The world wide web is a constantly fluctuating ocean of information. Investigators often have to navigate through massive currents of data to find a few pertinent threads. A technique or tool that you use today may not be the same or even available tomorrow. But as Stephen Hill, Ph.D., MLPI, CIIP, managing director at Hill Bingham Ltd, said in his virtual session at the 2020 ACFE Fraud Conference Europe, “At the end of the day, a search engine is a database, and you’re running a query against that database.”
Granted, it’s a very big database.
The goal for open source intelligence gathering is to take something broad and find the query that will narrow it down to the specific information you need. The key to doing this is your creativity. Although the tools and techniques might evolve as time passes, here are three important building blocks you need when using open sources to gather financial crime intelligence.
Choose a browser that prioritizes privacy
Often the targets you’ll be investigating will run their own websites. This means they can see every IP address that visits their site. It’s imperative for an investigator to view sites safely without giving away who or where they are. The first thing to consider, according to Hill, is your browser. You want a browser that prioritizes privacy for the user.
Apart from the fact that your location and activity are tracked on around 75% of the sites you visit, as Hill informed session attendees, many popular websites also use filters to personalize search results. This means that when you conduct a search, your results will be biased toward sites and content that you’ve previously visited. This may be useful when you want to find a nearby restaurant for dinner but not so much when you’re trying to conduct an investigation. Here are the five browsers Hill recommends:
Diversify your search engines
Google is currently the most popular search engine, but as Hill pointed out, that could easily change. There are already other search engines that are vying for the position. “Google is not the be all and end all. It’s certainly a useful tool, but it has restrictions,” Hill said.
Each search engine has its own list of strengths and weaknesses, so it’s vital to know which one to use for different tasks and to diversify your search results. Here are a few that Hill reviewed during his session.
Google: It has one of the largest databases, but it’s specifically designed to show you the most popular results. A simple search for the term “ACFE” returns more than two million results. No one has time to go through that many results. Using some advanced features, investigators should aim to get anything below 1,000 results when conducting a Google search. “A really good, creative query can get you to double, if not single, digits,” Hill advised.
Bing: This search engine uses a different database than Google, so while some of the results might be similar, it will return different pages than a Google search. One cool feature with Bing is that you can change your location. If you know a target is in Denmark, but you are in the U.K., then you can use Bing to localize your search results to the target rather than yourself.
DuckDuckGo: Hill classified this one as a specialty search engine because of its extreme focus on user privacy. All searches are anonymous on DuckDuckGo. It can be used on both the clear and dark nets. In fact, if you download the Tor bundle, you’ll get a customized version of Firefox as your browser with DuckDuckGo as the default search engine. It’s also classified as a metasearch engine because it uses several different databases for its search results.
Build a personalized open source toolkit
“We need to think about how we can limit the amount of time we need by using the most productive techniques to get our end result,” Hill said. To do this, an investigator should develop a toolkit — a set of websites, tools and techniques available to use on every investigation. Hill suggested keeping them organized using a site called Symbaloo, but there are several different options for keeping your toolkit organized. The goal is to be able to log on to any device and access your toolkit.
Hill also mentioned that it’s a good idea to get organizational buy-in for compliance purposes. Say you get a new team member and they suggest an awesome new tool to use. Before the whole team jumps in, the tool can be tested and approved by the compliance team so that all searches and information-gathering efforts are legal. If it’s approved, add it to the toolkit. If not, keep using the tried-and-true tools.
Ask the right question, get the right answer
“The client at the end of the day doesn’t want page after page of everything you’ve found,” Hill told attendees. “They want the answer.” These three building blocks will help you figure out the right questions to ask so that you can get to your answer in a quick, reliable manner. Ultimately, you will have a strong foundation for your open source intelligence efforts, which you can expand upon and evolve right along with the ever-changing web.