This section of Jeff Bardin’s presentation is about using some of the open source tools out there to look up different types of data on the adversaries.
So, now that you’ve got your sock puppet created, you’ve got your anonymity in place, you’ve got your cultural, social, political background and linguistic understanding, religious understanding, you can use these open source tools. I’m going to cover a few here and go through some examples. If you want to find adversaries, they’re on Facebook, they’re on Twitter, they’re all over the place.
This site (see image) is no longer up, the Mujahedin channel; it’s long gone. But at the time I actually used one of my sock puppets to friend this channel, and you can get the list of folks here that you can actually start following them, and they follow you. You follow their Twitter accounts, you get to know who they are. And there are some different tools that you can use to actually track this information; tools that give you trending and tendency analysis as well as link analysis, as you go down the road and try and make this happen in a way that doesn’t bury you with information.
Because when you use this type of technique, open source intelligence, you’ll just be under a huge amount of gigabytes of data. So much information makes it difficult to actually sort through it. But some of the tools you’ll use will sift through that and give you this information in a much faster way.
So, when I look at the site, I feed it through a tool called Topsy.com (see left-hand image), and there’s some social analytics there, and at each peak of this graph I can mouse over it and it’ll highlight some of the activities and who they are within this tool set. In this case I find Abulhasan and some others here, so now I can track those folks on Twitter or possibly on Facebook and start looking at them as they pop up, as they’re referring to some of the words here that I’ve put in. This gentleman here is Fahad11q8 (on right-hand image). When I started tracking him, I used this tool called Twopcharts.com, and it gives me all these capabilities where I can compare him against others, I can see the images that Fahad11q8 has used, I can see the frequency of his tweets, when he tweets, the time of day, what he tweets about, who’s following him, who he follows; I can look at the first 10 tweets, the first 10 followers. There is a great deal of information just in this one tool. I can compare his Twitter account against another Twitter account, and overlap them, and see the similarities in it, and it saves me a lot of time.
So, I look at Fahad11q8, I get some information about him, and I can also take this out to his Twitter account and see that he’s on Twitter, where I can go and look at more images there, and get an idea of what his content is, if you can read Arabic or run it through a translator. Regardless, I can see the types of images that Fahad11q8 is using – it gives me a better idea: is Fahad11q8 a cyber Jihadist or not? That’s what I’m trying to determine here. Or is he just someone interested in this; or is he an active participant; or is he, too, a sock puppet like me, trying to gather information? You have to determine this, and you have to look at relevancy of your sources to make sure that your sources are valid. And that can be difficult sometimes.
Regardless, I start looking at some of his images, and I pull this up, and this one here is actually about a Muslim brotherhood in Syria. And I look at another image here (see left-hand photo) and I say: “Ok, where does this image come from? How do I find out where this information comes from, where this image originated from?” Well, there are some great tools out there as well for that. They plug right into your browser, whether it’s Chrome, Internet Explorer or Firefox, or you can upload it directly to the site. I can use Google, or I can use a tool called TinEye. I right mouse click on the image, send the image out to TinEye. TinEye will go out and search 2 billion records of images in about 4 seconds to find out that this particular image was originally located on a well-known Jihadist website (see right-hand image). And so I’ve got a good idea now that Fahad11q8 has activity on that particular website, that forum. I go on to the forum where I’ve actually already established a sock puppet, and I start to find that he is there, and I start having conversations with him, so we start building a relationship. In the meantime, I am following him on Twitter; I’m hashtagging; I’m retweeting some of his tweets. I’m also cozied up to him on Facebook and we start building this relationship out there.
The other interesting piece there, and I’ll show you: some of the tools that you can take with you are actually in this PDF (see attached Zip file). There’re 33 pages of tools out there that will be made available to you in this PDF, and they just go on; some of them are link analysis tools, some of them are Google tools.
How many people here search using Google? But if you know how to really search on Google – some call it Google hacks – you can find information like that. If you don’t, then you’ll be searching and you’ll never find the information. But if you use particular Google search tools, the capabilities, then you’ll actually be able to find information very quickly if you know how to do this.
I want to make sure that you get those tools so that you don’t get yourselves in big trouble when you go out and create your own sock puppets. I actually created sock puppets on Facebook to follow my kids when they were in high school, so my kids don’t like me very much when they find that I have more friends on Facebook than they do; at least my persona does. But I find out where the parties are, who’s in trouble in school, who’s pregnant, who’s drinking, where the parties are – I find out before they do.
So, when they go to that party, I’m just sitting there: “Hey, how are you doing?” because I’m already there. So, if you have young kids, I urge you to create a sock puppet on Facebook and go out there and friend all of their friends, because the whole game in Facebook is the more friends I have when I die more than you, the better person I am. That’s it, that’s how it works. So, you can use this not only for adversaries, you can use it for your kids.
As a matter of fact, a friend of a friend of mine was going through a divorce, and he thought that he had this really locked down: his wife had been sleeping around on him, embezzling money from the business. But every time he went to the judge, he got a setback. He thought he was going to have an opened/closed case through the divorce, and he would get the house and everything, but every time he went to this judge, he got a setback.
So, he asked a friend of his, who had actually gone through the cyber intelligence courses that I teach, to help him see what’s going on: “I can’t believe what’s happening here.” His friend used some of the tools and techniques here to find out that the judge was sleeping with the guy’s wife. When he found this, he presented this to the judge, and then the divorce went his way very quickly. I’m not saying that you should do this; I always maintain legal aspects of this. If you want to be unethical, that’s something else; but maintain legality around these activities.