The OSINT Scammers

The police commander looked at the woman introducing me as though she was explaining advanced physics. When she completed her introduction and a brief explanation of open source monitoring he simply replied, “okay.” It was less an affirmative response than an indication he was still not sure what type of voodoo I practiced. As we walked away she said to me, “Well, he’s the incident commander and you will be spending a lot of time together…so good luck.”

The commander’s response was common ground for a law enforcement open source practitioner. To me it was neither good nor bad, but an indication of where we stand in the broader LE community. “OSINTers”, as we are called, occupy the land between true computer forensics and black magic. To some we are digital ninjas who can glide along the keyboard and produce volumes of information in less time than it takes to empty a K-cup. To others, however, we represent the best scam going. Unfortunately we’ve done this to ourselves, and if we keep it up, we will go the way of 3 ½ inch floppies.

If you walk into any law enforcement conference in the US and throw a rock, you will likely hit seven open source subject matter experts. They openly describe their art as OSINT, or open source intelligence. Their self-ascribed accolades are almost as dubious as the job they perform. Many will tell you how awesome they are, how smart they are, and how much you really need them. Some of them are products of one or two open source gathering platforms on the market. When you ask them what they do, the truth usually comes out after a few minutes of self-aggrandizement: they surf the Internet…period. Most OSINT “SMEs” use such a broad-based approach to OSINT that they end up producing volumes of useless information. In some of the worst cases, they creep through Facebook, Instagram, and others looking for photographs of marijuana, guns, and “gang indicia.” These folks will demand a high-priced OSINT gathering platform and three or four screens at their desk, and will end up costing departments thousands in overtime while producing nothing but strands of useless information. On their best days they might snag a photograph of a teenager smoking a blunt, and if the OSINT god smiles upon them they will hit the jackpot with a photograph of weed lying next to a gun in a nondescript hotel room. Huzza!

The law enforcement community is saturated with these people, and they are killing the discipline one deployment at a time. The problem with their approach is that they see OSINT as a way to impress others with tech savvy and screenshots of drugs, all while solidifying a position for themselves in the future. They rarely produce anything with evidentiary value, and if they do, courts have a field day stripping their methods and reducing them to something akin to a modern-day peeping Tom. At large events, they basically troll the Internet looking for that one terrorist who decides to tweet his attack minutes before he executes it. In short, they are more like street cops roaming the city waiting to get lucky.

In the meantime, a small cadre of well-trained law enforcement intelligence professionals is working silently in the OSINT realm. These people are the true future of LE-OSINT. They don’t need a high-priced platform, but if they have one it will be one tool in their box. OSINTers of this genre may be involved in evidence gathering, but they approach it with subpoenas and court orders. Most of them, however, see OSINT as an intelligence art like HUMINT and SIGINT, one whose proper gathering and analysis techniques take time to learn. OSINTers of this level use targeted gathering approaches so as not to waste time rifling through hundreds of spring break photos. These OSINTers spend hours preparing for large events, establishing a baseline of behavior and seeking out grassroots trends. Finally, these OSINTers respect the privacy of other users and keep an eye toward civil liberties protections.

Back to the commander and me. We spent three hours together in the command center; me working my “Matrix” style voodoo and him watching over my shoulder between trips to the meatball tray. It wasn’t till a moment wherein I was able to provide a SITREP of the entire venue footprint that he finally sat back and shot a look of approval. I don’t know what it was he wanted to see, but it was clear I’d earned my spot in the command center for several games to come. Hopefully, as we progress, we will show how this new method of public safety is worthy of the time and money that will be spent. It is my hope that in 10 years, LE-OSINT will take its place beside special investigations and computer forensics as a respected and reputable discipline.

Open Source: The New Art

There is no shortage of high-priced OSINT practitioners filling classrooms and lecture halls across the country. The once disregarded art of surfing the Internet for information has become a full-blown discipline. Many of the practitioners travelling the country as subject matter experts (SMEs) are indeed qualified and very experienced in extracting information from various Internet sources. The one aspect most of the current instructors miss, however, is what to do with the information once it has been extracted.

Just like the intelligence cycle, competent OSINT has a specific workflow: Research, Extract, Sort, Analyze, and Disposition. Research is the topic of most open source classes and symposia. Thousands of law enforcement, security, and intelligence professionals are very adept at scouring the Internet for information. Most of them are equally adept at extracting the information they need. Where the cycle falls apart in many cases is at the sorting phase. Here practitioners need to stop research and extraction and look through the data they have. Decisions need to be made, based on the mission parameters, on what is important and what is not. The data then needs to be further categorized in terms of direct impact on the mission, ancillary impact, and questionable impact. From here, the deep analysis begins.

Analysis of open source information is contingent on the overall impact to the mission. If, for example, you are investigating a series of photographs depicting a subject holding firearms, and the subject is a prohibited possessor, the analysis of the photos will need to be rigorous. An investigator will need to determine whether the suspect is readily identifiable. Are the weapons he or she possesses real or fake, and what clues lead to either conclusion? How recent is the photograph? Where was the photograph taken? Finally, what was said about the photograph by the poster and the followers? From a criminal intelligence standpoint, what about this post has ramifications beyond this case? A private security officer who is examining the photographs must review each comment to measure the general mood of the posts. A lot can be learned about employee social networks and insider threats by reading comments.

Aside from meaningful analysis, the disposition of open source information can be one of the hardest phases of the cycle. Here, a practitioner needs to store the information or deliver it to the customer who needs it. In law enforcement you have two main choices: case information and criminal intelligence. Case information means the information is evidence and needs to be stored and processed in accordance with court procedures for prosecution. The implications of such a disposition are many, due to the various methods for storing digital information. If it is determined that the information falls into the criminal intelligence realm, it is governed by 28 CFR Part 23 and will need to be audited. In the intelligence field, this information may need to be sent to other intelligence professionals for analysis of larger threats or trends. Private security may share the information with human resources professionals, or store it as part of an insider threat investigation. In any case, disposition of the information will ultimately be scrutinized and must therefore be carefully handled.

Open source intelligence (OSINT) is still an emerging tradecraft and will go through many iterations before it is commonly accepted. Following the cycle above and seeking out training that reinforces the cycle will build a cultural foundation for practitioners and make the discipline far more reputable. As challenges arise, security will be found in establishing solid industry standards like the cycle described above. For those in command positions: seek out full scope training and move away from training that focuses on only one aspect of the discipline. After all, looking at a small piece of the canvas is nowhere near as inspiring as seeing the full painting.