Virtual Machines for OSINT

If you are an OSINT investigator you undoubtedly have your cache of tools and search resources. There is no short supply of start.me pages and link collections out there. However, for good operational security and case management a good virtual machine is just as vital to your investigation.

For the last several years Michael Bazzell and David Wescott’s Buscador VM was my go-to for this; however, since that project is no longer updated I’ve changed my strategy a bit. Luckily there are still several free options out there, pre-configured and pre-loaded with tools, that can help you get up and running quickly. We’ll do a quick tour of several of my favorites and I’ll try to leave you with enough resources to build out your own custom virtual machine. The latter isn’t the fastest or easiest route, but it will probably give you the best environment, since you, the investigator, know which tools you consider must-haves and which ones you would only use from time to time.

To try a virtual machine out, you may not always want to grab a 20 gigabyte image file for a test drive… so I did it for you! Let’s take a quick tour!


Pre-built VM

Trace Labs Virtual Machine

Trace Labs produced their own custom VM for anyone who may be participating in one of the OSINT Search Party CTFs. The system is a customized Kali Linux build so if you are familiar with the famous penetration testing VM you may have an extra comfort level. There were several pre-built apps and a massive OSINT bookmarks section installed in Firefox.

Nice assortment of links sorted by category

Anbox (Android in a Box) a containerized android system seemed convenient to have pre-installed, as mobile emulators can sometimes be frustrating to setup quickly.

Anbox (Android in a Box)

Other handy programs like PhoneInfoga were also ready to go. If you are not familiar with it, PhoneInfoga combines phone number research with Google dorks that open across multiple tabs for some fast OSINT.

Sample of Phone Infoga’s Google-fu

Those were two of the handiest pre-loads I found, but there is a lot more to unpack. The full list of applications in the build can be found on the Trace Labs GitHub page: https://github.com/tracelabs/tlosint-live#applications-included-in-the-build

With that many features the Tracelabs VM is likely an easy starting point for many researchers. The project is also on version 2.0 and seems to have some community momentum so the potential for it to improve is high.

Trace Labs VM is available for download here: https://www.tracelabs.org/trace-labs-osint-vm/

Tsurugi Linux

Tsurugi Linux is a hybrid VM designed for digital forensics, malware analysis and OSINT. I used it a couple of times when it first came out, but they’ve released a few updates since, so I grabbed a fresh copy for a look.

As I poked around the tools and features of the OS, it quickly became apparent that this VM is loaded.

The preloaded applications for malware analysis and digital forensics are impressive, but there is an OSINT switcher that toggles many of those away for better access to the other more commonly used OSINT tools.

OSINT Switcher toggled

As I explored the OSINT tools, one thing that stood out to me about the Tsurugi toolsets is that they really seem to cater to actual analysis of data, not just collection and pivoting. There are several options for analysis of photos, video files and website structure, plus one of the most important sections that should never be overlooked… reporting.

If you find yourself doing specialized investigation (Digital Forensics or Malware Analysis) then you should definitely grab the latest copy for your tool kit.

Tsurugi can be downloaded here: https://tsurugi-linux.org/downloads.php

Tails

I’m counting Tails as a virtual machine for this blog, but Tails is really a self-contained (on a USB drive) privacy-centered operating system. If I were somewhere away from my own machines or office but had access to a Tails USB drive and somebody else’s computer, I could use Tails to conduct an investigation without risk of contaminating the host system. It is kind of a quick and dirty solution, but one to know about. The setup goes through a bit of a process to ensure a clean install, so it can take a while to set up initially.

Tails can be downloaded here: https://tails.boum.org/install/index.en.html

Remnux + SIFT

REMnux recently had an update, so if you happen across anything malware related in your OSINT cases this is a good VM to know about. The documentation page found here is very useful and has a rundown of the tools and their uses in the virtual machine.

I’ve used a hybrid VM in the past that coupled REMnux with the more digital-forensics-focused SIFT workstation. Lenny Zeltser wrote a blog earlier this month showing a few options for making the hybrid VM.

Making the hybrid VM takes a little work, but the documentation out there is great, so it is pretty easy for most people to follow along even if they are not experts in virtual machines.

You can download Remnux here: https://docs.remnux.org/install-distro/get-virtual-appliance

You can download SIFT here: https://digital-forensics.sans.org/community/downloads

Roll Your Own

There are several free options for getting ‘clean’ operating systems and baking in your own tools and configurations. Let’s face it, each of us has our own investigative methods and patterns, so building out your own system is not going to be the easiest answer, but if you build your own research VM you can keep the best tools for investigating, note taking and reporting close at hand. Below you will find a few links that may help you get started:

Ubuntu Linux

https://ubuntu.com/download/desktop


Windows 10

https://developer.microsoft.com/en-us/windows/downloads/virtual-machines/


Genymotion Android Emulator (Personal Edition)

https://www.genymotion.com/fun-zone/

My good friends at The OSINTcurious Project reminded me that our own Nixintel wrote a great blog series about building your own custom VM:

https://nixintel.info/linux/build-your-own-custom-osint-machine-diy-buscador-part-1/

If you have any VM suggestions to share or comments please drop me a line on Twitter @baywolf88

Happy OSINTing

Opting Out Like a Boss - The OSINT way (part 1)

Tip of the Hat

Quick tip of the hat to Michael Bazzell and Justin Carroll over at the Complete Privacy and Security Podcast. The offense and defense segment they do toward the end of each episode goes over one newer OSINT tactic and a way to defend your privacy against it. On a recent episode they discussed another people search site that popped up, plus the opt-out link so you can have your information removed. That episode got me thinking about these types of sites, and this blog is the result of that brainstorming session.

People Searching

If you follow OSINT or privacy techniques, then you are familiar with the main people search sites like Pipl, Spokeo and Radaris. As an OSINT investigator I try to stay familiar with both the main sites and the smaller websites that continue to appear. I note the sites with reliable results for my investigation purposes, and I make sure to opt my own information off the sites for privacy.

osintframework.com currently has 44 links to various people search websites

Opt Out

Opting out is not an easy task. It takes time and effort to remove your information from the multiple sites on the internet. Some sites have a simple opt-out page; others require a valid ID submission as proof of your record before they will remove it. It’s also not a one-and-done situation, since new search sites appear every few months.

There are two excellent resources I recommend if you are going to start down the path of opting out:

Lesley Carhart wrote a blog highlighting the removal process on several sites and also delves into security checkups on your social media accounts.

Micah Hoffman hosts an awesome document for opt out created by a colleague which is described on his website.

Once you feel like you have a handle on your publicly available info, set yourself a reminder and in about 6 months go back and look for your info online again. Be prepared for another round of opting out, and don’t forget about others in your household. Just because you removed all of your records from the internet doesn’t mean I can’t find a record of your significant other who happens to live with you now or lived with you in the past. The task of opting out is never ending. That said... can we do it more efficiently?

OSINT on the People Search sites

As I was checking out people search sites, something occurred to me. Why haven’t I done OSINT on the people search sites themselves? In the OSINT Framework screenshot I can see similarities in the names of the sites. Peoplefinder.com vs. Peoplefinders.com and TruePeopleSearch vs. FastPeopleSearch are very similar in name. The look and feel of the websites are all pretty similar, so my thought process goes like this: what if some of these sites belong to the same companies? If they did, it would be pretty easy to just launch another website and connect their people database to the new URL. Maybe there is even a trigger for the database transfer, like a certain percentage of opt-outs. That is all speculation, but I decided to dig a little bit.

I started with two sites similar in appearance and name, TruePeopleSearch and FastPeopleSearch:

Side by side view

They are visibly similar in layout, and the Terms, Privacy and Contact links toward the bottom of the web page are almost identical.

For a closer look I dropped both pages into the comparison tool at Copyscape.com. Copyscape is part of a plagiarism checking service; it runs a quick side-by-side comparison of matching words on two different web pages.

Snapshot of comparison checker at Copyscape.com

With 97 and 99 percent of the words matching each other, we can posit that even if this isn’t the same company, both sites at least used the same legal template and just swapped out the company name. They even show the same update stamp of April 5, 2017. I file this under interesting and add the comparison tool to my OSINT arsenal. Time to search at a deeper level than matching words.
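The Copyscape check above is essentially a matching-words comparison. As an added example (not from the original post, and not Copyscape’s own algorithm), the following script reproduces the idea with Python’s standard library: it tokenizes two pages, finds runs of consecutive words the pages share, and reports what percentage of each page falls inside those shared runs. The two page texts are constructed placeholders standing in for the footers of two people search sites; run it against saved copies of real pages to get figures comparable to the ones in the screenshot.

```python
import re
from difflib import SequenceMatcher

# Constructed sample footers (placeholders, not text from any real site):
# two "different" sites built on the same legal template.
PAGE_A = """
AlphaPeopleSearch is a free people search engine. Results are provided
as is without warranty. Last updated April 5, 2017.
Terms | Privacy | Contact
"""

PAGE_B = """
BetaPeopleFinder is a free people search engine. Results are provided
as is without warranty. Last updated April 5, 2017.
Terms | Privacy | Contact | Blog
"""


def tokenize(text: str) -> list[str]:
    """Lower-case word tokens; punctuation and separators are dropped."""
    return re.findall(r"[a-z0-9']+", text.lower())


def matching_words(page_a: str, page_b: str, min_run: int = 3) -> tuple[float, float]:
    """Percentage of words on each page that sit inside runs of at least
    `min_run` consecutive words also present, in order, on the other page.

    Returns (percent_of_page_a_matched, percent_of_page_b_matched). The two
    numbers differ when one page has extra content, which is why a tool like
    Copyscape reports a separate figure per page (e.g. 97 and 99 percent).
    """
    tokens_a, tokens_b = tokenize(page_a), tokenize(page_b)
    if not tokens_a or not tokens_b:
        return (0.0, 0.0)
    matcher = SequenceMatcher(a=tokens_a, b=tokens_b, autojunk=False)
    # Ignore short coincidental overlaps ("is a", "the") by requiring a minimum run length.
    shared = sum(block.size for block in matcher.get_matching_blocks() if block.size >= min_run)
    return (round(100 * shared / len(tokens_a), 1), round(100 * shared / len(tokens_b), 1))


if __name__ == "__main__":
    pct_a, pct_b = matching_words(PAGE_A, PAGE_B)
    print(f"Page A: {pct_a}% of its words match Page B")
    print(f"Page B: {pct_b}% of its words match Page A")
```

The sample gives roughly 95% for page A and 91% for page B: only the company names and the extra "Blog" link differ. Template reuse at this level is an indicator worth recording, not proof of common ownership, which is why the post moves on to DNS next.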

Sub-domain Enumeration

In the world of penetration testing, sub-domain enumeration is used to find additional servers and machines belonging to a target to increase the chances of finding a vulnerability during the pen test.

I’m not officially on the red team, so while I know of programs like Sublist3r and Aquatone that make sub-domain enumeration more automated, there are other tools that are just as easy for me and my use cases. Enter DNSdumpster.com:

I put DNSdumpster to work and looked for any overlap in the sub-domains of the people search websites. I started with the list of sites on the Inteltechniques.com Real Name Search page found here. I noticed something interesting when I got to Peoplefinders.com and Peoplesearchnow.com.

That MX record for Peoplesearchnow at 204.44.57.11 looks interesting

There it is again on Peoplefinders 

DNSdumpster has other features that I recommend exploring, like the domain mapping graphs and exporting the host info to an xls file, but more on that later. What I’ve found is my first potential link between two people search sites. To test my theory I want to try an opt-out. The domain maps lead me to believe that the PeopleFinders network is the larger one. In theory, if I opt out of the larger site, my info should drop off the smaller site as well.
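The shared MX record is one instance of a general technique: cluster domains by any DNS record they have in common. As an added example (not code from the original post or from DNSdumpster), the script below takes a mapping of domains to their MX and A records, builds an index of which domains publish each record, and unions domains that share any record into clusters. The domains, hostnames and IP addresses are constructed placeholders; in practice you would fill the mapping from a DNSdumpster host export or your own lookups.

```python
from collections import defaultdict

# Constructed sample data (placeholder domains, hosts and documentation-range IPs,
# not real lookups). Sites a/b share a mail host; c/d share both an MX host and an
# A record; e stands alone.
SAMPLE_RECORDS = {
    "search-site-a.example": {"MX": {"mail.shared-mx.example"}, "A": {"192.0.2.10"}},
    "search-site-b.example": {"MX": {"mail.shared-mx.example"}, "A": {"192.0.2.20"}},
    "search-site-c.example": {"MX": {"mx.other.example"}, "A": {"198.51.100.5"}},
    "search-site-d.example": {"MX": {"mx.other.example"}, "A": {"198.51.100.5"}},
    "search-site-e.example": {"MX": {"mx.solo.example"}, "A": {"203.0.113.9"}},
}


def shared_record_index(records):
    """Map each (record_type, value) to the domains publishing it, keeping only
    records that appear under more than one domain (the interesting overlaps)."""
    index = defaultdict(set)
    for domain, by_type in records.items():
        for rtype, values in by_type.items():
            for value in values:
                index[(rtype, value)].add(domain)
    return {key: doms for key, doms in index.items() if len(doms) > 1}


def cluster_domains(records):
    """Group domains connected by any shared record, using union-find so that
    A~B and B~C land in one cluster even if A and C share nothing directly.
    Returns clusters as sorted lists, largest first."""
    parent = {domain: domain for domain in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps lookups cheap
            x = parent[x]
        return x

    for domains in shared_record_index(records).values():
        ordered = sorted(domains)
        for other in ordered[1:]:
            parent[find(other)] = find(ordered[0])

    clusters = defaultdict(set)
    for domain in records:
        clusters[find(domain)].add(domain)
    return sorted((sorted(c) for c in clusters.values()), key=len, reverse=True)


if __name__ == "__main__":
    for (rtype, value), domains in shared_record_index(SAMPLE_RECORDS).items():
        print(f"{rtype} {value} is shared by: {', '.join(sorted(domains))}")
    for cluster in cluster_domains(SAMPLE_RECORDS):
        print("cluster:", cluster)
```

A shared MX host is a strong hint but not proof: many unrelated domains use the same hosted mail provider, so check whether the shared host is a dedicated name like the one in the screenshots or a big shared provider before treating the cluster as one company. The post’s two-for-one opt-out test is the right way to confirm a cluster.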

2-for-1 Opt-Out Attempt

First I find my record on both sites to confirm I am part of the database in both places. According to HowManyofMe.com there are approximately 142 people in the United States with the same name as me. It doesn’t take long to find my record with just my name and the state I live in.

There I am on Peoplefinders.com

There I am on PeopleSearchnow.com

You will find the opt-out link for PeopleFinders here ( https://www.peoplefinders.com/manage ) and for PeopleSearchNow here ( https://www.peoplesearchnow.com/opt-out ). I submit the opt-out on the PeopleFinders site:

Submit for my confirmation

Confirmation

My record drops off PeopleFinders.com instantly, which is nice since some sites will tell you your record may take 24 hours or more to stop showing up in search results. Before I hit submit on the PeopleFinders opt-out, I had opened my record on the other site, PeopleSearchNow, in a side-by-side browser window. After the opt-out submission I hit refresh on the browser on the right and....

Boom... 2 for 1 opt out

So my theory is confirmed: if multiple sites are indexing my data from the same company or server, I can opt out of multiple sites at once if I know which ones are connected. Since this is two sites out of many more that are online, I decide to dig further to determine whether there are other ways the people search sites are connected.

Coming in Part 2

When I took a closer look at the company contact info for PeopleFinders, I noticed another company name in the mix. I’ve done some OSINT pivoting on business search sites like Manta.com, which look at business filings and business registration info (items like DUNS number, SIC and NAICS codes, which you can read more about here).

Those pages can lead you to the company's executive names and business contact info like phone number and addresses.  I'll take a closer look in part 2.

If you have any techniques to share or comments please drop me a line on Twitter @baywolf88

Happy OSINTing