Have you already started to conduct your own OSINT investigations? If so, have you ever thought of covering your tracks in order not to jeopardize your investigations?
There are several ways in which you as an analyst can be tracked by service providers or even your targets. Thus an alternative title might have been:
When OSINT hunters get hunted.
Let’s first have a look at who is usually interested in your digital traces. There are various actors interested in tracking you as an internet user:
With regard to GDPR, not all tracking techniques are legal. But as you can imagine, there is a lot of money in user tracking, and operators are therefore inventive when it comes to tracking.
If tracking can be done by anyone, you should assume that your target can and will track you as well. This might result in a canceled investigation or even in a personal risk for you.
Looking at your OSINT investigations, keeping your digital identity hidden is a critical prerequisite before doing any OSINT gathering activity. You do not want the criminal organization you are investigating to become aware of you as an analyst.
Anything you do online is recorded somewhere! Maybe this sentence sounds strange at first. However, it is the truth. In this article, we will explore the main methods employed by online trackers to track your online activities while you conduct OSINT investigations.
For simplicity, we focus on standard web tracking methods. In a separate article, we will explain how API and account tracking is done and how you can conceal your traces even there.
An Internet Protocol address (IP address) is a number assigned to each participant of an IP network. IP addresses are unique but can be shared by multiple devices.
For example, a big company network usually has one static public IP address which is internally used by multiple employees. If an employee visits a certain website, only the public IP address is tracked.
Even though there is no guaranteed user identification based on IP addresses, they are the first choice for online trackers, as a lot of information can be extracted from an IP address:
Rebooting your machine or rebooting your router is no guarantee that you will get a new public IP address.
Use the ShowMyIP service to see your current public IP address, your current country, and most likely your current city. After that, you will understand why certain countermeasures are required.
So are there any tricks to hide your IP address? There are multiple ones:
The drawback of those solutions is that your connection will probably get slower.
Website cookies have been around since the early days of the web in 1994. In their simplest form, website cookies are small text files created and stored on your device after you visit a website for the first time. Originally they were developed for useful purposes, such as keeping session state when shopping online or remembering login information and other website configuration settings.
However, as with most technologies, cookies have been abused for harmful purposes, especially for tracking internet users’ browsing history across the web.
Web cookies can be categorized according to different criteria. The most common one is grouping them according to who installs them on the user’s device.
Regardless of where the cookie comes from, it often contains a unique value that can be used to re-identify you. Identification is exactly what we do NOT want in an OSINT investigation.
As a countermeasure, you can enable incognito modes for almost all browsers. This ensures that cookies and browsing histories are not persisted on your device.
If you decide to use a VPN service, please also enable the private browsing functionality; otherwise, you still receive the cookies.
An entity tag (ETag) is an HTTP response header used for web cache validation, which improves website performance.
Often, a hash value of the content is used as the ETag. This is a good idea for reducing the data transmitted over limited connections.
So far so good. Unfortunately, there are a lot of smart people on the other side as well. Instead of using the same ETag for all clients, they generate client-specific ETags. By doing so, they can track your requests even if you have different IP addresses.
To avoid this, you should clear your browser cache at regular intervals. The private browsing functionality of your browser might support this already.
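As an added illustration (not code from the article or from Traversals), the following Python simulation contrasts a content-derived ETag with a client-specific tracking ETag, and includes a simple check for telling the two apart: fetch the resource twice from a fresh cache and see whether the ETag changes. The server, the resource body and all IP addresses are constructed.

```python
import hashlib
import secrets
from typing import Optional

CONTENT = b"<html>static page</html>"  # constructed sample resource


def content_etag(body: bytes) -> str:
    """Legitimate ETag: derived from the body, so identical for every client."""
    return '"' + hashlib.sha256(body).hexdigest()[:16] + '"'


class TrackingServer:
    """Constructed server that mints a random ETag per new client and logs hits."""

    def __init__(self):
        self.seen = {}  # etag -> list of client IPs observed sending it

    def get(self, if_none_match: Optional[str], client_ip: str):
        if if_none_match in self.seen:
            # The client replayed its ETag: re-identified even on a new IP.
            self.seen[if_none_match].append(client_ip)
            return 304, if_none_match
        etag = '"' + secrets.token_hex(8) + '"'
        self.seen[etag] = [client_ip]
        return 200, etag


def looks_client_specific(fetch) -> bool:
    """Check: fetch the same resource twice from a fresh cache (no If-None-Match).
    A content-derived ETag repeats; a per-client tracking ETag differs."""
    _, first = fetch(None)
    _, second = fetch(None)
    return first != second


def demo():
    srv = TrackingServer()
    # A browser that keeps its cache replays the stored ETag, even after
    # moving from a home IP to a VPN exit IP (both addresses constructed).
    _, tag = srv.get(None, "203.0.113.10")
    status, _ = srv.get(tag, "198.51.100.7")
    # Clearing the cache before the next request breaks the link.
    status_cleared, new_tag = srv.get(None, "198.51.100.7")
    return {
        "relinked_across_ips": status == 304 and srv.seen[tag][-1] == "198.51.100.7",
        "cleared_cache_not_linked": status_cleared == 200 and new_tag != tag,
        "tracking_etag_flagged": looks_client_specific(lambda h: srv.get(h, "192.0.2.1")),
        "content_etag_not_flagged": not looks_client_specific(lambda h: (200, content_etag(CONTENT))),
    }
```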
A web beacon, also known as a web bug or tracking pixel, is a mechanism for tracking user activity on websites and for learning when a specific email was opened or forwarded.
It works by placing a tiny transparent image (1 x 1 pixel in size) on a webpage, inside a banner ad, or within an email message. When the page or email is opened, the image is requested from the tracking server, which reveals the visitor’s IP address. If each image has a unique name, the tracker can even link an IP address to a specific person.
Web bugs can be used in email messages to track how the recipient handles the received email: for example, when it was first opened, how much time was spent reading it, whether it was forwarded, and whether the recipient clicked any link within the email, in addition to recording the recipient’s IP address.
Web bugs have been abused by spammers and phishers to confirm valid email addresses, which are then targeted with more advertisements or with a phishing attack.
There are various plugins available for mail clients and browsers to prevent tracking pixels.
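As an added defender-side example (not from the article or any of the plugins mentioned), here is a Python check that scans an HTML email body for images that look like tracking pixels: tiny or hidden, hosted off the sender’s domain, or carrying a long per-recipient token in the URL. The sample email, its domains and the token are all constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample: an ordinary logo image next to a 1x1 beacon whose URL
# carries a per-recipient token and points at a third-party host.
SAMPLE_EMAIL = """
<html><body>
<p>Hello,</p>
<img src="https://cdn.example.com/logo.png" width="200" height="60" alt="logo">
<img src="https://track.example.net/open.gif?rid=8f3a1c9e2b7d" width="1" height="1" style="display: none">
<a href="https://www.example.com/offer">Read more</a>
</body></html>
"""
SENDER_DOMAIN = "example.com"  # constructed; the domain the mail claims to come from


class BeaconFinder(HTMLParser):
    """Collects <img> tags that show at least two beacon indicators."""

    def __init__(self, sender_domain):
        super().__init__()
        self.sender_domain = sender_domain
        self.beacons = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        if not src.startswith(("http://", "https://")):
            return  # inline (cid:/data:) images never reach a tracking server
        reasons = []
        if (a.get("width") or "").strip() in ("0", "1") or (a.get("height") or "").strip() in ("0", "1"):
            reasons.append("1x1 size")
        if "display:none" in (a.get("style") or "").replace(" ", ""):
            reasons.append("hidden")
        url = urlparse(src)
        host = url.hostname or ""
        if host != self.sender_domain and not host.endswith("." + self.sender_domain):
            reasons.append("third-party host")
        if any(len(v[0]) >= 8 for v in parse_qs(url.query).values()):
            reasons.append("unique token in URL")
        if len(reasons) >= 2:
            self.beacons.append({"src": src, "reasons": reasons})


def find_beacons(html, sender_domain=SENDER_DOMAIN):
    """Return the suspected beacons in an HTML mail body."""
    finder = BeaconFinder(sender_domain)
    finder.feed(html)
    return finder.beacons
```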
Now it is getting really crazy. Browser fingerprinting, also known as device fingerprinting, is a technique to uniquely identify and track your device or browser without relying on your IP address, cookies, or ETags. It is often used to identify and prevent license fraud.
From a technical point of view, it is impressive. From a privacy protection point of view, it is a horror.
The collected information is stored as a hash value and then used to identify your device among millions of other connected devices.
The information collected by device fingerprinting may seem generic and not sufficient to distinguish an individual’s device among millions of connected devices. However, this is not the case, as it is rare for two devices to share the same settings online.
This makes device fingerprinting a preferred method for online trackers to track an internet user transparently. Have a look at the FingerprintJS service and decide whether you want to leave fingerprints while doing OSINT investigations.
At the time of writing, they could even track my personal Tor browser. I will investigate that!
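To show why a few generic-looking signals add up to a unique identifier, and why anti-fingerprinting works by presenting uniform values, here is an added Python example that is not Traversals’ or FingerprintJS’s code. The signal values, the prevalence estimates and the uniform profile are all constructed, and the bit count assumes the signals are independent.

```python
import hashlib
import json
import math

# Constructed sample of signals a fingerprinting script collects; real scripts
# gather many more (WebGL, audio, plugins, fonts enumerated one by one).
DEVICE = {
    "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/115.0",
    "screen": "2560x1440x24",
    "timezone": "Europe/Berlin",
    "languages": "de-DE,de,en-US",
    "fonts": "Arial,Calibri,Consolas,Segoe UI",
    "canvas_hash": "a91f0c",
}
# Constructed estimates: fraction of all devices sharing DEVICE's value per signal.
PREVALENCE = {
    "user_agent": 0.05,
    "screen": 0.08,
    "timezone": 0.1,
    "languages": 0.02,
    "fonts": 0.01,
    "canvas_hash": 0.001,
}
# Constructed uniform profile a hardened browser presents so that devices collide.
UNIFORM = {"screen": "1000x1000x24", "timezone": "UTC", "languages": "en-US,en"}


def fingerprint(attrs):
    """The tracker's device ID: a hash of the canonically serialized signals."""
    canon = json.dumps(attrs, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


def identifying_bits(prevalence):
    """Surprisal summed over signals (independence assumed): -sum(log2 p)."""
    return sum(-math.log2(p) for p in prevalence.values())


def bits_needed(population):
    """Bits required to single out one device among `population` devices."""
    return math.log2(population)


def harden(attrs, uniform=UNIFORM):
    """Replace covered signals with uniform values; uncovered ones stay as-is."""
    return {k: uniform.get(k, v) for k, v in attrs.items()}


def remaining_bits(prevalence, uniform=UNIFORM):
    """Identifying bits left after hardening: only uncovered signals count."""
    return identifying_bits({k: p for k, p in prevalence.items() if k not in uniform})
```

Under these constructed numbers the six signals carry about 33.5 bits, more than the roughly 32.2 bits needed to single out one device among five billion; making three of them uniform leaves about 21 bits, so the device is no longer unique, but every signal the profile does not cover still distinguishes it.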
We have explained only a small fraction of the tracking techniques. However, the chosen examples can in most cases be technically prevented.
Trickier are the questions:
Here, it is not technical questions that need to be solved, but legal ones. Usually, you agree to certain terms and conditions, which makes it hard to run anonymous OSINT investigations.
At Traversals, we have integrated more and more anti-tracking methods into our Federated Search. In addition, we are in close contact with our IT lawyer to discuss what is legally possible.
If you are interested in a discussion on that topic, please let us know!
Copyright © 2023, Traversals Analytics and Intelligence GmbH. All Rights Reserved.