Open Source Intelligence (OSI) and Your Case

April 2, 2014

Open Source Intelligence (OSI or OSINT) is intelligence collected from sources that are publicly available. Much of the information fed to the internet by users, collected by advertisers, or otherwise left behind during a person’s interaction with electronic systems (or with retailers and advertisers that store such information electronically and then resell it) can be identified through “deep” or “dark” web research. OSI is an important enough research methodology that many law enforcement agencies, especially Federal ones, have dedicated resources to OSINT gathering and analysis.

In civil litigation OSI is an invaluable resource for:

  • Research of retained and opposing experts
  • Information regarding opposing attorneys
  • Witness and litigant information
  • Uncovering other emails, social site accounts, properties, activities, and repositories of information not disclosed

Consider a recent case that I was involved with: The opposing party had disclosed certain online accounts that contained relevant information regarding their corporate history, communications via web mail, and travel.  An OSI search revealed two alternate web mail addresses, as well as a connection with a competing firm, travel information (previously undisclosed), and some “known associates” that had information relevant to the case.  Metadata analysis of documents and photos contained on the newly discovered sites yielded even more information.  None of this information was contained on the hard drive submitted for inspection.

OSI, on the web, is broken down into two main categories: Direct indexed information, and Dark web (or Deep web) information.

Direct indexed information is the category most familiar to practically anyone who uses the web. It is information that has been picked up and indexed by a search engine and, with the correct search techniques, can be narrowed down to particular people, places, and things. Indexed information typically ends up on the web through three different paths:

Deliberate – Deliberate information is information that is on the web because of the direct interaction of an entity with a web resource.  This could be information that is publicly available because of social sites, website registration, or signing on to public newsgroups and forums. 

Accidental (Through fault of the information Owner) – Often, information is deliberately provided, but the provider didn’t realize that it would be publicly searchable. Facebook is a perfect example: by not understanding ALL the privacy implications of use, users (or their friends) often provide far more details, photos, or location information than is intended, desirable, or realized.

Accidental (Through fault of the information Custodian) – Very large data breaches are far too common these days. The reality is that they have been very common for years, but attention has only recently turned to the size and frequency of breaches. Aside from breaches, however, “information leakage” is not at all uncommon. Information leakage is where a website or internet resource unintentionally provides more information than the user, or the owner, realizes. There are teams of people, advertisers, and intelligence-gathering entities that look for information leaks and harvest the results.

Dark (or Deep) Web information sounds very “techie” and mysterious, but in reality simply describes the large portions of the web that contain information that is not indexed by search engines.  Typically these are databases of information that are accessible from a website, registration information, attendance and membership databases and information of that nature.

The challenge with OSI is to compile information both from direct indexed resources and dark web resources, and then correlate and narrow the information so that it is accurate to the particular entity being researched. A thorough manual search can be performed using the “cheat sheets” provided with this book. The challenge is that aggregation, correlation, and verification can take many hours. There are tools available to an attorney that speed up the process. LexisNexis offers access to a static database through the Accurint tool (http://www.Accurint.com), and Westlaw (http://www.Westlaw.com) also provides static database information. There are any number of smaller sites that offer various degrees of information through static databases.

Static information can quickly become inaccurate or stale, and there are tools that fill the niche for automated research.  Vidoc Razor maintains such a tool (If you are an attorney, you can request a login at: http://www.vidocrazor.com/RSInfo.php) that actively mines “live” social information, media and publications, photos, as well as location and known relations and associate information.  The information is then aggregated, correlated, and a baseline validity check performed.  The information is available for filtering and refining from a single point, and custom reports can be generated.

Whether using manual techniques, static databases, or automated approaches, the nature of OSI is important to keep firmly in mind:  it is fluid.  The information “lives” and changes as people live and change.  It is also contradictory; some OSI is incredibly volatile and can “evaporate” without warning, while other OSI is incredibly persistent, and will stay available through harvesting techniques even when the information owner is actively trying to remove it.  Any information derived from any of the harvesting techniques discussed must be verified before action is taken on it.
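The aggregation, correlation, and baseline validity check described above can be illustrated with a small script. The following is an added example written for this post; it is not Vidoc Razor’s tool or any product named here, and the four records it processes are constructed sample data (example.com addresses and 555 phone numbers), not real people. Records are linked only on strong identifiers (a normalized e-mail or phone number), never on a name alone, and every attribute that rests on a single source or that conflicts across sources is flagged for the verification step the post insists on.

```python
"""Correlate and sanity-check records about one research subject.

Added illustration for the OSI post; not Vidoc Razor's product.
All records below are constructed sample data, not real people.
"""
import re
from collections import defaultdict

# Constructed sample records: one search-engine hit, two "deep web" database
# hits, and one unrelated person who happens to share a common name.
RECORDS = [
    {"source": "search-engine", "name": "J. Q. Sample",
     "email": "JQ.Sample@Example.com", "phone": "", "city": "Houston"},
    {"source": "membership-db", "name": "John Q Sample",
     "email": "jq.sample@example.com", "phone": "(713) 555-0100", "city": "Houston"},
    {"source": "registration-db", "name": "John Sample",
     "email": "", "phone": "713-555-0100", "city": "Dallas"},
    {"source": "social-site", "name": "John Sample",
     "email": "john.sample@example.net", "phone": "", "city": "Austin"},
]

def normalize(rec):
    """Canonical forms of the fields that can link or corroborate records."""
    return {
        "source": rec["source"],
        "name": re.sub(r"[^a-z ]", "", rec["name"].lower()),
        "email": rec["email"].strip().lower(),
        "phone": re.sub(r"\D", "", rec["phone"])[-10:],   # last 10 digits
        "city": rec["city"].strip().lower(),
    }

def cluster(records):
    """Group records that share a strong identifier (e-mail or phone).
    Names are too common to link on by themselves; they are only compared
    afterwards, inside a cluster."""
    parent = list(range(len(records)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    seen = {}
    for idx, r in enumerate(records):
        for key in ("email", "phone"):
            val = r[key]
            if not val:
                continue
            if (key, val) in seen:
                parent[find(idx)] = find(seen[(key, val)])
            else:
                seen[(key, val)] = idx
    groups = defaultdict(list)
    for idx in range(len(records)):
        groups[find(idx)].append(records[idx])
    return list(groups.values())

def assess(group):
    """Count how many independent sources support each attribute value and
    flag anything single-sourced or contradicted for manual verification."""
    support = defaultdict(lambda: defaultdict(set))
    for r in group:
        for field in ("name", "email", "phone", "city"):
            if r[field]:
                support[field][r[field]].add(r["source"])
    report = {}
    for field, values in support.items():
        ranked = sorted(values.items(), key=lambda kv: -len(kv[1]))
        best, sources = ranked[0]
        report[field] = {
            "best": best,
            "sources": len(sources),
            "conflicts": [v for v, _ in ranked[1:]],
            "needs_verification": len(sources) < 2 or len(ranked) > 1,
        }
    return report

def correlate(records=RECORDS):
    """Return (sorted source names, attribute report) for each cluster."""
    groups = cluster([normalize(r) for r in records])
    return [(sorted(r["source"] for r in g), assess(g)) for g in groups]

if __name__ == "__main__":
    for sources, report in correlate():
        print("cluster:", ", ".join(sources))
        for field, info in report.items():
            flag = "VERIFY" if info["needs_verification"] else "ok"
            print(f"  {field:6} {info['best']!r} ({info['sources']} sources)"
                  f" {flag} conflicts={info['conflicts']}")
```

On the sample data the search-engine and membership records link through the e-mail address, the membership and registration records link through the phone number, and the social-site record stays separate because a matching name is not enough to join it. The city attribute of the first cluster is reported as Houston with Dallas as a conflict to be resolved by hand, which is exactly the kind of contradiction the post warns about.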


Weekly Highlights: December 6, 2013

December 5, 2013

Hacker Server Storing Two Million Pilfered Passwords

(From: Ars Technica) Researchers have unearthed a server storing more than two million pilfered login credentials for all kinds of user accounts, including those on Facebook, Yahoo, Google, Twitter, and a handful of other websites. While some initially stated that the password compromises were primarily against the Netherlands, further research showed that the reason the Netherlands featured so prominently was that the information was filtered through “Command and Control” bots.

Article is HERE.

Lawyer Can’t Grill ISP Over Online Defamation

(From: Courthouse News)  A California-based lawyer alleged defamation and copyright infringement with respect to the use of his photo without permission.  The lawyer filed suit against the ISP, and the Judge, while refusing to dismiss on the basis of safe harbor, granted the ISP’s motion based on the lawyer’s failure to show copyright ownership.

Article is HERE.

A Spurned Techie’s Revenge: Locking Down His Ex’s Digital Life

(From: Ars Technica)  Revenge porn is just the tip of the iceberg when it comes to cyber-domestic abuse.

Article is HERE.

Encryption Made Easy: A Primer for Mac Users

(From: Law Technology Today) This article describes the steps to encrypt documents, folders, hard drives, external drives, and backup devices using Mac OS X Mountain Lion. Most capabilities described in this article can be found on other versions of OS X as well.


Weekly Highlights: September 17, 2012

September 17, 2012

Things You Might Have Missed Last Week

(Highlights in legal, forensics, and electronic discovery news for the past week)

Interesting Electronic Evidence Cases

Inhalation Plastics, Inc. v. Medex Cardio-Pulmonary, Inc., No. 2:07-CV-116, 2012 WL 3731483 (S.D. Ohio Aug. 28, 2012)

The defendant inadvertently produced almost 350 pages of email. Even though, after in camera review, the court found that many of the produced materials were “within the ambit of attorney-client privilege”, the court found that privilege had been waived.

Weekly Highlighted Article

From E-Discovery Beat:

Experts Consider E-Discovery Implications of New ABA Ethics Rules Amendments

From BowTieLaw.com:

Forensically Examining a Lawyer’s Computer

Electronic Evidence News

Twitter Gives Occupy Protester’s Tweets to U.S. Judge

Court Issues 20-Year Product Injunction in Trade Secret Theft/eDiscovery Sanctions Case

Samsung Flexes Litigation Muscles at Apple Ahead of iPhone 5 Launch-Again


Part One: Simple Steps To Secure Your Client During Litigation

September 11, 2012

In the past year, there has been a distinct uptick in cases involving data breaches and keylogging malware, especially in family law cases. The perpetrators in this uptick are not anonymous, random third parties, but rather the actual litigants in a case.

Part of the reason for the uptick is that “bugging” someone’s computer or cell phone (electronic intercept) has gotten significantly easier. Most people can handle installing software. The same goes for breaking into someone’s webmail, banking, or other online accounts.

Here are steps your client can take, right now, to protect their information and communications:

  • Create a List of Electronic Assets – Experience shows that, without a list, things will be overlooked.  Have your client list out cell phone, webmail, social network, and online banking accounts. In the same manner, have them list out things like wifi and home network assets.  This list is the starting point.
  • Change Passwords and Password Recovery Questions – Simply changing passwords is not enough. Password recovery questions (“What is the name of your favorite pet?”) are an easy way for someone who is familiar with your client to gain entry to their online resources.
  • Avoid Password Reuse – Using the same password for everything is a recipe for disaster. Understandably, it can be an inconvenience to use different passwords everywhere, but there are ways to make meaningful passwords that are easy to remember. Here is a full write-up on password reuse.
  • Review WiFi Security – If the opposing side in a matter was the one that set up the home wireless network, then all they need to do is be within range to join back on the network and gain access to systems or to “sniff” and view network traffic (including your client’s passwords, communications, etc.).
  • Review Joint Cellular Accounts – Depending on the carrier, joint cellular plans can give the opposing party access to endpoints in voice and text communications. Some carriers may actually have access to the content of text messages online. While TRO and data protection may prevent a direct change to the account or plan, your client may consider using a pay-as-you-go plan.

These are some simple steps that can be taken with minimal cost, and yet they will provide an immediate boost to your client’s security stance.

Tomorrow: Part 2- Simple Steps In Case of Breach

If you or your client feel that there has already been a breach, or you are facing a particularly aggressive or knowledgeable opposition, you may consider inquiring about our Client Information Security package (CISP).

The CISP is a flat-rate, full assessment of your client’s information security and includes a drop-in firewall with logging and 24/7 monitoring for intrusion attempts, malware activity, and other breach behavior. Vidoc Razor will not only assess the security of your client, but also fix the issues identified. All hardware is provided by Vidoc Razor.

You can find more information by clicking HERE.


Weekly Highlights: September 10, 2012

September 10, 2012

Things You Might Have Missed Last Week

(Highlights in legal and electronic discovery news for the past week)

Interesting Electronic Evidence Cases

Robinson v. Jones Lang LaSalle Americas, Inc., No. 3:12-cv-00127-PK (D. Or. Aug. 29, 2012)

The defendant was seeking to compel production of discovery in (among other things) “all social media content involving [Plaintiff] since July 1, 2008” related to the Plaintiff’s “‘emotion, feeling, or mental state,’ to ‘events that could be reasonably expected to produce a significant emotion, feeling, or mental state,’ or to allegations in [Plaintiff’s] complaint.”

Magistrate Judge Paul Papak (Oregon) found:

“I see no principled reason to articulate different standards for the discoverability of communications through email, text message, or social media platforms. I therefore fashion a single order covering all these communications.”

Link to Opinion PDF

Apple, Inc. v. Samsung Elecs. Co. Ltd., No. C 11-1846 LHK (PSG) (N.D. Cal. July 25, 2012)

The Defendant in this case was sanctioned for the loss of relevant emails due to the Defendant’s failure to follow up with employees to ensure compliance, and the Defendant’s failure to halt the email system’s auto-delete function. Sanctions included an adverse inference that allowed the jury to presume that the missing evidence was relevant and favorable to the Plaintiff.

Link to Opinion PDF

Weekly Highlighted Case

EEOC v. Simply Storage Mgmt., LLC, 270 F.R.D. 430 (S.D. Ind. May 2010)

This case can be very useful when dealing with social media electronic evidence matters.  It was utilized by the Oregon magistrate in the above listed case (Robinson v. Jones Lang LaSalle Americas) when forming his opinion.

The defendant in this matter was seeking production of claimants’ social networking site profiles, as well as other communications from social sites used by the claimant.

Last May, the Great State of Texas saw a similar matter that relied, in part, on the EEOC case:

IN RE MAGELLAN TERMINALS HOLDINGS, L.P. AND MAGELLAN MIDSTREAM HOLDINGS GP, LLC 
Link to PDF Document

Electronic Evidence News

State Bar of Texas Alert Says ‘Scam Artist’ Stole Nonpracticing Lawyer’s ID for Fake Website

West Let Off the Hook on Web Malpractice Claim

OJ Simpson Prosecutor: Johnnie Cochran May Have Tampered with Bloody Glove


Google and Deep Web Search Cheat Sheets Updated

July 18, 2012

The “Deep Web Search” and “Google Search” cheat sheets have been updated to reflect new information and capabilities in conducting your own research on people, places, companies, and other matter-related information.  The links to the newly updated sheets are located below.

Using “open source information (OSI)”, sometimes referred to as “Publicly Sourced Information”, one can research a variety of information related to a case: Retained or opposing experts, litigants, other witnesses, company information, etc.

Effective use of this type of research can uncover bank accounts, holdings, affiliations, activities, locations, social network accounts and a host of other information that would otherwise remain unknown.

Some Background

In mid-2010 Vidoc Razor published free cheat sheets, as well as a blog post on how to use the sheets to research people involved in a matter: expert witnesses, places, companies, etc. It is worth re-reading that post to refresh your memory on how to use the sheets.

The original post can be found here: https://inforensics.vidocrazor.com/2010/11/02/qualifyanexpert/

Since then, the sheets have been very popular, and I have updated the sheets on a yearly basis.

Where Do I Start?

Start with the “Google Cheatsheet” PDF document that I have linked to this post.  For life beyond Google you can look at the “Deep Web Cheatsheet” that is attached.

Google Cheatsheet rev 201207

DeepWeb Cheatsheet rev 201207


Because One Thing Leads to Another: Data Breach and Password Re-Use

June 27, 2012

Dropping Your Breaches…

After the data breach of LinkedIn two weeks ago (6.5 million passwords leaked, a five million dollar lawsuit on the way), I have asked a simple question of some of my clients that I know are LinkedIn users: “Have you changed ALL your passwords yet?”.

The question has been met with confusion (“What data breach?”) and, in most cases, with indifference (“I don’t see what benefit having access to MY LinkedIn would provide a hacker.”). When I mention the phrase “password re-use”, I receive an almost universal response of “huh?”.

Single Point of Failure

Password re-use is seemingly an ingrained response to the presence of a password: You have hundreds of password protected resources, so it is natural that you would re-use the same password across multiple (or all) of those resources. This is the problem.

From the point of view of a hacker the world looks a little wider:

1- Breach LinkedIn passwords

2- Now leverage the email addresses, username conventions, etc. to test the password on:

  • Workplace accounts – Obvious information on LinkedIn. This could include work email systems, VPN access, extranets, etc.
  • Gmail and other webmail accounts – Possibly contain password/access information for online banking, work, and other accounts
  • MobileMe and other “Cloud” services – Dropbox, anyone?
  • Online Banking – A pretty obvious target.

You can see how the seemingly “insignificant” breach can lead to much bigger issues.

In the case of the LinkedIn breach, the information obtained was posted for download by anyone that wanted to take a whack at it. Consider the scenario of an opposing party downloading your breached information and leveraging it for further access.

We know that information security is a balance between usability of information and systems, and security of those same areas. So how does one maintain separate use passwords but still easily access needed resources?
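Before picking a manager, it helps to know how much reuse a client already has, and which accounts would need rotating first if one site were breached. The script below is an added example for this post and for the “Avoid Password Reuse” step in the Simple Steps post above; it is not a feature of Password Safe, LastPass, KeePass, or any other product named here. It reads a password-manager export in the common site,username,password CSV layout (the export embedded here is constructed sample data with made-up passwords), groups accounts that share a password, and lists the “blast radius” of a single breached site. Passwords are compared through a keyed hash generated fresh for each run, so the report itself never contains a password and cannot be reversed offline.

```python
"""Audit a password-manager export for password re-use.

Added example for the password re-use post; not any manager's own feature.
The CSV below is constructed sample data with made-up passwords.
"""
import csv
import hashlib
import hmac
import io
import os
from collections import defaultdict

# Constructed export in the common "site,username,password" layout.
SAMPLE_EXPORT = """site,username,password
linkedin.example,jq.sample@example.com,Summer2012!
mail.example,jq.sample@example.com,Summer2012!
bank.example,jqsample,Summer2012!
vpn.example,jsample,Tr0ub4dor&3
cloud.example,jq.sample@example.com,correct horse battery staple
forum.example,jqs,Tr0ub4dor&3
"""

# Fresh random key per run: equal passwords get equal fingerprints within the
# run, but the fingerprints in a saved report cannot be brute-forced later.
_REPORT_KEY = os.urandom(16)

def fingerprint(password):
    """Keyed hash used only as a grouping key; plaintext never leaves here."""
    return hmac.new(_REPORT_KEY, password.encode("utf-8"), hashlib.sha256).hexdigest()[:12]

def load_export(text):
    """Parse the CSV export into a list of {site, username, password} rows."""
    return list(csv.DictReader(io.StringIO(text)))

def label(row):
    return f'{row["username"]} on {row["site"]}'

def reuse_groups(rows):
    """Map each fingerprint shared by 2+ accounts to the accounts using it."""
    groups = defaultdict(list)
    for row in rows:
        groups[fingerprint(row["password"])].append(label(row))
    return {fp: accts for fp, accts in groups.items() if len(accts) > 1}

def blast_radius(rows, breached_site):
    """Accounts to rotate first if `breached_site` leaks: every other account
    that shares a password with any account on that site."""
    fps = {fingerprint(r["password"]) for r in rows if r["site"] == breached_site}
    return sorted(label(r) for r in rows
                  if r["site"] != breached_site and fingerprint(r["password"]) in fps)

def audit(text=SAMPLE_EXPORT):
    """Summary counts plus the reuse groups, for a quick client briefing."""
    rows = load_export(text)
    groups = reuse_groups(rows)
    return {
        "accounts": len(rows),
        "reused_accounts": sum(len(a) for a in groups.values()),
        "groups": groups,
    }

if __name__ == "__main__":
    report = audit()
    print(f'{report["reused_accounts"]} of {report["accounts"]} accounts share a password')
    for fp, accounts in report["groups"].items():
        print(f"  password {fp}: " + ", ".join(accounts))
    print("rotate first if linkedin.example is breached:",
          blast_radius(load_export(SAMPLE_EXPORT), "linkedin.example"))
```

On the sample export, a breach of linkedin.example exposes the webmail and banking accounts that share its password, which mirrors the chain described above; the cloud account, with its unique passphrase, is unaffected.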

So Now What?

Fortunately there are some solutions. I have listed the top ones below:

Password Safe  (also known as PWSafe) – Windows, iPad, iPhone, Mac, Linux: This is actually my favorite. Syncing among the devices is supported by iCloud (of course then you need to make sure that Apple iCloud isn’t breached) so that a change on one device is rolled out to all the others. Password Safe is free for Linux and Windows (it’s always a nice thing to do to donate to the open-source team that keeps it going and evolving, though). The PWSafe version is $3.99 for Mac and $1.99 for iPad/iPhone.

LastPass – Windows, Linux, Mac, iPhone, iPad, Android, PocketPC: LastPass is perhaps the most “feature rich” password management system out there, and even offers password management for common web-based forms. There is a free and a premium version. The premium version runs $1 per month.

KeePass – Windows, Mac, Linux, iPhone, PocketPC, Android: KeePass uses very strong encryption (SHA-256). It interested me for a couple of reasons: Multiple user support and it keeps the password encrypted even in RAM memory. The only reason I don’t use this one is that I don’t find syncing to be as transparent, and I was already in the habit of using Password Safe (since its creation by Bruce Schneier). KeePass is free for the desktop versions (I recommend donations to the open-source team that keeps it running).

So the question becomes: “How would you and your firm like to be at the center of a multi-million dollar lawsuit that could have been prevented by easy-to-use software that costs nothing?”.

Coming next week: Information security breaches for law firms are on the rise. How vulnerable are you, and what easy steps can you and your firm take to defend yourself?