Real Life Examples - OSINT in civil litigation #1 - Running from the truth
This is the first in a series of articles that talks about the benefits of using Open Source Intelligence (OSINT) for civil litigation. Why is it helpful and how does it work? These are real life examples we have used in the past. Obviously the details have been changed for privacy reasons.
Our first example involves a case in which a person running a marathon is assaulted during the race by a volunteer working a water station. The water station is staffed by a few individuals who hand out water to runners as they pass. The race is spread over a long distance, so there are few people in the area at the time of the assault. The marathon organizers had asked for volunteers to staff these stations and therefore kept no records of who was working at which one.
Our client asked us to try to find anyone who may have witnessed the event. The attacker was never identified, as he had left the scene by the time the race organizers were notified of the assault.
Let's talk about OSINT for a second. OSINT is the collection, exploitation, and analysis of information that is publicly available. This means we are not gathering private information, so no subpoena or court order is needed to collect it (the platform's terms of service and privacy law still govern how it is collected and used). Public information really can encompass a lot: everything from information on the internet, to public tax records, to the IP addresses recorded when someone logs in to certain websites, and much more. We can start with a small amount of known information and "exploit" it to get more information on a subject. For instance, in this case, we know that the event was a marathon located in Death Valley, CA. For this example we will call it "The Desert Run."
We can start by using software that searches social media sites like Facebook, Twitter, Instagram, and Flickr for mentions of "The Desert Run" on March 21, 2017. This returns 158 mentions of the race on that day. We collect the profiles behind these mentions for analysis. Some will be public and some will be private. There are ways to get private information from social media without breaking any privacy laws, but that is beyond the scope of this article. After reviewing these profiles we can also extract any new people who have been tagged at the race by the profiles we already have. This gives us a total of 212 potential witnesses who participated in the race.
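The expansion step described above (seed accounts that mentioned the event on the race date, then the accounts those seeds tagged) is a one- or two-hop walk over a tag graph. The script below is an added example written for this article, not the author's tooling; the posts, handles and tags in it are constructed sample data, and the "provenance" string recorded for each account is an assumption about what you would want to keep so the chain from seed to witness can be documented later.

```python
"""Seed-set expansion for witness discovery (added example, not the author's tooling).

Start from public posts that mention the event name within the date window,
then add every account those posts tag, hop by hop, recording how each
account was reached. All data below is constructed for the example.
"""
from collections import deque
from datetime import date

# Constructed sample of collected public posts: author handle, post date,
# post text, and the handles tagged in the post.
POSTS = [
    {"author": "runner_amy", "date": date(2017, 3, 21),
     "text": "Finished The Desert Run!", "tags": ["coach_bob", "jen_k"]},
    {"author": "coach_bob", "date": date(2017, 3, 21),
     "text": "Desert Run water station crew", "tags": ["volunteer_x"]},
    {"author": "jen_k", "date": date(2017, 3, 22),
     "text": "Recovering from the desert run", "tags": []},
    {"author": "unrelated", "date": date(2017, 3, 21),
     "text": "Lovely day in Miami", "tags": ["runner_amy"]},
    {"author": "volunteer_x", "date": date(2017, 3, 21),
     "text": "Long day at mile 18", "tags": ["runner_amy", "dan_99"]},
]


def seed_profiles(posts, term, start, end):
    """Authors of posts that mention `term` (case-insensitive) between start and end inclusive."""
    term = term.lower()
    return {p["author"] for p in posts
            if start <= p["date"] <= end and term in p["text"].lower()}


def expand(posts, seeds, hops=1):
    """Breadth-first expansion over tags, at most `hops` hops out from the seeds.

    Returns {handle: provenance}, where provenance says why the handle is in
    the set ("mentioned event" or "tagged by <handle>"). Only posts by
    accounts already in the set are used to pull in new accounts, so an
    unrelated account that merely tags a seed is never added.
    """
    by_author = {}
    for p in posts:
        by_author.setdefault(p["author"], []).append(p)

    found = {h: "mentioned event" for h in seeds}
    frontier = deque((h, 0) for h in sorted(seeds))   # sorted for deterministic order
    while frontier:
        handle, depth = frontier.popleft()
        if depth >= hops:
            continue
        for p in by_author.get(handle, []):
            for tagged in p["tags"]:
                if tagged not in found:
                    found[tagged] = f"tagged by {handle}"
                    frontier.append((tagged, depth + 1))
    return found


if __name__ == "__main__":
    race_day = date(2017, 3, 21)
    seeds = seed_profiles(POSTS, "desert run", race_day, race_day)
    for handle, why in sorted(expand(POSTS, seeds, hops=2).items()):
        print(f"{handle:12s} {why}")
```

On the sample data the seeds are the two accounts that mentioned the race on race day; one hop adds the people they tagged, and a second hop reaches a friend tagged by a volunteer who never mentioned the race himself. The account that only tagged a runner from Miami is never pulled in, because expansion only follows tags made by accounts already in the set. Widen the date window if runners post their photos a day or two late.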
Most of these people have posted pictures of the race in progress. Our team begins to review all posted pictures, looking for individuals near or working at any of the water stations. We eliminate profiles that add no useful information. This eventually leads us to 7 profiles containing pictures of the water station and 2 tagged people who appear to be working behind the table. We collect these pictures and send them to our client, asking him to show them to the victim of the attack to see if he can identify the person who attacked him. We receive a positive ID on one of the men at the water station as the attacker.
Our team begins working on identifying the attacker and the other workers at the station as witnesses. The attacker's Facebook profile is set to private and uses a name that is obviously not real. However, reverse image analysis uncovers a public Twitter profile with the same profile picture. This profile again uses a fake name, but in it we can see a post about working at the race that day. Other posts show a picture of him on a plane headed to Miami. In the seat pocket in front of him a boarding pass is sticking out; enhancing and cleaning up this picture gives us the name printed on it. A second picture shows him celebrating his birthday with friends, several of whom comment "happy birthday" on his profile. This tells us his birthday is June 12. Finally, a search of the friends who commented on his birthday turns up a picture of the attacker and a friend moving into a new apartment, with the street number visible in the background. The geotag on that tweet gives us the street and city.
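The pivot from the private Facebook profile to the public Twitter profile relies on the two accounts sharing a profile picture. Reverse image search engines do that matching with perceptual fingerprints rather than raw bytes, so a re-uploaded, recompressed or slightly brightened copy still matches. The script below is an added example, not the author's tooling: a pure-Python average hash (aHash) compared by Hamming distance. The three "profile pictures" are constructed 16x16 grayscale grids, and the match threshold of 10 bits is an assumption for the example, not a value from the article.

```python
"""Perceptual-hash matching of profile pictures (added example, not the author's tooling).

average_hash() downsamples a square grayscale image to 8x8, then sets one bit
per cell according to whether the cell is brighter than the image mean. Two
copies of the same picture differ by only a few bits even after brightness
changes or recompression; unrelated pictures differ by roughly half the bits.
"""


def _downsample(pixels, size=8):
    """Block-average a square grayscale grid (list of rows of 0-255 ints) to size x size."""
    n = len(pixels)
    block = n // size
    out = []
    for by in range(size):
        row = []
        for bx in range(size):
            total = 0
            for y in range(by * block, (by + 1) * block):
                for x in range(bx * block, (bx + 1) * block):
                    total += pixels[y][x]
            row.append(total / (block * block))
        out.append(row)
    return out


def average_hash(pixels, size=8):
    """64-bit aHash as an int: bit set where the downsampled cell is above the mean."""
    flat = [v for row in _downsample(pixels, size) for v in row]
    mean = sum(flat) / len(flat)
    bits = 0
    for v in flat:
        bits = (bits << 1) | (1 if v > mean else 0)
    return bits


def hamming(a, b):
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")


def is_same_picture(a, b, threshold=10):
    """Assumed threshold: hashes within 10 bits are treated as the same picture."""
    return hamming(average_hash(a), average_hash(b)) <= threshold


def make_portrait(bg, fg, jitter=False):
    """Constructed 16x16 'portrait': a bright block on a darker background.

    jitter=True adds a small deterministic pixel-level pattern to stand in for
    the recompression noise a re-upload introduces.
    """
    def noise(x, y):
        return (x * 7 + y * 3) % 5 if jitter else 0
    return [[(fg if 4 <= y < 12 and 5 <= x < 11 else bg) + noise(x, y)
             for x in range(16)] for y in range(16)]


def make_landscape(bg, fg):
    """Constructed 16x16 unrelated picture: a bright band across the top."""
    return [[fg if y < 4 else bg for x in range(16)] for y in range(16)]


# Constructed inputs: the Facebook copy, a brighter re-uploaded Twitter copy,
# and an unrelated picture.
FB_PIC = make_portrait(bg=40, fg=200)
TW_PIC = make_portrait(bg=70, fg=230, jitter=True)
OTHER_PIC = make_landscape(bg=40, fg=200)

if __name__ == "__main__":
    h_fb, h_tw, h_other = (average_hash(p) for p in (FB_PIC, TW_PIC, OTHER_PIC))
    print(f"fb vs twitter: {hamming(h_fb, h_tw)} bits apart")
    print(f"fb vs other:   {hamming(h_fb, h_other)} bits apart")
```

Running the block reports the Facebook and Twitter copies as a few bits apart and the unrelated picture as dozens of bits apart. At scale the same idea is applied by hashing every profile picture collected during the sweep and indexing the hashes, so a private account's avatar can be looked up against public ones without any access to the private account itself.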
We now know the attacker's name from the boarding pass, his birthday, and an address. Using that information we are able to determine the attacker's identity and current location. The same techniques were used to locate 2 witnesses who worked the same station with the attacker that day.
With our client's approval we were able to go out and serve these individuals. The client ended up settling this case.
This is one of many examples of the hundreds of tools and techniques we use to collect, exploit and analyse information for our clients on a daily basis.
Questions are always welcome.