History of OSINT


When did the practice of OSINT start?

As early as the World War II era

What was the main purpose of the Foreign Broadcast Information Service (FBIS) of US?

To monitor publicly broadcast news sources for information related to troop operations

What type of information did the FBIS primarily focus on?

Publicly broadcast news related to troop operations

What is the significance of World War II in the history of OSINT?

It marks the beginning of OSINT as an organised practice

What is the main characteristic of the information monitored by the FBIS?

It was publicly available

What is the first step to be taken when a device is found at a crime scene?

Take a picture of the location of the device

What is the purpose of enabling Airplane mode on a device during evidence preservation?

To disable Wi-Fi and Bluetooth settings

What is the purpose of removing the SIM card and memory card from a device?

To prevent data transmission or deletion

What is the function of a Faraday Box in device preservation?

It shields the device from all incoming and outgoing radio signals (it blocks them; it does not actively jam)

What is the purpose of taking pictures of all sides of the device and its defects?

To document the device's physical condition and any defects

Why is it necessary to ask the owner for their lock screen password?

To unlock the device and access its contents

What are the three main scopes in digital forensics?

Identifying, Acquiring a copy, and Preserving

What is the Locard's exchange principle?

The principle states that when a criminal comes into contact with a crime scene, they will always leave traces of their presence behind.

What is the purpose of a Search Warrant under the CPC 2010?

To authorize the Police Officer (PO) to access, seize, and acquire digital devices and data related to a crime.

What is the role of Interpol in digital forensics?

Interpol facilitates international cooperation in sharing crime-related information and issuing notices to member countries.

What is the significance of the Chain of Custody in digital forensics?

It ensures the integrity and admissibility of digital evidence by documenting every step of the handling process.

What is the purpose of the Preparation phase in digital forensics?

To curate a plan for handling digital evidence, listing necessary items to collect, and ensuring the integrity of the investigation.

Study Notes

Origins of OSINT

  • The practice of Open-Source Intelligence (OSINT) dates back to the World War II era
  • The Foreign Broadcast Information Service (FBIS) of the United States monitored publicly broadcast news related to troop operations, an early instance of OSINT
  • FBIS monitoring focused on publicly available news broadcasts, i.e. sources anyone could receive

Digital Forensics Process

  • Collection -> Examination -> Analysis -> Reporting: the 4 main stages of digital forensics
  • 3 main scopes:
    • Identifying
    • Acquiring a copy
    • Preserving

Rules of Evidence

  • Authentic: relevant to the crime
  • Admissible: preserved in a forensically sound manner, valid in court
  • Believable: examiner can explain clearly and concisely
  • Reliable: forensically sound methods and tools used
  • Complete: tells the whole story of the incident, not just the parts that favour one side

Locard's Exchange Principle

  • Anyone who enters a crime scene leaves traces of their presence behind and carries traces of the scene away with them
  • Locard: director of the first police crime laboratory

Search and Seizure Warrants

  • PO & AP can: have access to computers used in arrestable offences, prevent others from gaining access, acquire a copy of the device, and prevent suspects from wiping data
  • Seizure Warrants: PO can seize/prohibit disposal of devices if used in an alleged crime, constitutes evidence of crime, or used during the crime
  • Anton Piller order: for civil cases, including disputes between companies or neighbours, breach of contract, and mistreatment of employees

Interpol

  • If a suspect has fled abroad or there are unidentified bodies, Singapore contacts Interpol to issue notices to other member countries to share crime-related information
  • Interpol Notices:
    • Red: arrest wanted person to be prosecuted or serve a sentence
    • Orange: suspects that may display serious threats and harm to the public
    • Purple: obtain information about a suspect's modus operandi, objects, devices
    • Black: information about unidentified bodies
    • Yellow: locate whereabouts of people, especially minors, or people who can't identify themselves
    • Blue: obtain additional information about suspects
    • Green: suspects that may display possible threats to public

Preparation

  • Draw up a plan for how the digital evidence will be handled
  • List the items needed for collection:
    • Mobile Acquisition Software
    • Hardware equipment
    • Storage media
    • Documentation (Chain of custody)

Chain of Custody

  • People involved in handling
  • Date/Time of every handover
  • Physical condition of object
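The chain of custody above records who held the item, when it changed hands and in what condition. The example below is an added illustration, not part of the original study notes: it assumes a case-file convention of our own in which every handover is one record that carries the SHA-256 of the acquired image and of the previous record, so that a later edit to any entry, or a change to the image itself, is detected when the chain is verified. Names, times and the sample image bytes are constructed.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List

# Constructed sample: a tiny stand-in for an acquired device image.
SAMPLE_IMAGE = b"constructed-sample-image-bytes-0001"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string (here, the evidence image)."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyRecord:
    seq: int
    timestamp: str         # ISO 8601 time of the handover
    released_by: str
    received_by: str
    condition: str         # physical condition observed at the handover
    evidence_sha256: str   # hash of the image re-computed at this handover
    prev_record_hash: str  # record_hash of the previous entry, GENESIS for the first
    record_hash: str = ""  # hash over all fields above

    def compute_hash(self) -> str:
        body = asdict(self)
        body.pop("record_hash")  # the hash does not cover itself
        return sha256_hex(json.dumps(body, sort_keys=True).encode())


class ChainOfCustody:
    GENESIS = "0" * 64

    def __init__(self, evidence_image: bytes):
        # Hash taken once at acquisition; every later handover must match it.
        self.acquisition_sha256 = sha256_hex(evidence_image)
        self.records: List[CustodyRecord] = []

    def handover(self, timestamp: str, released_by: str, received_by: str,
                 condition: str, evidence_image: bytes) -> CustodyRecord:
        prev = self.records[-1].record_hash if self.records else self.GENESIS
        rec = CustodyRecord(len(self.records) + 1, timestamp, released_by,
                            received_by, condition, sha256_hex(evidence_image), prev)
        rec.record_hash = rec.compute_hash()
        self.records.append(rec)
        return rec

    def verify(self) -> List[str]:
        """Return a list of problems; an empty list means the chain is intact."""
        problems = []
        prev = self.GENESIS
        for i, rec in enumerate(self.records, start=1):
            if rec.seq != i:
                problems.append(f"record {i}: sequence number is {rec.seq}")
            if rec.prev_record_hash != prev:
                problems.append(f"record {i}: does not link to the previous record")
            if rec.record_hash != rec.compute_hash():
                problems.append(f"record {i}: fields altered after the record was written")
            if rec.evidence_sha256 != self.acquisition_sha256:
                problems.append(f"record {i}: evidence hash differs from acquisition hash")
            prev = rec.record_hash
        return problems


def build_demo_chain() -> ChainOfCustody:
    """Three constructed handovers: crime scene -> exhibit store -> examiner -> store."""
    coc = ChainOfCustody(SAMPLE_IMAGE)
    coc.handover("2024-03-01T10:15:00+08:00", "PO A. Tan (scene)", "Exhibit store",
                 "Phone in Faraday bag, screen cracked lower-left", SAMPLE_IMAGE)
    coc.handover("2024-03-01T14:40:00+08:00", "Exhibit store", "Examiner B. Lim",
                 "Bag seal intact", SAMPLE_IMAGE)
    coc.handover("2024-03-02T09:05:00+08:00", "Examiner B. Lim", "Exhibit store",
                 "Bag resealed, seal no. 00123", SAMPLE_IMAGE)
    return coc


if __name__ == "__main__":
    chain = build_demo_chain()
    print("intact:", chain.verify() == [])
    # Quietly rewriting an earlier entry is caught on the next verification.
    chain.records[0].condition = "No visible damage"
    print(chain.verify())
```

Editing a record's fields without updating its hash fails the per-record check; recomputing the forged record's own hash instead breaks the link stored in the record that follows it. Either way the tamper shows up, which is what makes the log usable to demonstrate integrity when the evidence is challenged in court.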

Identification

  • Surveying: determine electronic devices potentially used as evidence
  • 1st priority: identify devices with running apps
  • 2nd priority: identify devices that are switched on
  • 3rd priority: delegate a PO to question suspects, e.g. which devices they use most

Preservation

  • When device is on [CRIME SCENE]:
    • Take a picture of the location of the device
    • Ask owner for lockscreen password (alphanumeric, patterns)
    • Unlock device
    • Enable Airplane mode
    • Disable Wi-Fi and Bluetooth settings
    • Remove SIM card
    • Take pictures of running apps
    • Disable face recognition
    • Switch off device
    • Take pictures of the device (close-up on defects, at least 6 shots)
  • When device is off [CRIME SCENE]:
    • Take a picture of the location of the device
    • Remove battery [for older phones]
    • Remove memory card
    • Remove SIM card
    • Ask owner for lock screen password
    • Take pictures of all sides of the device

AT LAB

  • With the mobile phone inside the Faraday Box:
    • Unlock mobile phone with given password
    • Enable Airplane mode
    • Disable Wi-Fi
    • Disable Bluetooth

Faraday Box

  • Shields the device from all incoming and outgoing radio signals (blocking, not jamming), so it cannot be remotely wiped or receive new data while handled
  • Easy release latch -> tight RF seal
  • Built-in conductive gloves for operating touch screens
  • USB outlet
  • AC power strip: 4 universal power outlets & 4 USB outlets
  • Dual-sided shielded filter with 2 USB ports, 1 AC port & 1 RJ45 ethernet port
  • Angled windows on top for viewing devices
