
Hi everyone, my name is Abby Waddell. I currently work as a vice president of security testing and I'm also the founder of Inquirics, which provides research and services on OSINT vulnerability assessments, primarily for non-profits. I'm going to talk about some of the open source techniques that have been used successfully to locate the source of cyber breaches and the identity of suspects.

So why OSINT? Breach reconnaissance activities are not usually captured by existing tools and methods, either pre- or post-incident, mainly because such activities occur away from the company network. OSINT data can be anything available to the public, including deep web sites, and also data which is out in the open but shouldn't be, usually from unintentional leakage. An example could be that I email a hotel reception about my room booking but they respond to me, by mistake, with an email intended for a different customer, or a web page is misconfigured and shows a list of hidden files and directories which anyone can access if they are technically able to. So I'll talk about some useful methods of obtaining information from documents, social media, password leak repositories, websites and forums, with some examples of how threat actors have been identified using these methods, which have been developed from years of research and original discovery.

Firstly I'm going to discuss some little tricks to reveal hidden material. Just to note that any blue rectangles covering parts of the slides in this presentation are redactions for privacy purposes.

User profile images in Instagram and Twitter: it is sometimes possible to reveal the parts of the image hidden by the way the image is presented on these platforms. Not everyone's profile photo allows this to be done, but when it does it can sometimes reveal useful information. In the example on the left this person's neck tattoos are revealed, very useful if there is a need for identification. The example on the right shows more clearly the woman next to this user's photo. It's very simple to view the entire image: just save it locally and open it up, or open the photo from the platform in a separate browser window.

Another useful trick is to be able to view a PDF file before any edits have been made to it using editing tools. On the left is a PDF of an invoice from Amazon, and on the right key details of the same document have been altered in order to forge the invoice amount and the details of the delivery recipient; the Edge browser's PDF editing tool was used to do this. If one opens this document in Google Docs, however (not the Google Drive preview, but Google Docs), then this strips away those edits, so you can see the document as it was before the changes were made.

Cropped screenshots and images within Microsoft files such as PowerPoint, Excel and Word documents can reveal the portions of the image that were cropped out but not completely removed, so even low-classification files can still present a risk of sensitive data leakage, leading to reputational damage and network and system compromise. Examples of sensitive data could be anything visible on one's desktop at the time of taking the screenshot or image, such as internal web directories in the URL visible in the browser, staff personal details, calendar entries, the contents of open sensitive files and so on. In this way one can use this technique to find out more about the author and origin of any Microsoft-created media that is under assessment. This is an example of how this happens: a screenshot of the Inquirics logo is taken, and note the surrounding views of open websites and other documents. The unwanted parts of the image are cropped, but then the user forgets to actually delete these cropped parts. This is an easy mistake, as it requires remembering to do this and manually doing this step in the application; there is no software control that does this automatically.

This is a nifty free tool which can be obtained on the Inquirics site. It reveals those parts of the screenshots in Microsoft files which have been cropped but not fully deleted. No installation is necessary; you only need Microsoft Excel installed with any third-party add-ins disabled. Very simply, just upload the files you want checked and it will extract all the images and save them to a results file. These images can then be viewed, and they will show the full screenshot with any undeleted areas. As can be seen from this example, the deleted or cropped parts of this particular image are revealed: the yellow box surrounds what was intended to be viewed, but instead the whole screenshot prior to any cropping can be seen. Restricting editing rights within Microsoft won't prevent this, and there is no patch.

One useful method of getting intel on suspects is to use the account recovery function on applications, as this sometimes reveals user details such as email addresses, usernames and device info. It requires attempting to log on to the website using the suspect's email address or username and then seeing what information comes back. It's basically the online equivalent of knocking on someone's door and seeing who answers, so you're not trespassing or performing any account compromise. The examples here show the information returned on Facebook and Gmail when one goes through these steps to reset the user's password. Their passwords are not actually reset, as you would stop the process before that point; it's enough to get the information shown, in this case partial email addresses and device phone numbers. It's often possible to guess the redacted emails, and even having just the last two digits of a phone number can corroborate information held elsewhere. The same method can be used on the UK's British Telecom website; only a username or phone number needs to be guessed here to get the redacted information. Likewise Microsoft Office provides this kind of user data, and it's a useful source as it appears most of the world's computer users have a Microsoft account. Twitter reveals user data in the forgot password function. And here is one of the UK's main banks providing clues as to the length of the user's password: the user's NatWest customer account number, which is made up of their date of birth, is needed to log into their account on the website, and then, without needing to know any other information, one can see how many characters their password has when the application requires various characters to be entered from this password. Knowing the length of this password can help guess the current password using previously leaked password data, and this password may well be in use on other sites where it's being reused.

One way of tracing or profiling suspects is to look for matches of the writing they use. This is an example of running a search of the exact wording used on the user profile of an advert by a particular malware vendor on AlphaBay, which then gave results of other black market sites he was using: in this case the wording of the terms and conditions is exactly the same on his other sites. It's also useful to determine the gender of the user by analysing their writing through an online analysis tool such as Gender Guesser.

Whilst this is not strictly OSINT, for those who already have legal access to a suspect's account there are some sites worth exploring to get a better picture of their activities and location. Grammarly profiles may show draft documents even with the free version, and these documents might contain personal details and other metadata. Fitness and sat nav apps store users' locations, including historic locations, not just in vehicles but also if they've set up walking or jogging routes. Hotel, train and flight booking sites are also a good location for data, and it's also useful to link current credit cards with the physical addresses in use, current email addresses and so on. I would estimate the vast majority of users in the UK, for instance, are registered on at least one of the Tesco, Amazon, BBC or Netflix sites, so understanding the sites a suspect has registered on can help with profiling them. For instance, if they have accounts on lifestyle and clothing sites they're more likely to be women (women make up 90% of the users on the popular Mumsnet site); registrations on sports sites tend to point to a higher likelihood of a user being male; parking apps may point to the ownership of a car; and train and phone company site registrations may point to a country of origin.

There are some techniques that can be used to discover the person behind a forum pseudonym. In the forum search area you can do a search for the username plus the first two digits of the commonly used phone prefix for your country; for instance "sami1 07" may bring up this person's phone number, in this case a mobile, and then a search can be done on the entire number in Google etc. In some instances users mention their email address in their messages, so a search for the @ symbol is worthwhile. It is noticeable that people are much more cautious about mentioning their personal details in recent years than before, so it pays to research the oldest messages as well as the new ones, as users may have been more likely to divulge personal information in them. Another technique is to search for the username plus the words "for sale" or "wanted", because if this user has mentioned having things for sale etc. they sometimes give clues as to their home town, and even that might be enough to cross-match with their username to lead to results. Some users will mention landmarks near to where they live, and it sometimes becomes a simple case of deduction using online maps to work out their location. There was one real example where a user mentioned, in different posts and at various times, that he lived equidistant to three alternative energy farms, two miles south of a specific river, next to a railway line, near a newly built supermarket and with a close view of a famous landmark; it was possible to triangulate his location with 95% accuracy.

Another useful technique is to scrutinise any media which the user uploads to the forum, for instance images. Sometimes these images are hosted on other servers where their username, which may be different to the one they have on the forum, is visible in the URL, so further searches of this username on Google and popular deep web sites may then point to their real identity. Often in forum discussions, especially with users who have been on the forum a while or have made a lot of posts, the other users might address them by their real name, either because they've met them in person or because they've engaged in a lot of private messaging. In one actual case a user of interest was given a nickname by another user based on his surname, so a Google search was then run on this nickname, which led to the easy discovery of his real name. Searches can also be made in the forum for the username plus sign-off words and abbreviations, which sometimes actually give away their first name; an example is a search of "sami1 atb" (for "all the best"), where "atb" can be swapped for "thanks", "thx", "take care" and so on. The Skype online directory is a useful place to find details such as alternative usernames, country, location and images. Less useful, but still worth knowing: torrent file names sometimes give away the user's operating system and username. As mentioned before, one should always check links to media and other sites from forum posters; these can also give alternative usernames, such as in this example where a particular user had a different username on the Photobucket site. And this is just to highlight the benefits of using Bing Maps over Google Maps: these are example images of the same two map locations, and you can see how Bing Maps shows the colours and the detail much more, so it's always worth using Bing.

Facebook is often a valuable resource for finding information for forensic and other purposes, and this highlights some useful methods of doing this. Facebook's search function produces more results the more the parameters are defined. For instance, a search can be made for a standard phone prefix with the option selected to only look for content posted by that user, and this will sometimes bring up a past post the user has made mentioning their full phone number, on which further searches can be made. To find employees working for a specific company, as before, the more the search is defined, the more results will come up. The example shows a search for all those who say in their profile that they work for Electronic Arts and whose name contains the letter S; that was just a random example. So it rivals LinkedIn in that respect. Checking the profile name as shown in the URL of a profile is worthwhile, as this could show a person's maiden name, their middle name or middle name initials, and sometimes a nickname; it may also point to the fact that the profile is fake. This is another example of having to add more search parameters in order to get any results: a search for "or better 212" in this example comes back with no exact match, but refining the search, in this case by specifying a year, produces an exact match along with a retweeted post from Twitter. On Twitter itself this post had been deleted, but it was still partially visible in Facebook, so Facebook's actually quite useful for finding deleted tweets.

It's also useful to know how to construct queries once the search needs to be more defined. Searches are made up of parameters which are then base64 encoded; locations and users each have their own ID number, as shown in these examples. Location IDs can be found by running any search query using the platform's search function and entering the location of choice, after which the base64 string in the URL can be decoded to get the specific numeric ID for that location. One can obtain a user ID by viewing the HTML source of the profile of interest and searching that source for the user ID. The following shows how a search query can be constructed. In this example the word "top" means all categories, such as posts, people or photos, but you could just use a single category; "q=" is followed by the keyword, in this case "knitting"; and then the filters parameter, which refines the query, can also include user ID, location ID and exact date. The query is then base64 encoded and run from the URL.

To find the contacts of a user who has prevented others from seeing their friends list, one can view any photos, images and videos that may be present in their profile and view the list of users who have reacted to them. With the list of friends it's useful, especially in the case of a man, as men do not easily change their surname after marriage, to search for any users who have the same surname as the user, as they're likely to be family members; researching family members may then help build a fuller picture of the user in question. Where there are lots of photos in the profile of interest, it's useful to check only those pictures which have a higher likelihood of having a greater number of reactions, rather than wading through hundreds and hundreds of photos which might not be worth it. In general there are certain types of photos which attract more user response than others: photos showing close-ups of a face generally receive a higher number of user reactions, as do photos of special occasions such as weddings and ceremonies, people wearing smart or attractive clothing, and studio quality images.

It's often useful to discern whether a social media account is fake. Fake profiles on Facebook and other social media sites tend to have the following hallmarks, and the greater the number of these characteristics, the greater the likelihood that the profile is not genuine. The first post date or the join date is relatively recent: it's possible to backdate or hide Facebook posts, so using the app we've created, which I'll mention in a minute, can help find the actual date a profile was created. The profile name is different to the profile name as seen in the URL: as previously mentioned, this usually means that the name has been changed from what it originally was, which could have been the user's real name or the name of an account bought from a third party. The likes, photos and posts are on a single topic: fake profiles, especially those created for a single purpose, are usually dominated by one overriding theme. For instance, if a profile was created to market a particular brand of lawnmower, there would be predominantly photos of lawnmowers and likes around that specific interest, to the exclusion of much else; there wouldn't be photos of the kids, the family holidays, mentions of other topics and so on, and the profile photo may even represent that particular topic rather than being of an actual person. The photos and the profile go over the top: if a fake profile belongs to someone who's keen to show the world that they are of a certain view and of a certain type, their photos, mentions and likes will be very single-themed but also exaggerated, perhaps to encourage others to believe that they conform to a standard social stereotype. There are no posts, photos or other content: an empty profile may just mean that the owner has not got around to populating the sections yet, or it may be a profile which only needs to be bare bones in order to fit a singular or temporary purpose. The person's age does not accord with the profile content. The friends are from a different culture, location and possibly language, which is more obvious when an account has been bought from a third party. There are no friends who have the same surname: most normal profiles have some family members shown as friends, and if there are no friends showing the same surname this may point to the account being fake. There are links to friends whose profiles are also fake, which is particularly common if many of them are engaged in contentious activities. A reverse image search reveals the presence of the same image on other sites, as fake accounts may use stock images or images obtained from Google etc. The profile pictures do not show a clear image of the face. And, depending on the purpose of the account, the presence of a thousand or more friends, or under 20 friends, may point to the account being fake: too few friends may indicate that it's been recently created, and too many may be due to the fact that the account has been bought secondhand or is being used for a single purpose such as marketing or sales. If an account has been bought secondhand there are more likely to be inconsistencies, due to it being a bot-created account or an account created for a single purpose; and there may also be no reply to private messages. Single instances of any of the above don't mean that the account is fake; it's whether you have lots of these altogether that could point to that.

The Facebook/LinkedIn profile joining date estimator tool, which you can download for free from our site, can ascertain with 98% accuracy the date a profile was created on these platforms, to within 60 days. The user interface has changed since the slide, and the updated version is still to be issued, however. You basically enter the target profile's name and their join date will come back instantly. A profile's join date is not readily available, even sometimes to the owner of a profile, and it's only by cross-matching the platform's user ID number with dates in the app that the user's join date can be discovered. If a suspect profile has a join date
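Returning to the cropped-but-not-deleted screenshots in Office files described earlier in the talk: the following is an added example, not the Inquirics tool or any code from the presentation. It inspects an Office Open XML package (.docx/.pptx/.xlsx are zip files) and reports every picture whose crop exists only as a DrawingML a:srcRect, which is exactly the case where the full uncropped bitmap is still stored in the package. The sample Word package it checks is constructed inline for the demonstration.

```python
import io, posixpath, zipfile
from xml.etree import ElementTree as ET

# Namespaces used inside Office Open XML packages (.docx/.pptx/.xlsx).
NS_A = "http://schemas.openxmlformats.org/drawingml/2006/main"
NS_R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_PR = "http://schemas.openxmlformats.org/package/2006/relationships"
NS_PIC = "http://schemas.openxmlformats.org/drawingml/2006/picture"
A_BLIP, A_SRCRECT = f"{{{NS_A}}}blip", f"{{{NS_A}}}srcRect"

def _resolve_target(z, part, rid):
    """Map an r:embed relationship id used in `part` to its media path."""
    folder, name = posixpath.split(part)
    rels = ET.fromstring(z.read(posixpath.join(folder, "_rels", name + ".rels")))
    for rel in rels.iter(f"{{{NS_PR}}}Relationship"):
        if rel.get("Id") == rid:
            return posixpath.normpath(posixpath.join(folder, rel.get("Target")))
    return None

def find_cropped_images(source):
    """Return [(xml_part, media_path, crop_percent)] for each picture cropped
    only via a:srcRect: the uncropped bitmap is still stored in the package."""
    findings = []
    with zipfile.ZipFile(source) as z:
        for part in z.namelist():
            if not part.endswith(".xml"):
                continue
            for el in ET.fromstring(z.read(part)).iter():
                blip, rect = el.find(A_BLIP), el.find(A_SRCRECT)
                if blip is None or rect is None:
                    continue
                # srcRect l/t/r/b are in 1/1000 of a percent; absent means 0.
                crop = {k: int(rect.get(k, "0")) / 1000 for k in "ltrb"}
                if any(crop.values()):
                    media = _resolve_target(z, part, blip.get(f"{{{NS_R}}}embed"))
                    findings.append((part, media, crop))
    return findings

def build_sample_docx():
    """Constructed sample (not a real file): one srcRect-cropped picture and one
    uncropped picture inside a minimal Word package, returned as a BytesIO."""
    doc = (f'<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"'
           f' xmlns:a="{NS_A}" xmlns:r="{NS_R}" xmlns:pic="{NS_PIC}"><w:body>'
           '<pic:pic><pic:blipFill><a:blip r:embed="rId1"/>'
           '<a:srcRect l="40000" t="12500" r="30000"/></pic:blipFill></pic:pic>'
           '<pic:pic><pic:blipFill><a:blip r:embed="rId2"/></pic:blipFill></pic:pic>'
           '</w:body></w:document>')
    rels = (f'<Relationships xmlns="{NS_PR}">'
            '<Relationship Id="rId1" Type="image" Target="media/image1.png"/>'
            '<Relationship Id="rId2" Type="image" Target="media/image2.png"/>'
            '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", doc)
        z.writestr("word/_rels/document.xml.rels", rels)
        for name in ("image1.png", "image2.png"):
            z.writestr("word/media/" + name, b"\x89PNG placeholder bytes")
    buf.seek(0)
    return buf
```

Calling find_cropped_images on a real document path before it leaves the organisation gives a quick pre-release check: any non-empty result means the original, uncropped screenshot is recoverable by anyone who unzips the file.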