Open Source Intelligence 3: Retrieving the Target’s Online Activity Traces

Based on his actual engagements, Jeff Bardin clarifies some methods for looking up online mentions of a target and recommends a couple of tools for doing that.

When I first started doing this, this is an example of some of the things out there that I’ve done. One of the targets I was after was Anwar al-Awlaki, who’s no longer with us, and the target here was his sermons – his talks that were all recorded in MP3. I wanted to find them and find the sites that were actually hosting these sites. So, he was my target.

Touchgraph tool

I went to this tool called touchgraph.com (see image). This tool costs 4000 to 5000 dollars, but if you look on the site there is a little button that says Demo. You click on that, and actually you can operate some of the tool there, and it’s a link analysis tool.

So, I put in his name, which is right in the centre of the circle, and I hit Enter, and it explodes out into this Java screen, where every circle I can double-click on, and it explodes out into more screens. And it actually goes out and analyzes the name and where it finds it throughout the Internet for you. It saves you a lot of time in trying to find where Anwar al-Awlaki has been popping up in different sites.

When you look at this, you say: “Ok, where am I going to find his actual sermons out there?” And I don’t think it’s going to be at Huffington Post or New York Times. I don’t think I’m going to find his sermons there, right? So, I can eliminate those pretty easily. I keep going through these, taking a look, and he probably won’t be there. But what I will find is that he’s probably at sites like Kalamullah, or Anwar Al-Awlaki, or Salaat Time, or even Hoor-al-ayn.com. These are typical sites that might have his information on them. Makes sense to take a look at those.

This tool can also come out and give you URLs, and it ranks the URLs by the number of times his name pops up. So, I can take a look at these URLs and say: “This looks like somewhere I want to go with this tool that is actually costly but free.” So, I’ll use that and I’ll start going through these URLs. This is a very fast way to find out where your target may be hiding information out there, or have data.

The sought-for site found via Touchgraph

So, you go to this site, and sure enough I can find that here are all his sermons on the front page of this site (see right-hand image). You would think it was just a very benign site, but underneath it you’ll find all the sermons, all in MP3 for download or on DVD if you want to get those. So, an easy way to target and find out is using tools like Touchgraph.

More tools to find online associations

In addition, there’s a tool called Maltego if you go to paterva.com. Have any of you heard of or are a member of the Cult of the Dead Cow, a hacker group from a while back? They’re an older group. They created paterva.com and this tool called Maltego (see left-hand image). It’s another great link analysis tool; there’s a free version of it, called the Community Edition, that you can download and use.

With that tool you can go find out information on email addresses, Twitter accounts, phone numbers; it actually builds these links out for you. It takes a little bit to learn this, but I recommend taking a look at this if you haven’t already. It can help you find some of these different tools out there. Silobreaker is another tool that helps you with some different links and getting your information together.

Now, once you find their sites, being hackers you want to hack the site, right? Isn’t that what you want to do? You want to hack it, but if you are in cyber intelligence, you don’t want to hack it – you want to get inside it. You want to become a member of that site and somebody that is very respected in that site.

At one time I had multiple different sock puppets on a cyber Jihadist site; one of them had a lot of experience on this site and was well respected. And I had another junior member on this site, and I wanted to get another layer into this site with my senior member, so what I did is I set up my junior member, my other personality, and I made him make some things that were contrary to bin Laden. He said it online. And over here at my senior sock puppet I called him out, got him kicked off this site, and because of that I got better street credentials on this site. So, it’s a way that you can use tools and techniques to get in and penetrate further into these different sites.

Downloading site contents with HTTrack

In addition, there are tools out there that you can use, where you can actually target a site, and you can download the whole site if you know how to configure this tool, HTTrack (see image). There are some ways you can configure, where you can bypass the robots.txt and you can copy the site en masse, and it may take a few days to do it, and you’ve got to be careful so it doesn’t go too far out to copy other sites. But you can get SQL server databases, PDF files, everything that you can then gather as you’re collecting this information, so then you can go through and produce it, and organize it, pull out what you want, search it, index it, and start organizing this information before you start analyzing it. So, HTTrack is a free tool as well that you can use, and there are some configuration settings that are actually fairly easy to find, but doing this with your anonymizers, hiding your IP, is a good way to go and download these sites before you go in.

Read previous: Open Source Intelligence 2: Creating and Validating a Sock Puppet

Read next: Open Source Intelligence 4: Know Your Adversary
