
Every investigation is different, but what never changes is that you have to treat an investigation much like the challenge of building something from a bucket of Legos. With each breadcrumb you put another Lego piece on the building table; as you keep following leads you add more pieces, and eventually (hopefully) you start building something from the many breadcrumbs observed. You are moving from less knowledge to more knowledge as you find new pieces of the puzzle.

OSINT and investigations should always be thought of as Lego pieces…

The last 12 months have introduced a few hurdles for OSINT / PAI (publicly available information) hunters, as the easily resolvable tricks that provided one-to-one correlations have been removed by many social media platforms and collection watering holes alike.

Previously on 24, you could easily correlate many one-to-one mappings with phone number and email address lookups, and in some cases you can still do this on select platforms. As time moves forward, I anticipate email address and phone number lookups will become much harder for your typical instrumentation.

No need to despair: as a good investigator you should already be adjusting to changes like this, since no two investigations are the same. Regardless of where an investigation starts, remind yourself to be flexible, adapt from that starting point, and see where your skills and questions take you.

I was prompted to write this after a few exciting cases left little to go on, as well as by the shift in the industry. As I listened to some of our customers, it sounded like they had grown used to “OSINT button-ology” rather than taking on a more robust methodology in their investigative workflow, one that allows more adaptability and structure when deconstructing the small breadcrumbs they are given.

One of the techniques we have been pushing in training is to treat email addresses a bit differently.

Deconstructing Email Addresses

Treat the email address as two things.
1) Email address
2) Alias

E.g.
Joesmith179@gmail.com should be broken up into
Joesmith179 and Joesmith179@gmail.com.

Then search… first for one-to-one correlations against the full email address, followed by searching all platforms for correlations to the alias. Human nature wants to use the same thing. Over and over…

Shotgun Approach

Human nature will also want to reuse the same alias at various email providers, sometimes with small variations.

Take Joesmith179@ and also add in a few shotgun approaches to the search.

@yandex
@protonmail
@yahoo
@hotmail
…..
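The two steps above (split the address into alias and full address, search the full address first, then the alias, then the alias at other providers) can be written down as a small search plan. The following is an added example, not ShadowDragon code or tooling; the provider list and sample addresses are constructed for illustration, and the handling of “+tag” sub-addresses and of Gmail ignoring dots in the local part is a generalisation beyond the post (those providers treat such forms as the same mailbox, so they count as the “small variations” of one alias). It is equally useful for an organisation reviewing how its own staff addresses decompose and which reuse candidates an investigator would check.

```python
"""Deconstruct an email address into alias + address and build the ordered
search plan from the post: exact address first, alias second, then alias@other
providers (the shotgun list).

Added example, not the original post's or ShadowDragon's code. Provider list
and sample addresses are constructed; the +tag and Gmail dot-folding rules are
assumptions generalising the post's "small variations" remark.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed provider list: the ones the post names plus a couple of others.
SHOTGUN_PROVIDERS = ["gmail.com", "yandex.com", "protonmail.com",
                     "yahoo.com", "hotmail.com", "outlook.com"]

# Providers that ignore dots in the local part (assumption documented above).
DOT_INSENSITIVE = {"gmail.com", "googlemail.com"}

_EMAIL_RE = re.compile(
    r"^([A-Za-z0-9._%+-]+)@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,})$"
)


@dataclass(frozen=True)
class EmailPieces:
    address: str            # normalised full address, e.g. joe.smith179@gmail.com
    alias: str              # local part without any +tag, e.g. joe.smith179
    canonical_alias: str    # alias with provider-ignored characters folded out
    domain: str
    tag: Optional[str]      # sub-address tag after '+', if any


def deconstruct(email: str) -> EmailPieces:
    """Split an address into the two things the post says to treat separately."""
    m = _EMAIL_RE.match(email.strip())
    if not m:
        raise ValueError(f"not a syntactically valid address: {email!r}")
    local, domain = m.group(1).lower(), m.group(2).lower()
    alias, _, tag = local.partition("+")
    canonical = alias.replace(".", "") if domain in DOT_INSENSITIVE else alias
    return EmailPieces(
        address=f"{local}@{domain}",
        alias=alias,
        canonical_alias=canonical,
        domain=domain,
        tag=tag or None,
    )


def alias_variants(pieces: EmailPieces) -> list:
    """Alias forms worth searching: as written and, if different, dot-folded."""
    variants = [pieces.alias]
    if pieces.canonical_alias != pieces.alias:
        variants.append(pieces.canonical_alias)
    return variants


def shotgun_candidates(pieces: EmailPieces, providers=SHOTGUN_PROVIDERS) -> list:
    """alias@provider for every provider except the one already in hand."""
    out = []
    for alias in alias_variants(pieces):
        for provider in providers:
            if provider == pieces.domain:
                continue            # we already have this exact address
            cand = f"{alias}@{provider}"
            if cand not in out:     # keep order, drop duplicates
                out.append(cand)
    return out


def search_plan(email: str) -> list:
    """Ordered (kind, value) pairs: exact address, then alias, then shotgun."""
    p = deconstruct(email)
    plan = [("email", p.address)]
    plan += [("alias", a) for a in alias_variants(p)]
    plan += [("email", c) for c in shotgun_candidates(p)]
    return plan


if __name__ == "__main__":
    # Constructed sample address from the post.
    for kind, value in search_plan("Joesmith179@gmail.com"):
        print(f"{kind:6} {value}")
```

The plan is deliberately an ordered list rather than a set: the post's point is that the exact-address correlation comes first and the broader alias searches only afterwards, so the order carries the methodology. Everything is lower-cased before comparison because mailbox local parts are matched case-insensitively by essentially every large provider, which avoids treating `Joesmith179` and `joesmith179` as two different leads.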

Following methods like these tends to increase leads, while pushing the investigator to rely on a methodology and think through the problem rather than relying on a single method to attack it.

We cover techniques like this in our training courses but will attempt to push more information up into the blogosphere as time permits.


Daniel Clemens

Daniel Clemens is the founder and CEO of both ShadowDragon and Packet Ninjas, a niche cyber security consulting and services company.

With extensive experience in defensive and offensive security, Daniel has been a quiet trailblazer in digital intel gathering long before cyber intelligence became a discipline. More than a decade ago he was inventing and applying his own intelligence tools in support of companies and governments around the world facing urgent threats. Using this deep understanding of web technologies and the behaviors of cybercriminals, he has enhanced, updated and packaged these tools under ShadowDragon.

Daniel is a member of Odonata Holdings, Inc.