Showing posts with label Investigations. Show all posts

Saturday, July 5, 2014

INFOGRAPH: What Happens to A Social Media When The User Dies


In my current occupation, as an investigator, most of my day is spent on social media. Much of that time is used figuring out who the account belongs to in order to make contact with the user for a case I'm working on. In security, we're often monitoring social media to gain some insight on kinetic events in our areas of operation. In either case, we run the risk of finding out that the users of these accounts are dead, with little information given as to who may be using the account in their stead. I found this infograph here and am sharing it on this space to help other practitioners.

Monday, December 9, 2013

Social Media Investigations 101 - Are You Sure You Want To Post That?

Soooo.... You've been on Facebook a while and you've set your privacy settings to whatever new super-secret stealthy hidden mode setting Facebook has. You probably also feel like none of your 400+ friends would ever tell anyone what you post. You look at articles about people posting things they shouldn't going viral and you think "I'm so glad that's not me. I would never do something like that." I destroy that myth every day at my job. In real life, I investigate leads in criminal cases which can aid my clients. A favorite place I go for these leads is social media.

When I tell people I go to Facebook for leads, the first thing they like to say is "Well, you're not going to find anything on me like that." I'm polite so I smile and tell them "Probably not." Of course, I'm lying. If I've told you that, this is where you're probably feeling a little uneasy. Let's be clear, if I don't have an interest in finding something, I probably won't find it. That's not to say I can't because I assure you I can.

So, let's break down how I might do a social media query. I won't bore you with site specifics but I will address some things that are common throughout the social media investigations landscape. This is not to scare you. I am merely trying to inform you so you understand exactly what information you voluntarily give away.

Disclaimer: For the experts: This is not all-inclusive and I'm aware of the many advances in social media investigations. This is mainly informative for those who may not know and to spark some discussion. All others: Please check your jurisdiction for whatever legalities may exist for you.

The best way to illustrate this topic is to assume you'll be doing a search yourself. If you don't mind being spooked, try this on yourself assuming you're a complete stranger who's only been given the task of obtaining whatever information exists on you in social media. I recommend creating your own "blank" account that you have no affiliation with to get started. When we get to associates, feel free to pretend and assume the worst about people on your friends list you haven't seen or spoken to in some time.
  1. Start with a subject. Having a name (preferably a first and last name) is good. I've done this with neither. More on that later.
  2. Put the name in the search box of the social media site you're searching. This is fruitful if you're seeing if someone is on the site or if the profile is possibly "hidden" from searches. The latter requires you to know the subject is actually on the site. While doing this, play around with nicknames or aliases. A personal favorite of mine is email addresses. I also use their most used username if I know it. I have also looked up last names only just to see if someone posts things to a relative's profile.

    When searching Google, try to place quotation marks at the beginning and end of your subject's name. Also, type in Novice searchers give up because the results are too many. This narrows it down quite a bit.

    Despite what you think, no name is too common for a determined investigator. There are other things than our names that differentiate us. For example, your name is "John Smith". That's too common of a name for some investigators. But what happens when I search for "John Smith" in Dayton, OH who is a police officer married to a woman named Ebony? If you're the target, you're not as anonymous as you thought.
  3. Search them by username and old phone numbers. Sometimes, this is all you have to go on. Do it. That username may be their most commonly used one for everything. This could lead to old social media profiles (a time machine treasure trove of forgotten pics, lifetime issues and events, contacts, etc.), photo-sharing sites they frequent, articles they bookmark (Pinterest), comments they've made on other sites (Youtube can be great for this stuff), and sites they don't want anyone to know they frequent. Getting the username can be tricky. If I have a confirmed profile for them, I'll take the username that is in the profile's URL and then perform an "exact phrase" search on Google.

    I like to try the phone number search quite a bit. I'm not looking for an address necessarily if it's a social media investigation. Some profiles are only searchable with a phone number. Also, people post their numbers on sites that don't value privacy. For example, you run a shop that sells auto parts. As such, you belonged to a parts forum online. There you posted your number to get orders under a username I never knew existed. Not only do I possibly have historical data on you, but I may also get a look at your posts there as well as whatever I can dig up on this old username.
  4. If none of this proves fruitful, try a Google Image search. You may not be aware of this but Google now allows you to search by image. That means, I don't need your name to find you on the Internet. Sometimes, I find people use the same photo for most sites they frequent. Perhaps, you'll find a site with a picture you have and can dig up useful information such as other pictures, other usernames, and most importantly, associates.
  5. Associates are where the money is. Seriously, most people assume, wrongly, their Facebook friends feel the same way they do about things or they feel some impunity with what they post to their audience. In some cases, this may be true. However, I can guarantee it probably is not. Finding associates can be tricky if you don't know much about your subject. Hopefully, Google will help you out here. If not, I recommend spending the $19.95 to use people-search sites like Intelius or Spokeo. This should give you a list of names of people who either know your subject or lived in the same area as him. Also, try Someone went to high school with your subject and I bet you they're still on their Facebook friends list. Another feature of some sites' search engines is the suggested friends list. If you're friends with their friends, social media sites like to let you know and ask if you want to be your subject's friend. Of course, you don't. But this provides you with that profile you've been looking for or at least one of them.

    Old friendships are tricky. We think the people who have known us the longest have our best interests at heart. Let me assure you, some of them don't. Most people trust these folks with lots of personal information when they go on a tirade or a rant. The simple truth is if someone has it in for you, they can voluntarily give anyone access to whatever you share with them online.

    This young lady thought she was being "funny" outside of Arlington. Several of her "friends" didn't think so.
  6. Be careful what you "like". People wrongly assume the pages they like or the comments they reply to on someone else's page are somehow protected. Yeah, that is totally wrong. It is protected ONLY if they have set themselves up with the strictest privacy settings. Many times, a person's "likes" can reveal a lot about themselves even if an investigator can't see anything else. A great example is Facebook Groups which advocate violence or are sexually explicit. Unfortunately, people forget to hide what pages they "like" and it suddenly has some bearing on something they never imagined it would.
  7. Search for a name in a foreign language. I see you laughing but I once had someone hide their profile by using another language to hide their name. It's a great idea but as I ran out of options, I went to Google Translate and entered the subject's name from English to Korean. Suddenly, her profile appeared.
  8. Search their friends' friends list. Some people hide in plain sight. You may be searching for the right subject but entered the wrong letter. A friend's friends list will probably have the name as something else.
  9. Search EVERY PHOTO, LOCATION TAG, EVENT SIGN-IN, etc. Sometimes, the information we seek is in places we dismiss as being "dry". Look through EVERYTHING. Trust me. This alone can give you more associates, the state of mind of your subject, places they've been or frequent, events they've been to or locations they can be expected to be at, and all the drama that comes with social media picture posting.
  10. When you've found what you're looking for, archive it. This sounds easier than you think. Grab your smartphone and take a picture of your screen where the information is. People trust screenshots more than they do a link they can click.
  11. Do this exercise on yourself and assume your current or future employer, spouse, child custody judge, friends, family, and others are doing the same. Those who get their 15 minutes of fame from poor Facebook posts never seem to think they'd get turned in by their "friends". Also, here's a tidbit - if you're posting information you shouldn't, never exclaim "I don't care who sees this." I GUARANTEE you will.
*Some places I like to go to search for social media investigation queries
*You're not getting all of my trade secrets

Tuesday, February 5, 2013

15 Things To Remember To Do When An Adult Goes Missing

A perfect example of what a missing person's poster should look like.

When you proclaim to be a "security expert", people can ask you a litany of questions about a variety of security-related topics. They range from the mundane ("Can you tell me what the best lock to buy is for my backyard?") to the more serious. The other day a dear friend asked me about the latter. It's the toughest one to give a lot of good advice on.  However, he was a friend and so I gave him what little advice I thought was helpful. His question was "How can I find a missing adult?". This question is tough for a variety of reasons. One of those reasons is when looking for missing adults, you're doing what I call "chasing a ghost". Sometimes, when adults go missing, they hide better than my preschooler when I say it's time for a nap. Many do this for numerous reasons like drugs, domestic violence, stalkers, divorce, debt, etc. So what happens when you're a legitimate party concerned for their well-being and you need to find them?

  1. Call the hospital emergency room. Some hospitals are cool. Others will make life difficult. Actually, that's an understatement. Since the inception of HIPAA, hospitals have treated medical information with higher security protocols than at Area 51. So how do you circumvent the inevitable "I can't tell you that"? Easy. You reply "Can you at least tell me if you have a John/Jane Doe fitting this description?" Be specific and be prepared to go there. You'll need to do this every day until you find your target.
  2. Call the morgue. I know it's crappy to do. However, people die without identification sometimes. Our national health records are still woefully behind. So you'll have to call the morgue periodically. Ask them if they had any John/Jane Does fitting the description of your target with clothes you last saw them in. Be specific and be prepared for the worst.
  3. Call the jail. It's crappy but it's necessary and realistic. Seriously, you and your spouse fight. They leave and have a beer or more. Cop pulls them over for DUI and he sits in a cell sobering up. Calling you is the last thing on his mind. It happens more than many people will admit. You want the numbers for the county jail and the police department's "lock-up". 
  4. Compile a list of email addresses, social media account information, and cell phones used by the missing persons. Law enforcement will ask for this at some point and it's good for your own personal investigation as well. Just remember to forward whatever leads you have to the cops.
  5. You need pictures. Find photos from social media, cell phones, cameras, USBs lying around, etc. What you want are FULL FRONTAL (not that frontal) face shots. You want people to see a face and a body as well. The picture should be clear and easily transferable to various media like newsletters, posters, cards, etc.
  6. You need these pictures ASAP. These are the first things the cops ask for. So have them ready.
  7. Make your poster and distribute it to places within a 10 mile radius. The poster is easy. Go to an office print shop and tell them what you need. Come back in an hour and you have a missing person poster. What do you want on the poster? Easy. It should resemble a "Wanted" poster. Full face shot with name, nickname, vehicle last seen in, medications needed (people are more prone to look if they know a person could be sick), contact info for you, and any sizable reward money you may have. Distribute this poster at gas stations, convenience stores, drug stores, and fast food places. You'll need to talk to management. That's great because now you can make face-time with the staff who may have seen him as well. Go to bars only if you're comfortable. Here's a link to a really cool template I use on occasion:
  8. Call their friends and family. Don't just call siblings and parents. Call extended family. Someone may have information but not be able to communicate that to siblings and parents. Treat these people like informants. Vet them and ponder their motivations. Never "burn" them. If they tell you something in confidence, it should remain there. You may need them later.
  9. File a stolen vehicle report immediately. Why? Anyone who has ever worked as a police officer will tell you why. It's simple. Cops get briefed at the beginning of their shifts on newly reported stolen vehicles. They love looking for these because they are a guaranteed arrest. So they will be actively looking for our missing person's car. DO THIS ONLY IF YOU OWN THE VEHICLE AS WELL!
  10. Physically walk your missing person's steps from the day they went missing back 24 hours. Sounds crazy but investigators do this at crime scenes. This is how they discover new clues they never saw before. Note where they could have gone, what could have caused them to go missing, and who would have seen them.
  11. Go through their social media life for the past week and note new acquaintances, stressors, topics and areas of interest, and any place they would have gone before under similar circumstances. You should be looking at check-ins, reviews on favorite eating establishments, sentimental locations, any significant dates (death, divorce, birth), increased communication with certain people, and noted change in tone or attitude.
  12. Create a checklist and do this again until you find them. This takes time. A lot of time. Be prepared to revisit these items daily. Annotate any leads in a notepad and revolve your day around following new leads and the checklist. You want to be systematic and thorough. Consider expanding your search on a weekly basis in 5 to 10 mile increments. Pick something that is manageable. Above all, remain calm and be patient.
  13. Don't be afraid of the media. Seriously, call the press ASAP. Make your significant other matter to them. Mention veteran status, children, career aspirations, contributions to society, suspicious circumstances as long as they don't sound like a Univision soap opera, etc. Tell the truth. Never lie or embellish. You lie now and when you need them to believe you they won't.
  14. Stay on the police and forward any significant leads to them. Let me be clear: "Leads are not significant if you're just calling the cops to tell them they suck". Remember what I said about being patient? You're not the only person who is missing someone. However, call them periodically and get to know who is working the case. Ascertain when you can expect contact from them. Ask them what steps they're taking. You don't want to double your efforts but you do want to close any gaps. If you're not making headway with them, remember everyone has a supervisor.
  15. The keys to success in this game are persistence, patience, and diligence.

Thursday, January 10, 2013

Have You Seen Former FBI Agent Robert Levinson?

Former Special Agent Robert Levinson missing since March 2007
Robert Levinson is a former FBI agent who has been missing since March 2007 in Iran. He was acting as a private investigator looking into cigarette-smuggling. There has been contact between the hostage-takers and Robert Levinson's family. There are some experts who have noted the sophisticated tradecraft involved in the transmission of these messages from the hostage-takers. They conclude this points to Iran clearly. The Iranian government contends they had nothing to do with this. Iranian president Mahmoud Ahmadinejad has stated, "Our security officials and agents have expressed their willingness to assist the FBI, if the FBI has any information about his travels around the world." It's curious he would make such a statement. What would his "travels around the world" illuminate for the Iranians? Ahmadinejad has a history of playing coy whenever the Iranians have been directly linked with any nefarious activities. It's like asking your child to tell you who broke the lock on a drawer where you were keeping his Christmas presents and having them reply "I would be happy to help you find the lock if you would tell me what the lock was protecting."

Here's an example of the messaging sent to Levinson's family.

Levinson supposedly met with Dawud Salahuddin, an American fugitive who converted to Islam and later assassinated an Iranian diplomat in the US. Salahuddin describes himself as a close friend with whom he "shared hotel room on Kish on March 8. Iranian officials in plain clothes came to the room and detained and questioned Salahuddin about his Iranian passport, Salahuddin said. On his release a day later, Levinson had disappeared, and the Iranian officials told Salahuddin he had left Iran." Salahuddin then says something that caught my eye - "I don't think he is missing, but don't want to point my finger at anyone. Some people know exactly where he is," Salahuddin told the newspaper (Financial Times). "He came only to see me." Salahuddin is in a very tricky spot. Levinson was meeting him to network with Iranian officials who might provide leads for a cigarette company that retained Levinson's services. Salahuddin can't go into further details because of his delicate situation there - he's political in Iran and has supported reformers who oppose the current regime. If the Iranians did take Levinson and Salahuddin knows something, I would suspect he's not going to say much for fear of endangering his safe-haven.

Fred Burton, the VP for Intelligence at Stratfor, has put out a video talking about hypothetical investigative techniques US authorities have engaged in since they received the messages from the hostage-takers. It is interesting to note the correlation between the imagery analysis to find terrorist groups via their messaging and the analysis that goes into locating a hostage like Levinson with similar messaging. His video is below.

I have several readers in Iran.  So I'm going to post Levinson's picture and biographical data as well as a link to his family's blog.

Kish Island, Iran
March 9, 2007 


Date of Birth: March 10, 1948
Place of Birth: Flushing, New York
Hair: Gray
Eyes: Blue
Height: 188 cm (74 inches) - at the time of his disappearance
Weight: 104 kg (230 pounds) - at the time of his disappearance
Remarks: Levinson wears eyeglasses. He is believed to have lost a significant amount of weight, possibly 50-60 pounds.


Information is being sought regarding United States citizen Robert A. Levinson, a retired FBI Special Agent, who went missing during a business trip to Kish Island, Iran, on March 9, 2007. Levinson retired from the FBI in 1998 and worked as a private investigator following his retirement. Levinson traveled to Kish Island, Iran, on March 8, 2007, working on behalf of several large corporations, and his whereabouts, well-being and the circumstances surrounding his disappearance have been unknown since that time. 


The United States Government is offering a reward of up to $1,000,000 for information leading directly to the safe location, recovery and return of Robert A. Levinson 


If you have any information concerning Robert Levinson, please contact the FBI Tip Line at You can also contact your nearest American Embassy or U.S. Consulate

Field Office: Washington Field Office

Sunday, January 1, 2012

HOW-TO: Spot a Liar

If you're involved in investigations or ever have need to know if someone is deceiving you, then learning to spot a liar and their "tells" is paramount to your success. "Tells" are those things we all do when telling a lie. Deception was man's first camouflage against other human enemies. Just like camouflage, deception can be detected if you know what you're looking for. I HIGHLY recommend watching the video below by Pamela Meyer, a lie detection expert.

According to her site, "Pamela Meyer is founder and CEO of Simpatico Networks, a leading private label social networking company that owns and operates online social networks. She holds an MBA from Harvard, an MA in Public Policy from Claremont Graduate School, and is a Certified Fraud Examiner. She has extensive training in the use of visual clues and psychology to detect deception."

Judging from this video, when they say a woman's intuition is almost always spot-on, I'm inclined to believe they may not be too off.

Click here to obtain a copy of her latest book - Liespotting: Proven Techniques to Detect.

Tuesday, December 27, 2011

Would you hire a marijuana grower as your CSO? The Sinaloa cartel did....

Felipe Cabrera Sarabia is shown to the press under the custody of army soldiers at the federal organized crime investigations headquarters in Mexico City, Dec. 26, 2011. (AP Photo/Marco Ugarte)

When I read a headline announcing Felipe Cabrera Sarabia's capture, I was expecting a guy from Scarface not a guy who looks like he should be at a booth for next year's ASIS conference.  The media and the Mexican authorities have dubbed him Joaquin Guzman Loera's "security engineer".  What that means in the security industry and what that means for the guy who protects the assets and safety of the world's biggest drug cartel are two very dissimilar things.

According to Forbes magazine, "Sarabia has allegedly been running operations for the Sinaloa cartel in northern Mexico". Can you imagine if Steve Jobs had left the daily operations of Apple to his chief security officer? I'm not knocking the person but that's one heck of a leap. In addition to finding ways to protect the cartel from the Mexican authorities, Sarabia had the somewhat daunting task of dealing with rival cartels. If you've been paying any attention to events south of the U.S. border, you know this is not getting easier.

How and why Mr. Sarabia earned the moniker "security engineer" are what struck me, given his increased responsibilities since his boss went into hiding. Forbes stated, Mexican army spokesman General Ricardo Trevilla said in a press conference on Monday, "Cabrera and three of his brothers began as marijuana growers and that Cabrera rose through the Sinaloa ranks by using violence against his rivals. In recent months, Cabrera waged war against a rival faction of the Sinaloa cartel known as the "Ms", leading to a surge in violence around Durango."

In this June 20, 2011 photo released by Mexico's Attorney General's office, police from the Federal Public Ministry looks at drums of precursor chemicals for methamphetamine that were seized in Queretaro, Mexico. Mexican authorities have made two major busts in as many months in the quiet central state of Queretaro. In one case, they seized nearly 500 tons (450 metric tons) of precursor chemicals. Another netted 3.4 tons (3.1 metric tons) of pure meth, which at $15,000 a pound would have a street value of more than $100 million. Mexico's most powerful drug cartel appears to be expanding methamphetamine production on a massive scale, filling a gap left by the breakdown of a rival gang that was once the top trafficker of the synthetic drug. (AP Photo/Attorney General's office)

Mexican authorities found 14 mass graves with 287 bodies in Durango.  Cabrera was busy.  Killing is one thing but drug dealing is a whole separate part of his job.  Mexican law enforcement  has seized over 550 metric tons of chemicals used to make methamphetamine, in the last 6 to 8 months.
Mexican police excavating a mass grave in Durango
Just in case you're wondering how you capture someone like this, the answer is quite simple - snitches. I just want you to know I have zero verifiable information to back that up. However, there are a few things the Mexicans admitted that bring me to that conclusion. They stated not a single shot was fired. That meant they had actionable intelligence on where he was and how vulnerable he would be when they struck. You don't get that by listening to a wire all day. You need someone on the inside and clearly the Mexicans did.

What does this mean for his boss and the cartel?  The U.S. currently has a $5 million bounty for Loera, while the Mexicans want him for $7 million.  Not bad for a guy who Forbes listed as a billionaire with over $1 billion in wealth and was listed as #55 out of 100 on their World's Most Powerful People List for 2011.  As far as the cartel is concerned, who knows.  My guess is they'll capture or kill Loera (my money is on the latter) and they'll proclaim a major "victory".  This will put a very small dent in the overall drug trade, as the international appetite for drugs continues to grow at an exponential rate.  Supply and demand is the law of the drug trade.

If you have any information about the whereabouts of Mr. Loera, call:
1-877-WANTED2 (1-877-926-8332)

Friday, December 16, 2011

Targeting Transnational Drug Trafficking Act of 2011 passed by US Senate

Ahhh snap! According to the United States Senate, the boys and gals at the Department of Justice and the Drug Enforcement Administration just got "additional tools to target extraterritorial drug trafficking activity". Yesterday, December 15, they passed Senate Bill 1612 (aka Targeting Transnational Drug Trafficking Act of 2011) introduced by Senators Gloria Feinstein (D-CA), Richard Blumenthal (D-CT), Robert Casey (D-PA), Charles Grassley (R-IA), Charles Schumer (D-NY), Tom Udall (D-NM), and Ron Wyden (D-OR). Basically, this makes it a crime to manufacture or distribute a chemical knowing or intending for its import into the United States specifically within 12 nautical miles of the US. What does that mean? Let's say you distribute HU-210 (synthetic cannabis) which is "100 to 800 times more potent than natural THC". Given the knowledge of its Schedule I status, any chemicals found to be used in its creation could become prosecutable. The manufacturers of these compounds have also won themselves a seat at the defense table along with you. If enforced, this might have a profound impact on loophole-savvy "legal pot" storefronts.

Wednesday, December 14, 2011

What happens online - NEVER stays there....

Pay VERY close attention to what I have to say:
  1. The information you see below is not stored on our site and is only visible to you. I found this site while looking for resources on background checks (mostly locating skips).
  2. The information was allocated using information (i.e. torrent files you downloaded, IP address) your computer provided when you, someone in your home, or someone who gained access to your WiFi network downloaded those files.
  3. I am publishing this tool with the hope people will gain a better insight into how their activities can and are being monitored on the Web via information they provide sometimes unknowingly.
  4. There is a removal tool.  However, it only removes your information from their site.  I HIGHLY, HIGHLY, HIGHLY suggest you use it and never have a need for it again.

Saturday, December 3, 2011

HOW-TO: Build and Beat a Polygraph

During Defcon 2010, a talk was given on how to build a lie detector and "beat" it. I've been enthralled by the idea of lie detectors for some time. My curiosity has always been whether the simple notion of having a scientific manner of detecting deception is psychosomatic enough to arouse certain deception "indicators" that can be picked up by the machine. In plain English, I'm curious as to whether people fail these tests purely because they know a machine is actively looking for any signs of deception and there is no way to know what questions may be asked, so they unconsciously allow themselves to be caught by it. If anyone has any ideas, feel free to shoot them my way.
