OSINT Flashcards
What are the four distinct categories of open information and intelligence according to the NATO handbook?
- Open source data - raw print, broadcast, oral or any other form from a primary source: photos, most things on the internet, etc.
- Open source information - generic information that is widely disseminated, e.g. newspapers
- Open source intelligence - information that has been discovered for a select audience
- OSINT-V - very highly reliable OSINT (classified documents)
What is SOCMINT?
Social media intelligence
What is HUMINT?
Human source intelligence
What is a definition of OSINT?
- Intelligence collection management: finding, selecting and acquiring information from publicly available sources, then analysing it and producing actionable intelligence
What is OSINT not?
- Not hacking, not spying, not invented by LE (law enforcement), not necessarily free, not just the internet
What are some sources of OSINT?
- Libraries (off and online)
- Online TV shows
- Government sources
- Business sources
- Academic sources
- Satellite and maps
- Online media
- Social media
- Deep/Dark web
What steps should you take in an online investigation?
- Intake and orientation
- Strategy, search and store
- Technical capabilities, tactical applications
- Analysis (GUIDs)
- Refine, recycle and reporting
What does Intake and orientation mean?
- Where are you going to look? What are you looking for? How much time do you have? Why do you want to know?
What does strategy, search and store mean?
- Consider what strategy you will use and how you will store the results
What does Technical capabilities, tactical applications mean?
- Search engines, URL slicing, etc.
What does analysis mean?
- You have to constantly analyse information and look for global identifiers such as email addresses
What does refine, recycle and report mean?
- You constantly refine your searches and report
What are four categories of information needs?
- Event, e.g. crime, earthquake
- Theme, e.g. statistics on drugs on the internet
- Organisation, e.g. business, gang
- Person, e.g. background, profiling
What are some useful search techniques?
- Unique queries
- GUID
- Use exact phrases
- Use capitals for names
- Translate your keywords
- Use place names
- Use catchphrases
- Add or exclude with + or -
- Use wildcard searches with *
- Use fuzzy search
- Use slang
- Use multiple search engines
What are some operators you can use?
- intitle - must be in the title of the website
- allintitle - all words in the title of the website
- inurl - must be in the URL of the website
- allinurl - all words in the URL of the website
- site - only search in that domain, e.g. Jason site:twitter or site:nz
- filetype - pdf, doc
- period - within a time period, e.g. period:1907…1921
What are some methods for searching for information on the net?
- Global search (short internet scan, SIS)
- Thorough search
What are the 7 golden W’s?
- What
- Where
- Who
- When
- Why
- In what way?
- With what?
What are some search styles and strategies?
- Building blocks = using AND
- Pearl growing = grow queries from relevant documents
- Successive fractions = add bits of data as you go
- Interactive scanning = the researcher does not yet have a good overview but picks out keywords to use
- Berry picking = start with one keyword and build
How can we check something is reliable?
- First-hand information is more likely to be reliable
- Never trust a single source
- Verify facts with as many different sources as possible
- Check the link popularity
- What do other sources say about it (comments, reviews)
- Reliable website (big organisation)
What can we do with an IP address?
- Whois and IP information
- Reverse DNS
- Web and CML queries
What are some signs a domain is suspicious?
- Funny spelt name, e.g. using 0
- Warning pops up when you visit
- It has been blacklisted
- Funny details in whois
What is a robots.txt?
A file in the root of the web server that prevents web crawlers from indexing the pages listed in it
What is page rank?
A link analysis algorithm which assigns a numerical weighting to hyperlinked documents to measure their importance
What are some reasons a search engine wouldn’t show a webpage?
- Page isn’t indexed due to robots.txt
- There is only dynamic content
- Page rank is 0
- Search engine doesn’t show it due to previous search preferences
- Search engine doesn’t understand your query
How do web browsers differ from each other?
- Customization
- RSS feeds
- Tabs
- Plug ins
- Add ons
- Security
Why might we want to hide ourselves online?
- They might obstruct our investigation
- Change their behavior/tactics
- Deny access
- Attack our computers
- Alert them
What are some things we leave as a trace online?
- IP address
- Host name
- Geolocation
- Browser fingerprint
- Referrers
- Cookies
- Server logs
- Stats
What can you use to hide your IP address?
- Proxy server
- Web based anonymiser
- TOR
- VPN
- SSH tunneling
- Prepaid cellphone
- Public wifi
What are the four types of proxy server?
- Transparent - will show your true IP address
- Anonymous - Will hide your IP address
- High anonymous - the host will not know you are using a proxy
- CoDeeN proxy - CDN, a network of high-performance proxies
What are some technical and tactical considerations when investigating a site?
- Update software
- Malware and scanning
- Flash cookies
- Tool bars
- Metadata in pic and docs
- Throw away email
- Language, screen resolution
- Download website
- Source code and obfuscation
What is an API?
Automated programming interface - takes a request and returns results
What is a channel?
A chat room in IRC
What is an IRC network?
Where channels are based and operate
What are the 5 types of channels?
- Default (public)
- Private
- Invite only
- Secret
- Invisible
What happens when servers within a network lose contact?
A netsplit occurs and can take a few minutes to reconnect. When this happens a nickname collision may occur which will cause a disconnect.
What does @ before a nickname mean?
It is the channel operator
What can an IRC channel operator do?
- Kick users
- Ban users
- Make other users operators
- Can change the channel’s subject, title and modes
What are IRCops or opers?
They repair netsplits, answer questions and perform network maintenance
What are IRC bots?
- Scripts run from client or separate program
- Can execute certain commands
- React to certain events
- Clone and flood bots are used to multiply and flood other users
- Used to control botnets
What do the terms lag, zooming and k-lined mean?
- Lag - takes a long time for data to be sent
- Zooming - entering a channel to see who is there and then leaving
- K-lined - access restricted because of behaviour
What are some commands you can use in IRC to search for people?
- /whois (nickname)
- /channel (channel) - list of users on a channel
- /notify (nickname) - you are notified when someone using that nickname enters
- /whowas (nickname) - info on someone who has just left
What is usenet?
It is a global network of servers that host discussion groups called newsgroups. Each newsgroup has its own topic and community
What protocol does usenet use?
Network News Transfer Protocol (NNTP)
How can you stop usenet messages from being archived?
- Use anonymous email addresses
- Use the Google command that disallows archiving
What are some dark nets?
- TOR
- Freenet
- Zeronet
- I2P
What investigative opportunities do we have for the darknet?
- Dark net search engines
- Sites that leak data
- Examine photos and docs for metadata
- Set up TOR exit nodes
- Undercover operations
- Postal services
- Clearnet searches
- PGP keys
- Bio info
What should you not do on dark net?
- Don’t mix clear and dark net
- Don’t use a full-size browser window
- Never use your full name
- Never download anything
- Don’t use your credit card
- Don’t open files in Adobe etc.; read them in the TOR browser
- Be careful when using 3rd-party tools or add-ons in the browser
What is a definition for cryptocurrency?
Crypto is a decentralized, convertible, virtual currency based on mathematical equations and protected by cryptography.
What is data mining?
The process of discovering patterns in large data sets
What does a bitcoin address look like?
26 - 26 alphanumeric characters beginning with either a 1 or a 3