A friend of mine contacted me recently with questions about an investigation she was working on. We discussed many topics during our conversation, including online investigations and how a savvy investigator can connect the dots between seemingly small pieces of information in order to find more significant pieces of the puzzle. The puzzle in this case was putting together a profile of factual information about the subject of her investigation. Whenever someone wants to discuss open source intelligence gathering, or putting together data points from across the internet, I of course take great interest in the topic at hand. My friend was (like many people) unaware of just how much personal data is available on each of us, freely available to anyone who has an interest in finding it. I also took the opportunity to educate her on the safety concerns with this fact, especially to someone in her profession.
To illustrate my point, I asked her to imagine me as a bad guy who was motivated to harm her or enact some form of vengeance, for whatever reason. I asked if she wore a name badge on her uniform at work. She told me she wore a name badge that displayed her last name and her first initial. I will obviously keep her real information confidential here, so for the purposes of this post, the name on her name plate displayed “M. Johnson”. I explained that simply by knowing that little piece of information, combined with the agency she worked for “River City Police Department”, that an adversary already had a good foundation of data points to begin “connecting the dots”. She was curious to say the least to see where that could lead, and maybe a bit concerned.
As we continued our conversation I went online and began to search. A publicly available database in her state which lists salary information for all public employees confirmed that she did in fact work for River City Police Department. It listed her full first name “Michelle” and her salary for the past several years. With her full name at my disposal, I quickly found her Facebook profile (which was set to ‘private”) and two other social media accounts that were open to the public. Within about 30 minutes I located her current address at about 20 different people search websites, several of her previous addresses, phone numbers, email addresses, and even her date of birth. Her social media accounts led me to the names and addresses of family members, and far too many photographs for me to pursue in that short amount of time. Some of the photographs were found on her ‘private” Facebook profile, along with comments, posts, and locations she frequented, and photographs of her two children…and of course her cat, “Edison”. The ability to search ‘private’ Facebook information is a well known technique used in online investigations and most people have no idea so much information can be obtained even after they set their profile to “private”.
From one photograph I saw what type of vehicle she drove and a search on her name at a VIN checking database gave me the exact make, model, VIN, and the finance company she used when she purchased it in 2013. A Google Maps street view image of her house confirmed that the vehicle is typically parked in her driveway on weekends, and that her backyard looked like it had a large children’s play set near the swimming pool. The layout of the roof of her home showed me the likely locations where bathrooms, kitchens, and bedrooms would be located. Other photos showed her friends and the local restaurants they frequent. She enjoys red wine, classic rock, and she went to Florida on vacation in March of last year. Oh, and her brother smokes a lot of marijuana and appears to be the family outcast.
During our conversation “Michelle” allowed me to log into her Google account for the purpose of showing her a few other things I thought she would want to know about. As with most people, her Google account revealed every location she had been while carrying her phone in the past six years since she signed up for her account. A map conveniently showed her path (for six years) of everywhere she had been, broken down by date and time. It also showed every search she had ever typed into Google during that time period, the websites she visited, and for convenience, her personal searches were of course searchable. She was happy to hear that all of that information can be deleted, and I showed her how to adjust her settings so that Google would not log her activity in this way.
I purposely omitted the exact searches I used and the different ways that an investigator (or a bad guy) could have found some of that information. For OPSEC reasons, this isn’t the place to discuss those methods. Being aware of how easily information can be found and put together is the lesson here. If I had devoted another 30 minutes to searching, or another day, week, or month…just imagine how much more complete my profile on her could become. If an adversary has the time, money, and motivation to find you; how easily could you be compromised?
Needless to say “Michelle” reads my blog regularly nowadays and she has used the resources I recommend to greatly reduce her online profile. I checked (based on her request) and I was impressed at how much information she has been able to remove about herself. Most importantly, this new awareness has given her piece of mind and an understanding of why privacy and protecting our vital personal information is important.
As usual, I will leave you with a few links to read more in-depth about this topic. Don’t skip these.
98 personal data points that Facebook uses to target ads to you: LINK
How did Facebook get my number? And why is it giving my name out to strangers? LINK
Reddit – Guide To Leaving Facebook: LINK
What Does Google See in You? LINK
Your Google Activity: LINK
Check your app permissions here: LINK
Yout personal information that Google is holding; edit and change privacy settings here: LINK
Here you can control targeted adds when you are logged into Google as well as when your signed out: LINK
Check your location history here: LINK
Your Youtube history here: LINK
Google privacy check-up here: LINK