MABS tools and techniques



submessenger
9/06/2016 7:44am,
Seems we have a lot of MABS threads that never get off the ground, because the initial reporter hasn't taken time to do any investigation. I've also seen plenty of threads, over the years, where the subject of investigation gets wind and changes their online presence.


With those symptoms in mind, it's a good idea to share some tools and basic investigative techniques, to enable all Bullies to better pursue investigations.


This will be the first in a series of posts which exposes tools and methods for gathering information, with a focus on martial arts. goodlun and I will be posting videos, screenshots, links, and write-ups, here.

This is a MABS sticky thread, so off-topic posts and derails WILL be culled to a new location. But, if you have constructive tips or advice to add, here, it will be welcomed.

submessenger
9/06/2016 4:46pm,
Lesson 0: CamStudio. Excellent screengrab software. You should have it installed by default. http://www.camstudio.org/


https://www.youtube.com/watch?v=t02g4s5860c

submessenger
9/08/2016 10:26am,
Lesson 2: Introduction to CaseFile, and harvesting information on IP addresses and domain names

This one was ready, first, so I'm putting it out there. The first thing you should do is in Lesson 1, which should be going online sometime today. Until then...


https://www.youtube.com/watch?v=MmqZ9ztC1dE

There are a couple of pro-tips I didn't include in the video, because unscripted. I also failed to write them down, but I remember one right now. Many internet providers and hosting companies, these days, will force you to take a CIDR block of 8 addresses (a /29, in tech parlance, which translates to 5 usable IP addresses). That is because ARIN requires a public registration of information at that minimum level; so, if you're doing something disreputable, online, the WHOIS lookup will show your information, not the provider's.
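Added example (not from the thread or the video): a short Python script that works out the arithmetic behind the /29 pro-tip above. Python's standard ipaddress module finds the block that contains any address in it, lists the host addresses, and then applies the reservations that bring 8 addresses down to 5: network address, broadcast address, and one gateway. Treating the first host as the provider's gateway is an assumption of this script, not something the post states. The second function shows why WHOIS behaves the way the post describes: any two addresses in the same /29 map to the same registered allocation.

```python
import ipaddress


def block_summary(cidr, reserve_gateway=True):
    """Describe the block containing `cidr` (host bits allowed; strict=False
    derives the network address), then apply the usual reservations."""
    net = ipaddress.ip_network(cidr, strict=False)
    hosts = list(net.hosts())  # network and broadcast addresses already excluded
    # Assumption: the provider keeps the first host address as the gateway
    gateway = hosts[0] if reserve_gateway and hosts else None
    customer = hosts[1:] if gateway is not None else hosts
    return {
        "network": str(net),
        "total_addresses": net.num_addresses,
        "broadcast": str(net.broadcast_address),
        "gateway": str(gateway) if gateway is not None else None,
        "customer_usable": [str(h) for h in customer],
    }


def same_block(ip_a, ip_b, prefixlen=29):
    """True when both addresses sit in the same /prefixlen allocation, so a
    WHOIS query on either one returns the same registration record."""
    block = ipaddress.ip_network("%s/%d" % (ip_a, prefixlen), strict=False)
    return ipaddress.ip_address(ip_b) in block


if __name__ == "__main__":
    # 203.0.113.0/24 is a documentation range (RFC 5737); constructed sample
    summary = block_summary("203.0.113.10/29")
    for key, value in summary.items():
        print("%-16s %s" % (key, value))
    print("same /29 as .14:", same_block("203.0.113.10", "203.0.113.14"))
    print("same /29 as .16:", same_block("203.0.113.10", "203.0.113.16"))
```

Run it with any address from the site you are looking at and it tells you the smallest block a WHOIS record could cover; if two hosts you care about land in the same /29, expect a single registrant for both.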

submessenger
9/08/2016 1:05pm,
Lesson 1: HTTrack

Start here, seriously. This is your first step. Do this before you start a MABS investigation.

In this video, I introduce basic HTTrack usage, and have some fun sifting through images on Ashida Kim's website:


https://www.youtube.com/watch?v=VBd3mNdN7SI

scipio
9/09/2016 5:35am,
Lesson 1: HTTrack

Start here, seriously. This is your first step. Do this before you start a MABS investigation.

In this video, I introduce basic HTTrack usage, and have some fun sifting through images on Ashida Kim's website:


https://www.youtube.com/watch?v=VBd3mNdN7SI

Really like the demo - HTTrack looks like an incredibly useful tool - wish we had used it when we investigated Richard Spencer the other year.

Question, you mentioned that when you are downloading the site and you use their bandwidth there is a risk that you might take their website down in what would be an effective DOS attack. Are we leaving ourselves open to potential prosecution?

submessenger
9/09/2016 7:09am,
Really like the demo - HTTrack looks like an incredibly useful tool - wish we had used it when we investigated Richard Spencer the other year.

Question, you mentioned that when you are downloading the site and you use their bandwidth there is a risk that you might take their website down in what would be an effective DOS attack. Are we leaving ourselves open to potential prosecution?

Not necessarily. I should have worded that better. What I mean is that it is conceivable that you could tweak the settings up high enough to saturate their bandwidth or saturate your own bandwidth. If you stick with the defaults, you're probably in no danger of causing them trouble.

submessenger
9/09/2016 1:30pm,
Lesson 3: Introduction to Photo Forensics


https://www.youtube.com/watch?v=Z9Jg6cEAkH0

(edit) I knew I forgot something... That's not Crocop, that's W Silva, duh, axe murderer. I can be very dense, sometimes.

Cake of Doom
9/12/2016 5:58am,
Really like the demo - HTTrack looks like an incredibly useful tool - wish we had used it when we investigated Richard Spencer the other year.

Question, you mentioned that when you are downloading the site and you use their bandwidth there is a risk that you might take their website down in what would be an effective DOS attack. Are we leaving ourselves open to potential prosecution?

That's true with the Spencer thread. His site was changed so regularly, that the thread got saturated with screen shots.

scipio
9/12/2016 6:54am,
That's true with the Spencer thread. His site was changed so regularly, that the thread got saturated with screen shots.

I know - if I remember we were scrabbling around trying to save screen shots in a format that could be posted!

submessenger
9/12/2016 7:20am,
I know - if I remember we were scrabbling around trying to save screen shots in a format that could be posted!

It may seem obvious, today, but a decent way to get screenshots of web sites is to print them to PDF or XPS. There are some quirks with that, but seems like good fodder for another short tutorial.

That Spencer thread also raises another topic, which is versioning - especially for volatile sites, like that. I'll add that to my list of things to get to, as well.

submessenger
9/12/2016 9:08am,
OK, quick addendum to the HTTrack video. Here, I briefly cover some other HTTrack options, as well as The Wayback Machine (http://www.archive.org/web/) and Google cache.


https://youtu.be/lxtqQn6uNG4

ChenPengFi
10/27/2016 2:54pm,
The error level analysis page that was used here in the past is no longer up.
I found this one but haven't tried it yet.
https://29a.ch/sandbox/2012/imageerrorlevelanalysis/

Any other suggestions along those lines for detecting altered images?

submessenger
10/27/2016 2:57pm,
The error level analysis page that was used here in the past is no longer up.
I found this one but haven't tried it yet.
https://29a.ch/sandbox/2012/imageerrorlevelanalysis/

Any other suggestions along those lines for detecting altered images?

I highlight a few options in my Photo Forensics video; I suppose I should also post the URLs, here. Or, you can do it yourself using GIMP or Photoshop (GIMP is covered in the video).

(edit)
https://www.izitru.com/
http://fotoforensics.com/
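Added example (not from the thread, and not code from any of the sites linked above): before an online ELA service ever looks at pixels, its metadata view reads the JPEG container itself, and that part is easy to do locally and to show your work on. The script below walks the JPEG marker segments, counts the APPn and quantisation-table (DQT) segments, pulls the Make, Model, Software and DateTime strings out of the Exif IFD0, and flags the two things a reviewer checks first: a Software tag naming an editor, or no Exif at all. The sample file is constructed in the script (a metadata-only JPEG with no image data), so the tag values are made up and the editor-name list is an assumption of this example, not a rule from the video.

```python
import struct

# IFD0 ASCII tags worth reading during triage (tag numbers from the Exif/TIFF spec)
ASCII_TAGS = {0x010F: "Make", 0x0110: "Model", 0x0131: "Software", 0x0132: "DateTime"}
# Assumption of this example: editor names that merit a second look in the Software tag
EDITOR_HINTS = ("photoshop", "gimp", "lightroom", "paint.net")

# Constructed sample tag values; nothing here comes from a real photo
SAMPLE_FIELDS = {0x010F: "Canon", 0x0110: "Canon EOS 5D",
                 0x0131: "Adobe Photoshop CC", 0x0132: "2016:10:27 16:48:00"}


def build_sample_jpeg(fields):
    """Constructed sample: SOI, one APP1/Exif segment whose IFD0 holds the given
    {tag: text} ASCII entries, one DQT segment, EOI. No image data is included."""
    n = len(fields)
    entries, extra = b"", b""
    data_start = 8 + 2 + 12 * n + 4  # TIFF header + entry count + entries + next-IFD pointer
    for tag, text in sorted(fields.items()):  # TIFF requires ascending tag order
        value = text.encode("ascii") + b"\x00"
        if len(value) <= 4:  # short values are stored inline in the entry
            entries += struct.pack("<HHI4s", tag, 2, len(value), value.ljust(4, b"\x00"))
        else:  # longer values follow the IFD and are referenced by offset
            entries += struct.pack("<HHII", tag, 2, len(value), data_start + len(extra))
            extra += value
    tiff = b"II*\x00" + struct.pack("<IH", 8, n) + entries + struct.pack("<I", 0) + extra
    app1_payload = b"Exif\x00\x00" + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(app1_payload) + 2) + app1_payload
    dqt_payload = b"\x00" + bytes(range(1, 65))  # table id 0 plus 64 dummy quantiser values
    dqt = b"\xff\xdb" + struct.pack(">H", len(dqt_payload) + 2) + dqt_payload
    return b"\xff\xd8" + app1 + dqt + b"\xff\xd9"


def iter_segments(data):
    """Yield (marker, payload) for each marker segment up to SOS or EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        while data[pos + 1] == 0xFF:  # skip optional 0xFF fill bytes
            pos += 1
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI, or SOS where entropy-coded data starts
            return
        if pos + 4 > len(data):
            raise ValueError("truncated segment at offset %d" % pos)
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # includes the 2 length bytes
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def parse_exif_ascii(payload):
    """Return {tag name: text} for the ASCII tags in IFD0 of an APP1/Exif payload."""
    if not payload.startswith(b"Exif\x00\x00"):
        return {}
    tiff = payload[6:]
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None:
        raise ValueError("bad TIFF byte-order mark")
    ifd = struct.unpack(endian + "I", tiff[4:8])[0]
    count = struct.unpack(endian + "H", tiff[ifd:ifd + 2])[0]
    found = {}
    for i in range(count):
        entry = tiff[ifd + 2 + 12 * i:ifd + 14 + 12 * i]
        tag, typ, cnt = struct.unpack(endian + "HHI", entry[:8])
        if tag not in ASCII_TAGS or typ != 2:  # type 2 is ASCII
            continue
        if cnt <= 4:
            raw = entry[8:8 + cnt]
        else:
            off = struct.unpack(endian + "I", entry[8:12])[0]
            raw = tiff[off:off + cnt]
        found[ASCII_TAGS[tag]] = raw.rstrip(b"\x00").decode("ascii", "replace")
    return found


def triage(data):
    """Summarise the container-level facts a forensics site shows first."""
    report = {"exif": {}, "dqt_segments": 0, "app_segments": [], "notes": []}
    for marker, payload in iter_segments(data):
        if 0xE0 <= marker <= 0xEF:
            report["app_segments"].append("APP%d" % (marker - 0xE0))
        if marker == 0xE1:
            report["exif"].update(parse_exif_ascii(payload))
        elif marker == 0xDB:
            report["dqt_segments"] += 1
    software = report["exif"].get("Software", "")
    if any(hint in software.lower() for hint in EDITOR_HINTS):
        report["notes"].append("Software tag names an image editor: " + software)
    if not report["exif"]:
        report["notes"].append("no Exif ASCII tags: metadata stripped or never present")
    return report


if __name__ == "__main__":
    for label, fields in (("edited", SAMPLE_FIELDS), ("stripped", {})):
        print(label, triage(build_sample_jpeg(fields)))
```

To use it on a real file, replace build_sample_jpeg(...) with open(path, "rb").read(). An editor name in the Software tag or a complete absence of Exif is not proof of tampering on its own (plenty of upload pipelines strip metadata), but it tells you which of the pixel-level checks in the video to run next, and the parsed fields are something you can paste into a thread instead of "look what happened when I did xyz".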

ChenPengFi
10/27/2016 3:14pm,
I highlight a few options in my Photo Forensics video; I suppose I should also post the URLs, here. Or, you can do it yourself using GIMP or Photoshop (GIMP is covered in the video).

(edit)
https://www.izitru.com/
http://fotoforensics.com/



Thanks, must have missed that bit.
I have gimp and paint.net but was looking for online options.
It can be better to point to a third party site rather than,
"Well look what happened when I put it in this program and did xyz..."
when doing forensics.

submessenger
10/27/2016 3:41pm,
Thanks, must have missed that bit.
I have gimp and paint.net but was looking for online options.
It can be better to point to a third party site rather than,
"Well look what happened when I put it in this program and did xyz..."
when doing forensics.

Good point. I allude to it a couple of times in the videos, but I still haven't done a chain-of-custody discussion. One of these days...

submessenger
10/27/2016 4:48pm,
OK, here's a quiz.

1) Is this a fake?
2) If so, how did they fake it?
3) What analysis methods led you to that conclusion?

GO!

http://i.imgur.com/kGdp1o5.jpg

(edit) I'll give you all a day or two to work the problem. Use your own methods, and/or anything I discuss in the Photo Forensics video, above. I'll be recording my analysis tomorrow morning. No cheating!