Real-Time OSINT: Investigating Events as They Happen | SANS OSINT Summit 2020

Captions
Thank you, sir. All right, so one of my favorite things to do as an OSINT practitioner is to research things that are happening in real life. It's wonderful practice. So I'll start things off with a personal story to kick things off. I was traveling back from a SANS event in March last year and I had a layover in Atlanta airport on the way home to my home in South Carolina, and so I called my wife and children to say goodnight, because I was probably going to catch them after they go to bed. My wife answers the phone and she's like, "Hey, I'm glad you called. Me and the kids are sheltered in the hallway downstairs. We got the alert on our phones that there's a tornado warning, take shelter immediately." She's like, "My phone's a little bit low on battery, so I'm not gonna stay on the phone with you, but I'll text you what's going on." I said, "Okay, I love you guys, let me know." We hung up. I said a swear word pretty loud in the airport and immediately pulled out my laptop and some earbuds for my phone.

On my phone I went to Broadcastify, which is an internet radio repeater that'll pull emergency radio, fire dispatch, EMS, public safety frequencies. On the website I went to our county and started listening to the feeds. On my laptop I pulled out Google Maps and I just started listening to what I was hearing across the radio. I heard a couple dispatch locations pop out that sounded like streets I was familiar with, so I pulled it up. One was Community Drive and Platt Springs Road, which I mapped was about a 10 minute drive from my house. Unfortunately it was in that same exact trajectory that an NWS site was showing the tornado was heading, so I didn't feel great about that. I kept listening on. About five minutes later, I think it was, there was a report of downed power lines. They had gone to that location, which ended up being a little bit further over, another 10 minutes or so from the first location. I heard the dispatch give the location, plotted it on the map, and then listened. They got there, said that there were reports of the funnel cloud but, you know, no existing storm signs at the moment, and I was able to plot the home address and realize that it, you know, was going at a trajectory away from our house at this point. Texted the wife and kids back home and they said, "Yeah, it actually seems like it's calming down out there." So, you know, that sense of urgency there, it's one of those things that will drive you on.

Let's take a step back and tell you a little bit about myself. I consider myself very fortunate. For the last five years or so I've been doing OSINT as my main role with the companies I'm on. Currently with a bank, essentially using OSINT to track down cyber criminals, anybody that's enacting fraud against our bank or our customers. I get to dig with OSINT to find them. Before that I was doing digital forensics for a private investigation company, and when I wasn't digging into electronics in the lab I could talk to the PIs and help them track down people in the cases that they were trying to find if they had dead ends, using OSINT as well. I'm part of the advisory board for the OSINT Curious project, which you'll hear more about here shortly, and I blog a lot of my research on learnallthethings.net. I try not to take myself too seriously though; I'm just a guy that likes to do OSINT research.

I do have another real-time talk I did a couple years ago. In this talk there were two escaped fugitives. The story itself is pretty tragic but it reads out like a Hollywood action movie. Two convicts broke out of a prison bus in a city just outside of Atlanta, Georgia, killed two corrections officers, carjacked a nearby car and went on a three-day spree. They ended up being apprehended in rural Tennessee three days later. But that story, as I researched that one in real time, was a great example of why real-time OSINT is good practice for our research skills. Over the three days the trail was white-hot, there were police helicopters in the air, and then at night the escapees were laying low, so it turned into a cold case where people were kind of waiting for, you know, what's the next move gonna be. When I got done with that talk, the very first Q&A hand that went up said, "Yes, why do you do this?" And I was like, well, in my head, because OSINT's awesome and I love it. But I started to think it out as it went along, and that sense of urgency that we talked about on the tornado warning story at the beginning there, it drives you to research quickly. It kind of keeps you on your toes as you're doing these things. The direction that you take to find this information is a little bit different when it's a real-time scenario. This morning Chris talked about using a similar methodology across Facebook, TikTok and Instagram. It was repeatable, it was effective, and it was something that you kind of would follow in a routine. With real-time events you kind of jump around a little bit and go outside of your normal research. In essence it just kind of makes you a better investigator. That practice mode of kind of shifting gears is one of those things that helps you learn a new way to do something, and a lot of times it ends up being a new tactic that you can share with other people.

This is my ethics slide. Real-time events typically involve some type of tragedy. The fugitives that escaped, you know, they killed some people, so you want to be respectful. And shoot, I don't recommend tweeting out your research in real time. Law enforcement may be involved; potentially you could impede an investigation. I saw this in 2017 when there was an explosion in Manchester, England, outside of an Ariana Grande concert. Somebody was digesting all the early reports that were coming in and they were going out there and really kind of put it out there that it just kind of sounded like a pyrotechnics error in the show. It got a lot of traction, but that wasn't the case. It was a suicide bomber; there were 22 deaths in that situation, and the person took a lot of heat online for putting that research out there in that manner. So while I love to bounce ideas back and forth between my OSINT researcher friends, do it in a closed environment would be my recommendation, because a lot of times, look, you've used some great ideas but you don't want to really put it out there. And also use OPSEC, operational security. I think as most OSINT practitioners know, don't use your personal accounts, especially if you're looking up fugitives. The last thing you want to do is, like, for Cathy in your personal network to be connected to the Georgia fugitives the next time you log in because you didn't use the right account doing your research.

Like I said, with the research it kind of makes you shift gears depending on what's going on with the event. If we're catching up to the story we use a different type of tactic, and probably tools, than we do if we are ahead of or kind of with the story as it's happening. If you're catching up to the story, typically you can kind of use the standard OSINT methodology. Things have already happened, so the data that's out there exists on sites that you can probably go and research, get a lead on, take what you know, put your goals of what you're trying to find, and kind of run your typical routines. If you're catching up to the story it's kind of normal OSINT day to day. If you get ahead of the story your posture changes a little bit, because what you're doing is kind of predicting something that might be about to happen, so you kind of look at it a slightly different way. You know, once we're doing that we're going to want to find out where this information is going to come from. If a certain reporter is tuned in to the story you might be watching their accounts specifically. So the things kind of change as we take this route. Would you stay on the cutting edge of a breaking story? Sorry, pun intended. So I'll share a couple of different stories that I covered and a random super technique that kind of popped out from that research.

This picture itself has just a little funny story. Anybody familiar with the show Dexter? If you're not, he was a serial killer that killed other killers, in short. When I was making this slide I knew I just wanted to find a picture of his knife kill kit, so I went looking, expecting to find like a Dexter fan site, and what I found was an Etsy page where somebody was selling custom cutlery kits to hold all of your sharp tools. Not... there are some scary people out there, and they're on Etsy.

All right, the first tool I'll share shouldn't be a big surprise. That's Google Maps, but it's not exactly the way you think you might use it. What we had was another start of a manhunt. A reporter gave a county location but not the actual street address, so I was trying to figure out where this was happening. The post was like 30 minutes ago when I first came across it. There was a partially visible sign that was cut off in the photo, so I kind of drilled into the area. But what you can do is ask Google Maps for directions through the area. A lot of times if there's congestion, like a lot of police presence, you know, we're gonna have the spot that we can maybe dig into. You don't have to do it as directions either. If you hit the menu bar up at the top you can actually just go and turn on the traffic filter, and a lot of times you'll see different parts of a known city or county kind of read out, and you might want to look around those areas. After that it's kind of your standard validation. You can see the picture on Twitter there is in the Street Maps view. Even though it was kind of a, you know, woody area, there were branch formations, that for sale sign and the partially visible street sign were all there to validate the different current event.

This was just from last month. While I was teaching SEC487 with Micah, a story started trending about an explosion outside of Houston, Texas. Somebody's Wyze doorbell camera actually caught the explosion and a lot of people were starting to put mutterings online, on different social media, about what was going on. A lot of times when media gets involved with a breaking story like that, they'll give you this block format address. The 4,500 block of Gessner is where they were leading us. Same kind of thing with other things, you know, there's a shooting at the 500 block of Main Street. They don't tell you exactly where it's happening, but you get that little snippet of the block. For those I like the map site wegohere.com. You can type in that block format address that they gave you and it'll kind of drop that pin in general where that is, but if you zoom into that map you can actually see the layout of the block system in that area. So you know that it might not be at that point, but you can kind of see the shape of the block and where that 4300 could possibly lie. So that comes in handy if you're trying to drill into an address if you don't have a street.

Oh, Snap Map, snapchat.com, the heat map will help you out here. We can just kind of see that an area outside of Houston had a whole bunch of activity. People that post videos publicly on Snapchat, those stay on the map for 24 hours, and the map site just kind of gives you a heat map of really high level activity, and you can pretty much see where something might be happening. As you click through those you'll get videos. There definitely was police presence at the time when this was going on, and there was actually footage from inside people's homes where this explosion had occurred. What it turned out, it was a chemical plant that had some kind of an accident and exploded, damaged a bunch of houses in the area and ended up killing two people as a result. So Snapchat Maps is awesome for finding that information when you don't have a street address.

I talked about alternatives here. This one has a big asterisk, Facebook Live. Actually in June of 2019, if you're familiar with doing Facebook OSINT, they nerfed a lot of the functionality of the graph search. At the same time the Facebook Live map went away, because they used to have just a great map with dots and everything. Now it's kind of just a feed of breaking news and TV shows and entertainment stuff. Periscope, kind of the Twitter alternative, they definitely had hits that were going on at the time, and it's not as widely used as Snapchat, but it's good to have. The reason to have choices is just different features and strengths. Snap Map: widely used, the public posts will be available for 24 hours and then they kind of drop off, so if it's happened very recently it's a great place to start. Periscope: not as widely used, but it's got some historic function, because those will stay up for about 30 days, so if something is a little bit further out, it might not be on the Snap Map anymore but Periscope would likely still have it for the last month or so. Like I said, Facebook Live, it's good to note. It was really useful when it was there, so if it comes back that's great, but you know, they got rid of it because privacy, Mark Zuckerberg is looking out for you.

This story, in 2017, the Seminole Heights serial killer. There was a series of shootings that started to happen in Seminole Heights, Florida, which is just outside of Tampa. The first location, October 9th, somebody was shot outside of a bus stop. The second one, ten days later, another bus stop. Another one outside of a homeless shelter, and another one nearby that same area. It spanned over two and a half months. As these were happening the police started to give us these little photo snippets that you can see on the side. What they were looking for was somebody that saw something in the suspect's, like, body language, and they weren't really giving us a whole lot of details as to the location of where they were traveling to, so they kept censoring the footage, just to try to get somebody that, hey, do you see this person, do you recognize who that person might be. Not a whole lot of other details. Obviously there's an active investigation, with peril for the people in the communities, so they maybe didn't want to give out the locations of who gave them the footage either. But as it started to progress, I think after the third shooting, they started to finally open up a little bit. One of the things that they pushed was a piece of footage that actually showed the suspect walking in one direction through a neighborhood. The feed actually pans and changes and you can see them go past a certain house, and then a short while later they snip it and you can see that person flying back the other direction. As you can imagine, he was doing the crime and then retreating the other direction. So it gave us something to actually work with there to find that location.

The IPVM site is actually designed to help you cover an area with surveillance, locate blind spots. They've actually got a function that lets you show what different camera functions will show you in the view, and it's a cool embedded interactive map. It's really tied to Google Maps Street View, so you'll have the overhead there where you can drop a camera and then the breakout sign that'll show you what that camera's perspective is. When you drop that stuff in, we were able to kind of get into that same area where the shootings were happening and see that the output from the IPVM site was showing exactly where the suspect was running by. As I was gathering the slides for this talk, the Google Street car had actually gone through that neighborhood again and done an update, which I thought was really cool, because one of the things I like to do when I find footage is to validate where it came from. That same spot that I kind of dropped the camera on had two new camera spots actually there, and you can see exactly where that footage came from, looking in both directions, which was across the street from that footage there. Now why was that? Obviously if we have the site of one of the killings and a direction pre and a direction post, you can tell that that middle cluster right there is definitely a place where somebody can maybe be hiding out, possibly a contact or a spot where a getaway vehicle is stored before and after the shootings.

I talked about Broadcastify at the beginning. Essentially what you're trying to do with all of these stories is put eyes and ears on a location. With Broadcastify, if you go to the website version you actually just get a map, so if something's happening in a particular state that you want to get a view into, you can go ahead and find it. And it's not uncommon to hear the dispatchers talk about very specific pieces of information. It was these Austin serial bombings that were occurring back in 2018. Somebody was mailing bombs around the city of Austin, Texas. I was listening in during some of that activity; it was across the course of about 22 days, and you were literally hearing the dispatch call in on suspicious packages. People were afraid of Amazons that were showing up that they didn't order, so we could hear the emergency broadcasters give an actual street address number and then you could hear the police go out there. I've heard VIN numbers, a whole lot of really detailed information, if you happen to be listening at the same time. But as you can imagine, those results vary by region. If you go on the website there's usually the top listeners, which can tell you kind of a hotspot of what's going on in the area. Chicago is definitely the hotspot most of the time if nothing insane's going on somewhere else. Because of that, somebody built this project site called crimeisdown.com. They have kind of an interactive map and they're trying to automate some of the feeds that they're getting off of the Broadcastify site and a couple others, including the scanner guide, which you can get at the link there. That guide is about a 30 page document that kind of outlines all the research that they've put into this. It's a great grab because it's got some of the police jargon and the codes that you might hear when you're listening to these broadcasts. It also has a link back to RadioReference.com, which I'll get to here in a second, but it actually can give you alternative ways to look up information if you happen to be in an area that doesn't have great coverage. There might be a way that you could tune in.

The RadioReference site itself you can just access on your own, and that's the same deal. It's driven by a map. You can find out basically different federal and state level, even like public radio repeaters and ham radio stuff is in there, but you might be able to find the actual frequency that some of the emergency broadcasters are operating on. That becomes important if you're local enough, because you can pick up, like, an RTL-SDR. Anybody have one of these? You do some really cool stuff with these. You can get into like the ADS-B Exchange, which is tracking airplanes that are in your area, but one of the things you can really do is just use it as a tune-in radio. SDR# is an open-source free program where you can essentially just look at the bandwidth frequency there and see spikes where it's typically a radio channel. Sometimes it's electronic noise interference in your house, which is actually cool to mess with too, but you can tune in to those radio frequencies by using the hardware with your computer to kind of listen in to what's going on in your area in the airwaves.

I started with a personal story so I'll finish with a personal story here. I was at my job at the private investigation firm, and one day doing forensics I could see a whole bunch of police presence just kind of surround our block. Like, that's not cool. Online, with Twitter, there were reports of a suspicious package that was about a block and a half away. We weren't trapped in the block, so I wasn't super worried, but I had a flat tire that day, so I had actually left my car on the other side of all the police activity to get a new tire. So I kind of was watching the radio. Nothing was really shown on Broadcastify, and then the idea popped in my head, well, let's plug in the RTL-SDR. I checked RadioReference and I found a couple different frequencies that might have emergency broadcasts on there, and I found one that was active. Finally got it tuned in, and I heard the "all clear, all clear," and all the vehicles just sprinted out of the area, because it was a public library on the corner where the homeless kind of would gather with their backpacks. So everything was clear, I could go get my car, and the police got the fun of detonating homeless backpacks with the bomb squad response team.

So in conclusion, those type of stories are really fun to share. Like I said, they can be tragic, but they're a great way to practice your OSINT skills. That sense of urgency, it just kind of makes you work fast, you kind of think outside the box, and you find tools that help you stay out ahead of the story that you might not necessarily look into. What I like to do with all my talks is I'll drop a link on my website that has all the tools and links to the stories. If you notice I don't really put in the names of the criminals and things like that. I did that with the original talk back at BSides and when they snapped it up on YouTube it kind of memorialized the criminals. I don't really like that, so I'll give you the links to the stories if you want to see those ones that I talked about, but I like to keep the criminals' names and victims off of the slides. But those will be out there. I also like to talk to everybody after the conference during our networking times. If you have other tactics and things where you found success, please let me know, and if you're cool with me sharing them I'll be glad to put them on the link when it goes out. So, Josh, thank you.
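The talk's block-format address technique ("the 4,500 block of Gessner", "the 500 block of Main Street") is easy to automate when you are triaging a lot of breaking-news text at once. The Python below is an added example, not code from the talk or the speaker: it pulls block-format addresses out of report text, turns each one into the house-number range the block covers (4,500 block means 4500 through 4599, and a mid-block number like 4550 still rounds down to the same block), and builds a query string you can paste into whichever map site you prefer. The sample report lines, the locality string and the trailing-word list are constructed for the example.

```python
import re
from dataclasses import dataclass

# Matches "4,500 block of Gessner Road" / "500 block of Main Street".
# The street name is taken as a run of capitalised tokens, so the match stops
# at the next ordinary word ("... Gessner Road early Friday" -> "Gessner Road").
BLOCK_RE = re.compile(
    r"\b(?P<number>\d{1,3}(?:,\d{3})+|\d+)\s+[Bb]lock\s+of\s+"
    r"(?P<street>[A-Z][A-Za-z'.-]*(?:\s+[A-Z][A-Za-z'.-]*)*)"
)

# Capitalised words that often follow a street name in news copy but are not
# part of it (constructed list for this example; extend as needed).
TRAILING_NOISE = {
    "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday",
    "January", "February", "March", "April", "May", "June", "July", "August",
    "September", "October", "November", "December", "Police", "Officers",
}


@dataclass(frozen=True)
class BlockAddress:
    street: str
    low: int    # first house number in the block, e.g. 4500
    high: int   # last house number in the block, e.g. 4599

    def map_query(self, locality: str) -> str:
        """A string to paste into a map site. The low end of the block is a
        reasonable pin to drop before looking at the block layout on the map."""
        return f"{self.low} {self.street}, {locality}"


def _clean_street(raw: str) -> str:
    """Strip sentence punctuation and trailing non-street words."""
    tokens = raw.rstrip(".,;:").split()
    while tokens and tokens[-1] in TRAILING_NOISE:
        tokens.pop()
    return " ".join(tokens)


def parse_block_addresses(text: str) -> list[BlockAddress]:
    """Return the distinct block addresses mentioned in one piece of text."""
    found: list[BlockAddress] = []
    for m in BLOCK_RE.finditer(text):
        number = int(m.group("number").replace(",", ""))
        low = number - number % 100          # "4550 block" still means 4500-4599
        street = _clean_street(m.group("street"))
        addr = BlockAddress(street, low, low + 99)
        if street and addr not in found:
            found.append(addr)
    return found


def triage(reports: list[str], locality: str) -> list[str]:
    """Collect every distinct block address across several reports and emit
    one map query per block, in first-seen order."""
    seen: list[BlockAddress] = []
    for report in reports:
        for addr in parse_block_addresses(report):
            if addr not in seen:
                seen.append(addr)
    return [addr.map_query(locality) for addr in seen]


# Constructed sample report lines, in the block-format style the talk describes.
SAMPLE_REPORTS = [
    "Crews responded to an explosion reported in the 4,500 block of Gessner Road early Friday.",
    "A shooting was reported in the 500 block of Main Street; the 4,500 block of Gessner Road remains closed.",
    "Residents near the 4550 block of W. Gessner Road felt the blast.",
]

if __name__ == "__main__":
    for query in triage(SAMPLE_REPORTS, "Houston, TX"):
        print(query)
```

The regex deliberately requires capitalised street tokens; that keeps it from swallowing the rest of the sentence, at the cost of missing streets written in lower case, so treat its output as leads to validate on the map rather than as ground truth.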
Info
Channel: SANS Institute
Views: 27,257
Keywords: sans institute, information security, cyber security, cybersecurity, information security training, cybersecurity training, cyber security training, open-source intelligence, osint
Id: yrOOdq25wMw
Length: 24min 34sec (1474 seconds)
Published: Tue Mar 24 2020