Wednesday 31 October 2018

Solving an OSINT Challenge


During the SANs SEC487 class, Micah provided a link to an Instagram picture while demonstrating the many techniques on social media intelligence. During the talk, he challenged the class to find the location of this image. It wasn't an official challenge but i was intrigued and i want to challenge myself to see what i could find. Of course it was 2 pm and my after lunch syndrome kicked in and my eyes were tired but this surprise challenge is what prevented me from sleeping in class!

So the challenge was: Find the location of this image. An image the trainer took and posted on his Instagram.
The Flag: Find this place
First thing i did was to screenshot the image, open in paint, save in JPEG format and look at the possible clues in this image.



Extracting the Image from Instagram 

Potential clues/artifacts that could be pivoted

After looking at the clues, I did what many would probably do - use Google Image to see if similar images would provide me the answer - but as i expected... all were strikingly similar but none were the answer.

Google Image results


Next, using Google search and with the two clues 'Constitution' and '2000', i attempt to see if any results would actually makes sense to me. As the image appeared to be possibly a park, keywords 'constitution' and 'park' were used but the results were plenty. I am definitely not going to use each of these results and locate them in Google Maps.
Results when keying the term 'constitution park'
I then used the keywords '2000' and 'constitution' and I got a result that sounded American and the others just didn't make sense to me.

Results when keying in '2000 constitution'
 Using the result '2000 constitution ave' and put it on Google Maps, i found something. But it didn't look like a public park to me. So yeah, definitely not the answer.
Trying out the first 'logical' result

Similarly to using Google search engine, i tried the same keywords on Google Maps and again, plenty of results. I was sure it's one of the hundreds but I don't think i was gonna visit one by one. 

Google Map's results when keying '2000 constitution'

Google Map's results when keying '2000 constitution park'
So after wasting over 20 mins, i went on to find another way. This time I need to find information that could tell me where he was at that time. The clue was at his Instagram pic on a publicly set URL link. Date: 17 November 2017.

Date of Picture Posted

What i did then was to visit his Instagram account in the hopes of getting to see what other pics he might have posted that could provide some clues to where he was at. But unfortunately, his Instagram account was set to Private! So nothing!

Instagram Account is Private
I even went to his personal website and find posts within the date range of 10 November to 20 November but nothing! Absolutely nothing that could help me. Then i recall he has a Twitter account that was set to public! With his twitter handler and using advanced search, i was hoping to find something.

Twitter Advanced Search Option
 That's when i found a single post that could be the holy grail to find what i eventually was looking for. It was a Retweet of a post from a Twitter account tagging him - dated 14 Nov 2017!
Retweeted on 14 November. A possible clue!
 Accessing the original post, the next clue was '@hcpss_arl'. And yeah that's him for sure!

Confirmed his physical presence at this location
Visiting the Twitter account of @hcpss_arl led me to its website

Twitter Profile of HCPSS ARL
Visiting the Twitter account of @hcpss_arl led me to its website and the address! The Google Map link was definitely a bonus!
  
Address of the institution Micah was at
Now that I am here, what next??????

Location of the Institution on Google Maps

This is where my keywords search came in handy! If you have not notice it before, Google Maps provide results that are nearest to the location you are viewing at that moment. So by typing 2000 constitution it will get me all the address with 2000 constitution closest to the location of the map i am currently viewing. In this case it showed as 2000 Constitution Avenue Northwest Washington, DC. 

The first result that is closest to the institution

The distance from the institution to the 2000 Constitution Avenue
 This was the time my confidence level shot up because the location definitely looks like a park to me!
Looks like a Huge Park!!!


Now time to find where exactly the location of the image was taken. Street View to the rescue!!

Street View of the location 
 And finally!!! Found the exact location where the artifacts in that original image are present - now on the Street View itself!

Location Finally Found!

When i showed this to a classmate, he asked a very good question. The Tweet was dated 14 November and the image posted on his Instagram was dated 17 November. So in a way, although i got my answer right, I was actually drawing invisible dots to connect the timeline of events. 

This was where I need to come out with a theory myself to justify my connecting of the invisible dots... so two theories are:
1) Micah could have stayed a few days around the area of the institution before he drove down to the park on the 17th.
2) Micah could have drove down to the park after his lesson, took that pic on 14 November itself and decided to post it on the 17th instead.

Only the trainer knows the logical and true answer and unfortunately I wasn't able to get it from him. But i was pleased to see his reaction when i told him that I found the location and his response was "Oh You Did?!".  I am definitely not sure if this was how it was intended to find the location to the image and I'm sure some of the readers stumbling upon this blog would probably go... "meh.." but nonetheless I was happy to 'capture the flag'!



Tuesday 30 October 2018

SANS SEC487 OSINT Training and CTF

I had a great week attending the OSINT SEC487 training conducted by SANS here in Singapore. Initially i wanted to take the SANS Cyber Threat Intelligence FOR578 training as my current field of work is exactly that however, due to schedule and commitment, i couldn't sign up for it. But as I was going through the list of available training that could benefit and enhance my daily job, i stumbled into this OSINT course and thought this could definitely help for my everyday investigation. You see, part of my job is to analyse threat actors, their IOCs, researching about their TTPs and all those CTI stuffs using open source and tools to deliver the work. So when i saw the modules of this training, I knew this would be something that would definitely benefit my current scope of work.

Micah Hoffman (@webbreacher) the OSINT trainer

The wallpaper of the VM provided for the training

I thoroughly enjoyed the training and Micah was a great trainer, well spoken and easily understood. In spite of me doing OSINT and applying it during my work and personal research since 2013, I learned a handful of new things, new techniques and new features of every day things we rely on during the course of training. I would definitely recommend anyone who wants to have an understanding of OSINT especially if you are in the field where you have to rely on open source resources, fundamentals of the deep and dark net and a feel of finding information legally without hacking. One should consider having this training. I do hope SANS would consider exploring an advance version of this expanding its 'sock puppet' technique into a full cyber HUMINT for intelligence collection, gathering, analysis and reporting as a module.

While the training is all fun and good, I was greatly looking forward for the sixth day Capture the Flag event! That's when you get to apply the techniques you learned and apply them AND if you do well, the winning team will get the rare SANS coin. 

The SANS SEC487 CTF winner coin


The CTF on the sixth day was a tough one. It wasn't straight forward. You don't know if the answer you found was the right answer and the good thing was you can use whatever technique you learned to find them. The more you think out of the box, the more ways you are able to expand your findings. To win this CTF was not just by doing well but you need to present your findings to everyone and eventually be voted by everyone. In that manner, it was indeed a tough process to win. Imagine thinking you have done well but eventually not voted as the winner. So yeah, tough one!

So after a full five hours of 'find, research, analyse, recommend and report' I was happy that our team - all very passionate in their tasks were able to be voted the winner! 

The winning team posing with the trainer

This is my third SANs training and the third time winning their sixth day CTF challenge! The last time was way back in 2013!

SANs 560 (GPEN), 542 (GWAPT) and 487 (OSINT) CTF coins.

Blogposts on past SANs CTF experiences:
http://securityg33k.blogspot.com/2013/09/sans542-gwapt-ctf-won.html
http://securityg33k.blogspot.com/2013/11/sans-560-gpen-training-and-ctf-event.html
http://securityg33k.blogspot.com/2014/01/sans-holiday-hack-challenge-2013.html