The right strategies and resources for conducting OSINT on the surface, deep and dark web can make online investigations more efficient, secure and compliant.
Online sources can yield useful information to aid in law enforcement investigations. But browsing sketchy online content can be risky, and untrusted websites are often blocked by the agencies’ policies to protect their people and networks.
So, how do investigators get access to online content they need without compromising safety? How do they store evidence collected on the web securely and collaborate with others while preserving the chain of custody? And how do detectives stay hidden and anonymous online to avoid alerting suspects of their presence and revealing their intent?
Our experts look at the potential dangers that investigators face when traversing both surface and dark web, and share successful strategies and resources that can help make your investigations more efficient, secure and compliant.
Watch the clip on where to find useful information on persons of interest on the web.
People spend a lot of time online, and an experienced investigator can quickly get an idea about a person’s interests, which businesses they patronize, what items they shop for, and what type of friends they spend time with – based on the sites they visit and the information they post on social media.
An item that someone is holding in their photo or a location where they took a picture, can help investigators create a pattern-of-life analysis, which, combined with information obtained from other sources, can help verify whether an individual is involved in illegal activity or affiliated with a criminal organization or group.
There are several online sources that can speed up research into these details that law enforcement should leverage.
Sites like Cyber Background Checks, FamilyTreeNow and Spokeo can assist with finding people and their family members, looking up addresses and even performing reverse phone number searches. The information available from these sources is based on public documents provided by the state and local court websites under the Freedom of Information Act, and can serve as a one-stop-shop when trying to locate someone or get a quick background check on them.
Several commercial services like Accurint, Intelius and Pipl can also help investigators find people, uncover real owners behind anonymous sites and email addresses, and verify identities and affiliations.
And to keep a close eye on someone’s social media activity, investigators can use services like Social Searcher or Social Bearing to monitor for specific keywords, locations, hashtags or website mentions and compile analytical reports.
Within individual social media sites, you can also use advanced profile search features of purpose-built marketing tools, such as Inflact for Instagram.
Many investigators use plug-ins and extensions, like the exchangeable image file format, or exif data viewer, to extract information from images, such as when and where a specific image was taken, and on what type of device.
When you come across a picture of a stolen vehicle that a suspect has posted on social media, for example, finding out specific information about an image can help narrow down the suspect’s location and the time they were there, piecing together a chain of events that could help solve a case.
But even though most of these sites are easy to use and don’t require special training or dedicated personnel, investigators need to build strategies and toolsets to gather data without arousing suspicion, alerting suspects that they are being monitored, or inviting retaliation from criminal individuals and groups.
Creating a fake social media persona to poke around Instagram or TikTok won’t make for a convincing disguise, and most social media sites have become diligent about taking down fake accounts, using advanced algorithms to examine the account owner’s activity, friends and behaviors to identify and remove potential scammers and spammers.
Investigators need specialized tools to protect their identities and support their missions through managed attribution, isolation and configurable workflows.
Most investigators tend to conduct their research using the same computer they use for all their daily work. While this approach is most convenient, researchers need to understand what information their browsers collect about them and share with the owners of websites they visit; and how this data can reveal their identity.
Understanding your digital fingerprint, how it can be exploited, and how to protect your investigation’s confidentiality can improve the efficiency of your online research and reduce the risk.
Fingerprints aren't just a worry for criminals. Watch this short clip from our webinar to see the details browsers collect — and relay to visited sites — about your location, device and browsing history.
Dive deep into the details in our blog, What's in your digital fingerprint and how to control it >
And while most regular cookies are easy to clear, the browser deploys a variety of other methods to record and pass along the information on which type of device you are using, your settings, audio and video configurations, installed plug-ins and lots of other data that could be used by the criminals to build a profile of an online investigator.
Combined with observing individual investigator’s behaviors and patterns, sophisticated adversaries can use this data to hack into law enforcement websites, expose investigators’ personal details, launch cyberattacks and more.
The most common solution many agencies resort to is building a separate network, consisting of several “dirty” computers that are not linked to the agency’s main network. The main downside of this approach is the extra expense of setting up and maintaining a dedicated network, and having to use IT resources to wipe and rebuild machines every time they are infected with malware.
With computers outside of IT control but connecting back to the network, it becomes more difficult to collaborate and share information between agents.
And the fact that the device is “dirty” won’t really stop an adversary from collecting information about its digital fingerprint, so the risk is still there.
Another popular way to keep online investigations separate from everyday online activities is by using a VPN connection and/or private browsing mode.
While offering some protection, such as disguising your location and IP address, a VPN connection doesn’t offer complete anonymity – using other information, such as time zone or keyboard settings, for example, adversaries can still determine your location and devise other identifiable information. And with the code executing on the actual machine, there’s still a real danger of your computer getting infected with malware, especially if you are browsing suspicious websites – on both surface and dark web.
Law enforcement agents conducting OSINT online need purpose-built solutions to protect their identity, their organization and the investigation itself. Managed attribution services can give agents the control they need to manipulate the details of their digital fingerprint and avoid tipping off investigative targets.
Understanding the difference between the surface, deep and dark web is imperative to being a better investigator.
While the surface web is easily accessible via a regular browser, the content on the dark web is not indexed and cannot be found by common search engines. It requires special services to access – like Tor (The Onion Router), ZeroNet, Freenet and I2P – and is commonly associated with criminal activity because it allows users to have private access to information, websites and marketplaces.
Deep web is a layer just below the surface web that houses content that’s not indexed and is often hidden behind paywall, including research journals, technical papers, government databases, books and even services like Netflix.
In this short clip, from our webinar get a quick overview of the surface, deep and dark web.
It is important to understand that open-source research (OSINT) can (and should!) be done on every layer of the web. Different parts of the web house different datasets, and criminals operate within each layer.
Get the basics on the dark web and the main darknets and learn which darknet to leverage in different investigations.
But there’s a reason why many organizations and law enforcement agencies restrict their users’ access, especially to the dark web. The dark web is notorious for booby trapping its sites; often just visiting a page on the dark web could introduce malicious content to the researcher’s machine.
What’s more, investigators could be at risk when accessing blogs or marketplaces known for criminal activity – researchers themselves might arouse suspicion from law enforcement.
Every agency needs to understand the dangers involved with accessing each layer of the web, and have a plan on how to mitigate them.
The most important thing is to be aware of the risks and to not underestimate your adversaries. There are many tools available for online detectives to track their suspects, but criminals, especially well-resourced illegal organizations, can use the information that regular browsers collect and relay about their users, to figure out who is watching them and why.
The takeaway: You could be putting your organization and mission at serious risk if you’re using your regular computer and browser to do online investigations – even if browsing in the “private” mode or connecting through a VPN.
Law enforcement investigators need purpose-built solutions where you can absolutely isolate your research activity from day-to-day browsing, and have a mechanism for safe access to all layers of the web.
See how Silo for Research is designed to help law enforcement perform online data analysis and collection securely and efficiently. Take advantage of its managed attribution, scheduled collections, automatic content translation and customized workflows to promote collaboration and preserve the chain of custody for all evidence.