Using Traditional Forensic Tools in an OSINT Environment


What do you do when you want to perform an investigation, but don’t have any media? At times I have wanted to connect the dots, disprove theories, or just view things from different angles. Stuff that’s easy to do when you have media like phones or hard drives and an analytical tool like Truxton. But, if all you have are sites on the web, what is a resourceful OSINT investigator to do?

Well, we have Python…

We can write a script to do things normally done by exploitation tools during media processing. We will create an investigation, add media to that investigation, add files, events, etc. To demonstrate this, we need something familiar, safe, confusing, and public. The Michael Flynn case is a perfect fit. There are lots of actors, sworn testimony, behind-the-scenes worker chit chat, investigation results, and news reports, all of which are downloadable from websites. This investigation was given the name ‘Crossfire Razor’.

Locate an Article on the Web and Save as a PDF
Enter the Names, Dates, Tags and Description of the Article in Python (Sample code is available here).

The process of writing the script was an exercise in creating several utility functions to make adding files and events far easier than calling the Truxton API directly. When an interesting document is found, a new function is added to the script which adds the file (if present), adds a URL to record where the document came from followed by any geographic locations, events, entities, etc. This provides a straightforward way to add new data. After writing our script (downloadable here), we run it to populate Truxton. Now we can poke around the results and get new perspectives on the data.
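As an added example (not the article's downloadable script), here is the kind of utility layer it describes: one helper call per document records the saved file's hash, the URL it came from and the events extracted from it, and a timeline function reproduces the day-count view used later in the article. Truxton's API is not shown on the page, so the records are held in an in-memory `Investigation` object; that object, the field names and the sample documents are assumptions standing in for the real API calls.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import date

@dataclass
class Event:
    when: date
    description: str
    tags: tuple = ()

@dataclass
class Document:
    name: str
    source_url: str   # where on the web the document was found
    sha256: str       # hash of the saved PDF, so the file can be matched later
    events: list = field(default_factory=list)

@dataclass
class Investigation:   # assumption: stands in for a Truxton investigation
    name: str
    documents: list = field(default_factory=list)

    def add_document(self, name, source_url, content, events):
        """One call records the file, its origin and the events extracted
        from it, the same role the article's per-document functions play."""
        doc = Document(name, source_url, hashlib.sha256(content).hexdigest())
        doc.events = [Event(when, desc, tuple(tags)) for when, desc, *tags in events]
        self.documents.append(doc)
        return doc

    def timeline(self, tag=None):
        """Events sorted by date (optionally filtered by tag), each with the
        number of days elapsed since the earliest event in the selection."""
        evs = sorted((e for d in self.documents for e in d.events
                      if tag is None or tag in e.tags), key=lambda e: e.when)
        return [((e.when - evs[0].when).days, e.when, e.description) for e in evs]

# Constructed sample: dates follow the article's narrative; contents and URLs are placeholders.
crossfire = Investigation("Crossfire Razor")
crossfire.add_document("opening.pdf", "https://example.invalid/opening", b"pdf-1",
                       [(date(2016, 8, 16), "Investigation opened", "case-status")])
crossfire.add_document("closing.pdf", "https://example.invalid/closing", b"pdf-2",
                       [(date(2016, 11, 8), "First request to close case", "case-status"),
                        (date(2016, 12, 26), "Case ordered closed", "case-status")])
crossfire.add_document("call.pdf", "https://example.invalid/call", b"pdf-3",
                       [(date(2016, 12, 29), "Flynn-Kislyak phone call", "contact")])

if __name__ == "__main__":
    for days, when, desc in crossfire.timeline("case-status"):
        print(f"day {days:3d}  {when}  {desc}")
```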

Since we added names and photos of the key players in our script, Truxton can automatically import them as Subjects in the UI.

Imported Docs Shown as Events in Truxton

Here we can see the 192 events we manually extracted from 59 different documents. The list view of events is good for filtering by type, sorting, and reading the descriptions. Here we can see the investigation began on 16 Aug 2016 and not much happened through November 2016. Paging through the entries we can see there are more events in December 2016 through January 2017. A better way to understand this is to switch to the Timeline view.

Events Presented in the Truxton Timeline

By clicking around here, you can get a better feel for how the events flowed. You can see the investigation winding down. The first request to close the case was on 08 Nov 2016. 82 days of investigation produced nothing. On 23 Dec 2016 we see more winding down with the termination of National Security Letters for the case, and on or about 26 Dec 2016 the case was ordered closed after 132 days. Here’s where things begin to get interesting. On 29 Dec 2016, Flynn called Sergei Kislyak. This is the now-famous phone call. After this phone call, we can see a flurry of activity. It begins with Robert Litt, the DNI General Counsel, on 03 Jan 2016. He read the transcript of the call and told DNI Clapper that this could be a violation of the Logan Act of 1799 (a 216-year-old law that has resulted in zero convictions).

The next day you see a fella at FBI having a stroke trying to NOT close the case. Technically it had already been closed, but the IT system had not yet been updated. On 05 Jan 2016, FBI Director Comey informs the White House. After this come some strange events: the lead investigator quits the investigation and the remaining team members purchase professional liability insurance. We then see the communications leading up to the interview of Flynn on 24 Jan 2017. After that, we see the entire team discussing things like the validation of statements, Logan Act violations, etc. After that, a new round of NSLs is issued.

Being able to use the desktop to organize these events and review the source documents has allowed me to notice things that I haven’t seen anywhere else. By tagging events and grouping them together, I came to the conclusion that the Director of NSA, Mike Rogers, was not a team player.

Another thing I found odd was that after the Flynn interview and decision to prosecute was made, the low-level investigation people seemed very uncomfortable about the situation.

As we can see, the ability to leverage basic Python scripting with a forensic tool like Truxton allows OSINT analysts to quickly import, tag, and correlate information found on the web to provide an organized, sequential presentation of any activity, even without traditional forensic media!

This article was written by Sam Blackburn of Truxton Forensics. Truxton is an easy-to-use forensic software that processes & analyzes digital evidence from multiple sources all in one automated platform. To learn more about Truxton, visit truxtonforensics.com.
