
Counter Digital Forensics

This is a precursor to our Open Source Intelligence series; the importance of obscuring your digital actions cannot be overstated. We live in an era of constant digital observation where our location, beliefs, and actions are intently monitored. Please understand that OPSEC is a balance between your ‘investment’ in your security and the damage that will be done if that security is breached, i.e. there's no point putting $10 behind a $1000 lock. Make a realistic assessment of the information you are protecting and structure your privacy (and level of inconvenience) accordingly.


Definitions:

Anonymous

A quality of a service/activity/network or other that can not be linked to an identity/person.

Backdoor

An exploit that allows access to a system or data while bypassing the system's security.

Bug

A device that can covertly collect sound, video, location, or other data.

ISP

Shorthand - Internet Service Provider e.g. AT&T, Verizon, Vodafone, Telstra.

Open Source

Software with code that is made freely available. This allows any third party to inspect how the software operates.

PED

Shorthand - Personal Electronic Device e.g. phone, computer, smart watch.

Private

A quality of a service/activity/network or other that can not be accessed or understood. Generally achieved by encryption.

VPN

Shorthand - Virtual Private Network, a protocol that allows for the establishment of a private network by redirecting data through an additional (remote) server.

Digital Forensics: Brief


Digital forensics refers to the processes of collecting and analyzing electronics and their data. To explain this most simply, think of digital forensics as traditional forensics. When a forensics officer is tasked with a crime scene they look for contact points, areas the perpetrator has interacted with: the floor, handles, doors, chairs, buttons/switches, tools/equipment, etc. On these contact points the officer expects to find some trace that not only shows a person was there, but also reveals identifying information: a boot print, fingerprint, clothing fibers, blood/mucus/skin, etc. Compare this to the digital forensic examiner's job. Their contact points are the electronic storage on phones, computers, smart watches, and networks/servers; once the examiner has access to this storage they look for unique identifiers, location logs, files, message logs, internet history, or purchases.


How your data is used depends on how it was collected. For our purposes we will divide data access into ‘legal’ and ‘extra-legal’; the question is whether the data was collected through means expressly dictated by law/contract. If the data was collected through backdoors, bugs, or government coercion it is ‘extra-legal’.

Legal Access vs. Extra-Legal Access, by actor:

Government - Legal Access: Information accessed via subpoena or investigation, for the purpose of legal prosecution.

Government - Extra-Legal Access: Information accessed via broad and non-targeted surveillance of a population, generally permitted by anti-terrorism legislation.

Civilian - Legal Access: Information accessed by companies for the purpose of marketing and optimisation, permitted via their privacy disclosure agreement.

Civilian - Extra-Legal Access: Information accessed by malicious individuals for the purpose of blackmail, ransom, or other criminal activity.

In short, your government has the capability to access most of your digital communication. They do this by working (forcefully or willingly) with your ISP in order to access the websites you visit, your unencrypted messages (SMS texting), how long you engage with content, the devices you use, and your location. This information is archived away and used to make AI-driven analysis of you, which in turn is used to inform federal investigations (not as evidence, but in order to target individuals who are deemed ‘risky’).


There is an idea that governments use ‘zero day’ exploits [1] on phones, computers, and other smart devices in order to turn them into bugs or to remotely control them to transmit stored information. Make no mistake, this is a capability the US and other governments hold; however, ‘zero days’ are expensive and can only be used so many times before they are discovered and patched. These advanced cyberwarfare tools are not intended for use on criminals regardless of how nefarious they are, and it’s also likely that evidence found from the use of these tools would be thrown out of western courts due to their questionable legality. It is far easier to plant a traditional bug in a car/home/workplace or to subpoena PEDs after an arrest has been made.


Before we continue, please understand two things:


1. We must leave behind the idea that ‘normal internet use’ is secure, it is not. Thinking that AT&T, Verizon, Vodafone, Microsoft, Google, Apple, Samsung, Amazon, Instagram, or YouTube’s ‘Privacy and Security Team’ is capable of keeping your data safe from three letter government bodies is no different to thinking a pane of glass is good concealment. These corporations are either willingly working with the government or have been ‘backdoored’ by the government [2].


2. The only way to be completely safe from digital observation is to not use your phone, computer, smart watch, credit cards, etc. This is obviously not a reasonable compromise, so we will focus on securing our files, communications, internet use, and location.


Good Practice


1. Data encryption - For our purposes, all of our OSINT data must be encrypted as soon as it is downloaded; this is not a mandatory step, though it is highly recommended. To do this, any service that offers open source data encryption will do. VeraCrypt is a popular option.


2. Biometrics - As your biometrics (fingerprint, iris, face, etc) are physical items, a court can subpoena them and force you to unlock any device secured by them. It is advisable that you disable biometrics on any device that you want to keep secure.


3. Passwords - Your password MUST be more than 15 characters. Combine numbers, letters, capital letters, and symbols. Don't use the same password for every service. We recommend using a compound word as the base of your password; for instance, ‘42Underestimated?’ would take millions of years for modern computers to crack.


4. Updates - Constantly update your PEDs and the software they run. Doing so will ensure that you are not susceptible to old vulnerabilities; the importance of this cannot be overstated.



Internet Activity


How well you are trying to hide your data will massively affect your approach to security. If your intent is to reduce the amount of information the government has about your online activity then you may be satisfied with a secure internet browser coupled with a VPN: use the Firefox or Brave browser [3], replace your search engine with a service like DuckDuckGo or Startpage, and use a VPN outside of your nation's jurisdiction [4]. This approach will be safer than no protection, but please understand that VPNs don't keep you private in the way their marketing portrays; using a VPN only shifts the owner of your information from your ISP to your VPN. For this reason many people will make and use their own VPN [5].


Now, while the above may be sufficient for typical use, we highly recommend you follow one of these two methods when conducting OSINT:


Adequate Security -


Download and use the Tor browser. The Tor browser uses a network of user-run nodes that pass your connection between each other, generally through multiple countries; the system also protects your data from the nodes by encrypting it for each node separately [6]. This system ensures a high, though not perfect, level of security.


High Security -


Download the Whonix machine and use Tor within it. Whonix is effectively a virtual computer within your computer: it separates your device's data from its own, it adds an array of additional security protocols that keep your connection private, and it protects your computer from malware. For added security, do not use your own WiFi; instead move to a public WiFi to conduct your business. By only accessing the internet through the Tor network, on a virtual computer, from someone else's WiFi, you will have made it (practically) impossible for any organization to link what you did online to your identity.


Whether you use the adequate or high security method please understand the following:


DO NOT enter any personal information into Tor.

DO NOT bookmark websites in Tor.

ALWAYS use the .onion alternative to a website (Tor will notify you if one is available).

ALWAYS encrypt data that is downloaded or website URLs you want to save.


Additionally, while the Tor browser will give you access to the ‘dark net’ [7], this guide is not sufficient for protecting you from the threats within the ‘dark net’. Please seek further guides on the additional security procedures you must employ if you are interested in this.


Communication


Communication from person to person is vital to organize and share information. Unfortunately, most (if not all) default communication methods on your PED transmit in plain text and are as easy for your ISP/government to read as they are for the actual recipient. We must find a service for both our instant messaging and email.


A secure messaging service will have:


Anonymous sign up - The application allows you to use it without asking for any personal data.


End to end encryption - A protocol where all encryption and decryption is done on the user's PED. Any information that your phone transmits is encrypted, until the intended receiver decrypts it on their device.


Forward secrecy - A protocol where the key used to encrypt data is changed frequently, ideally for every message; this ensures that if one key is compromised only minimal data is lost.


Open source - The service's source code is open to inspection, hopefully any red flags will be identified before you use the service.
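To make the end-to-end encryption and forward secrecy properties above concrete, here is an added example (it is not code from this page, nor from Signal, Element, Briar or Yami) of a simplified symmetric hash ratchet in Python. Both parties start from a shared secret that the example assumes was agreed by the app's key exchange; every message gets a fresh key derived from a chain key, the chain is advanced and the old value discarded, so a device compromise exposes the current and later messages but not earlier ones. The stream cipher is a SHAKE-256 XOR stand-in for the app's real authenticated cipher, and all names, keys and messages are constructed.

```python
import hashlib
import hmac


def xor_keystream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with a SHAKE-256 keystream. Stand-in for the
    real authenticated cipher a messenger would use; illustration only."""
    return bytes(a ^ b for a, b in zip(data, hashlib.shake_256(key).digest(len(data))))


class SymmetricRatchet:
    """One direction of a conversation. Both parties start from the same
    shared secret (assumed agreed by the app's key exchange) and advance in
    lockstep, so they derive identical per-message keys without sending them."""

    def __init__(self, shared_secret: bytes):
        self.chain_key = shared_secret
        self.index = 0

    def next_key(self):
        """Return (message index, message key) and advance the chain.
        The previous chain key is overwritten; HMAC-SHA256 cannot be run
        backwards, so nothing left on the device can rebuild earlier keys."""
        msg_key = hmac.new(self.chain_key, b"message", hashlib.sha256).digest()
        self.chain_key = hmac.new(self.chain_key, b"chain", hashlib.sha256).digest()
        idx, self.index = self.index, self.index + 1
        return idx, msg_key


def seal(sender: SymmetricRatchet, plaintext: bytes):
    """Encrypt one message under a fresh key; returns (index, ciphertext)."""
    idx, key = sender.next_key()
    return idx, xor_keystream(key, plaintext)


def open_message(receiver: SymmetricRatchet, idx: int, ciphertext: bytes) -> bytes:
    """Decrypt the next message; this toy assumes in-order delivery."""
    expected, key = receiver.next_key()
    if expected != idx:
        raise ValueError("out-of-order message (index %d, expected %d)" % (idx, expected))
    return xor_keystream(key, ciphertext)


def attacker_with_stolen_chain(chain_key: bytes, stolen_at: int, transcript):
    """Model a device compromise: the attacker captured the chain key as it
    stood just before message `stolen_at` and tries every recorded ciphertext.
    Messages from `stolen_at` onward fall; earlier ones do not."""
    ratchet = SymmetricRatchet(chain_key)
    ratchet.index = stolen_at
    recovered = {}
    for idx, ct in transcript:
        if idx < stolen_at:
            # Best effort with the only key the attacker has: yields garbage.
            recovered[idx] = xor_keystream(chain_key, ct)
        else:
            recovered[idx] = open_message(ratchet, idx, ct)
    return recovered


if __name__ == "__main__":
    secret = b"constructed shared secret"
    alice, bob = SymmetricRatchet(secret), SymmetricRatchet(secret)
    transcript = [seal(alice, m) for m in (b"first", b"second", b"third")]
    stolen = None
    for idx, ct in transcript:
        if idx == 2:
            stolen = bob.chain_key      # phone seized just before reading message 2
        print(idx, open_message(bob, idx, ct))
    print(attacker_with_stolen_chain(stolen, 2, transcript))
```

A pure symmetric chain like this gives forward secrecy (old messages stay safe) but not recovery after a compromise, since the attacker can keep deriving future keys; production messengers such as Signal layer a Diffie-Hellman ratchet on top so that later keys also become unpredictable again.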


For the sake of brevity - Don’t use anything made/owned by Facebook (Meta). Signal (provided you sign up using a disposable SMS number, like AnonymSMS) is ‘good enough’ [8]; however, if you want more control you must look at alternatives such as Element, Briar, or Yami. These services allow you to communicate like any other traditional internet messaging service while using end to end encryption and other security protocols by default.


When signing up to any service on the internet an email is generally required, so we must find an email service that keeps our information private and that has an anonymous sign up. It is best practice to use multiple email addresses to limit the amount of data that will be compromised in a breach. To do this we will use a combination of permanent and burner emails.


Tutanota and Mailfence are both great permanent mailbox solutions. ProtonMail is a widespread service, however, ProtonMail is very deceptive with what they offer and it is our earnest recommendation that you do not use their platform.


Guerrilla Mail and temp-mail.org both provide a temporary, receive-only, email address.


When using any email service for OSINT/Dark Net work, it is very important that you only connect to and create accounts through the Tor network as discussed in ‘internet activity’. Failure to do so will result in your real IP address and data being linked to that email.


Location


Your mobile phone is your enemy. Your phone, by design, transmits your (semi-accurate) location every time it moves into a new cell tower’s area [9]. This issue is made worse if your phone has applications that ask for its location directly from its GPS. Turning off your mobile data or using airplane mode may help obscure your location, however, due to the lack of transparency from Apple and Android (Google), there is no way to be certain that this will secure your position; safety features and WiFi signals may still compromise your location.


If it is important to you that your location remains private then you should power off your phone. If you are concerned that this is not enough, then the best alternative is to not carry a phone or buy a phone with a removable battery.


Please note that we have used the term ‘phone’ to refer to any device that uses a SIM card or otherwise connects to cell towers/networks (GPS tracking devices, sat-phones, etc).


Data Deletion


We must be competent in true data deletion because, regardless of how strong our encryption is over a network, the key to decode our data and our data itself are stored on our PED. Government actors have the capability to pull data from 'dead' drives, even if the data appears to be deleted. When you press delete on your PED it doesn't remove the data, it just hides it. In as simple terms as possible: the ‘area’ that the deleted data occupied on the Hard Disk Drive/Solid State Drive (HDD/SSD) has only been ‘reclassified’, which gives your computer permission to write over it; the old data is still there until new data replaces it.


Digital shredding is the process of selected data being written over. In theory, you can shred data without needing to install a program onto your device; however, this is rather complicated, so our recommendation is to use an open source application. BitKiller is a good option.
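As an added example of what a shredding tool does under the hood (this is not BitKiller's code, nor code from this page), here is a Python routine that overwrites a file's contents in place with random bytes for several passes, forces each pass to the device with fsync, then truncates, renames and unlinks the file so neither the content nor the original name remains in the directory. It assumes a local file on a conventional filesystem; the function names and the sample file are constructed.

```python
import os
import secrets


def overwrite_file(path: str, passes: int = 3, chunk: int = 1 << 16) -> int:
    """Overwrite every byte of `path` with fresh random data, `passes` times.
    Each pass is flushed and fsync'd so the overwrite reaches the disk rather
    than sitting in the page cache. Returns the number of bytes overwritten."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                fh.write(secrets.token_bytes(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())
    return size


def shred_file(path: str, passes: int = 3) -> int:
    """Overwrite, truncate to zero, rename to a random name (so the original
    filename is not left in the directory entry) and unlink. Returns the
    original size in bytes."""
    size = overwrite_file(path, passes)
    with open(path, "r+b") as fh:
        fh.truncate(0)
        os.fsync(fh.fileno())
    directory = os.path.dirname(path) or "."
    anonymous = os.path.join(directory, secrets.token_hex(8))
    os.rename(path, anonymous)
    os.unlink(anonymous)
    return size


if __name__ == "__main__":
    # Constructed sample file for demonstration.
    sample = "osint-notes.txt"
    with open(sample, "wb") as fh:
        fh.write(b"constructed sensitive notes\n" * 1000)
    print("shredded", shred_file(sample), "bytes")
```

This is only as good as the storage underneath it: on an SSD, wear levelling means a logical overwrite does not necessarily land on the same physical cells; copy-on-write or journaling filesystems, snapshots, backups and cloud-sync folders can all keep older copies; and the file's metadata may live elsewhere. That is why, for a device you are disposing of, the physical destruction described below remains the recommendation.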


If you are disposing of a PED or the device is inoperable, i.e. waterlogged, forgotten password, or otherwise not accessible, it is good practice to physically destroy the drive so its data cannot be recovered. There are some electronic recycling facilities that will let you watch your drives be destroyed, but let's assume that is not a good option for you. In order to physically destroy a HDD or SSD we need to first identify and dismantle that component from your device.


(Image showing labelled examples of HDDs and SSDs)


Computers and laptops will use either HDDs, SSDs or a combination (the newer the device, the more likely it uses SSDs); phones and compact devices will use an SSD attached directly to their circuit board, which may make the storage harder to identify. The rule of thumb is to destroy the entire phone's circuit board.


To destroy a HDD:

  1. unscrew its case using a Torx screwdriver set,

  2. unscrew and remove the hard disks and circuit board,

  3. use 120 grit sandpaper to thoroughly damage the surface layer of the hard disks,

  4. use a hammer to break the disks and circuit board into multiple pieces,

  5. (optional) use a gas torch or fire to heat the fragments upwards of ~1500°F.


To destroy an SSD:

  1. remove it from the computer or laptop,

  2. if it is held in a casing, remove the circuit board from the case,

  3. use a hammer to break the circuit board into multiple pieces, focusing on the NAND and DRAM chip,

  4. (optional) use a gas torch or fire to heat the fragments upwards of ~1500°F.


To destroy a phone's data:

  1. Open the phone and locate any component that looks like a NAND or DRAM chip,

  2. use a hammer to break the circuit board into multiple pieces, focusing on the NAND and DRAM chip,

  3. (optional) use a gas torch or fire to heat the fragments upwards of ~1500°F.



Privacy is a human right. We need to move away from the mentality that hiding from big brother is a crime. It is not. It is instead a form of survival in a country or state that has become, or will become, oppressive. Stay hidden, stay safe.


[1]

A ‘zero day’ exploit (sometimes referred to as a voodoo hack) is an unknown vulnerability in a device or piece of software, this vulnerability may be used to force a computer to execute a task/program. These exploits will be patched as soon as they are discovered by the maker of the device/program, this gives the discoverer a choice: they can attempt to alert the maker and potentially be given a reward or they can sell their discovery to the highest bidder (typically this goes to a middle man who then cooperates with government agencies).


[2]

Most countries have sections of legislation that dictate that any personal data collected and stored by a third party organization becomes property of that organization; because of this, corporations are able to pass your personal information to the government without needing to notify you. This can occur through subpoena, coercion, or just by asking nicely. If an organization is not willing to hand over your data, then your government likely has the implied legal backing to obtain that data ‘extra-legally’.


[3]

While these browsers are an improvement over Chrome, Bing, Safari, and Explorer, it is important that you disable any settings that you are not comfortable with, e.g. saving cookies, saving browsing history, etc. It is also advisable that you add an ad blocker plugin to these browsers.


[4]

VPNs are not the most trustworthy organizations. If you are in the market for a VPN we recommend ignoring all claims made by the service and instead only looking at the reviews of professionals within the OPSEC/pen-test communities. TLDR: buy Mullvad VPN with cash or Monero.


[5]

Mental Outlaw is a very good resource in the space of OPSEC and VPNs: https://www.youtube.com/watch?v=Lk_v6Q0YsNo&ab_channel=MentalOutlaw


[6]

This is a misnomer; however, we chose brevity over accuracy. An accurate description of this process is that the Tor network encrypts your data three times: the entry node decrypts the first layer of encryption with its key, the relay (middle node) decrypts its layer with its key, and the exit node removes its layer of encryption and transmits the final (still encrypted) packet to the destination. Effectively, no one knows who is who, and everyone is speaking gibberish.
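The layered encryption described in the ‘Adequate Security’ section and in this note can be traced step by step with an added Python example (it is not code from this page or from the Tor Project, and the per-hop cipher is a SHAKE-256 XOR stand-in, not Tor's real cipher). The client wraps the payload in three layers, innermost for the exit; each relay strips exactly one layer with its own key and learns only the next hop, while the exit alone sees the destination and the payload. Relay names, keys, destination and payload are all constructed, and the per-hop keys are assumed to have been agreed during circuit setup.

```python
import hashlib

CIRCUIT = ("entry", "middle", "exit")


def xor_keystream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with a SHAKE-256 keystream. Stands in for the
    per-hop cipher Tor really uses; illustration only."""
    return bytes(a ^ b for a, b in zip(data, hashlib.shake_256(key).digest(len(data))))


def build_onion(hop_keys: dict, dest: bytes, payload: bytes) -> bytes:
    """Client side: wrap the payload in one layer per hop, innermost first.
    Each layer's plaintext is b'<next hop>|<inner cell>', so a relay that
    strips its layer learns only where to forward the remainder."""
    inner = dest + b"|" + payload                       # only the exit ever sees this
    cell = xor_keystream(hop_keys["exit"], inner)
    cell = xor_keystream(hop_keys["middle"], b"exit|" + cell)
    cell = xor_keystream(hop_keys["entry"], b"middle|" + cell)
    return cell


def relay_peel(own_key: bytes, cell: bytes):
    """Relay side: remove exactly one layer with the relay's own key and
    return (next_hop, remaining_cell). The remainder is still ciphertext."""
    plain = xor_keystream(own_key, cell)
    next_hop, rest = plain.split(b"|", 1)
    return next_hop, rest


def run_circuit(hop_keys: dict, dest: bytes, payload: bytes):
    """Pass one cell through entry -> middle -> exit. Returns what each relay
    learned (only its next hop) and what the exit forwards to the destination."""
    cell = build_onion(hop_keys, dest, payload)
    seen = {}
    for hop in CIRCUIT:
        next_hop, cell = relay_peel(hop_keys[hop], cell)
        seen[hop] = next_hop
    return seen, cell


if __name__ == "__main__":
    # Constructed per-hop keys; in Tor these come from the circuit handshake.
    keys = {"entry": b"entry-key", "middle": b"middle-key", "exit": b"exit-key"}
    seen, forwarded = run_circuit(keys, b"example.org", b"GET / (assume TLS inside)")
    for hop in CIRCUIT:
        print(hop, "forwards to", seen[hop])
    print("exit sends:", forwarded)
```

Two details the toy makes visible match the ‘not perfect’ caveat above: the entry node still sees the client's real address, and the exit node sees whatever the innermost payload is, so that payload must itself be encrypted (e.g. TLS) for the destination content to stay private. Real Tor also pads to fixed-size cells so that a cell's length does not reveal how many layers remain.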


[7]

The big, bad, scary darknet. Like any good lie, it has its roots in reality. There are illegal things on the darknet, however, if you spend any amount of time ‘looking around’ you will learn how innocuous it really is.


[8]

We came to our conclusion on Signal after reading through the various subpoenas it has faced. Signal collects very little data; each subpoena filing that has asked for users' information has been met with three data points: the phone number used to sign up, the date/time of account creation, and the date/time of last connection to the Signal servers. No empire lasts forever. If Signal becomes compromised, move to the next best alternative.


[9]

In short: when stationary, your phone will send a ‘ping’ (a data packet consisting of various unique identifiers, potentially including your GPS location) to the cell tower it has the strongest connection to. This ‘ping’ happens about every 8 hours (depending on ISP). When moving, your phone constantly searches for the cell tower it has the strongest reception to; if it detects a stronger cell tower it will send a ‘ping’ to that tower to alert the network of its new position.

