April 21, 2021
OSINT for Ghost Hunters: How to Find Someone Who Doesn’t Want to be Found
Laura O'Driscoll
Content Manager
The digital environment gives twenty-first-century investigators a novel advantage. Virtually everyone now has a basic digital footprint that is hard to erase, making it difficult for the modern-day criminal to go full "Lord Lucan". And many fugitives from justice continue to sprinkle data across the open source internet with far less discretion than you - or they - might realize.
But whilst the digitization of everyday life has made it harder for criminals to disappear entirely, it’s still not easy to find someone who’s made significant efforts to cover their tracks. After all, “Billion Dollar Whale” Low Taek Jho - the alleged mastermind of the $4.5 million 1MDB scandal - had been flying under the Interpol radar since 2016.
Successfully tracking a fugitive across the badlands of the internet is a question of skill, capability, and resourcefulness. A well-designed approach to open source intelligence (OSINT), supported by the right tools and technologies, is an investigator’s best bet to hunt down these digital ghosts.
Criminal Masterminds: Bad at Spelling?
The first principle to bear in mind - before you even begin scouring the internet - is that you are not just looking for one person. You’re looking for a hundred different reflections and refractions of that person.
One of the most common techniques an individual will use to scuff dirt over their digital tracks is to vary their own name. This could be anything from a nickname (“Joe” instead of “Joseph”), to a misspelling (“Josxeph” instead of “Joseph”), or an alternate spelling (“Jozef” instead of “Joseph”). They may also use different combinations of middle names, maiden names, or even different alphabets, to scatter the trail.
To identify and verify these aliases you need to build a strong enough picture of the subject’s overall data profile so that you can recognize a disguise when you see it. That way, if you’re looking for “Joe Bloggs” and you find “J. A. Z. Blögges”, you can rely on data such as date of birth, home address, and linked individuals, to tell you if you’re looking at the same person. Coverage of friends and family is also critical. Alternate profiles might be given away by something as simple as a background appearance in a geotagged photograph on a friend’s Instagram, or a newly-created Facebook account that interacts regularly with family members.
Social Media: More than Just a Pretty Footprint
When most people think about digital footprints, they think about social media. Each different platform offers unique investigative opportunities. Twitter automatically geolocates many posts; Instagram holds visual clues for advanced geolocation (historically used to both good and bad ends); Vkontakte-linked FindClone is notorious for its facial recognition capabilities, and Snapchat’s “Snap Map” is a rich source of location-specific data.
Many such uses are now well established within investigative circles. Individually, they yield interesting but finite data; cleverly combined, through applying a creative mindset and a quality toolkit, they can offer far more.
In one case last year, the FBI used a resourceful combination of Instagram, Etsy, and LinkedIn to track down a masked protester in Philadelphia. To identify the woman, agents cross-referenced television helicopter footage with photos and videos taken from Instagram and Vimeo. They traced her T-shirt to a specific shop on Etsy, with a review linked to a Philadelphia-based user. Searches based on the Etsy username brought up another profile from a different website: this time linked to a name. Searches for a woman of this name, based in Philadelphia, led investigators straight to the suspect’s LinkedIn profile.
Getting Under the Skin: the Deep and Dark Web
The deep web refers to those parts of the internet that aren’t searchable through standard search engines. And this sphere is enormous: in 2001 the deep web was estimated to be 400–550 times larger than the surface web, and it has been growing ever since.
Most of the deep web is home to the benign kinds of data that you wouldn’t expect to find on Google, but which can usually be accessed through a certain “gateway”: from public databases to personal email accounts, company intranets, and digital file-shares.
Much of this space is deliberately open source, including many less obvious sources of useful data: from government datasets, corporate registries, court records, and compiled public records services, to political donations, lobbying activities, and campaign finance. These might sound like dry number-crunching exercises, but they can yield unexpectedly rich data. It’s one thing to wipe out your social media, but another thing entirely to try and scrub your name off data drawn from hunting or firearms licenses, utilities records, motor vehicle records, or voter databases.
What’s more, these records can hint at the hobbies, relationships, and habits that an individual is likely to carry over into their new life. Political donations or lobbying records might highlight key support relationships. An SEC filing might flag up the name of a trust or offshore entity used to own physical residences. Someone with a love of yachting might pop up again in a favorite location or market. Names change, but habits often don’t.
Archived information is another important consideration if you’re looking for someone with a trigger-happy finger on the “delete” key. Search engines will hold cached versions of a site for a certain amount of time, but catching these before they are removed can be touch and go. Certain websites exist specifically to archive old web pages. These will not be “googleable” but are openly accessible, and can be invaluable sources for information that someone has tried to conceal, remove, or edit out of digital history.
Then, of course, there’s the dark web. Thought to occupy just 0.01% of the deep web, what it lacks in size it makes up for in significance. Illegal activity isn’t the only thing that happens here, but it is where most online skulduggery does occur. For criminals, anonymity makes for a great playground. For investigators, this gloves-off attitude makes for a potentially fruitful, but high-risk, source of data. There are significant legal caveats and risks to personal safety that make entering and exploring the dark web oneself inadvisable. OSINT tools that extract relevant data safely, legally, and anonymously from the dark web are an invaluable investigative asset.
Mastering the Basics: Do you already know more than you think?
If you tug for long enough at the right thread, the sweater will unravel. Properly exploited, the smallest and most innocuous piece of data can eventually crack open a case. One of the biggest mistakes an investigator can make is not to take full advantage of the basic data at their fingertips.
In 2018, for example, investigators at Bellingcat used just one physical address to identify 305 Russian military intelligence officers. The officers had all used the same address (that of Russia’s Military Academy of the Ministry of Defense) to register their cars: data which was publicly available on a Russian automobile ownership database. Success, after all, isn’t just about having more data. It’s about how well equipped you are to use it.
Advanced OSINT technology will help investigators not just to collect the data they need from across all three layers of the web, but to exploit it to its full potential. When time and money are of the essence - as they always are when someone is on the run - advanced technology can support analysis by foregrounding patterns in disparate data that would not be obvious to the human eye. The right tools can recognize aliases and account for anomalies, drawing on related individuals, buried and archived sources, to flesh out missing parts of the picture. Beyond that, it’s up to human determination and ingenuity to find the story hidden in the data - and to act before the trail goes cold.