Open Source Intelligence (OSINT) in a Digital Investigation

The following names and locations have been changed as investigations continue.

A call from a client specialising in providing luxury goods to consumers around the globe stated that a particular individual was sending inappropriate images to the business via their website ‘chat’ facility.

The following stages were completed to potentially determine who was sending the photographs, the level of risk they posed, and to ensure they stopped sending inappropriate images.

Firstly, the chat software had logged the IP address (think of this as an identifying number for a device connected to a network) of the person sending the images. Not only this, but the person sending the images had also registered a burner email address with the chat facility so that they could see any replies made by the business.

So, the first stage was to determine if the IP address related to a device, or if it was hidden behind a Tor server, or VPN (Virtual Private Network). Both of these facilities mask the true identity of the device by effectively providing a new IP address. A check on the IP address showed that it was not masked, and that the device used was based in an area of California. More details on the IP address identified the service used as the US carrier, Sprint, and that it was a non-business customer.

So, now we knew the images were potentially sent from a mobile device belonging to a consumer using the Sprint telephone service, within a radius of a particular area of California. These IP address details were confirmed across three services used by the person sending the images (the chat software, the email newsletter service they registered with, and the website).

Next, we turned away from the IP address to the email address. A search of historical breached data revealed nothing, which suggested we either had a very new email address, or the person sending the photos was not a heavy user of the Internet (for example, no online shopping).

The email address was provided by Gmail, and had a particular username at the start of the email address, similar to 987aaaba987 (although for clarity, this was not the one seen within the investigation). A username search highlighted an account used on Pinterest under this name, which also contained similar images to those sent to our client. Although this is not evidence, it is suggestive and warrants further investigation. A ‘first name and last name’ was also shown on the Pinterest account. We used this name for a general search for people with this name; there were a few areas to check, including a Facebook account, but nothing of interest.

We now had a name used by the person (probably not their real name), their username, and their location. We went further with their name. It was unusual and contained a name that could be used by either a man or a woman (a name such as Alex would be an example). If we reversed the first and last name shown on the Pinterest account, it gave us a new name that matched the initials used in the Pinterest username and the original email account. This was a tenuous connection, but again one worth investigating further. Using the reversed name, we were able to search for an individual within that area of California with that ‘real name’. We found just one person with that name and matching location.

This concluded the first part of the investigation relating to where the person was located, and finding a potential name. After this aspect, we had the following information:

Email address
IP Address
Username used on several services
Approximate location the images were sent from
A high probability the user was not hiding their location
Potential real name to investigate further if required

Next, we started the second stage of the investigation, which related to the images sent. We inspected the images, and they were not deemed to be fake. Two photos were sent using the online chat facility, and we inspected the hidden data contained within each photograph. This can show quite a lot of information, such as the camera used, the focal length, whether the flash fired, the size of the file, the serial number of the camera and, in some instances, even the location where the image was taken. We have a particular strength in analysing images, so this warranted further attention.

In this particular case, we were fortunate to see that the two images had been taken some time apart: one a month ago, but the second was taken whilst using the online chat facility (we simply checked the date and time, and ensured the time zone matched). Therefore, we ‘assumed’ the person conducting the chat was using their camera at the time of this conversation (this is an assumption, but again, one worth considering). Looking further at the camera data, we found the camera identifying code, and after matching that with a database of phones, we could see it was taken with a Samsung A10e mobile phone (confirmed by the image resolution, which matched that of the Samsung's internal camera). We then double checked that this model was available on the Sprint network; as expected, it was (but this was worth checking, as some models are specifically marketed at specific networks). We also found that the Samsung was using the Android 9 Pie operating system. We can therefore assume that the person using the Samsung A10e phone took the photo while on the chat service.
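The two checks described above (does the photograph's capture time fall inside the chat session once the time zone is accounted for, and does the image resolution fit the camera model recorded in the metadata) as an added example; this is not code from the investigation. The EXIF fields, device table, session times and model names are constructed sample values; real tags would come from a tool such as exiftool.

```python
# Added example: correlate EXIF capture timestamps with a chat session window,
# and sanity-check the recorded camera model against the image resolution.
# All EXIF dictionaries, device entries and session times are constructed.
from datetime import datetime, timedelta, timezone

def exif_to_utc(exif, assumed_offset=None):
    """Return (capture time as aware UTC datetime, True if the zone came from EXIF).

    EXIF DateTimeOriginal ("YYYY:MM:DD HH:MM:SS") carries no time zone. Newer
    devices add OffsetTimeOriginal ("+HH:MM"); otherwise the caller must supply
    an assumed offset (e.g. the zone implied by the IP geolocation) and the
    result is flagged as resting on that assumption.
    """
    stamp = datetime.strptime(exif["DateTimeOriginal"], "%Y:%m:%d %H:%M:%S")
    recorded = exif.get("OffsetTimeOriginal")
    offset = recorded or assumed_offset
    if offset is None:
        raise ValueError("EXIF has no time zone and no assumed offset was given")
    sign = -1 if offset.startswith("-") else 1
    hours, minutes = (int(p) for p in offset.lstrip("+-").split(":"))
    tz = timezone(sign * timedelta(hours=hours, minutes=minutes))
    return stamp.replace(tzinfo=tz).astimezone(timezone.utc), recorded is not None

def taken_during(exif, start_utc, end_utc, assumed_offset=None, slack=timedelta(minutes=5)):
    """True when the capture time lies inside the chat window, allowing for clock drift."""
    when, _ = exif_to_utc(exif, assumed_offset)
    return start_utc - slack <= when <= end_utc + slack

# Constructed lookup of native sensor resolutions per device. A real check
# would consult a phone/camera database as the write-up describes.
KNOWN_DEVICES = {("samsung", "example-a-series"): {(3264, 2448), (4000, 3000)}}

def model_matches_resolution(exif):
    """True when Make/Model are known and the image size is native for that camera."""
    key = (exif.get("Make", "").strip().lower(), exif.get("Model", "").strip().lower())
    size = (exif.get("ExifImageWidth"), exif.get("ExifImageHeight"))
    return size in KNOWN_DEVICES.get(key, set())

# Constructed sample data: a chat session (UTC) and the two photographs.
SESSION_START = datetime(2020, 1, 15, 20, 0, tzinfo=timezone.utc)
SESSION_END = datetime(2020, 1, 15, 20, 30, tzinfo=timezone.utc)
PHOTO_OLD = {"DateTimeOriginal": "2019:12:14 14:12:30", "OffsetTimeOriginal": "-08:00",
             "Make": "samsung", "Model": "EXAMPLE-A-SERIES",
             "ExifImageWidth": 3264, "ExifImageHeight": 2448}
PHOTO_LIVE = {"DateTimeOriginal": "2020:01:15 12:17:45",  # no zone recorded by the device
              "Make": "samsung", "Model": "EXAMPLE-A-SERIES",
              "ExifImageWidth": 3264, "ExifImageHeight": 2448}

if __name__ == "__main__":
    print(taken_during(PHOTO_OLD, SESSION_START, SESSION_END))             # False
    print(taken_during(PHOTO_LIVE, SESSION_START, SESSION_END, "-08:00"))  # True
    print(model_matches_resolution(PHOTO_LIVE))                            # True
```

The second photograph only lands inside the session once an assumed Pacific offset is applied, which is exactly why the write-up stresses checking the time zone before treating the timestamp as corroboration.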

This evidence was forwarded to the relevant enforcement teams on the Sprint network responsible for further investigations. I am pleased to say that the problem has been resolved for our client.

This tale has two elements to it. Firstly, with investigation work it is possible to work out where those with malicious intent are hiding with some degree of accuracy. Secondly, it highlights that law-abiding individuals leave a lot of data about themselves on the Internet, even when simply using a ‘chat’ service.