Legally Preserving OSINT (Open Source Intelligence)
How should investigators record fast-changing online evidence, such as social media?
Case in point: The Mercer County (New Jersey) Prosecutor’s office followed hundreds of street gang affiliates on Myspace. How did it do that economically? Instead of using seasoned, highly-trained police investigators, it commissioned a team of mere interns. The interns, acting as undercover agents, “friended” target gang affiliates. One fake profile maintained by the interns attracted 180 “friends.”
Collecting evidence from that much online activity can be daunting. Several tools exist, and I’ve previously published demonstrations using webcams and downloaded software.
Free, Easy-to-Use Tools
Here’s another demonstration, which emphasizes low cost, easy-to-use tools. The tools are
- screencast-o-matic, a free, Java-based, open-source tool for recording what you see on your screen, and
- Microsoft’s free Skydrive file storage service.
Picture this hypothetical setting. The county sheriff’s office needs an efficient way to capture what is happening on a dynamic blog. Information on the blog at this minute could be changed or deleted a minute later. The sheriff’s office has no special equipment, but it does have two investigators who need to remain anonymous. They will be identified by numbers. Their voices will be recorded by microphone, but not their faces by webcam.
Two Witnesses Are Better Than One
The resulting screencast video is a unified package of evidence that captures the interaction of the web better than a mere screenshot does. (Notice, for example, that the screencast video records the action at the beginning of the bad-guy video posted on the blog under investigation. A screenshot would not capture this action.)
The two investigators corroborate the video and corroborate each other. Each investigator signs the video with the unique sounds of his voice. Each speaks the date and time with his unique, identifying voice.
The involvement of two investigator witnesses makes the sheriff's office less dependent on any single person to testify as to the authenticity of the video later, such as in court. Witnesses like interns can come and go.
Depending on the use of the video, an authority (such as a judge in a parole hearing) might rely on the video, signed by two witnesses, without requiring direct testimony from either of the witnesses on the video's authenticity.
Cloud Time Stamp
To further corroborate the date, the video is loaded onto Microsoft’s Skydrive. Skydrive (a third-party cloud service) shows the time that the video was last modified.
Thus, if the video, dated by the witness voices as October 10, were uploaded on October 10 but then replaced October 25, there would be a mismatch of dates, suggesting that the video in Skydrive is not the one originally created by the investigators.
To further corroborate the date, the investigators could give the video to colleagues, who could store the video in their own time-stamped, cloud-based file-storage accounts.
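The date check described above, as an added example that is not part of the original post: given the date and time the two witnesses spoke on the video and the last-modified time of each stored copy (Skydrive and the colleagues' accounts), it flags any copy stored long after the spoken date, which suggests replacement. It goes one step beyond the post by also comparing a SHA-256 digest of each copy, so a copy whose content differs from the others is reported too. All names, timestamps and file contents are constructed for illustration.

```python
import hashlib
from collections import Counter
from datetime import datetime, timedelta, timezone


def digest(data: bytes) -> str:
    """SHA-256 hex digest of one copy's bytes (content check added beyond the post)."""
    return hashlib.sha256(data).hexdigest()


def check_copies(spoken_at: datetime, copies: list, tolerance: timedelta = timedelta(hours=24)) -> list:
    """Compare each stored copy against the date the witnesses spoke on the video.

    Each copy is a dict with 'holder', 'modified' (the cloud service's last-modified
    time, timezone-aware) and 'digest'. Returns one finding per problem; an empty
    list means every copy is consistent with the spoken date and with each other.
    """
    findings = []
    # The content most holders keep is treated as the reference copy.
    reference = Counter(c["digest"] for c in copies).most_common(1)[0][0]
    for c in copies:
        delta = c["modified"] - spoken_at
        if delta < timedelta(0):
            findings.append(f"{c['holder']}: stored before the spoken date ({c['modified'].isoformat()})")
        elif delta > tolerance:
            findings.append(f"{c['holder']}: last modified {delta.days} days after the spoken date, file may have been replaced")
        if c["digest"] != reference:
            findings.append(f"{c['holder']}: content differs from the copies the other holders keep")
    return findings


# Constructed sample data: the original recording and a later substitute.
ORIGINAL = b"constructed screencast bytes: investigators 1 and 2, October 10"
REPLACED = b"constructed screencast bytes: a different recording"
SPOKEN_AT = datetime(2012, 10, 10, 17, 30, tzinfo=timezone.utc)  # date/time spoken by both witnesses (constructed)
COPIES = [
    {"holder": "investigator 1, Skydrive", "modified": datetime(2012, 10, 10, 18, 5, tzinfo=timezone.utc), "digest": digest(ORIGINAL)},
    {"holder": "colleague A, own cloud account", "modified": datetime(2012, 10, 10, 19, 40, tzinfo=timezone.utc), "digest": digest(ORIGINAL)},
    {"holder": "investigator 2, Skydrive", "modified": datetime(2012, 10, 25, 9, 0, tzinfo=timezone.utc), "digest": digest(REPLACED)},
]

if __name__ == "__main__":
    for line in check_copies(SPOKEN_AT, COPIES) or ["all copies consistent with the spoken date"]:
        print(line)
```

The third constructed copy is reported twice: it was modified fifteen days after the spoken date and its content does not match what the other two holders keep.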
Auditors and Whistleblowers
The techniques demonstrated here could be applied outside law enforcement. They might be used by auditors, journalists, whistleblowers, public watchdogs, school administrators or private investigators.
Is this video absolutely unassailable as legal evidence? No. The two investigators could have colluded to make all of this up. But collusion is not easy. It requires coordinated lying by two equally unethical people.
It is rare for legal evidence to be perfect. This video is reasonably good.
What do you think?
Mr. Wright teaches the law of data security and investigations at the SANS Institute.