5 Ways to Protect Your OSINT Investigations

Have you already started to conduct your own OSINT investigations? If so, have you ever thought of covering your tracks in order not to jeopardize your investigations?

 

There are several ways in which you as an analyst can be tracked by service providers or even your targets. Thus an alternative title might have been:

 

When OSINT hunters get hunted.

 

Let’s first have a look, who is usually interested in your digital traces. There are various actors interested in tracking you as an internet user:

 

1. Advertising companies track you to target you with customized advertisements. Run a search for new Adidas shoes on Google and watch your personalized ads afterward.
2. Analytical companies use web tracking to understand user behavior across websites. 
3. Companies track website visitors to understand which content is of interest and which content should be adapted. There are a lot of powerful tools available for Search Engine Optimization (SEO).
4. Finally, law enforcement agencies track users to solve and prevent crime.

 

With regard to GDPR, not all tracing techniques are legal. But as you can imagine, user tracking involves a lot of money and therefore operators are inventive when it comes to tracking.

 

If tracking can be done by anyone, you should assume that your target can and will track you as well and this might result in a canceled investigation or even in a personal risk for you.

 

Looking at your OSINT investigations, keeping your digital identity hidden is a critical prerequisite before doing any OSINT gathering activity. You do not want that your targeted criminal organization is aware of you as an analyst.

 

Anything you do online is recorded somewhere! Maybe this sentence will appear strange for the first time. However, this is the truth. In this article, we will explore the main methods employed by online trackers to track your online activities when conducting OSINT investigations.

 

For simplicity, we focus on standard web tracking methods. In a separate article, we will explain how API and account tracking is done and how you can conceal your traces even there.

Tracking IP Addresses as Good Standard

An Internet Protocol address (IP address) is a number assigned to each participant of an IP network. IP addresses are unique but can be shared by multiple devices. 

 

For example, a big company network usually has one static public IP address which is internally used by multiple employees. If an employee visits a certain website, only the public IP address is tracked. 

 

Even though there is no guaranteed user identification based on IP addresses, it is the first choice for online trackers as you can extract a lot of information out of the IP address:

 

• Static IP addresses are usually assigned to bigger companies or institutions. If you work for a larger organization and conduct your OSINT investigations within the organization network, your organization will most likely get identified.
• IP addresses reveal your country and sometimes your city. Let’s say, you are in home office due to Corona and start with an online investigation by analyzing a website. If your target is smart, he will see your current country and city.

Rebooting your machine our rebooting your router is no guarantee to get a new public IP address. 

 

Use the powerful service ShowMyIP to get your current IP address, your current country, and most likely current city. Now, you will understand that certain countermeasures are required.

 

 

So are there any tricks to hide your IP address? There are multiple ones:

 

1. Use a Virtual Private Network (VPN) service to get an additional public IP address on top of your standard one. We can recommend ProtonVPN. As it is a Swiss-based service, they are out of the EU and US. They have a no-log policy and can even integrate Tor.
2. Use the Tor browser for anonymous browsing. Your connection will be re-routed over multiple machines which makes it really hard to trace back your IP address.

 

The drawback of those solutions is that your connection will probably get slower.

Cookies Based Tracking

Website cookies have been there since the early days of the web in 1994.  In its simplest form, website cookies are small text files created and stored on your device after visiting a website for the first time. Originally it was developed for useful purposes, such as storing user stateful information when shopping online or remembering user login information or other website configuration settings.

 

However, as with most technologies, cookies have been abused for harmful purposes. Especially for tracking internet users browsing history across the web.

  

Web cookies can be categorized according to different criteria. The most common is grouping it according to who installs them on the user’s device.

 

• First-party cookie: This cookie is installed by the website you are visiting. For example, when visiting CNN, the cookies installed by CNN are considered a first-party cookie.
• Third-party cookie: This cookie is installed by websites other than the one you are currently visiting. This type of cookie raises privacy concerns because it is often used to track users across multiple websites. There was a long discussion on Facebook’s like button last year.

 

Independent to where the cookie comes from, it often contains a unique value that can be used to re-identify you again. Identification is exactly what we do NOT want in case of an OSINT investigation.

 

As a countermeasure, you can enable incognito modes for almost all browsers. This ensures that cookies and browsing histories are not persisted on your device.

 

If you decide to use a VPN service, please also enable the private surfing functionality, otherwise, you still get the cookies.

Entity-Tags as a New Method

An entity-tag (ETag) is a part of the HTTP header and used to provide web cache validation to increase the website performance. 

 

1. If you visit a website for the first time, all content (e.g. images, videos, or documents) is sent back by the server together with a unique ETag. The content is stored locally with the ETag as an identifier.
2. If you visit the website a second time, your browser will ask the server if there is an update for a specific ETag. If not, the locally stored content is used. Otherwise, the content is loaded again from the server.

 

Often, the hash value of the content is used as an ETag. This is a nice idea to reduce data transmitted over limited connections.

 

So far so good. Unfortunately, there are a lot of smart people on the other side as well. Instead of using the same ETag for all clients, they generate client-specific ETags. By doing so, they can track your requests even if you have different IP addresses.

 

To avoid this, you should clear your browser cache at regular intervals. The private browsing functionality of your browser might support this already.

Web and Email Beacons

A web beacon, also known as web bug or tracking pixel, is a mechanism for tracking user activities on websites and to get information when a specific email was loaded or forwarded. 

 

It works by placing a tiny transparent image (1 x 1 pixel in size) on a webpage, inside a banner ad, or within an email message. When a visitor opens an email, the image is loaded from the tracking server and your IP address is revealed. If those images have a unique name, you can even establish a link between an IP address and a dedicated person.

 

Web bugs can be utilized with email messages to track how the recipient handles the received email. For example, when it was first opened, how much time spent on reading it, whether it was forward, and if the recipient clicks any link within the email in addition to recording the IP address of the recipient. 

 

Web bugs were abused by spammers and phishers by recording valid email addresses to target them with more advertisements or to initiate a phishing attack.

 

There are various plugins available for mail clients and browsers to prevent tracking pixels.

Browser Fingerprinting as the Golden Standard

Now, it is getting really crazy. Browser fingerprinting, also known as device fingerprinting, is a technical method to uniquely identify and track your device/browser without relying on your IP addresses, cookies, or ETags. Often it is used to identify and prevent license fraud.

 

Technically seen, it is amazing. From a privacy protection point of view, it is horror. 

 

It works by running a piece of JavaScript code inside your browser.  This code will extract a wide array of technical information:

 

• Browser type and version,
• installed extensions,
• installed fonts,
• language preferences,
• screen resolution (are you still happy about your Retina display),
• operating system type and build number,
• time zone and 
• many more. 

The collected information is stored as a hash value and then used to identify your device among millions of other connected devices. 

 

The collected information from device fingerprinting may seem generic and not enough to distinguish an individual’s computing device among millions of connected devices. However, this is not correct, as it is rare to have two devices share the same settings online. 

 

This makes device fingerprinting a preferred method for online trackers to track an internet user transparently. Have a look at the FingerPrintJS service and decide if you want to leave fingerprints while doing OSINT investigations. 

 

 

At the time of writing, they could even track my personal Tor browser. I will investigate on that!

How can we assist you?

We explained a small fraction of the tracking techniques. However, in most cases, the chosen examples can be technically prevented. 

 

Trickier are the questions:

 

• How can I prevent Google from knowing what I’m looking for?
• How can I prevent Facebook from knowing what I’m looking for?

Here, it is not technical questions that need to be solved, but legal ones. Usually, you agree to certain terms and conditions which makes it hard to run anonymous OSINT investigations.

 

At Traversals, we integrated more and more anti-tracking methods into our Federated Search. In addition to that, we are in close contact with our IT lawyer to discuss what is legally possible.

 

If you are interested in a discussion on that topic, please let us know!

Key Takeaways

• Concealing your digital identity is a must for your OSINT investigations.
• The number of tracking techniques are growing even though not all of them are GDPR compliant.
• It gets trickier if Terms and Conditions prevent anonymization techniques.
• Traversals integrates more and more legal anti-tracking methods into its solutions for Competitor Intelligence, Strategic Intelligence and Vendor Risk Management.