From Photo to Passport Number With Maltego OSINT Tools

Captions
Hello and welcome to another episode of Hacking with Friends. My name is Kody Kinzie, I am a security researcher with Varonis, and this is our primary cable plugger, Michael.

Sure, at least you're using that thesaurus and not calling me gremlin all the time.

Of course not. Michael does a lot of things on the show. Aside from being the co-host, he also edits the show, and there's a lot more than that, so Michael's very much a big part of the show. In fact, if you caught our last live stream, he's partially responsible for our stream crashing and leaving everyone hanging for six minutes. So thank you to everyone who hung with us on that last stream. It got a little bit rough, but I'm glad we got to have some fun.

I blame the internet.

Yeah. So today we're going to be doing something that I think is pretty crazy and extreme. We are going to be doing an OSINT investigation. Okay, nothing new there, but we're going to be going from just a photo and trying to get all the way to some guy's passport number. And just to clarify for people that may not be familiar with what OSINT is, it's open source intelligence. So open source intelligence is a practice used by everything from large intelligence agencies down to individual reporters and infosec and hackers who want to be able to find as much information about an entity as possible, and this could be a business, it could be an individual, it could even be an event. And there's lots of OSINT investigations that you'll see, maybe on Twitter, other places, that are done by really, really interesting organizations like Bellingcat that expose, for example, human rights violations and other sorts of really newsworthy events that don't get enough attention because they're really difficult to figure out where these things happened and who was involved. So investigators are able to use public sources like government databases, websites that are maintained by third parties that kind of scrape this information and offer it in a really easy to digest format, and other services, to be able to collect enough information to solve these riddles and basically be able to bring in the right information to figure out what sort of investigation they're currently working on.

So you know, this is really broad stuff. It could be anything from a hacker trying to profile a business that they want to... hopefully they're a red teamer and they're allowed to do this, but it could be a hacker, you know, profiling their target and learning all the technical information as well as the social information about the company. Or it could be somebody like an OSINT investigator, maybe somebody looking to press charges against someone in a criminal investigation, that's looking for all the public data they possibly can find without actually needing to request a warrant, which is a big deal nowadays.

Yeah, I know. For hackers at least, and obviously hopefully red teamers, ethical hackers, doing that kind of deep research can be really helpful if you're trying to do a spear phishing attack. You know, maybe you pretend, oh hey, I'm some government official, we have this information, we just need to clarify some stuff, or whatever. Or then also the other side of that too is doing deep research so you can make a very specialized dictionary password search list, so that way if you're trying to brute force a file that person encrypted, you have a much better chance if you know the name of their dog and the maiden name of their wife and all that stuff. It's more likely going to be something like that.

Yeah, so these are all things that fall under the scope of OSINT, but today we're going to be taking the role of that hacker in a movie, where the main character is like, all right, I got a picture of the guy, you've got to tell me who this is, and the hacker's like, got it boss, and then comes back five minutes later with all this information about the guy: their passport
number is five seven one three eight. And it's like, how did you get that information? Well, today we're actually going to do that, assuming that the person that we're talking about has been sanctioned by the US government. Now there's lots of other ways that we might be able to find out this information, but today we're going to be stringing together resources that will allow us to go from a simple photo with no name attached, where we don't know who this guy is at all, all the way to this person's passport number and specific details of why they have been sanctioned by the US government.

So in theory, this could be a photo that we found on social media of a protest, or it could be a picture you took.

Yeah, yeah, or a sneaky photo you took outside of a business that you're red teaming or something like that, right. And before we start out with this I have to point out a couple of things. These resources are evolving, they are free, they are open, and they are not going away. So while some of the things we're going to show today might be a little controversial for the privacy implications, for example there are real facial recognition searches out there that really do turn up matches of people, and it's not really ethical to go around just taking pictures of people and then running them through the search, although, you know, it is important to be aware that it is possible. So if you take anything away from today, it should be that these services are rapidly becoming a thing, and if you want to control your privacy, you might need to go on some of these and maybe request some photos be taken down or removed, because they do respond to these requests.

So during the course of our investigation we are going to be using a photo that could basically be from anywhere. Of course, this is going to be a photo that I found on the internet, but the same process would theoretically work if you were an investigator and you happened to snap a picture of someone who you saw maybe committing a crime. In this case, if it was a really big crime and you were an investigator, let's say maybe a journalist or somebody else trying to piece together who this person is, then you might be able to string together these resources and actually come up with a large amount of information in a relatively short period of time.

So the tools we're going to be using today are a couple of web-based tools, and again, when you're uploading anything to a third party you should be aware that that third party doesn't need to tell you what they're doing with it necessarily. So all the tools we're using today are free except for Maltego, and Maltego has explicit privacy policies about how they process information and what goes out and stuff like that. You can read it, it's very, very clear. Some of these other services... oh well, and I'll also say I know the people at Maltego and they have a vested interest in the trust of the people who they work with, and they primarily work with the investigator community. These other tools, specifically the web-based tools we're going to be using today, they don't really answer to anyone and it's not entirely certain what they're doing with the faces and pictures that you're uploading. So be aware that when you're uploading stuff, especially if it's photos of yourself, only upload photos that are already publicly available on the internet. And I cannot stress this enough: it is already enough of a privacy nightmare that these things exist in the first place, let alone feeding them images of yourself to see what else turns up. So don't get into the trap of just feeding in a bunch of new faces just to see if something comes out; that is how these things gather new faces. So for now, if you want to see for example if you are on the service, then only pick an image to upload that is publicly available on the internet somewhere, because then at that point it's probably already crawled it and you won't be feeding it new stuff. I personally find this stuff very creepy, but I also find it super useful during my investigations. So, you know, for OSINT investigators and other people looking to do something like this, they should be aware that it is possible.

Yeah, like obviously there's all the privacy implications, right, but just because you don't like it or you find it unethical doesn't mean people aren't going to take advantage of it and use it. So if you just turn your blinders to it then, you know, you're kind of shooting yourself in the foot, I feel like.

Yep. All right, so we're basically going to be using three tools chained together in order to get someone's identity today, and again, we're assuming this is for a criminal investigation. If you do this against a romantic partner or someone who you're about to go on a date with or whatever, you're kind of creepy and they might get mad at you, and they would probably be legitimate to feel like you had invaded their privacy. So don't go using this for something where you might get in trouble.

Right, just because you can do it doesn't mean it's ethical.

Yeah, so we talk a lot about ethical hacking, and one thing is not abusing other people's trust. We use these tools because they allow us to do really powerful things, but they can also enable abusers and other people who are sketchy to do things that are not ethical. So be aware that you need to use these tools responsibly, and if you don't, then you're a real creepy guy or gal.

Okay, yeah. Onto your screen.

Onto our screen. So let's say that we're starting out this investigation and currently we have an image. Maybe this is something we snapped ourselves, and this is someone who is either a very high-level person at this company, or, if we're a hacker or red teamer who is going to be using this for an OSINT thing, where we're going to do, as you said, a spear phishing attack, or if we're a journalist, maybe this is someone
who's photographed in the commission of a crime or something, and the police haven't released any information yet, but we want to know who this is. Are they connected to a bigger story? Is it someone who's important? How would we figure out who this is? So a lot of people are already going to know who this is as soon as I open it up, because this was a pretty big news story a while ago, but not everybody is involved in international news, so maybe some people won't. So this is the picture we're going to be taking today. We don't know who this is, it's just some guy. He's just kind of nicely... you know, you can kind of make some inferences about where this might be from, but starting from this image, is it at all possible for us to figure out who this is? And from that, can we figure out if there is a bigger story, like for example, is this person being sanctioned by the United States of America, and is their passport number publicly available? That, as a journalist, might allow us to access other records. For example, if we had access to maybe travel records or some other stuff that's been leaked or made public, we might be able to, if we for example find out that there was a large leak around a particular case, go through and look for examples of this passport number and find instances of this person where we wouldn't be able to search through that data otherwise. So frequently for journalists or investigators, getting the first clue and then stringing together more and more will allow us to utilize more and more OSINT resources. For example, once we get something like an email address, we might also be able to infer something like a screen name as well, which would allow us to search the web for other web profiles or pages about that person and learn more and more information about them. When you kind of break to the next level of clues like that, it's a really big deal in OSINT because it allows you to start from a really small piece of data, and maybe there's only one clue in the entire case, and be able to pull in a whole bunch more.

Yeah, because what I often find is, if you have a picture or something, then you're able to find a Facebook profile or some social media, and that'll give you an idea of a username, and then usually their email is that username or some variation of their name like that, and then, like you said, down the rabbit hole you can go from there.

So sometimes you get lucky and you can have a one-to-one match. Now, if you have a photo that's just off the internet, a lot of people will just run it through a Google image search and just try to find out, okay, has somebody else uploaded this exact image before? But there can be some things, like just cropping it for example, that can make that not work.

I was going to say, yeah, the first thing I always try is Google reverse image search, but it's less than optimal, because I believe they've intentionally implemented it so that it can't be used like that, for this sort of thing. It would return like "man" and then give you tons of other pictures of guys.

Exactly, yeah. So in a previous example I took this image, and there was another one of the same man that had a cowboy hat, and I ran it through Google reverse image search and it just said "cowboy hat" and then it patted itself on the back like, great job, me.

Yeah, I was like, oh, and it'll give you like two photos too, and it's like, thanks Google.

Yeah, so let's see, do I have... I have a browser extension, I think it's for Firefox, that's just "who stole my photos," and you can just take it and you can search it directly. But here you can see there's just "search Google for image." I think it's literally "who stole my photos."

Okay, yeah, I was going to say, is it pixel for pixel, like it has to be the exact same size?

And we can all go home, we cracked the case: this is a gentleman. Okay, so Google is stupid at this sort of thing, and it is not actually doing facial recognition, it's doing matching. And of course this photo actually does exist on Google, but the algorithm is not smart enough to match it to a cropped photo. So because I cropped this in, we are now officially stumped. We don't know who this guy is, and let's say that our other tools aren't working either.

Mine is loading up now.

Yeah, we've got a gentleman, that's all we know. Bring in all the gentlemen for questioning. So this looks like a dead end, but it's not necessarily, because there's also other tools we can use that are super mega creepy. So let's go on over to PimEyes, which is a weird, creepy name for a website.

"Most advanced facial recognition." Yep.

And aside from searching eyeless hipsters, it also allows us to search pictures we take. And this is the website that I do not recommend you upload any photos that are not already public to, because I don't know a lot about this website. I don't know who's controlling it, what they're doing with it. They're almost surely using every photo that's uploaded to improve their facial recognition algorithm, so just be aware that this is a big data website that's offering up big data and collecting it.

Upload every private image I have on my phone, oh boy, that's what I'm hearing. Oh boy.

All right, so we're going to go ahead and use this example we have. I have a couple of others of the same person, but we're going to start with just this one. Who are you? And once it opens, we should have a couple of matches with confidence attached to it, so basically how sure we are that this is a match. So first we have the original image. Go us, that's great, and that's really cool, but unfortunately we're not trying to just reverse the original image, we're also trying to find new ones that might be easier to track down. Now, when you look at this sort of stuff, you can see that there is some variation between the websites that it's from, but they're obscured. You have to click here to unlock, and guess what,
do you guys know anything about capitalism, how that works, how things are provided? Guess what's going to happen when I click on unlock?

It's going to ask for tons of money.

It's going to give me a gift card. Let's see who's right. Oh, it's asking for money. Michael's right. I guess I've learned nothing. All right, well, I don't want to do that, so let's hack, guys. Are you ready? Are you ready to hack? So if I right mouse click, Inspect, I don't know if you guys knew this one, boop, okay, so now we can see the website that this comes from. We can also see a terrifying, I didn't even know that it did this, weird thumbnail. I wonder if that's where the bounding box for the facial recognition probably is. But basically right here we have the source, but it is cropped, so we can see in general what the website is, but if we were trying to navigate to this then it wouldn't actually go anywhere. For example, if I just go here and I try to do this, it's going to error out and say 404.

I do wonder, it does, when you inspect it, show you the image itself, right, that it's displaying, the full non-cropped image?

Yes.

I bet you could just use Google image search with that image and the website and find it.

You probably could. So Michael made a good point. So one problem is, if you were to just take a picture, like a screenshot of this, for one it does this stuff over it to make it harder for you to search it, and you'll notice it also puts a little black thing on the bottom. So as soon as you interact with it, it instantly tries to make it harder for you to reverse image search that image, which I think is very silly and also lame, but I mean, you know, they're trying to make some money. So we could, as a hacker, just inspect our way to the source image here and just try to find where there's something. I'm sure just by clicking and opening we would eventually come up on something, but really I don't care so much about this, because we can take the next step if we really need to in locating an image by just going through and finding something that's a bit more recognizable. So yeah, there's a lot that we can really do here, and I think, yeah, I'm just fascinated by...

Can you make your screen full screen?

Oh yeah, I can, but it makes the images smaller, because I like it. Yeah, so this website scales stuff weirdly, but if you really want to go in and try to snap another picture, you can just make it really, really big. But yeah, so basically we're able to get a lot of pictures here that give us much more context. So we can see this is a politician, we can see the early cowboy hats, this is the one that yielded the cowboy hats one, and you can also see there's some ones that are split. So you know, if I wanted to just take one of these and search it, this is where there's enough variety here that we could probably take one of these images and get a name. So as Michael was saying, we could probably just take, I think, maybe something like this, and since this is much more clear and we can see that it's been cropped in various ways, if I just take this image, let's go ahead and do a Google image search again and see if we get anything better than "gentleman."

I kind of suspect that that's going to give you some version of "gentleman" again, because the only time I've had good results with Google image search is when it's a pixel-for-pixel match, like it's not cropped, nothing's been done to it, and then you'll find the news article it was in or something like that.

Let's see. So I do have a solution here. Wow, it's uploading for a long time. I do have a solution here even if this doesn't work, so I'm kind of... let's see, no other matches. So, but we have another clue, Michael. This isn't just a gentleman, he's also a business.

Okay, so all we've got to do is make a Venn diagram of the gentlemen that are also businessmen and then we bring them into the lineup.

Yeah, and then we just look at all of them and find the right one. The case is cracked, everyone.

Yeah, we're done.

But if we have to do this, then there is a way. All right, so you guys have heard of PimEyes, but have you heard of TinEye? Very different, everyone, very different.

Isn't there a couple of others like this too? I don't remember the names.

There's a lot. Okay, so here: Google search, facial recognition, reverse image search, find where else the image is online. So this has a much better algorithm. So let's go ahead and take this, see if we can upload it, and this does things like partial matches much better. Here we go, we found it. So TinEye is much less stupid than Google reverse image search for finding mangled, slightly changed, cropped or otherwise...

I see URLs that don't have paywalls in front of them.

Yes, yes, yes. So not only is it better at dealing with mangled or distorted or otherwise modified photos, aka cropped images from
PimEyes, it also allows you full access. So let's say we want to go ahead and click on this. We now have the option to also translate this into English. I now know that I do not want to subscribe, and if I scroll down, I can see the name of this gentleman: Roberto Sandoval. And I'm not going to pronounce his last name because I'll mess it up, but I feel good about that. Roberto Sandoval. Okay, so we also can see who he is, the governor of this state in Mexico. So if we want to begin our investigation now, we've taken basically just a photo, which again we could have taken on an airplane or something, like, this guy's talking about drug dealing and being a huge narco trafficker in my first class seat, behind me, that I got firmly upgraded to, I wonder who he is. You could actually probably find out, although he might not be flying considering his past.

I was going to say, in terms of investigative journalism it'd be more likely, like, there's this guy meeting with these top level CEOs, I wonder who that is, or some such thing.

Yeah, yeah. So anyway, we've got to get back to our buddy who has sent us this random photo, who's asking who this gentleman is, so we've got to really impress them. And now that we know the name of this person, we can start doing a more broad investigation, and we're going to use Maltego. So for those who are not aware, Maltego is an investigative tool that is really popular among hackers, investigators and reporters, and it has a free version, so you're welcome to go ahead and try out a lot of this stuff. Some of the things I'm going to be working with today are either really new or in the paid version that I'm kind of helping to test, but I want to show some of the really powerful things you can do using some of these modules and plug-ins that allow investigators to very quickly be able to drill down on a piece of information. So some of this is also new to me, so I'm kind of also practicing what I've just learned. But there's a really cool module in Maltego that allows access to Aleph, which is a resource that is open source and used by reporters all over the world to combine information, and some of this is stuff like the Panama Papers. So if you need to do a really, really big search through a huge data set, they strategically add different data sets that are really interesting and useful for reporters, investigators and anybody that's using the tool, and make it available, in this case as a transform through Maltego. And there's also a web interface you can use that is, as far as I know, free, that you can continually do these searches on. It's just that it's really difficult and tedious to keep track of multiple data points and how they relate to each other when you're just working with a web interface. The Maltego interface is a really good way to pull in data and show how it's kind of represented.

Yeah, I think the main selling point of Maltego, really, in my mind, is just the way it allows you to visualize how data is connected and easily expand data through simple transforms and stuff.

Yes. And if you are a credentialed journalist, I hear that you can contact Maltego directly and you may or may not get a discount. Yeah, so if you are press, or if you know someone who is press, definitely let them know about this, because Maltego is really, really friendly to press people. If you are working basically anywhere you're doing investigations and you have a good use case, they're always willing to, like for you guys, give a demo license and keep it rolling for as long as makes sense, or negotiate a favorable price for your newsroom or whatever else you're working with. So they've been really friendly towards me and all the journalists that I've trained to use it, so if you're a journalist or someone who works adjacent to one, it might be worth it to reach out and say hello. So, all right, we are going to go ahead and open up a new...

Ooh, I love the noises.

We're going to open up a new graph, and...

Like alien UFO noises.

Yeah, so this gives us access to our entity palette, and you can see this is serious business when the default entities are domain, email address, URL, and then it kicks up to cryptocurrency owner, and then we scroll way down and it's just getting really heavy, like specific websites, a mug shot, an Instructables group, so there was one that was like a terrorist. So they really prepared for a prison. Entities are basically data points, and when we are looking through huge sets of data, Maltego recognizes these points of data and represents them as entities, and these entities are really easy to keep track of because they have different icons and they're processed in different ways. So it provides both standardization of data that you're pulling in, so a person's name will be represented by the same icon every time, and you'll be able to search using the available tools to take a name and learn more information the same way every time you pull in a name. It's really cool. So I'll do a demonstration, but I just love that.

Yeah, oh yeah, a terrorist, a terrorist leader, an unknown. I was going to say, I believe Maltego is very commonly used by intelligence agencies and the like.

Yep, so this is an incredibly powerful tool. Yes it is. So we're going to go ahead and start with the most generic thing, which is a phrase, and a phrase can be anything, and this is something we can use basically as a placeholder if we don't know what kind of entity it's going to be yet. And in this case we know that it's a person, but let's go ahead and start with just a name, so I'm going to just literally copy and paste it.

Yeah, because this could be a pseudonym that we found, or a username perhaps.

Okay, and when I right mouse click on it, I can see that we have lots and lots of different transforms we can run on it. Now, what Maltego is really doing is it's providing you the
ability to take any data point and pivot off of it, and, using a series of transforms, which are basically a combination of an algorithm to organize data and an API call to bring in new data from an external data source, you're able to take a single point of data and turn it into potentially many, many different leads that can allow you to take the next step further in your investigation. Now it's important to note the data sources, because some of these might be primary source data, meaning it's actually a piece of data from the original source that you can trust, and some of these might be secondary sources of data, where you actually need to go and make sure the original source it's referring to is real, otherwise somebody might have misreported something, there could be an error in the data. It's kind of an imperative to make sure that the data you're being given is in some way referenceable, so that you can make sure that it's real. But in the case of most of our investigations, we're going to be basically pulling down as much data as we can and then getting rid of everything that's irrelevant to our investigation, because frequently there could be a false match, something with the same name, or something else that's obviously not related to what we're looking for. So in this case, when we right mouse click, we can see there's a lot of transforms available.

And so not all of these transforms would be included in the community edition, correct?

Right, so Maltego now includes a lot of transforms by default in the standard transform packs. So if we go to "All Transforms" within it, you can see there's still a lot of stuff we can do with the name just within the standard, included-by-default, everything. In fact, let's see if we can run it and see if it does anything.

I was going to say also, so there's a variety of types of transforms. There's the free transforms, and then I think there's special paid transforms that certain other third party companies might make, and then I believe you can also create your own transforms. And if you're interested in that, stay tuned, because I think we're going to be doing an upcoming live stream on that and looking at how you can take an API or some other data source and implement that into Maltego to use for your investigations.

Okay, so when we run that search, we get a variety of different entities back, and some of these are PDF files.

"US Navy hosting," yeah.

So we can see, for some reason, when we search this guy's name we find a PDF file that says the US Navy is hosting something. So we can just literally take this and then Control-F, and it looks like this is not a good match. It just found both strings of text in here somewhere, so we can delete this. And to get rid of something that's not a good match, we can just right mouse click and press the X. Gone. So again, this is maybe not the best match. I don't think we're going to find this guy on LinkedIn, but we might be able to find some more information on some more relevant looking stuff, like we know he was accused of corruption.

Yeah, I was going to say, Maltego is generally pretty good, but I do think you need to go through and polish the data most of the time.

Yeah, you always have to check. So this is a CSV. What's in here? I don't know, it downloaded to my computer, and I'm immediately going to go ahead and... running a random CSV, that's always right. Thanks, but no thanks, and goodbye. Okay, so, don't want that, but still an interesting database, as you can see. While this is interesting, there might be a better module for us to learn about this person. So this is a bit more than I want to read through. I'm just going to select everything, and I'm just going to get rid of it and try a different module instead. And again, this is one of the newer ones, and you can always run these Aleph searches on the website as well if you want to, and we'll see that shortly too. So let's go ahead and switch over to a different transform set, and in this case we're going to be using this one, Aleph. Click on this, then there's a lot of transforms here. You can see "look up in all Aleph data," "look up in specific data sets." So one thing I can immediately do is, if I suspect that this is a big-deal kind of guy who might be involved in something that would land him on a person of interest list, and this involves everything from a Red Notice from Interpol to, I guess, corruption notices from the United States, where they decide to make some sort of official sanction against someone. A person of interest basically means someone who's been designated by a police agency or a government as someone who's suspected of being involved in a major crime or some sort of other bad stuff.

Well, something else I was going to say a moment ago is, I think this also highlights the importance of, if you are doing an OSINT investigation on someone relatively high profile, it's important to have a secure computer and be using VPNs and Tor, at a minimum using incognito tabs or otherwise not being logged in to LinkedIn, because you don't want the person seeing, oh, why is this random investigative journalist looking at my LinkedIn profile, right?

Yes. I really hope that if you are a journalist or an investigator you're not going to people's LinkedIn pages while you're signed in. We can do a whole other section on privacy and security settings for investigators, but obviously make sure, yes, you're taking basic privacy and security considerations before you start to do any of this. One thing in particular is make sure you know where your searches are going. While Maltego is a great service, there are API calls that go out of it to whatever data source you're using, so some transforms act kind of as a middleman. Not all of them, but there is one I know in particular, Social Links, that will basically do searches on your behalf through some of these other parties. So they're basically taking your search, digesting it and sending it out to somewhere else and then bringing it back. Very convenient, but they're also possibly retaining your searches, and that could be a big deal if you don't want, like, a Russian company that you don't really know processing your data about a sensitive investigation, maybe about Russia. Yeah, so it just is important for you to know where your data is going and make sure that you have these bases covered. We can't do the whole stream on that right now because it's a really big topic, but yes, if you begin an investigation and you start poking around and you don't bother to cover your identity, you could very well let your target know that you're investigating them, especially if you're not covering your IP address or you're signed into a bunch of your personal social media accounts while you're doing these investigations.

Yeah, if y'all are interested in that, let us know and we can do a future live. That's definitely an hour on its own.

Yep. All right, so right now we're going to do a person of interest search, which sounds intense and like it should just be for the police.

That's the name of the TV show too.

Yeah, so we're going to run it and let's see what we get as far as a person of interest. And again, we're just using a phrase for this, so if we're not completely sure of someone's name then we can double check it here. So we have a couple of different hits. We have people here on the US OFAC sanctions list.

What is the US OFAC?

Google could tell you. The U.S. Office of Foreign Assets Control.

The only reason you know that is because you just... okay, all right.

All right, but here anyway, we can see that we also have a bunch of what looks like documents, so we can double click here and go to properties and see exactly what this is, and it looks like we've located a PDF. So if you want to see more about this we can scroll down, we can see that there's the web URL to this piece of
information on aleph which again is a third-party source of data so we have to check it out before we just trust it so let's go to the domain that we found here and as you were saying before aleph is like something most investigative journalists would already know about yes um free and available however it can be a little uh cumbersome or tedious to look through and and really figure out how all the information is connected okay so i'm not seeing any roberto here but this is the document that allegedly has um some sort of tie back to him so we can see that um uh this comes from a data set of uh persons of interest in mexico or south america so that i mean that sounds legitimate um and we can see there's 40 countries included 338 emails wow um wow there is a lot here so yeah we can search this data set see if there's anything else relevant i mean it looks like we found like one of the sources where we can probably find more information about him i was going to say literally when we started the search it could have been one of what like seven billion people in the world okay half that since we know it male or whatever but still like even getting that narrowed down to like 300 something emails it's a tremendous sleep just in a couple minutes well yeah um so we have pablo roberto sandoval we have roberto sandoval and then we have carlos roberto oh my gosh this name is love um carlos roberto isaiah garcia sandoval i don't wow so this is an interpol red notice um this is from the sanctions list and you can see we're getting multiple names off this one um so there might there's a couple things that could be going on there could be multiple people with very similar names or these different data sets could be referring to different people so here i can also see that uh i can identify this person's date of birth 1986 um and i can also see their place of birth yeah so you could try to compare those so if i go over here if i go to properties and let's see uh i don't have a 
birth date but do i have a place of birth place of birth all right so i'll have to compare that mexico uh yeah because the last thing you're different is that's a case of mistaken identity yeah so it looks like it's different so this this person may not be our subject whereas these ones two are very well made so yep this one the place of birth matches and we have a completely different date of birth i'm thinking this is our guy so is there a way to combine those entities since we know that there's the same person and they're both person entities uh i don't know but first before we do that i'm gonna go ahead and verify that this is the person we're talking about by checking the link here we can even see that we've got their passport number so this is a general profile of this person um that allows us to oh yeah uh see all the other mentions in the database so here if i want to get that same result and i'm like damn i want that passport number that looks great i can right mouse click and since we have a different uh basically we have a different type of entity here um instead of this being just you know a phrase this allows us to do more specific transforms and look for this in a better way than we were doing before so i'm going to go ahead and in the alif transforms i'm going to look for all relationships and this will look for any relationship to data that has this individual in it and hopefully we can pull down some more data um such as the passport number because i really want to be able to just get this in multego without having to go through the web interface and there we go so now we have his passport ta-da and we can see that he's on the sanctions block list as well you can see the authority who issued the specific order it's the u.s office of foreign asset control see that's how i do it um and then you can see that this is the global magninsky act which that means that this person did something very very and i imagine you could look that act up and find that 
oh yeah so if you matter do you know what that is no so the this act is uh to basically punish people or punish like governments that are doing uh things that are very corrupt or bad um it's by the united states department of state and it's been used to go after major violators of human rights um so this is a big deal if you're on this then you've done some messed up stuff um and you're probably like a very rich russian person but also potentially a very corrupt um mexican politician apparently yeah so uh yeah so basically this is how we can get from a point basically we just took a photo that we couldn't find any matches on the internet we managed to identify the through facial recognition other photos we were able to achieve a match and then we used another matcher to bring us full circle back to this person's passports and here you can see if you go to the properties you have the source who provided this passport number you have the passport number itself and you know if you wanted to run more searches on this it's like all right where else is this passport i was gonna say i think that would be a valuable piece of information to extrapolate yeah so here um you can just run all transforms but i like to do run uh let's see what's it get all relationships okay and when you're doing these transforms it's like taking in like the kind of entity it is and all the information included or is it just like straight up like just searching that number on google no in this case it's searching for a specific data set so it's searching through alif it's not searching through google which means that there's much less need to sanitize the data because a lot of this stuff is coming from a single source that's more or less curated itself now i'm not really sure if we're going to get much by sort running all transforms on this but hey let's see if any 30 seconds later there's like 50 entities that pop off oh yeah it happens a lot um oh we did find something a country i think we wow 
thank you i'll take a crack for this but how you bowling yeah and then it's and some of this is just referring back so what's what's nice about this is every one of these arrows is an entity that otherwise would be cluttering up the graph but it's recognized that hey this password belongs to this guy and two different data sources have now confirmed this so while this could be perceived as like annoying to have like a data to these data sets pointing to each other they're basically confirming each other and that's something that i like about this um it allows us to take a single a source of data and be like oh okay like this is confirmed by three other sources of data from three separate entities that are all pointing back at this and again you can go ahead and follow up on any of these through aleph i think that um now that i i haven't really been too active using this before but i find that it is really cool how easy it is to get started um you know just learning all this stuff but again it looks like it's um some sources are hidden from anonymous users well then i'm gonna access it through multiple accounts uh it really wants me to um but i'm just gonna use baltaco because i want to so multico let you see that even when you're anonymous yeah oh hey this is interesting so okay so one thing one taking a quick step outside of multego we can see that there's some data sets that are related to our good friend roberto such as the panama companies registry um that's not good so like panama the panama papers leaks um showed a lot of shell companies and other like sketchy businesses that were hiding money from taxes and basically doing stuff like money laundering so being able to find uh for example florida land property uh databases that contain this person's name i mean we do need to make sure we're not getting any false matches but aleph has already done some of that for us by matching things like biographic information and making sure for example that these people at 
least seem to have like the same birthday and stuff like that um so we can also see that there is a wikileaks document this is from the us department of state and we can see that there's a cable that apparently mentions this guy so that's interesting so if we had any interest in knowing what the us department of state was saying about uh see if i can find it that might be more in his governmental capacity yeah well but also if they knew he was prep uh while roberto sandoval is likely no angel his arbitrary and illegal arrest has many in sucre is quite concerned mr bubba yeah so basically we can just see what um the u.s department of state thought about the whole situation as it developed so if you're a reporter who you know has now realized that the person you were sitting next to in first class or that your source sent you a picture of is actually like a major drug pin that's on the run or something or corrupt official on the run then uh you know being able to see the context behind this could add a lot to the story or lead you to the next clue and i don't think we're gonna go uh any further than leaks um cables from the united states department of state i think that that's as far as this investigation needs to go but going from someone's face to you know leaked conversations diplomats are having about you um is a is a pretty interesting tool today being able to do that in like a handful of minutes with what like i guess like two or three searches is pretty uh spooky when you think about it actually yep so something i would probably try to do then is actually go through should i go back to your screen oh no no uh we're right i would i would basically go back and try to start tying all this stuff together in multego and create a graph that's easier to do a report on for like an intelligence analyst and kind of having all these like screenshots of stuff once i know where the data is i can generally find it in multego import it and have it all together and of course 
you can also using voltego do things like have your own local transforms or bring your own data sets in certain instances so it's a really flexible tool that i like a lot for um just organizing your thoughts during an investigation and you can always manually add um all this stuff as well just to keep track of it as you go along so for visualizing this stuff and potentially a very complex investigation i find it to be a great tool and again the free version is available for anyone who wants to check it out um but also the other tools you mentioned today pim eyes and tinai are also really useful for investigations that are based on a single photo or something that otherwise might be really hard to track down these tools have evolved a lot and they are creepy so make sure if you're using them you're only using them for an investigation uh or in some other ethical way make sure that you're also not uploading photos of yourself or other people that don't already exist on the internet it is rude and you're basically teaching this creepy service that's not accountable to anyone how to recognize photos even better and feeding those pictures into the system so just just don't do it um it's like it's it's just creepy it's just creepy yeah but um hopefully you guys have gotten a taste for how powerful osint is it's a really amazing tool for investigators hackers or anybody else that needs to learn about well pretty much anything because the data out there exists and the tools exist to get to the right piece of data you're looking for you just have to know your question really well and then the tools you have at your disposal to get there so yeah if you guys want to check out more oset tools make sure to let us know in the comments we are here answering questions and also you can hit me up on twitter cody kinsey if you have other ocean ideas for us i'd love to cover more ocean stuff on the show and i think we're going to be doing a lot of ocean stuff over the next month or so 
so if you have ideas for tools you want to see covered please let us know uh because we would love to hear from you uh yeah i think that's everything we have for today right yep cool so if you guys like the show make sure to check out the security forward that security fwd channel all of these are recorded and saved there so you can watch this as well as other great ones we have two other uh ones on ocean one of them on trucker ocean which i'm honestly shocked is very popular uh you guys don't want to like track down trucking logistic problems like all right fine uh and then well as some of my other favorite channels always say sure i'm showing you how to do this particular thing it but it's also more about the process so learning the process you know sure like i now know how to look up this one guy's passport number but knowing the process of having how to look up anyone's passport number much more important yep and also um if you want to check out our other one it was on i believe just ocean using government databases as well as a little bit of multego and we took a look at the theranos investigation where we looked at all the online assets of this fraudulent company managed to figure out where they were registering their businesses and all the different deals they had and then found out about all the tons and tons and tons of lawsuits that are now buried under yes super fun and also if you want to uh see other general security content verona says a lot of other great stuff you can check out the ad powershell course which is a great way to get started working with active directory in powershell and of course you can always catch out some of the great webinars we have on things like ransomware if you're interested in that too awesome yeah all right that's all we have for today thank you guys for hanging with us if you have any questions make sure to save them up for our q a or drop them in the youtube comments where we'll answer them live on the q a which it's not 
next week but the week after they're every other wednesday every other wednesday so if you're watching this right now then it's going to be next not next wednesday wednesday after yes all right we'll see you guys next time bye you
Info
Channel: SecurityFWD
Views: 164,409
Id: TtTOp-o-TOs
Length: 47min 5sec (2825 seconds)
Published: Sat Oct 10 2020