Archive for the ‘Investigative Tools’ Category

Tor and its use during online investigations

Monday, July 18th, 2011

When investigating crimes on the Internet, the investigator needs to consider how much information he presents to the servers and web pages he is investigating. Hiding oneself on the Internet used to be the purview of hackers. Technology changes, however, and it is now easy to apply the same techniques hackers use to hide themselves to your own investigations. There are many techniques for eluding identification on the Internet. Proxies have been used for years for this purpose. A proxy is exactly that: a go-between, a computer that acts on your behalf and forwards any request you make to the server you are looking at. The server you are investigating only sees the proxy.

Another significant tool in the “I need to hide on the Internet” world is the venerable Tor. Tor (The Onion Router) grew out of onion routing, a concept originally developed and published by the U.S. Naval Research Laboratory. According to the Tor website, “Tor protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, and it prevents the sites you visit from learning your physical location.”

Using Tor during online investigations is much easier now than it has been in the past, thanks to the increase in most users’ Internet bandwidth, the constant upgrading and improving of the Tor software, and its easy integration with popular browsers. So how does the investigator implement Tor during his investigations? The simplest method is to use the Tor network to hide browsing activity. If you are investigating a web page or website, there is certain information our browser tells that server about who we are and potentially where we are: our IP address, what kind of browser we are using and its version, and the page we came from (the Referer header). Tor replaces the first of those, the IP address the suspect web page sees, with the address of a Tor exit relay. It does not change what the browser says about itself, so the browser type and version are still visible unless you change them yourself.

Let’s take a look at how to install and implement Tor so we can use it during our investigations. Installation is pretty straightforward now. Go to the Tor Project website and download the current “Vidalia” (like the onion) bundle installer for Windows. Run the executable and the bundle installs Tor, the Vidalia control panel and a local HTTP proxy that hands your browser’s traffic to Tor. The trick to using Tor is pointing your browser’s proxy setting at that local proxy. Your browser normally makes its calls out through your Internet service directly to servers on the Internet. Those servers identify you by your Internet Protocol (IP) address, which they need in order to communicate back with you. This exposure of your IP address is what can tell the bad guy who you are and possibly where in the world you are. The Tor network, in its simplest description, strips that information out and presents the end website with an IP address belonging to a Tor exit relay rather than to you. Thus you have effectively hidden yourself from the website you are visiting or the target user you are communicating with through the Internet. (Please note this is an oversimplification; the exact details of how the Tor network works can be found on the project website.)

So once Tor is installed, your next action is to set up your browser to use the Tor network as its proxy (the proxy being the server that acts as your entry point to the Internet and, in this case, hides your real IP address). In Windows Internet Explorer version 8, go to Tools | Internet Options.

Image 1 - Changing settings in Internet Explorer

Then select “Connections” and click on “LAN Settings”.

Image 2 - Tor IE LAN settings

Image 3 - IE LAN settings: Address and Port

In the Local Area Network (LAN) Settings box, check “Use a proxy server for your LAN”, enter the address of the local proxy that the Tor bundle installed in the Address box, and enter 8118 in the Port box. Click OK twice to exit and you are now using the Tor network. You will continue to use the Tor network as your proxy until you uncheck the “Proxy server” box, which returns you to your normal web access.

The Tor Project has a page you can visit that will verify that you are using the Tor network, or you can go to one of the websites on the Internet that reports back the IP address it sees you coming from, like

In the Windows taskbar, a little onion icon opens the “Vidalia” Control Panel. The control panel lets you know you are connected to the Tor network, and its “Use a New Identity” button builds fresh circuits so that subsequent connections leave through a different exit relay (and therefore, usually, a different IP address).

Tor Control Panel

Once connected, click on the Settings button in the control panel. For our investigative purposes, select “Run as client only”. This ensures that other users of the network are not using your system as a relay (otherwise other people’s Tor traffic would actually be passing through your computer).

Tor Settings

To see the other relays on the Tor network, and their descriptions, click on the “View the Network” button.

We are now ready to go online and start our investigation without being identified.

Things to note here: the only application using the Tor network in this configuration is Windows Internet Explorer. If you send an email to the target from your normal desktop email client, use another browser, instant messaging, or P2P software, you will potentially expose who you really are through your IP address. To use any other application through the Tor network you need to configure it to use the same proxy settings. Also keep in mind that the exit relay can read, and could alter, anything that is not itself encrypted: plain HTTP pages you pull through Tor are visible to whoever runs that exit, so use HTTPS where the target site offers it.

Other things in your browser setup need to be turned off: turn off running scripts, ActiveX and cookies, and block pop-ups. “But I can’t access all the good content on the Internet.” Correct, you can’t, but then the end user can’t identify you either. Each of these features enhances our web surfing experience, but they also require code to be downloaded through your browser and run on your machine. Plugins and ActiveX controls can open their own network connections, which do not necessarily honor the browser’s proxy setting, and so can expose your real IP address. This may not be important in every case you work, but be aware of it. If you lock down your browser and don’t get the content you want, you can always relax the controls and go back and look at the site, but at least you are then aware of the risks and can make that decision based on the investigation.
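To make the point about what a server actually learns concrete, here is an added example (not code from the original post or from the Tor Project). It starts a throwaway web server on the loopback interface that records the client’s source address and request headers, then fetches from it with Python’s urllib, either directly or through an HTTP proxy. The proxy address http://127.0.0.1:8118 in the comments is an assumption about where the bundle’s local HTTP proxy listens, inferred from the port used above; the User-Agent strings are made up for illustration. Run against a real server through Tor, the “direct” and “proxied” records differ in the IP address but carry the same User-Agent, which is the whole point of the browser lockdown advice above.

```python
"""What a web server learns from one request, and what an HTTP proxy changes.

Added example, not part of the original post. Everything here runs offline
against a local echo server; the proxy URL mentioned in comments is assumed.
"""
import json
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


class EchoHandler(BaseHTTPRequestHandler):
    """Reply with a JSON record of who connected and which headers arrived."""

    def do_GET(self):
        seen = {
            "remote_addr": self.client_address[0],       # the IP the server sees
            "user_agent": self.headers.get("User-Agent"),  # browser type and version
            "referer": self.headers.get("Referer"),        # the page you came from
            "accept_language": self.headers.get("Accept-Language"),
        }
        body = json.dumps(seen).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_echo_server():
    """Start the echo server on a free loopback port; return (server, url)."""
    server = HTTPServer(("127.0.0.1", 0), EchoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d/" % server.server_address[1]


def what_the_server_sees(url, proxy=None, user_agent=None, referer=None):
    """Fetch url, optionally via an HTTP proxy, and return what the server saw.

    proxy=None installs an empty proxy map, so the request goes out directly
    even if the system has a proxy configured. proxy="http://127.0.0.1:8118"
    (assumed address of the Tor bundle's local HTTP proxy) would route the
    same request through Tor instead; only the remote address changes.
    """
    proxies = {"http": proxy, "https": proxy} if proxy else {}
    opener = urllib.request.build_opener(urllib.request.ProxyHandler(proxies))
    headers = {}
    if user_agent:
        headers["User-Agent"] = user_agent
    if referer:
        headers["Referer"] = referer
    req = urllib.request.Request(url, headers=headers)
    with opener.open(req, timeout=10) as resp:
        return json.loads(resp.read().decode())


def compare_direct_and_proxied(url, proxy):
    """Fetch twice, direct and through the proxy, and report what changed."""
    direct = what_the_server_sees(url)
    via = what_the_server_sees(url, proxy=proxy)
    return {
        "ip_changed": direct["remote_addr"] != via["remote_addr"],
        "user_agent_unchanged": direct["user_agent"] == via["user_agent"],
        "direct": direct,
        "proxied": via,
    }


if __name__ == "__main__":
    server, url = start_echo_server()
    print(what_the_server_sees(url, user_agent="Mozilla/4.0 (compatible; MSIE 8.0)"))
    server.shutdown()
```

Point `compare_direct_and_proxied` at a page you control while the proxy setting is active and you get a direct read on whether a given application is really going out through Tor; an application that ignores the proxy setting shows `ip_changed` as false.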

Using WebCase with Tor requires only installing Tor as described above. WebCase collects web-based evidence through Internet Explorer even when it is piped through the Tor proxy. Collection times will be longer because of the way Tor functions; that has nothing to do with WebCase.

Twitter is officially now Creepy

Tuesday, April 5th, 2011

Okay, this is a play on words, but it really is getting creepy. Yiannis Kakavas, social media fanatic and software writer, has published a new free tool to scare the pants off of any sane Twitterphile. But if you are updating your Twitter page that much, you probably won’t really care.

Kakavas’s new tool, “Creepy,” is a social networking search tool — or in his words, a “geolocation information aggregator.” But unlike just any search, Creepy searches for where you have posted from, then figures out the posts’ longitude and latitude and makes a pretty map of where you have posted from each time. Can you say “stalker nirvana”?

Now, this requires that you have turned on Twitter’s own geolocation service, or used a device (your smartphone) or web service (Foursquare, Gowalla, etc.) that records your lat/long when you post. So Kakavas’ tool is not collecting anything you haven’t already put online yourself; it just makes it easy for the investigator to get to.

Well, as I have posted before, where there is a great tool for stalkers there is a great tool for investigators. So let’s take a look at this new investigative tool.


Again, this is a simple-to-use tool. Go to the download page and download the Windows executable or the Ubuntu version and install it on your operating system. The Windows installer is quick and easy and will have you investigating in no time.

Start Creepy and in the settings authorize it to use your Twitter account. (You do need a Twitter account, but many investigators set up accounts purely for investigative purposes.) Now you can search Twitter users or Flickr users, along with photos from many other online applications. I searched both and easily found the users I was looking for.

Then click on the big “Geolocate Target” button. Under the “Map View” tab, the found lat/long coordinates will be displayed, along with their location on a mapping tool of your choice (there are several different mapping tools, including Google, to choose from).

It may take a few minutes to complete the search, but the results can be very revealing. Just as call detail records from cell phones can help investigators map out a suspect’s or victim’s movements over a period of weeks – including their normal patterns, and departures from normal – Creepy’s maps can show patterns of behavior with regard to social networks. The longer you track these patterns, the better picture you will have of your target.

It’s that simple… or it’s that Creepy.

Do you use Creepy? What have your experiences been?

Using NodeXL for Social Networking Investigations

Friday, March 4th, 2011

Mapping social network users is nothing particularly new. Social scientists use it to compare people’s networks online and offline, and thanks to tools like Loco Citato’s MySpace, Facebook and YouTube Visualizers, investigators have a valuable tool for finding criminals and their associates.

Complementing Loco Citato’s excellent tools is an open-source application called NodeXL, which maps Twitter, Flickr and YouTube users. A book about it from Elsevier, “Analyzing Social Media Networks with NodeXL: Insights from a Connected World,” talks about the tool’s social-science value. But whether law enforcement or corporate investigators are using NodeXL is unknown. (If you use NodeXL or have heard of other investigators using it, please let me know.)

Perhaps the most striking fact about NodeXL is that Microsoft made the tool. Licensed under the Microsoft Public License (Ms-PL), NodeXL is available on the open source download site CodePlex.

NodeXL stands for Network Overview, Discovery and Exploration for Excel. Yes, Excel: the spreadsheet is the engine that runs the graphing. NodeXL is a template for Excel 2007, although it also works in Windows 7.

Crunching large datasets for social maps

Most of the information that appears to be available online so far about NodeXL regards its ability to easily graph data input into the spreadsheet. As social researchers put together relationships between users, the graphing ability allows the researchers to sift through large amounts of data from a social networking site and find associations that might have been missed.

For the few social networks it collects data from, it is quick and very powerful. Flickr, Twitter and YouTube are the only ones programmed directly into the template at this time. Some blogs, including Marc Smith’s (one of the authors of the NodeXL book), mention that Facebook is in the works for inclusion. Hopefully other social media sites will be added as this tool matures.

To test what NodeXL can do with a Twitter account, I used my own, @Webcase. (Please note: you do not have to be logged into an account to use NodeXL.)

Very quickly NodeXL collected a list of the Twitter users being followed by “@webcase”. For visual fun, Excel also makes a graph of the followers (it takes a few settings to get the pictures into the graph—but once you know how, which took me a little research to figure out, it is pretty easy).

Of interest is the number of followers each user has, how many they are following, the number of tweets they have posted, their time zone, when they joined Twitter and the link to their Twitter page.

Pulling information about videos posted on YouTube is one of NodeXL’s excellent features. Let’s say you have an investigation where a particular term or name is used. You can enter that name into the YouTube video selection and get a list of videos, with links to them, in a usable spreadsheet. Flickr searches are similar: you can search for image tags as well as Flickr users.

The real power of NodeXL, and the reason (besides its price tag) it is so popular among researchers and academics, is its ability to graph associations. If, for instance, you select a Twitter user to download and choose options to obtain data on both followers and following, along with any tweets that mention the user, you can collect a lot of data that can then be used to show associations. Associations, for investigators, equal leads, witnesses or possibly even suspects.

By using the dynamic filters within NodeXL, you can limit the graph’s view to fewer contacts by raising the minimum number of contacts (tweets, retweets) an association must have before its edge is shown.
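What NodeXL is doing behind that filter is simple enough to show in code. The following is an added example, not NodeXL’s own code: the interactions are constructed (no real Twitter accounts were queried), each one is a (source, target, kind) triple, and the per-kind weights are an assumption made for the example. The block turns the interactions into the kind of weighted, undirected edge list NodeXL graphs from its Edges worksheet, then applies a minimum-weight threshold like the dynamic edge filter described above, so that only pairs with repeated contact remain.

```python
"""Association graph from social-media interactions, with a weight threshold.

Added example; not code from NodeXL. Data and weights are constructed.
"""
from collections import defaultdict

# Constructed interactions: (source, target, kind). Not real Twitter data.
INTERACTIONS = [
    ("@webcase", "@alice", "follow"),
    ("@webcase", "@bob", "follow"),
    ("@webcase", "@carol", "follow"),
    ("@alice", "@webcase", "mention"),
    ("@alice", "@webcase", "mention"),
    ("@alice", "@webcase", "mention"),
    ("@bob", "@webcase", "retweet"),
    ("@dave", "@webcase", "mention"),
    ("@alice", "@bob", "follow"),
]

# Assumed weighting: a retweet counts as stronger evidence of contact than a
# follow or a single mention. Tune this to the case; it is not a NodeXL default.
KIND_WEIGHT = {"follow": 1, "mention": 1, "retweet": 2}


def weighted_edges(interactions, kind_weight=KIND_WEIGHT):
    """Collapse interactions into undirected edges keyed by the sorted pair.

    Direction is dropped on purpose: for association mapping, "A mentioned B"
    and "B followed A" both put A and B in contact.
    """
    edges = defaultdict(int)
    for src, dst, kind in interactions:
        if src == dst:  # self-mentions carry no association
            continue
        edges[tuple(sorted((src, dst)))] += kind_weight.get(kind, 1)
    return dict(edges)


def filter_edges(edges, min_weight):
    """Keep only edges whose accumulated weight meets the threshold."""
    return {pair: w for pair, w in edges.items() if w >= min_weight}


def associates(edges, user):
    """List (other user, weight) for every edge touching `user`, strongest first."""
    out = []
    for (a, b), w in edges.items():
        if user in (a, b):
            out.append((b if a == user else a, w))
    return sorted(out, key=lambda t: (-t[1], t[0]))


def degree(edges):
    """Number of distinct contacts per vertex, NodeXL's basic vertex metric."""
    d = defaultdict(int)
    for a, b in edges:
        d[a] += 1
        d[b] += 1
    return dict(d)


if __name__ == "__main__":
    all_edges = weighted_edges(INTERACTIONS)
    print("all edges:", all_edges)
    print("repeated contact only:", associates(filter_edges(all_edges, 2), "@webcase"))
```

Raising `min_weight` is the same move as dragging NodeXL’s edge-weight slider: one-off follows and single mentions drop out first, and the accounts that remain attached to the subject are the ones worth a closer look.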

Another plus about NodeXL: it has an active community working on this open source tool, and updates come out regularly.

For more information

A great primer on analyzing social media networks with NodeXL, “Analyzing Social Media Networks: Learning by Doing with NodeXL,” is available from the University of Maryland. (The posted copy on the UMD website says “Draft” and “Please do not distribute.” What? Do they know what the Internet does in Maryland?) Despite that, it is a good guide to some of NodeXL’s more esoteric graphing uses. For our purposes I’ll cover some of the quicker applications from an investigative standpoint.

If you are interested in finding out more about NodeXL, plug it into Google and you’ll get enough responses to keep you busy. Here are a few more references to get you started:

Tracing IP Addresses: Q&A

Friday, February 18th, 2011

We were very pleased to welcome back Dr. Gary Kessler to our “Online Investigations Basics” webinar series this week. Once again Dr. Kessler discussed some of the background and tools relevant to tracing IP addresses. Below is his companion presentation:

During the session, we took several questions from some of our listeners. One person asked whether tracing IP addresses overseas was any different from tracing them domestically. Answer: not technically; the overall process remains the same, but whether American investigators can secure foreign cooperation is a different question. The best bet is for investigators to contact legal representatives in American embassies for help dealing with law enforcement in another country.

Another participant asked whether TCP/IP packets would provide information on what kind of device accessed the Internet; in a related question, someone else asked if MAC addresses from two devices could show that they had been communicating with one another.

By themselves, packets contain no information on the type of device communicating. Records from the device or router that assigned the IP address (DHCP or NAT logs, for example) are needed to show which machine held it; the same is true for tracing an IP address past the edge of a private network. And as for MAC addresses, they have only local relevance: they identify a device on its own network segment and are replaced at every router hop, so they never travel end to end and cannot show that two remote devices communicated.

We wished we could have gotten into more detail about this question: the biggest challenges with tracing IP addresses in the cloud. As the load of traffic increases and IPv4 addresses run out (before IPv6 takes hold), more ISPs will put many subscribers behind one shared public IP address (carrier-grade NAT). On the flip side, a single device may appear under several IP addresses over time. In either case the ISP can only tie a connection to a subscriber if the request includes the exact time, with its time zone, and ideally the source port, not just the address.
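Before sending a request to a registry or an ISP, it is worth triaging what you actually have. The following is an added example, not material from the webinar; the log lines are constructed in Apache combined format (using the documentation address ranges, so no real host is named). It pulls the client address and the exact timestamp out of each line, normalizes the time to UTC, and says whether the address can be traced through a registry at all: private, loopback and link-local addresses never leave a local network, and the 100.64.0.0/10 shared range is carrier-grade NAT, where the ISP also needs the source port.

```python
"""Triage of source addresses and timestamps before an IP trace.

Added example; the log lines are constructed and use documentation ranges.
"""
import ipaddress
import re
from datetime import datetime, timezone

# RFC 6598 shared address space: many subscribers behind one ISP NAT.
SHARED_CGNAT = ipaddress.ip_network("100.64.0.0/10")

# Ranges that never appear on the public Internet; a registry lookup is pointless.
# (Listed explicitly rather than via ip.is_private, which also flags the
# documentation ranges used as sample data below.)
LOCAL_ONLY = {
    "RFC 1918 private": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "loopback": ["127.0.0.0/8", "::1/128"],
    "link-local": ["169.254.0.0/16", "fe80::/10"],
    "IPv6 unique local": ["fc00::/7"],
}
LOCAL_ONLY = {label: [ipaddress.ip_network(n) for n in nets]
              for label, nets in LOCAL_ONLY.items()}

# Apache combined log format: ip ident user [time] "request" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')

# Constructed sample log (documentation addresses, not real visitors).
SAMPLE_LOG = """\
203.0.113.45 - - [18/Jul/2011:14:03:22 -0700] "GET /index.html HTTP/1.1" 200 5123
10.0.0.17 - - [18/Jul/2011:14:03:25 -0700] "GET /admin HTTP/1.1" 403 221
100.64.3.9 - - [18/Jul/2011:14:04:01 -0700] "POST /login HTTP/1.1" 302 0
2001:db8::1 - - [18/Jul/2011:14:04:30 -0700] "GET /contact HTTP/1.1" 200 873
"""


def classify(ip_text):
    """Say where a trace on this address can go next."""
    ip = ipaddress.ip_address(ip_text)
    if ip in SHARED_CGNAT:  # IPv6 addresses are never 'in' an IPv4 network
        return "shared (CGNAT): ISP needs the exact time AND source port to name one subscriber"
    for label, nets in LOCAL_ONLY.items():
        if any(ip in n for n in nets):
            return "%s: never leaves the local network; trace stops at the NAT/router logs" % label
    return "public: look up the registry (ARIN, RIPE, APNIC, ...) and send the ISP this time"


def parse_log_line(line):
    """Extract ip, request, status, UTC time and trace advice; None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "request": m.group("req"),
        "status": int(m.group("status")),
        "utc": when.astimezone(timezone.utc).isoformat(),  # ISPs log in their own zone
        "trace": classify(m.group("ip")),
    }


def triage(log_text):
    """Parse every line of a log and drop the ones that do not match."""
    return [r for r in (parse_log_line(l) for l in log_text.splitlines()) if r]


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row["utc"], row["ip"], "->", row["trace"])
```

Note that nothing in a web log carries a MAC address or a device type, which is the answer to the second question above; the most the log gives you is an address, a time, and whatever the User-Agent string claims.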

Again, we’re grateful to Dr. Kessler for taking the time to help educate the community on a complex issue. Have questions? Please contact us. And we’d love to see you at our future “Online Investigations Basics” webinars. In another few weeks, Cynthia Navarro will be talking about online sources of information. We hope you’ll join us!

8 Google Tools that can assist you with your investigation

Monday, November 22nd, 2010

Google as a search engine has always been the investigator’s first choice in searching for people or businesses on the Internet. There are, however, several additional Google tools that can be of great investigative interest:

Google Maps

Maps lets you plot any number of locations, directions to and from, and how these look from a satellite. However, another important aspect of Google Maps is Street View, which despite its recent troubles in the media over privacy issues, provides important location intelligence. You can get virtually a 360 degree view of any location, including nearby buildings, landscaping and traffic patterns. Recently the NYPD even used Street View images in a prosecution of a drug case. Seven people were indicted for selling heroin in Brooklyn.

Google Picasa

Picasa is an image-sharing service, enabling easy photo upload to albums, social sharing, and geotagging. Not only can investigators search Picasa for “tags,” or labels including names or descriptions; they can also see geotags giving the image’s location.

Picasa writes the latitude and longitude into the EXIF GPS fields of the image file if the user selects a location through Picasa. Other embedded EXIF data (camera make and model, capture time, or coordinates written by the phone itself) may still be present, since Picasa does not strip it from the photo. You can also find the latitude and longitude listed under the “more info” link in the sidebar on the image page.

Always remember that if the photo was geotagged through Picasa, that location is user input and could be incorrect.
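Whether the coordinates came from Picasa, from the phone, or from a Flickr upload that a tool like Creepy (see the April post above) picks up, they sit in the same place: the EXIF GPS sub-IFD inside the image’s TIFF-structured metadata. Here is an added example, not code from Picasa, Creepy or the original post, that builds a minimal EXIF blob carrying only a GPS IFD (constructed sample data, so it runs offline) and then parses it back into decimal degrees with nothing but the standard library. The parser does exactly what any viewer does: read the four GPS tags and do the arithmetic. It performs no validation, which is the point of the caveat above; an EXIF coordinate is whatever the last writer put there.

```python
"""Write and read EXIF GPS coordinates by hand.

Added example; the sample blob is constructed here, not taken from a real photo.
EXIF metadata is a TIFF structure: a byte-order mark, IFD0, and (via tag 0x8825)
a GPS IFD holding GPSLatitudeRef/GPSLatitude/GPSLongitudeRef/GPSLongitude.
"""
import struct

GPS_IFD_TAG = 0x8825
ASCII, LONG, RATIONAL = 2, 4, 5
LAT_REF, LAT, LON_REF, LON = 0x0001, 0x0002, 0x0003, 0x0004


def _dms(value):
    """Split decimal degrees into the (deg, min, sec) rationals EXIF stores."""
    value = abs(value)
    deg = int(value)
    minutes = int((value - deg) * 60)
    seconds = round(((value - deg) * 60 - minutes) * 60 * 100)  # hundredths
    return [(deg, 1), (minutes, 1), (seconds, 100)]


def build_exif_with_gps(lat, lon):
    """Constructed sample: a little-endian TIFF/EXIF blob with only a GPS IFD."""
    lat_ref = b"N" if lat >= 0 else b"S"
    lon_ref = b"E" if lon >= 0 else b"W"
    ifd0_off = 8                         # header is 8 bytes
    gps_off = ifd0_off + 2 + 12 + 4      # IFD0: count, one entry, next-IFD = 18 bytes
    lat_off = gps_off + 2 + 4 * 12 + 4   # GPS IFD: count, four entries, next-IFD
    lon_off = lat_off + 3 * 8            # three RATIONALs of 8 bytes each

    def entry(tag, typ, count, value):
        return struct.pack("<HHII", tag, typ, count, value)

    def rationals(parts):
        return b"".join(struct.pack("<II", n, d) for n, d in parts)

    blob = b"II" + struct.pack("<HI", 42, ifd0_off)
    blob += struct.pack("<H", 1) + entry(GPS_IFD_TAG, LONG, 1, gps_off) + struct.pack("<I", 0)
    blob += struct.pack("<H", 4)
    blob += entry(LAT_REF, ASCII, 2, int.from_bytes(lat_ref + b"\0\0\0", "little"))
    blob += entry(LAT, RATIONAL, 3, lat_off)
    blob += entry(LON_REF, ASCII, 2, int.from_bytes(lon_ref + b"\0\0\0", "little"))
    blob += entry(LON, RATIONAL, 3, lon_off)
    blob += struct.pack("<I", 0)
    blob += rationals(_dms(lat)) + rationals(_dms(lon))
    return blob


def build_exif_without_gps():
    """Constructed sample: a valid header and an empty IFD0, no GPS IFD."""
    return b"II" + struct.pack("<HI", 42, 8) + struct.pack("<H", 0) + struct.pack("<I", 0)


def parse_exif_gps(blob):
    """Return (lat, lon) in decimal degrees, or None if the blob has no GPS IFD.

    Accepts the bare TIFF structure or a JPEG APP1 payload with its 'Exif\\0\\0' prefix.
    """
    if blob[:6] == b"Exif\0\0":
        blob = blob[6:]
    order = {b"II": "<", b"MM": ">"}.get(blob[:2])
    if order is None or struct.unpack(order + "H", blob[2:4])[0] != 42:
        raise ValueError("not a TIFF/EXIF header")
    ifd0 = struct.unpack(order + "I", blob[4:8])[0]

    def read_ifd(off):
        count = struct.unpack(order + "H", blob[off:off + 2])[0]
        entries = {}
        for i in range(count):
            e = off + 2 + 12 * i
            tag, typ, n, val = struct.unpack(order + "HHII", blob[e:e + 12])
            entries[tag] = (typ, n, val, e + 8)  # e + 8 = where the inline value sits
        return entries

    gps_ptr = read_ifd(ifd0).get(GPS_IFD_TAG)
    if gps_ptr is None:
        return None
    gps = read_ifd(gps_ptr[2])

    def ascii_value(tag):  # values of 4 bytes or fewer are stored inline
        _, n, val, inline = gps[tag]
        raw = blob[inline:inline + n] if n <= 4 else blob[val:val + n]
        return raw.rstrip(b"\0").decode("ascii")

    def rationals(tag):
        typ, n, val, _ = gps[tag]
        if typ != RATIONAL:
            raise ValueError("tag 0x%04X is not RATIONAL" % tag)
        return [struct.unpack(order + "II", blob[val + 8 * i:val + 8 * i + 8]) for i in range(n)]

    def to_decimal(parts, ref):
        d, m, s = [num / den for num, den in parts]
        value = d + m / 60 + s / 3600
        return -value if ref in ("S", "W") else value

    return (to_decimal(rationals(LAT), ascii_value(LAT_REF)),
            to_decimal(rationals(LON), ascii_value(LON_REF)))


if __name__ == "__main__":
    sample = build_exif_with_gps(40.748817, -73.985428)
    print(parse_exif_gps(sample))
```

In a real JPEG the blob above sits in the APP1 segment right after the Start of Image marker; the `Exif\0\0` prefix handling covers that case. The reference letters (N/S, E/W) are what turn the unsigned rationals into signed coordinates, so a parser that ignores them puts a West longitude in the wrong hemisphere.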

Google Realtime

Realtime is a service that lets you “see up-to-the-second social updates, news articles and blog posts about hot topics around the world.” This is a new feature that has a lot of potential. As investigations require more information from the Internet contemporaneous to the crime, investigators can gain better situational awareness of their investigations from a wide variety of sources.

Google Reader

If the website or blog you are interested in has an RSS feed, use Google Reader to save time. Reader automates site/blog updates, pulling them in so that you don’t have to remember to visit the website. This can be especially useful if you are working on a long-term investigation or gathering intelligence over a period of weeks or months.

Another Google Reader feature is the ability to arrange blog subscriptions into folders. This can make them easier to parse, especially if you subscribe to many blogs.

Third: the ability to follow people to see what content they share from their blog subscriptions. This can be an important source of intelligence, as it can uncover other blogs via other users.

Google Alerts

An investigator favorite should be Google Alerts. Google Alerts emails you daily updates of the latest Google news and blog results based on the topics, names or search terms you add.

Some examples of using Google alerts for the investigator can include:

  • the name of a suspect or subject of an investigation
  • a company product name (assists you in product protection)
  • company principals’ names (useful for identity theft protection)
  • competitors’ names
  • your favorite topic

A caveat: search terms don’t always turn up the results you want, so you may need to tweak the keywords. Refine them using the same rules as for other search engines: enclose specific phrases (like names) in quotation marks, and use plus or minus signs to make sure Google only returns items mentioning both terms in the same article (for instance, esi + “social networking”) or to exclude items with a particular term (such as esi -email, with the minus attached to the excluded word).

Google Translate

With the international flavor of Internet investigations today, investigators will invariably encounter foreign languages during their investigations. Google Translate aids the investigator in the examination of websites in almost any foreign language.

Not long ago you had to copy and paste content into the Google Translate box. No more – now, when you have the Google toolbar installed, a pop-up header will notify you when you are on a foreign-language site and asks if you want to translate into one of 50+ languages. The translator isn’t perfect; some words have no English equivalent. But it’s certainly more than enough to get the site’s gist.

Google Patent Search

Investigating theft of intellectual property? Find out more about patents and their holders with Google Patent Search; enter the relevant keywords (again, this may take tweaking) and find the relevant information. (Google also has a Product Search, but this returns results that are not all that dissimilar from an ordinary Google search.)

Google Groups

General Google searches do not cover Usenet. However, Google has cataloged 20 years of Usenet and has made it available via Google Groups. Investigators can search the cataloged posts for potential leads or intelligence on their cases.

Other Google tools

Orkut, not unlike Twitter or Facebook, is a social network popular in Brazil and India.
Google Voice, which allows you to pick a number in your own or your undercover identity’s area code, can be useful for undercover investigations.
Google Images and Google Videos allow searches for those two respective media. Useful for many different kinds of criminal cases including gangs, intellectual property theft, property crimes, and so on.
Google Trends show keyword topics that have trended through search recently.

Want more? Check out for a full list of Google tools, both beta and not.

Fingerprinting a Web server from an investigative point of view

Wednesday, May 19th, 2010

Fingerprinting web servers is not a startling new revelation in web development. For several years, technology to identify web servers has been used by black-hat and white-hat hackers alike to find weaknesses in web servers. Companies have used these “fingerprinting” techniques on incoming connections, examining the IP addresses and the systems they come from, to prevent identity theft and credit card fraud. Penetration testers commonly use the same techniques to identify a system before attempting to review it, and attackers use them to find weaknesses in a web server’s implementation.

Most often, “fingerprinting” is implemented server-side, to examine incoming traffic. The client-side application of the same idea is what interests the online investigator. There have been numerous discussions of its use and technical development, but not from the law enforcement investigative perspective. Identifying information about a server can be advantageous for an investigation conducted on the Internet. “Fingerprinting” the web server can identify certain aspects of the server, including the server software, the operating system and their versions. This identification can provide law enforcement investigators with additional useful information about the nature and origin of the website.

Using the server’s responses to a browser’s requests to identify what it is running can aid the investigator’s preliminary examination of a website. That initial review can help determine the website’s ownership and legitimacy. A commonly used tool that has been a hacking/penetration testing staple for years is Nmap, short for Network Mapper, an open source utility for exploring networks and doing security audits. Other tools have been developed specifically to identify web servers through the server’s response to a browser’s request; these include hmap, Nikto and httprint (Xprobe, often listed alongside them, fingerprints the operating system from its network responses rather than the web server). Keep in mind that the Server banner is under the operator’s control and can be changed or removed, which is why these tools also look at subtler traits of the response, such as the order in which headers are emitted.
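The following is an added example, not code from httprint, Nikto or the original post, of the passive side of that technique applied to a single HTTP response. The two responses are constructed for illustration (no real host was contacted), and the two header-order profiles are assumptions made for the example rather than a vetted signature database; real tools ship hundreds of such signatures. The idea is what httprint-style tools rely on: the Server banner is easy to change, but the order in which a server emits its headers is a property of the software and tends to survive a changed banner, so the example scores the observed order against each profile and flags a banner that disagrees with the order.

```python
"""Passive web server fingerprinting from one HTTP response.

Added example. Responses and order profiles are constructed for illustration.
"""
from itertools import combinations

# Illustrative order profiles (assumed for this example, not a real signature
# database). Only the relative order of headers present in both the profile and
# the response is scored, so missing headers do not penalize a match.
ORDER_PROFILES = {
    "Apache-like": ["Date", "Server", "Last-Modified", "ETag", "Accept-Ranges",
                    "Content-Length", "Content-Type"],
    "IIS-like": ["Content-Type", "Last-Modified", "Accept-Ranges", "ETag", "Server",
                 "X-Powered-By", "Date", "Content-Length"],
}

# Constructed responses; no real server produced them.
APACHE_LIKE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 18 Jul 2011 20:03:22 GMT\r\n"
    b"Server: Apache/2.2.17 (Unix)\r\n"
    b"Last-Modified: Sun, 17 Jul 2011 09:00:00 GMT\r\n"
    b"ETag: \"2c-4a6f\"\r\n"
    b"Accept-Ranges: bytes\r\n"
    b"Content-Length: 5\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\nhello"
)
# Banner claims Apache, but the header order is the IIS-style one.
BANNER_CHANGED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Last-Modified: Sun, 17 Jul 2011 09:00:00 GMT\r\n"
    b"Accept-Ranges: bytes\r\n"
    b"ETag: \"2c-4a6f\"\r\n"
    b"Server: Apache\r\n"
    b"X-Powered-By: ASP.NET\r\n"
    b"Date: Mon, 18 Jul 2011 20:03:22 GMT\r\n"
    b"Content-Length: 5\r\n"
    b"\r\nhello"
)


def parse_response(raw):
    """Split a raw response into (status_line, [(name, value), ...], body).

    Header order is preserved on purpose: it is part of the fingerprint.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def order_score(observed, profile):
    """Fraction of header pairs whose relative order agrees with the profile."""
    pos = {h: i for i, h in enumerate(observed)}
    present = [h for h in profile if h in pos]
    pairs = list(combinations(present, 2))
    if not pairs:
        return 0.0
    agree = sum(1 for a, b in pairs if pos[a] < pos[b])
    return agree / len(pairs)


def fingerprint(raw):
    """Banner, extra disclosure headers, header order, and an order-based guess."""
    status_line, headers, _ = parse_response(raw)
    names = [n for n, _ in headers]
    lookup = {n.lower(): v for n, v in headers}
    scores = {name: order_score(names, prof) for name, prof in ORDER_PROFILES.items()}
    best = max(scores, key=scores.get)
    banner = lookup.get("server", "")
    lowered = banner.lower()
    claimed = "Apache-like" if "apache" in lowered else "IIS-like" if "iis" in lowered else None
    return {
        "status_line": status_line,
        "server": banner,
        "x_powered_by": lookup.get("x-powered-by"),
        "header_order": names,
        "order_guess": best,
        "order_scores": scores,
        "banner_conflicts_with_order": claimed is not None and claimed != best,
    }


if __name__ == "__main__":
    for sample in (APACHE_LIKE, BANNER_CHANGED):
        fp = fingerprint(sample)
        print(fp["server"], "->", fp["order_guess"], fp["order_scores"],
              "conflict" if fp["banner_conflicts_with_order"] else "consistent")
```

A conflicting result is itself a lead: someone took the trouble to change the banner, which says something about the care (or the obfuscation) behind the site. Treat the guess as one signal among several, alongside what the TCP/IP stack and the registry lookup say.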

More in-depth work on web server “fingerprinting” is needed to establish its full benefit as an investigative tool. Based on its current use in the field as a reliable penetration tester’s tool, the prospect appears good that this methodology could benefit law enforcement.

How people socialize online

Thursday, April 8th, 2010

By now, news stories about online criminal investigation are commonplace, from finding graffiti taggers to collecting gang intelligence.

But where do the social network users come from, and how do they use their favorite sites? These are important questions, whether you are trying to understand your community’s overall demographics, or specifically address criminal activity.

From spectators to creators

In 2007 think tank Forrester Research came up with the graphic on the right (explained most recently in this post). Rather than showing segmented user groups, the Social Technographics Ladder demonstrates a progression of behavior, from “inactive” (bottom rung) to “creators” (top rung), so that behaviors overlap.

What does this mean for law enforcement? Lots of things. Although it’s generic (Forrester has completed profiles for specific companies and industries about their customers), it’s a good start for investigators and administrators who want to understand victims and criminals alike.

First, only 17% of U.S. adults who are online are inactive in social media. From the standpoint of victims, they’re still at risk from email phishing, for instance, or other forms of identity theft.

But they’re not as at risk as Facebook or Twitter users, for instance, who are more exposed to “bad” links that send them to phishing sites, or surreptitiously download keylogger and other malware to their computers.

Criminals, meanwhile, are becoming bolder and more active. They may not so much be “curating” content—collecting, say, tips and techniques—as sharing and creating it, largely for the sake of having “bragging rights.” Witness the copious photos of drug and gun stashes on MySpace.

A full spectrum of social networks

The other graphic law enforcement can make use of is the Conversation Prism, a graphic designed by public relations professionals Brian Solis and Jesse Thomas. The Prism shows not just the wide variety of social networks out there, but also groups them into categories by use type.

The circular spectrum is a good way to visualize how social networks fit and the many ways users have to create and share content, according to their behavior as shown on the Social Technographics Ladder.

Additionally, the Prism’s core shows the value of these uses: ongoing feedback and insight, crisis communications, PR/marketing and customer support, all revolving around an organization’s brand. This is important to law enforcement agencies, but also valuable when applied to criminal organizations, such as gangs or narcotics networks.

And no, investigators do not have to create or maintain accounts on every single one of these sites. That would be cost-prohibitive. They should, however, maintain awareness—of these and of new popular sites—and be prepared to go where the investigation leads.

What online networking behaviors have you observed among criminals you investigate?

Christa M. Miller is Vere Software’s marketing/public relations consultant. She specializes in law enforcement and digital forensics and can be reached at christa at christammiller dot com.

Six Online Tools for Tracing IP Addresses

Tuesday, March 9th, 2010

Tracing IP addresses is a fundamental skill for online investigations, and several resources on the Internet assist in the process. Online resources for basic IP identification include:

ARIN – American Registry for Internet Numbers
ARIN is a Regional Internet Registry (RIR) that provides services related to the technical coordination and management of Internet number resources in its service region. The ARIN service region includes Canada, many Caribbean and North Atlantic islands, and the United States.

Use the “Search Whois” function at  to obtain IP registration information.

Sam Spade
Sam Spade has been in use as a tool for obtaining domain registration information for years. It has a simple, Google-like interface where you enter an IP address or a domain name.
DNS Stuff
This is another website that has been around for a number of years. It offers both free and paid options to assist in identifying IP addresses and other online information.
Another website with a simple user interface to assist in IP tracing.
Central Ops is another website that assists with your IP tracing. One of its features “Domain Dossier” does multiple lookups on an IP address or domain.
Internet Investigators Toolbar
All of these websites are easily accessible from our Internet Investigators toolbar, free to the online investigations community, which can be found on our website at

Six Internet Tools for Researching Someone

Saturday, February 13th, 2010

Finding information about someone online can be as simple as searching for them in Google. For more detailed information, several resources on the Internet specialize in identifying people. Each website returns a limited amount of information on whomever you are researching, and most are a front end for a pay service that, for a small fee, will give you a complete background on the individual. By searching several of the services, which each return different information, you can quickly put together a significant amount of information on your target.

Search Bug

Zabba Search

The Ultimates

Skip Ease


Zoom Info


Internet Investigators Toolbar

All of these websites are easily accessible from our Internet Investigators toolbar, free to the online investigations community, which can be found on our website at

Monitoring Twitter? Try Searchtastic

Monday, February 8th, 2010

Twitter is not the pointless what-I’m-having-for-breakfast exercise in narcissism that many people think it is. The Washington Post recently reported that gangs are now using it and rival Facebook to discuss their activities–thereby inadvertently incriminating themselves.

So, it’s a good idea for gang investigators, probation/parole officers, and other law enforcement officers to monitor Twitter to see what’s going on. Best way to do that? Lauri Stevens over at ConnectedCOPS suggests Searchtastic:

Try searching Twitter with its own advanced search “feature” and you might come up a bit disappointed. Put in a term or hashtag and it will only take you back a week and a half or so in time.

With Searchtastic:

1. Search usernames or hashtags
2. You can pull up tweets from weeks and months back.
3. You can search on a particular user and the people he or she follows.
4. Then, click on a word in the search results and it modifies the search by the word. Once a word is in the search results, if you want to take it back out, click on it again.
5. And the clincher: When your search results look like something that might be interesting, export the results to Excel with the click of one button.

It seems like in ten or fifteen minutes, you could design a search, relevant to any investigation you might be working, that’s full of interesting terms and Twitter usernames. Export those results to Excel and cross reference them through your other database engines and maybe connect a few more dots. Useful?

I tried Searchtastic on the hashtag (a way to organize tweet topics) #webcase, which I used in November to live-tweet training from Charlotte, NC. The first run found tweets going back to October, but not my class tweets.

During my second run, without the # symbol, I found about six pages of tweets. Some came from Todd (who tweets as @Webcase); others from people who had “retweeted,” or recommended, WebCase or something we’d said.

As Lauri says, Searchtastic is in beta, so it may not catch 100% of what you are trying to find. As with so much when it comes to online investigations, best is to run the search sooner rather than later. However, Searchtastic does find much more than Twitter Search; it does organize tweets nicely by username; and it does allow for export to Excel.

Find out more on Searchtastic’s About page.

Christa M. Miller is Vere Software’s marketing/public relations consultant. She specializes in law enforcement and public safety and can be reached at christa at christammiller dot com.