Week in OSINT #2019–08

A few blogs, some news, the occasional site and a review

Sector035
Week in OSINT
9 min read · Feb 25, 2019


This week was crazy! Lots of news to read, work was mayhem and on top of that I just had to play with something new. Now, not my Thrustmaster wheel, but something just as fun… Well, for geeks like me that is! Anyway, off to this week’s overview:

  • Chaos Creating Cartographers
  • More OSINT Links
  • Fresh Veggies Return
  • Searching for Slavery with Satellites
  • Open Data in Canada
  • First Draft
  • Who Tweeted First
  • Tsurugi

Blog: Chaos Creating Cartographers

While catching up on a big story by Victor Gevers about a publicly accessible database from the Chinese company SenseNets (do read that story!), I found a link to an interesting story shared by Ewald. The story is about how the “National Geospatial-Intelligence Agency” randomly picked points on a map to be used as the coordinates for a city. The result was that innocent people were being harassed by people who had been ripped off by online sellers. Amazing story and a must read for people who use ‘Geo-to-IP’ data from companies like MaxMind on a daily basis!


Link: https://gizmodo.com/how-cartographers-for-the-u-s-military-inadvertently-c-1830758394

List: More OSINT Links

I can start creating a weekly section called “OSINT Stash’s links” and go on with my life. Just a bunch of links; click the link to go to the tweet.

Link: https://twitter.com/OsintStash/status/1097502103780708352

Site: Fresh Veggies Return

A few weeks ago people noticed that the website Fresh Onions was offline. This site offered a list of newly discovered sites on Tor and was the go-to list for many investigators. There were other websites, like UnderDir, which listed onion sites in several different categories, or Candle, which was a search engine for the dark web. But then we received a message from hpiedcoq that Fresh Onions was back! So you depend on that site? Here it is again. Maybe a new owner, maybe no more history, but it is back!

Fresh Onions: http://vps7nsnlz3n4ckiie5evi5oz2znes7p57gmrvundbmgat22luzd4z2id.onion/

UnderDir: http://underdj5ziov3ic7.onion/

Candle: http://gjobqjj7wyczbqie.onion/

Tor66: http://tor66sezptuu2nta.onion/fresh

Blog: Searching for Slavery with Satellites

Yes, I love to use alliteration in titles, as the majority of steady followers have seen, but I didn’t have to do anything to come up with this title. It is exactly what the next article describes. Using satellite imagery from DigitalGlobe and Planet, Doreen Boyd, who works at the Rights Lab at the University of Nottingham in the United Kingdom, started to look for the telltale signs of structures in India that are very likely linked to slavery and can be investigated further.

Link: https://www.sciencemag.org/news/2019/02/researchers-spy-signs-slavery-space

Site: Open Data in Canada

Looking for open government data from Canada? Have a look at OpenGovCa, a site shared on Twitter by OSINTtechniques. Not everything is publicly accessible, but there is enough to get you started. Business information, properties and even child care centres.

Link: https://opengovca.com/

Training: First Draft

Need to sharpen your skills? Or want to learn the basics of verification used by journalists? Have a look at the free training programs of First Draft News!

Link: https://firstdraftnews.org/en/education/learn/

Site: Who Tweeted First?

Another entry from OSINTtechniques this week: this site can give you the answer to the question of who was the first to tweet about a certain keyword or phrase. The site can be used over HTTP or HTTPS, but with the security in place it looks a bit weird… So I will include the cleaner interface underneath for your viewing pleasure.

Link: http://ctrlq.org/first/

Review: Tsurugi Lab

People who follow me on Twitter must have seen tweets about a new VM that I only recently discovered. After reading a bit about the distro I noticed that Roger Nichols was getting pretty hyped about it (he also helped me with this review, thanks for that!) and after reading his tweets for a couple of days I had to take a look myself too.

I installed it in VirtualBox on my desktop, gave it 4GB of memory and 2 cores and installed it on a 35GB drive. The requirement is about 28GB and that seems quite a bit for a regular Ubuntu-based distribution, but it comes packed with tools!

First I need to explain that this distribution is NOT only for investigators who do a lot of OSINT work. It is also a great platform to dive into cryptocurrency, malware, steganography or even mobile forensics! This is like a single ring to rule them all when it comes to investigating. It reminds me a tiny bit of DEFT Linux, which I have used multiple times over the last couple of years. That too is a distribution aimed at assisting digital investigators, and especially forensic analysis. But to be honest, comparing DEFT with Tsurugi is like comparing apples and oranges!

Tool Overview

Let’s first go over all the different sections there are to be found. Directly from the neatly organised menu we first find the following topics, aimed at the workflow or general tools:

  • Imaging (several dd flavours, AFF tools, esximager, ftkimager, etc)
  • Hashing (from MD5 and SHAx to ssdeep)
  • Mounting (including Bitlocker, APFS, VSS, VeraCrypt, etc)
  • Timeline (from Autopsy to tools like PLASO, yarp, Timesketch, etc)

The next set of tools is more about the analysis of data in storage, or files in general, and the recovery of data in all kinds of situations. Not only analysis tools but also password recovery and brute-force tools can be found here:

  • Artifacts (UEFI tool, browser data, E-mails, Windows logs, registry, etc)
  • Data Recovery (files search, foremost, scalpel, undelete, etc)
  • Memory Forensics (VolDiff, RSAkeyfind, volatility including evolve, etc)
  • Malware Analysis (Radare2, sandboxes, and tools for Flash, Java, PDF etc)
  • Password Recovery (Aircrack-ng, hashcat, John, Hydra, etc)

The third section contains the other type of analysis one should find in a toolbox like this. Where the previous section is mostly about storage and files, this one deals with network, devices and very specific analysis:

  • Network Analysis (complete ELK stack, ettercap, scapy, Kismet, Xplico, etc)
  • Picture Analysis (EXIF tools, OpenStego, Ghiro Forensics, etc)
  • Mobile Forensics (Android, BlackBerry, iOS and WhatsApp tools)
  • OSINT (OSINT Browser, TOR Browser, Creepy, Maltego, spiderfoot, etc)
  • Virtual Forensics (qemu images, conversion to VMDK, docker scanner, etc)

And the last part of the menu contains the three remaining topics, with Reporting all the way at the bottom. Maybe that should be the first thing you do while investigating, but it can be found just as easily at the bottom of course 😉

  • Crypto Currency (Bitcoin tools, recovery tools, key hunter, Electrum, etc)
  • Other Tools (NFC, USBguard, RSA attack tool, TCHunt-ng, etc)
  • Reporting (text editors, Mobius, screen recorders, Shutter, etc)

Besides all the special tools that you can find in the ‘Tsurugi’ menu, there is also the standard set of Ubuntu tools, little gadgets like Plank (for the iOS fans), KeePassXC, chat clients, code editors, LibreOffice, Audacity, remote desktop tools, an archive manager and a whole bunch of other useful applications for daily use. Anything you could think of or wish for can be found in here, or at least a very similar application.

But I was especially surprised to find the complete ELK stack (Elasticsearch, Logstash and Kibana) pre-installed inside this distribution! No more hassle to install or configure it (even though that isn’t too hard), since it comes standard with Tsurugi, right out of the box! So pause the reading a bit and start downloading the ISO, so you can dump it on a nice-sized laptop afterwards and have a complete forensics lab wherever you go:

https://tsurugi-linux.org/downloads.php

But what about the OSINT part?

Yes, I know this is an OSINT newsletter, so let’s have a look at some of the OSINT tools that are installed. Let’s first talk about a specific feature, called the ‘OSINT Switcher’. This isn’t a profile switcher that can switch between user profiles and settings, but simply an effective way to hide all the digital forensics tools and give you a slimmed-down menu with the most needed OSINT tools out there. It tells you the switch is activated by changing the background to a bright green bamboo forest.

The OSINT Switcher in action

So whenever you are busy with a job where you don’t need memory forensics, or aren’t sifting through data on mobile phones, just click this. Don’t worry, there are still more than enough tools left after clicking it, to name a few:

  • Tor Browser
  • Creepy
  • Maltego
  • Tinfoleak
  • Tweets_analyzer
  • YouTube Downloader

But besides these you also have tools like InstaLooter, to scrape Instagram. Or the great tool by Wojciech called ‘Danger Zone’, which visualises domains and IP addresses. And besides all these goodies, Spiderfoot is already pre-installed for you too.

Then we open what is called the ‘OSINT Browser’ and even more goodness comes our way! It already starts with two default tabs open: the ‘awesome OSINT’ list by Jivoi, and IVMachiavelli’s OSINT team links. Maybe these are not fully up to date, and well-known link lists like the OSINT Framework, Technisette or Bruno’s start.me would be awesome additions, but it’s already a great start to have these link sites right in front of you after firing up the browser.

The pre-loaded bookmarks toolbar and extensions

In the bookmarks toolbar a huge list of plugins is shown, though I found out that some are not playing nicely with mundane tasks, but we’ll get to that later. The list of extensions that come with it out of the box is huge! Anything from screen grabs to ad-blockers and from searching internet archives to User-Agent switchers. Not all the tools that were installed were known to me, but you can always pick and mix what you want to have enabled or installed of course. The only issue I noticed while testing was that I couldn’t play any videos on Twitter by default, let alone log in to Twitter. For some unknown reason there was an extension blocking these actions, but I haven’t taken the time yet to find out which extension it was.

Besides the extensions, there is even more goodness to be found in the bookmark menu, right under the extensions. Loads of sites are already bookmarked in an orderly fashion for your enjoyment, and this is a serious treasure trove of information waiting to be discovered by you! I have seen links and tools unknown to me that I am keen on looking at in the very near future.

Verdict

Even for the OSINT part alone, this is one heck of a VM! Do not make the mistake of comparing it to Buscador though, because in my opinion these are two completely different VMs with their own unique user base. Where Buscador is aiming towards the almost covert style of investigation, where staying hidden is of utmost importance, Tsurugi is aiming more towards digital investigators and ‘forensicators’ in a broader sense. This is shown by the wide variety of tools, the bookmarks, the complete ELK stack and such.

I do however see that there is still room for some minor improvements. The huge list of extensions in the OSINT browser doesn’t always play nicely with the quick recon you want to do. Maybe there is a need for a locked-down version and a more open browser that can be used right away, or maybe I need to sit down, turn each extension off to find the culprit and tweak that a bit. Another thing I noticed was that after I installed Tsurugi on my desktop and let it update during installation, CherryTree was unable to start. Maybe I’ll re-install it if I have the need for it, but something went wrong along the way and at first glance the logs didn’t give me a hint of where.

That all being said though, this is one heck of a VM! And this is just the Tsurugi Lab version, used for VMs or bare metal. For on the road there is also a small Bento portable toolkit, specifically built for live environments, which can be flashed onto a USB stick. And for quick disk acquisitions there is another light version called ‘Acquire’, specifically built for that task alone. Enough to choose from and more than enough to play with! Amazing work, and this is one VM that will absolutely end up on my laptop, in a dual-boot configuration.

Thank you very much (どうもありがとう)

Link: https://tsurugi-linux.org/downloads.php

Words of Wisdom

Have a good week and have a good search!


Just a shadowy nerd… Busy with InfoSec, geolocation and OSINT (archived articles only, Week in OSINT can be found on https://sector035.nl)