Much has been discussed and written about online evidence and undoubtedly, more will follow. While this article will add to this running debate, the intention is to provide an overview to the online investigator to evaluate their own position for the ultimate goal of the utilisation of their “evidence” albeit in OSINT or forensically.
The first issue we need to deal with is legality, this is not an in-depth study of the legalities, it is safe to say, the rule of evidence globally is generally similar with some minor exceptions and peculiarities. As a rule of thumb – evidence should be credible and reliable. Credible in the sense it is able to convince the user (client, prosecutor, judge etc.) that it is truthful, has substance, is not biased, it is consistent and is untarnished. Reliable; it was collected and retained through accepted means, comes from a known source and can be interpreted. Importantly, evidence that is not credible will not be reliable e.g. invading privacy to obtain “evidence” will render it unusable in most legal cases.
One of the most common mistakes I often see with online investigators, they complete a lengthy investigation using various tools such as Maltego, Recon-ng, then fail to retain the original information source (such as a copy of a website) to complete the evidence chain, with the result they end up with a bunch of URLs and some analysis. This is particularly common in intellectual property (IP) investigations for branded products. A contraband website may offer a particular branded product today, removes it and a completely different product is offered tomorrow, with the result both the URL and the actual webpage has disappeared. This is a frequent occurrence on social media sites such as Facebook or classified advertisement sites.
The other common mistake, even when the source is retained it is not preserved with an effective method, technique or software (e.g. Hunchly, OSIRT, Page Vault) to render the source as credible evidence and to avoid the previous problem of disappearing websites/pages. Only too often evidence is collected with a screenshot or the page is saved as a PDF file. The problem with the latter techniques, they are open to tampering and alteration, with the result they can be discredited by an opponent in any subsequent proceedings. The other option similar to crime scene investigation, is video screen capture your entire online investigation. This does, however, introduce a number of technicalities and so does the use of virtual machine investigation operating systems. By all means use them, but the online investigator should become highly proficient in using these methods and tools, the investigation flow must be close to unquestionable, avoid superfluous information at all costs as it will only provide a foundation for attack and do not edit or delete any information as this could be discovered and seen as tampering.
Briefly returning to Hunchly, OSIRT, Page Vault, these tools make use of Secure Hash Algorithm (SHA), a cryptographic hash function (a discussion for another day or a search engine is your friend) which provides each piece of information collected with a generated hexadecimal number (a long sequence of numbers and letters). The purpose of this is to ensure that any information is not tampered with, altered or deleted.
The above by and large sets out the “forensic” or legal process in the event the investigation is being conducted for that purpose. Does it apply to OSINT?
Yes and no, but consider this.
It is my firm belief, OSINT in its pure form is a very close cousin to forensic intelligence see outline and definition. OSINT can be used very successfully in all forms of online investigation, intelligence and research. The example I wish to make is that of the murder trial of Christopher Panayiotou and his co-accused (see State v Panayiotou) during which the defence lawyer objected to evidence submitted as “trial by Facebook”. The policeman Warrant Officer Shane Kuhn, testified he had received a cell phone number from an informant which he then reversed searched against Facebook (a resource which Facebook has now discontinued). This lead to the identification of one of the perpetrators in the case. The defence lawyer argued probably correctly, but unsuccessfully, that Kuhn (who also admitted as much) was not an expert in facebook investigation stating “This evidence is nonsense My Lord. It should not be admitted, it carries no probative value”. The evidence was admitted based on other supporting evidence such as cell phone analysis. The reality here is, Kuhn did not realise he was performing any form of OSINT, if he had, he would have testified to his methods and techniques nor did he realise he was in the realms of forensic intelligence. Also, he did not preserve his investigation correctly and the result was a screen print, which surprisingly the defence did not question.
We should however, avoid the mistake that OSINT is web or internet forensics – this is simply another discipline as this requires considerable expertise in understanding aspects such as HTML code, algorithms, search and server technology. If anyone is going to be using OSINT in support of any litigation, it is best to rather focus on the results, analysis and interpretation of the evidence together with its preservation and being able to testify to such. This is not only for criminal trial, but also cases of civil litigation, administrative justice, labour and contract disputes. However, the OSINT practitioner should be honest about their own capabilities and expertise – if they for example, have no legal/investigative training at minimum, then considerable caution must be exercised before venturing down this road.
OSINT can also be used in support of due diligence investigations, intelligence or research, that being; it will not be used in any litigation other than it could assist e.g. discovering evidence options or access points for the investigation team, and it would thus dispose of the “forensic” aspect and therefore does not carry the same burden of proof as the above.
For the purpose of professionalism, providing accurate reports and at least impressing your client with your OSINT skills, it would be my recommendation to retain as a standard, the burden of credibility and reliability. It would still require the same initial collection techniques and methods, and borrowing from the forensic profession, make use of the 2 x 1 rule i.e. the minimum of 2 independent pieces of credible information will equal 1 fact/piece of evidence. The level of preservation should be no different which will allow you to write dazzling reports , and tools such as Hunchly or OSIRT are strongly recommended. While you may not want to submit to your client your investigation results with a report generated by these tools (they are too lengthy in any event for most clients), they will at the very least provide you with an archive of your investigation to deal with any queries from the client or a historical perspective should it be required.
Keep it safe!