SCP Syntax Tutorial

The scp command is available on UNIX-based systems (including Linux and Mac OS) and allows files to be copied to, from, or between different hosts. It uses secure shell (ssh) for data transfer and so provides the same authentication and the same level of security as ssh.

Here you’ll find a document outlining the syntax required when using the scp command.

Web Page Certificates

HTTPS is the secure version of the HTTP protocol used to connect to web servers.

Websites that use the https (Hypertext Transfer Protocol Secure) protocol provide an encrypted connection between your device and the web server hosting the page you have requested.


However, just because you type https://amazon.co.uk into your browser's address bar, for example, does not necessarily mean you are connected to the real amazon.co.uk website.

This is because the address amazon.co.uk is converted to the IP address of the web server hosting the page by a service known as the Domain Name System (DNS).

DNS works like a phone book: you type in the web address you want to visit, your DNS resolver looks up the ‘number’ (the IP address) of the appropriate web server, and your browser then retrieves the web page from that server.

If the DNS has been compromised or hijacked in any way, then when you type in https://amazon.co.uk you are sent to the IP address of a rogue website that appears to be, and looks like, the real amazon.co.uk site.

The connection to the rogue server still uses https and still displays a padlock icon, but the attacker will have access to your data.

You can check that you are on the correct web page by examining the server's Secure Sockets Layer (SSL) certificate, the genuine version of which can only be presented by the real amazon.co.uk web server.

Follow these simple steps. The Firefox browser is used here, but all browsers will allow you to view the certificate of a connection using https:

  • Type amazon.co.uk into your browser's location bar.
  • Your browser will connect to the web server provided by the DNS and display a padlock icon. Note that, in grey, Firefox has added https://www to the address you typed; it is shown in grey to make clear what has been added.
  • Click on the padlock icon.
  • Click ‘More Information’.
  • Click ‘View Certificate’.
  • The SSL certificate will open. Check that the web address shown against Common Name (CN) is the same as the address in the browser's location bar. If it is, you are connected to the real amazon.co.uk website over a secure https connection and your data is safe.
  • If the Common Name (CN) displayed differs in any way from what is in the browser's location bar, there is a problem and you should not trust the website.

NB – The Common Name (CN) entry on the certificate only needs to match the domain of the website you have visited, not the full address (path) of the page.

For example:

https://www.amazon.co.uk/gp/prime/pipeline/landing/ref=nav_prime_try_btn

is fine, because the domain matches the Common Name (CN) in the certificate.

You may see warning messages like the ones below if the web address does not match the Common Name (CN) in the certificate.

[Screenshots: browser certificate warning messages]
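The CN/domain check described in the steps above can also be expressed in code. The following is an added example, not part of the original page: it uses the dict shape that Python's `ssl` module returns from `getpeercert()`, collects the Common Name and the DNS subjectAltName entries (modern browsers match against the SAN list, which is why both are gathered), and compares them against only the host part of a URL, so the path after the domain is ignored exactly as the NB says. The certificate contents and the `example.co.uk` names are constructed for the example; `fetch_peercert` is the live-check helper and assumes network access.

```python
import socket
import ssl
from urllib.parse import urlsplit

# Constructed certificate in the dict shape that ssl.SSLSocket.getpeercert() returns
# (made-up names; example.co.uk stands in for the shop used in the text).
SAMPLE_CERT = {
    "subject": ((("countryName", "GB"),),
                (("organizationName", "Example Shop Ltd"),),
                (("commonName", "www.example.co.uk"),)),
    "subjectAltName": (("DNS", "www.example.co.uk"),
                       ("DNS", "example.co.uk"),
                       ("DNS", "*.images.example.co.uk")),
    "notAfter": "Jul 20 12:00:00 2016 GMT",
}


def names_from_peercert(cert):
    """Collect the Common Name and every DNS subjectAltName from a getpeercert() dict."""
    names = [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]
    names += [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return names


def name_matches(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive, and a leading '*' covers exactly one label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_matches_url(cert, url):
    """True if the host part of `url` matches the CN or a DNS SAN; the path is irrelevant."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError("URL has no hostname")
    return any(name_matches(name, host) for name in names_from_peercert(cert))


def fetch_peercert(hostname, port=443, timeout=5):
    """Live check (network; not exercised by the tests): the default context verifies the chain
    and the hostname, so a rogue server with a self-signed or mismatched certificate fails here."""
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()
```

The name comparison is only meaningful after the certificate chain has been verified, which is what `ssl.create_default_context()` does in `fetch_peercert`: a rogue server reached through hijacked DNS cannot present a certificate for the real domain that chains to a trusted CA, so the handshake fails before any name is compared.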

Other browsers may display the padlock icon in a different location:

[Screenshot: padlock icon locations in other browsers]

Examining Email Headers

Whenever an email is sent, information is transmitted with that email, and the route the email takes across the network is recorded. This information is known as the ‘Extended Header’.

The extended header can be of great use to the researcher and, when used correctly, provides an insight into the sender, their software and hardware, and the potential recipients.

The extended header information potentially includes the sender's IP address, email client, return address and the route the email has taken to reach its destination. This is useful in identifying and investigating ‘spoof’ or ‘phishing’ emails.

There are three main issues to discuss here before we move on.

The first is that different email services provide different information in the extended header.

The second is that we need to be in possession of the original email, not one that has been forwarded to us for examination. A forwarded email will contain the extended header information of the forwarder, not of the original email. The subject email can in some circumstances be sent as an attachment, in which case the extended header information will be retained.

The third is that different email clients and web-based services present the extended header in different formats, and the information is accessed in different ways. A Google search will reveal how to view the extended header information in your email client or web-based service.

For our example, we are going to use an email sent from Microsoft Outlook 2013 to a gmail.com address.

We will be viewing the extended header of the email through the web-based Gmail service, but similar procedures apply to all email clients and services.

Below are the details of the email as it was sent from the Outlook 2013 account. We can see details of the recipient, the CC recipient, the BCC recipient, the email subject and the details of the attachment.

[Screenshot: the email as sent from Outlook 2013, showing the recipient, CC, BCC, subject and attachment]

So, here's how to view the extended header information in the Gmail web service:

  • Log in to the web service at mail.google.com
  • Open the email in question
  • Click the drop-down arrow to the right of the reply button
  • Click on ‘Show Original’ in the menu that has appeared
  • The extended header information for that email will open in a new window
  • Select all of the text that appears and copy it to your clipboard
  • Open either Word, Notepad or a similar text editor and paste in the extended email header. You can examine the header in the web page, but I find it easier in an editor

For the extended header information used in this example, click on the icon below. It should open in a new tab.

[Image link: the example extended header]

This example has the relevant sections highlighted. The red numbers on the highlighted section do not form part of the header and have been appended for reference only.

To examine an Extended Email Header, we should read from the bottom up.

So, working upwards, here are the details:

1. The text content of the email

2. ‘Disposition-Notification-To’ means that the sender has asked for a delivery or read receipt from the recipient. This receipt is often sent automatically when the recipient receives or opens the message, but the option can usually be changed in the recipient's email program or client, giving the recipient the choice of whether or not to send a receipt.

3. X-Mailer is the email client used by the sender. A Google search for ‘Microsoft Outlook 15.0’ identifies the client in this case as Microsoft Outlook 2013, so the sender must be running Windows.

3A. Message-ID is the unique reference of this message. It may be generated by the mail server or the ISP, but it is unique and essential when speaking with administrators to trace a message and related information on a server or network.

4. The day, date and time sent from the sender's machine. In this case it is GMT +0100, as it is summer. Look closely further up the header (below item 10) and you will see that the server time (kundenserver.de) is GMT +0200, as that is the server's local time.

5. The subject line of the original email

6. The ‘CC’ or Carbon Copy recipient's email address (jhellis@hotmail.co.uk).

NOTE: the ‘BCC’ or Blind Carbon Copy recipient's name or email address (jellis@gmx.com) is not shown in the header.

7. The main recipient's email address.

8. The email address from which the original email was sent.

9. The Reply-To address (info@onlineops.co.uk), which is a separate field from the sender's email address. When the recipient replies to the email, this is the address the reply is sent to. In this case it is the original sender's email address, but it could be an alternative email address; this is often the case in ‘scam’ emails.

10. This is the hostname of the computer used by the sender (jonmbp) and the sender's public-facing Internet Protocol (IP) address. In this case the IP address 87.117.199.182, when investigated (type it into centralops.net), appears to be owned by Rapidswitch Limited in the UK.

Reading upwards, the first IP address that appears is usually that of the sender.

NOTE: not all email service providers capture the sender's IP address in the Extended Header.

11. This entry confirms that the email was delivered to mrjhellis70@gmail.com, and this is the recipient's email address to which this header relates. It would be different if we were to examine the header of the email as received by the other recipients.

The time and date of delivery to the server are shown. In this case the time is followed by the letters PDT, which refer to ‘Pacific Daylight Time’, and -0700, which means the time displayed is 7 hours behind GMT/UTC. This is not the time the email was read by the recipient.

Take particular care when interpreting times in Headers as they are specific to the location of the mail servers.
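The bottom-up reading of the header walked through above can be automated. The following is an added example, not part of the original post: it feeds a constructed raw header (example domains and RFC 5737 documentation IP addresses, not the real header used in the walk-through) to Python's standard `email` parser, reverses the Received lines so the hop nearest the sender comes first, extracts each hop's host and bracketed IP address, and normalises every timestamp to UTC so that the +0100, +0200 and -0700 offsets the text warns about can be compared directly. It also flags the Reply-To/From mismatch and confirms that no Bcc line survives delivery.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample (not the page's real header): addresses use example domains
# and the IPs come from the RFC 5737 documentation ranges.
SAMPLE_RAW = """\
Delivered-To: recipient@example.org
Received: from mx.example.net (mx.example.net. [198.51.100.25])
        by mail.example.org with ESMTPS id abc123
        for <recipient@example.org>;
        Mon, 20 Jul 2015 03:15:42 -0700 (PDT)
Received: from sender-laptop ([192.0.2.77])
        by mx.example.net (smtpd) id 0Lq1Wh-1Zv
        for <recipient@example.org>; Mon, 20 Jul 2015 12:15:40 +0200
From: Alice Sender <alice@example.net>
To: recipient@example.org
Cc: friend@example.com
Reply-To: payments@example-reply.test
Subject: Invoice attached
Date: Mon, 20 Jul 2015 11:15:39 +0100
Message-ID: <000001d0c2f4$12345678$abcdef00$@example.net>
X-Mailer: Microsoft Outlook 15.0
Disposition-Notification-To: Alice Sender <alice@example.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Please find the invoice attached.
"""

IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def _to_utc(date_str):
    """Parse an RFC 5322 date and normalise it to UTC so hops in different zones compare."""
    try:
        return parsedate_to_datetime(date_str).astimezone(timezone.utc)
    except (TypeError, ValueError):
        return None


def received_hops(msg):
    """Received headers in chronological order (bottom of the header first), one dict per hop."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())          # unfold the header's continuation lines
        host = re.search(r"\bfrom\s+(\S+)", flat)
        ip = IPV4_RE.search(flat)
        stamp = flat.rsplit(";", 1)[1].strip() if ";" in flat else ""
        hops.append({"host": host.group(1) if host else None,
                     "ip": ip.group(1) if ip else None,
                     "utc": _to_utc(stamp)})
    return hops


def summarize(raw):
    """Pull out the fields the walk-through examines and flag the usual red flags."""
    msg = message_from_string(raw)
    hops = received_hops(msg)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    return {
        "delivered_to": msg.get("Delivered-To"),
        "from": from_addr,
        "reply_to": reply_to,
        "reply_to_differs": bool(reply_to) and reply_to != from_addr,
        "read_receipt_requested": msg.get("Disposition-Notification-To") is not None,
        "bcc_visible": msg.get("Bcc") is not None,   # Bcc is stripped before delivery
        "x_mailer": msg.get("X-Mailer"),
        "message_id": msg.get("Message-ID"),
        "sent_utc": _to_utc(msg.get("Date", "")),
        "origin_ip": hops[0]["ip"] if hops else None,   # earliest hop is nearest the sender
        "hops": hops,
    }
```

Once every timestamp is in UTC, the three times in the sample line up (sent 10:15:39, accepted by the first relay 10:15:40, delivered 10:15:42) even though the raw header shows them as 11:15, 12:15 and 03:15 in three different zones. Note that the earliest Received line is written by the sender's own relay, so its "from" host and IP are only as trustworthy as that relay; a forged header can claim anything below the first line added by a server you control.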

Try copying and pasting an email header into the service at mxtoolbox.com. This service helps break down the route an email has taken to reach its destination.

For help finding the Extended Email Header in your particular service or client, check out Header Help.

As can be seen from the above example, Extended Email Headers provide a wealth of information about the originator and the content of an email, its path and recipients.

Genealogy – A Case Study

Guest Blog by Jo Blake

Find Jo at @taphophileuk

A basic knowledge of genealogy is of huge benefit when wanting to trace living people. You may know the person's details but not their current whereabouts.

Below is how I assisted an adopted person to be reunited with her birth family (NB all names and locations have been changed).

Starting Point

Ann had visited social services and had been told her birth name was Karen Hunter and that she was born on 1st May 1970 in Manchester.

Ann knew that her mother, Mary Hunter, was 18 when she gave birth to her and already had an 18-month-old female child. At the time of Ann’s birth, Mary was living at home with her mother (details unknown) at 123 Oldham Road, Manchester.

Records

My first port of call was Ancestry.co.uk

This website holds the full birth, marriage and death registers from 1837 when general registration began. These registers are not fully transcribed; however, all are scanned and fully readable.

The first thing to understand is that the registers are held by year, each year is split into quarters – January-March, April-June, July-September, October-December – so for every year there are 4 registers.

The registers are compiled in alphabetical order – so the register may be 400 pages long but you can skip to page 200 if that’s where you think the surname you are interested in may be.

If the records for that church that you are looking at are transcribed there is a simpler way, by searching on the person's details – Karen Hunter born 1970 Manchester. This will bring back a transcribed record with a link to the original entry as detailed above.

It is important to remember the person you are looking for will appear in the quarter when their birth is registered.  So someone born mid-late December could quite possibly appear in the registers for the January-March quarter of the following year and so on.

Research

I located the birth registers and selected the year 1970, and the April-June register, and selected the initial H – I checked that a Karen Hunter was registered in that quarter – and she was; it showed her mother's maiden name to also be Hunter, showing that Karen had been born out of wedlock.

The fact that there was only one entry for that name at that time for the right area meant it was definitely the correct entry.

The next thing I did was to run a search on the birth records for Karen's sister – I knew she was 18 months older than Karen and her mother would have the same maiden name.

A search on a female birth for 1968 in Manchester with the surname Hunter and a mother's maiden name Hunter revealed 2 matches. One was Deborah and one was Tracy. So it could only have been one of the two.

I then examined the electoral roll for 123 Oldham Road, Manchester for 1968, 1969 and 1970. Mary Hunter was there for all three years living with another female named Doris Wild. Ann knew that her mother Mary lived with her mother, so was Doris Mary’s mother? If so, why did she have a different surname?

I searched the marriage indexes for a marriage between a Doris Hunter and someone named Wild – sure enough there had been in 1962, she had married a Jack Wild.

Jack wasn’t on the electoral roll so a quick search on him revealed he had died in 1967. A search to see if Doris and Jack had had any children revealed the birth of two sons, Paul and John Wild.

Doris had had the surname Hunter.  I searched the marriage indexes again for a Doris marrying someone with the surname Hunter in the relevant area – searching around 1950 to allow for the marriage and birth of Mary.  There was one entry – Doris Brown had married Eric Hunter.

A search on Eric Hunter showed he had died in 1957, which explains Doris’s 2nd marriage.

I now knew that Ann’s birth mother was Mary Hunter and that her mother was originally Doris Brown. I also knew that Ann’s older sister was either Deborah or Tracy and that she had half uncles named Paul and John Wild.

I searched for any births recorded with the surname Hunter and the mother's maiden name Brown – there were 3 for the relevant area and one of those was Mary Hunter born 1952 – making her 18 in 1970 when Ann had been born, and the other two were probably her siblings.

I also searched for a marriage for Mary Hunter after 1970 – there were several marriages it could have been to the surnames Harper, White and Miller – so I noted them and kept them in mind.

Next Steps

Now I turned to researching Deborah and Tracy – presuming that they would by now be around 46 years old and probably married.  I searched the marriage records for both names and found marriages for both.

Social Media is a useful tool here – Facebook, Friends Reunited etc.  My first port of call was Facebook – I searched for Paul Wild and found two living in the relevant area – one of them was friends with a John Wild and a Mary Miller – which fitted in with the brother and half sister. Profile pictures and ‘About’ information on profiles often give valuable clues, even if the profile is locked down.

I looked at Mary Miller's profile and she had a friend named Tracy – a look at Tracy's profile showed her picture – she looked similar to Ann! Searches on these individuals on other websites also revealed that they lived in the immediate area to Ann and where she was born.

This was a relatively simple search assisted by a couple of unusual surnames and the fact none of them had ever moved away from the area.  This ended well with Ann meeting her birth mother, sister, uncles, aunts and younger brothers.

The birth, marriage and death records were invaluable in the above scenario and demonstrate how useful it is to go backwards to come forwards again and identify siblings and spouses etc. as a point of contact, if not the person themselves.

@taphophileuk

Viewing Image EXIF data

Exif stands for Exchangeable Image File Format and is sometimes called metadata, a term which actually refers to the tags of information stored in the Exif data. The correct designation is Exif, not EXIF.

Exif data is only available in images in .jpg or .tif format. Whenever an image is captured in one of these formats using a digital device, Exif data is generally embedded into the image as a series of tags. These tags are viewable by other devices because they are in a common format.

Exif data tags can include the date and time of image capture, the last image modification, the image capture device make and model, image capture information including flash activation, a thumbnail of the image, copyright information and GPS location data.

Be aware, though, that Exif data can be edited at any-time after the image has been captured, using software such as

http://www.colorpilot.com/exif.html

Exif data is usually transmitted with the image when you transfer it from the original device by saving it to a memory card, sending it by email, publishing it on a web page or backing it up to cloud storage. Some messaging applications do not transmit the Exif data with the image, such as iMessage on Apple devices.

Many web services such as Facebook and Twitter remove the Exif data from images before the image is published on the service. A notable exception to this trend is Flickr, which retains Exif data, which is viewable by users.

Exif data can easily be removed from an image using free software such as

www.easyexifdelete.com

There are several methods available to the researcher for viewing Exif data in an image and some of these are outlined below.

It should be noted however that when examining an image in an investigation, a working copy of the image should be created and examined, with the original being preserved in its original format for evidential integrity purposes.
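To show what the viewers described below are actually reading, here is an added example, not part of the original page, that builds a tiny JPEG carrying a constructed APP1 Exif segment (made-up camera name, timestamp and coordinates), walks the JPEG marker segments to find that segment, decodes the TIFF structure inside it (IFD0 plus the GPS sub-IFD, in either byte order), converts the degrees/minutes/seconds GPS rationals to the decimal form a mapping site expects, and, following the working-copy advice above, strips the Exif segment from a copy while leaving the original bytes untouched. It supports only the tag types the sample uses plus plain integer types; a full Exif reader would also follow the Exif sub-IFD and handle signed and floating-point types.

```python
import struct

IFD0_NAMES = {0x010F: "Make", 0x0110: "Model", 0x0132: "DateTime", 0x8825: "GPSInfo"}
GPS_NAMES = {0x0001: "GPSLatitudeRef", 0x0002: "GPSLatitude", 0x0003: "GPSLongitudeRef", 0x0004: "GPSLongitude"}

def _ifd(entries, base):
    """Pack a little-endian IFD starting at TIFF offset `base`; values over 4 bytes go after the table."""
    data_off = base + 2 + 12 * len(entries) + 4
    table, blob = b"", b""
    for tag, typ, vals in sorted(entries, key=lambda e: e[0]):  # Exif requires ascending tag order
        if typ == 2:    # ASCII, NUL-terminated
            payload, count = vals.encode("ascii") + b"\0", len(vals) + 1
        elif typ == 4:  # LONG
            payload, count = struct.pack("<I", vals), 1
        else:           # RATIONAL: list of (numerator, denominator) pairs
            payload, count = b"".join(struct.pack("<II", *r) for r in vals), len(vals)
        if len(payload) <= 4:   # short values are stored inline in the 4-byte value field
            table += struct.pack("<HHI", tag, typ, count) + payload.ljust(4, b"\0")
        else:                   # longer values: the field holds an offset into the data area
            table += struct.pack("<HHII", tag, typ, count, data_off + len(blob))
            blob += payload
    return struct.pack("<H", len(entries)) + table + struct.pack("<I", 0) + blob

def build_sample_jpeg():
    """Constructed test image (SOI, APP1 Exif, empty SOS, EOI); camera, time and location are made up."""
    gps = [(0x0001, 2, "N"), (0x0002, 5, [(51, 1), (30, 1), (0, 1)]),
           (0x0003, 2, "W"), (0x0004, 5, [(0, 1), (7, 1), (39, 1)])]
    ifd0 = [(0x010F, 2, "ExampleCam"), (0x0110, 2, "Model-X"),
            (0x0132, 2, "2015:07:20 11:15:39"), (0x8825, 4, 0)]
    gps_off = 8 + len(_ifd(ifd0, 8))   # the GPS IFD is written directly after IFD0
    ifd0[-1] = (0x8825, 4, gps_off)    # patch the GPSInfo pointer with the real offset
    tiff = b"II*\0" + struct.pack("<I", 8) + _ifd(ifd0, 8) + _ifd(gps, gps_off)
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xda\x00\x02\xff\xd9"

def _segments(jpeg):
    """Yield (marker, start, end) for each marker segment that precedes the scan data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xDA, 0xD9):   # SOS / EOI: no metadata segments follow
            return
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield marker, pos, pos + 2 + length
        pos += 2 + length

def find_app1_exif(jpeg):
    """Return the TIFF payload of the APP1 Exif segment, or None if the image carries none."""
    for marker, start, end in _segments(jpeg):
        if marker == 0xE1 and jpeg[start + 4:start + 10] == b"Exif\0\0":
            return jpeg[start + 10:end]

def strip_exif(jpeg):
    """Return a copy with the APP1 Exif segment removed; the input bytes are left untouched."""
    out, last = bytearray(jpeg[:2]), 2
    for marker, start, end in _segments(jpeg):
        if not (marker == 0xE1 and jpeg[start + 4:start + 10] == b"Exif\0\0"):
            out += jpeg[start:end]
        last = end
    return bytes(out + jpeg[last:])    # scan data and EOI are copied through unchanged

def parse_tiff(tiff):
    """Decode IFD0 and the GPS sub-IFD into {tag name: value}; handles both byte orders."""
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None or struct.unpack(endian + "H", tiff[2:4])[0] != 42:
        raise ValueError("bad TIFF header")
    tags = {}
    def read_ifd(off, names):
        for i in range(struct.unpack(endian + "H", tiff[off:off + 2])[0]):
            e = off + 2 + 12 * i
            tag, typ, n = struct.unpack(endian + "HHI", tiff[e:e + 8])
            size = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8}.get(typ, 1) * n   # bytes per element times count
            src = e + 8 if size <= 4 else struct.unpack(endian + "I", tiff[e + 8:e + 12])[0]
            raw = tiff[src:src + size]
            if typ == 2:
                val = raw.rstrip(b"\0").decode("ascii", "replace")
            elif typ == 5:
                nums = struct.unpack(endian + "II" * n, raw)
                val = [(nums[2 * k], nums[2 * k + 1]) for k in range(n)]
            else:  # SHORT/LONG (and 1-byte types) decoded as unsigned integers
                val = struct.unpack(endian + {3: "H", 4: "I"}.get(typ, "B") * n, raw)
                val = val[0] if n == 1 else val
            tags[names.get(tag, hex(tag))] = val
            if tag == 0x8825 and names is IFD0_NAMES:   # follow the pointer to the GPS IFD
                read_ifd(val, GPS_NAMES)
    read_ifd(struct.unpack(endian + "I", tiff[4:8])[0], IFD0_NAMES)
    return tags

def gps_to_decimal(tags):
    """Turn degrees/minutes/seconds rationals plus N/S/E/W refs into signed decimals (None if absent)."""
    if "GPSLatitude" not in tags or "GPSLongitude" not in tags:
        return None
    dms = lambda rats: sum((num / den) / 60 ** k for k, (num, den) in enumerate(rats))
    lat = dms(tags["GPSLatitude"]) * (-1 if tags.get("GPSLatitudeRef") == "S" else 1)
    lon = dms(tags["GPSLongitude"]) * (-1 if tags.get("GPSLongitudeRef") == "W" else 1)
    return lat, lon
```

Running `parse_tiff(find_app1_exif(build_sample_jpeg()))` returns the make, model, modification time and GPS fields as a dict, and `gps_to_decimal` turns the sample's 51°30'0"N 0°7'39"W into (51.5, -0.1275). Because the offsets inside the TIFF block are untrusted input from the file, a reader used on real evidence should bounds-check `src + size` against `len(tiff)` before slicing; the sample here is well-formed, so the slices simply come back short on a truncated file rather than raising.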

EXAMINING AN IMAGE USING FIREFOX WEB BROWSER

  • Install Firefox web browser from www.mozilla.org
  • Select the Add-ons tab (ctrl+shift+a)
  • Search for ‘Exif Viewer 2.00’ and install this add-on
  • Restart Firefox and open a new tab
  • Drag and drop your image into the main body of the browser from its location
  • Right click on the image in the browser and select ‘View Image EXIF Data’ from the context menu
  • When the Exif data window opens, scroll through the information. This information can be copied to your clipboard
  • You will see GPS data towards the bottom of the information. Click on one of the mapping links, e.g. Google Maps
  • The map will open in a new window. Consider using Google Street View or Google Earth functions at this point
  • When you have completed your examination, close all open tabs and windows etc.

EXAMINING A WEB IMAGE USING FIREFOX WEB BROWSER

As above – but instead of dragging the image into the Firefox browser open the webpage and right click on the image of interest in the webpage. Try this with the images at

exif.htm

If you want to try this with the Google Chrome browser, download it here

www.google.co.uk

and install an extension (add-on) called Exif Viewer 2.33 by Andry Virvich.

This places a small camera icon at the bottom right of any image containing Exif data.

[Screenshot: the Exif Viewer camera icon on an image]

Click on the camera icon to view the data.

EXAMINING AN IMAGE USING A WEB BASED TOOL

Web-based tools allow you to upload an image from your device and provide you with a detailed analysis of the Exif data, including GPS mapping. They can be accessed from any browser on any operating system:

exifdata.com

fotoforensics.com

Some web based tools also allow you to remove exif data from your images

verexif.com/en/

and some tools even display the direction the device was facing when the image was captured

http://regex.info/exif.cgi

EXAMINING AN IMAGE ON A MOBILE DEVICE

There are several applications that can be installed on mobile devices to examine Exif and GPS data in images. Koredoko is one that I have tested and it works well. It's available on iOS and Android platforms and is free. Check out the developer's website here and download the app from your app store:

Koredoko