particular target by showing other pages where the image appeared.
Tweet Beaver
Tweet Beaver enables investigators to do a complete analysis of a Twitter account as well as download different aspects of that account, including timeline, followers, conversations, and much more. It allows them to download all of the tweets for a specific profile to conduct further analysis or to store them as evidence.
Social Bearing
With Social Bearing, investigators can search for tweets by keyword, Twitter handle, geotag, people, followers, and friends. The Twitter handle search can be extremely beneficial for investigators. Search results include a complete breakdown of an individual’s Twitter profile, including all tweets, geotagged tweets, tweets by source (Android, iPhone apps), and much more.
Track Reddit
Track Reddit alerts investigators when specified key phrases of interest are posted to Reddit by sending near real-time notifications via email or text message. This is a useful tool for staying up to date while investigating a specific topic on Reddit.
Reddit Insight
Reddit Insight’s user tracking tool helps investigators gain a broad and detailed overview of an individual’s activities on the Reddit platform. The results include account metrics, most popular subreddits, and most popular posts. This tool comes in handy for examining individual Reddit accounts that may be used for malicious activity.
This tool allows investigators to search by name, address, phone number, and email address without being charged a search fee. Search results often include home addresses, phone numbers, possible relatives, email addresses, and aliases.
The email search tool on the site makes it easy to find out who owns and operates a particular email address. This is an essential step for this kind of research because once an email address is identified for a target, it can be used to search for social media profiles associated with that email address.
YouTube Geo Find
YouTube Geofind enables investigators to search for YouTube videos by location and date/time range. This is particularly useful when a researcher has been assigned to a specific region and wants to look for videos from that area, for example videos uploaded by people involved in illegal activities.
About Nick Finnberg:
Nick Finnberg is an open source intelligence training specialist at Authentic8 who trains analysts in anonymous online investigation techniques. Nick started his career as an Army National Guard Intelligence Analyst and spent four years with the Illinois National Guard counterdrug task force, specializing in large scale money laundering investigations and open source intelligence gathering.