```
├── reports
│   ├── README.md
│   ├── Domain and Website Analysis Report.md
│   ├── CTI Report 2.md
│   ├── Compliance Analysis Report 2.md
│   ├── CTI Report 1.md
│   ├── GEOINT Report 1.md
│   ├── Compliance Documentation Report 1.md
│   ├── Communication Patterns Analysis Report 1.md
│   ├── Individual Investigation Report.md
│   ├── Blockchain Investigation Report 2.md
│   ├── Blockchain Investigation Report 1.md
│   ├── Network Reconnaissance Report.md
│   ├── Company Investigation Report.md
│   ├── GEOINT Report 2.md
│   └── Communication Patterns Analysis Report 2.md
├── playbooks
│   └── README.md
├── manuals
│   ├── README.md
│   ├── ai-media-forensics-manual.md
│   └── paranoid-opsec-manual.md
├── checklists
│   ├── README.md
│   └── ai-detection-checklist.md
├── appendices
│   └── README.md
└── README.md
```

/reports/README.md:

(empty file)

/playbooks/README.md:

# 📑 Playbooks

This directory contains **operational playbooks** for investigators, SOC teams, and OSINT/DFIR practitioners. Playbooks provide **structured workflows** that guide analysts step by step during specific scenarios.

## 🎯 Purpose

* Define **repeatable procedures** for common investigative and incident response cases.
* Ensure **consistency** across teams and analysts.
* Serve as **training and reference material** during live operations.

## 📂 Example Playbooks

* **Incident Response Playbook** – handling security incidents from detection to remediation.
* **Phishing Analysis Playbook** – workflow for investigating phishing campaigns.
* **OPSEC Playbook** – operational security best practices for investigators.

## 🛠️ Usage

Playbooks are meant to complement:

* 📘 **Manuals** (in `/manuals`) for deep background and methodologies.
* ✅ **Checklists** (in `/checklists`) for quick actionable steps.
* 📂 **Appendices** (in `/appendices`) for supporting scripts, tools, and references.

/manuals/README.md:

# 📘 Manuals

The manuals in this directory serve as foundational guides for investigative and analytical work in the cyber intelligence domain. Each manual combines methodological depth with actionable procedures, offering practitioners clear, consistent, and adaptable resources for complex investigations.

## 🎯 Purpose

* Deliver **full-spectrum guidance** for investigators and analysts.
* Provide **step-by-step procedures** for forensic verification and analysis.
* Serve as **reference documents** that complement checklists and playbooks.

## 🛠️ Usage

Manuals are designed for **deep-dive analysis** and should be used alongside:

* ✅ **Checklists** (in `/checklists`) for quick, field-ready tasks.
* ⚡ **Playbooks** (in `/playbooks`) for workflow-oriented procedures.
* 📂 **Appendices** (in `/appendices`) for tools, scripts, and technical references.

### 🔖 Credits

Maintained by **oryon** + **[OSINT360](https://tntpp9.short.gy/osint360-gpt)**.
This document is part of the **[Cyber Intelligence Toolkit](https://github.com/oryon-osint/cyber-intelligence-toolkit)** project.

/checklists/README.md:

# ✅ Checklists

This directory contains **operational checklists** for investigators, OSINT analysts, and forensic practitioners. Checklists are designed as **concise, step-by-step guides** that can be applied quickly in the field or during investigations.
## 🎯 Purpose

* Provide **short, actionable references** without lengthy explanations.
* Support **rapid triage, verification, and validation** tasks.
* Ensure **consistency and completeness** in investigative workflows.

## 📂 Example Topics

* **OSINT Checklist** – structured process for open-source intelligence collection.
* **Forensic Lab Setup** – minimal requirements and configuration validation.
* **AI Detection Checklist** – quick steps for identifying AI-generated images, audio, and text.
* **Incident Verification** – ensuring claims match digital evidence.

## 🛠️ Usage

Checklists are meant to complement:

* The **Manuals** (in `/manuals`) for in-depth context.
* The **Playbooks** (in `/playbooks`) for workflow-oriented procedures.
* The **Appendices** (in `/appendices`) for technical details and automation.

### 🔖 Credits

Maintained by **Oryon** + **[OSINT360 GPT](https://tntpp9.short.gy/osint360-gpt)**.
This document is part of the **Cyber Intelligence Toolkit** project.

/appendices/README.md:

# 📂 Appendices

## 🎯 Overview

The **Appendices** directory contains supporting resources that complement the manuals, playbooks, and checklists in this repository. These files provide additional depth, reference material, and technical aids that enhance investigative workflows.
This section is designed to serve as a **resource hub** for:

* Supplementary tools and utilities
* Automation scripts and command snippets
* Technical references and data tables
* Templates for case logs and documentation

Appendices are not standalone manuals but instead provide **quick-access resources** that strengthen the core content of the repository. They are especially valuable when analysts need ready-to-use materials during field operations or forensic analysis.

## 📂 Example Contents

* **Tools Matrix** – curated list of open-source utilities with usage notes.
* **Automation Snippets** – ready-to-run command-line scripts and code fragments.
* **Case Log Templates** – standardized documentation formats for investigations.
* **Reference Data** – mappings, standards, or cross-check tables.

## 🛠️ Usage

* Use appendices alongside the **Manuals** for detailed context.
* Apply them with the **Playbooks** to streamline workflows.
* Refer to them when using the **Checklists** to ensure technical accuracy.

/README.md:

# Cyber Intelligence Toolkit

## 🎯 Overview

The **Cyber Intelligence Toolkit** is a curated collection of manuals, playbooks, checklists, and appendices built to support a wide spectrum of investigative and analytical tasks. It equips investigators, analysts, and practitioners with structured, reliable, and actionable references for digital investigations — from rapid verification and OSINT workflows to deep forensic analysis.

This repository emphasizes:

* **OSINT (Open-Source Intelligence):** Methods for discovering, verifying, and analyzing information from open sources.
* **Digital Forensics:** Workflows and tools for verifying authenticity of media and digital traces.
* **AI & Synthetic Media Detection:** Practical approaches to identify AI-generated content across text, images, audio, and video.
* **Operational Security (OPSEC):** Guidelines and best practices for protecting investigators during sensitive operations.
* **Investigation Frameworks:** Standardized methodologies to ensure consistency and reproducibility.

The toolkit combines theory with hands-on procedures, making it suitable for quick field use, structured analysis, and long-term investigative projects.

## 📂 Repository Structure

```
cyber-intelligence-toolkit/
│
├── manuals/       # Full manuals & guides (in-depth methodologies)
├── playbooks/     # Workflow-driven procedures for investigations
├── checklists/    # Concise step-by-step verification guides
├── appendices/    # Tools, automation snippets, references
└── README.md      # This overview
```

## 📌 Audience

* OSINT practitioners
* Digital forensic analysts
* Cyber threat intelligence teams
* Investigative journalists
* Security & compliance officers
* Researchers and educators

### 🔖 Credits

Maintained by **oryon** + **[OSINT360](https://tntpp9.short.gy/osint360-gpt)**
This document is part of the **[Cyber Intelligence Toolkit](https://github.com/oryon-osint/cyber-intelligence-toolkit)** project.
/reports/Domain and Website Analysis Report.md:

---
title: Domain and Website Analysis Report - [Domain Name]
date:
tags: [domain-analysis, website-investigation, DomainName]
status: [Not Started, In Progress, Completed, On Hold]
---

## Executive Summary
- **Objective of Investigation**: Perform an in-depth analysis of [Domain Name]'s registration details, hosting information, content review, and online reputation to identify potential security risks, legal issues, or fraudulent activities.
- **Key Findings**:
  - Overview of domain registration history and changes.
  - Analysis of website content, structure, and associated digital assets.
  - Assessment of website security measures and vulnerabilities.
  - Insights into the website's traffic, user engagement, and SEO performance.
- **Recommendations**: Actionable steps to address any identified issues or to enhance online presence.
- **Investigation Status**: Overview of findings with suggestions for future monitoring.
## Domain Registration Details
- **Registrar**: [Name of the Registrar]
- **Registration Date**: [Date]
- **Expiration Date**: [Date]
- **Registrant Information**: [Name, Contact Details – if public]
- **WHOIS History**: [Summary of Historical WHOIS Records, e.g., [WHOIS History Tool](https://whoisrequest.com/history)]

## Hosting Information
- **IP Address**: [IP Address]
- **Server Location**: [Geographical Location]
- **Hosting Provider**: [Provider's Name]
- **DNS Configuration**: [Details of DNS Settings]

## Website Content and Structure
- **Main Themes**: [Core Topics and Messages]
- **Content Management System**: [CMS Used, e.g., WordPress, Joomla]
- **Key Pages and Sections**: [Overview of Main Site Areas]
- **Multimedia Elements**: [Use of Images, Videos, Interactive Content]

## Security Assessment
- **SSL Certificate**: [Validity and Provider]
- **Malware Scan**: [Results of Recent Scans, e.g., [Sucuri SiteCheck](https://sitecheck.sucuri.net/)]
- **Vulnerabilities**: [Known Issues from Sources like [CVE](https://cve.mitre.org/)]
- **Data Privacy**: [Compliance with Regulations like GDPR or CCPA]

## Traffic and SEO Analysis
- **Traffic Estimates**: [Visitor Numbers, Sources, e.g., [SimilarWeb](https://www.similarweb.com/)]
- **Search Engine Ranking**: [Keywords and Positions, e.g., [SEMrush](https://www.semrush.com/)]
- **Backlink Profile**: [Overview of Incoming Links, e.g., [Ahrefs](https://ahrefs.com/)]
- **Social Media Engagement**: [Analysis of Social Media Influence and Links]

## Legal and Compliance Review
- **Copyright Notices**: [Existence and Validity]
- **Terms of Service & Privacy Policy**: [Compliance and Coverage]
- **Domain Disputes**: [History of UDRP cases or other legal issues]

## Recommendations for Improvement
- **Content Strategy**: [Suggestions for Content Enhancement]
- **Security Measures**: [Recommendations for Addressing Vulnerabilities]
- **SEO Strategies**: [Advice for Improving Search Visibility and User Engagement]

## Appendices
- Appendix A: Detailed WHOIS Record
- Appendix B: Full DNS Record Analysis
- Appendix C: Website Content Inventory

## References and Sources
- [List of Tools and Databases Used for Analysis]

## Revision History
- **{{date}}**: Initial creation and data gathering.
- **{{date}}**: Updated with comprehensive security review.
- **{{date}}**: Final adjustments post peer review.

/reports/CTI Report 2.md:

---
title: Cyber Threat Intelligence Report - [Threat Name/Event]
date:
tags: [cyber-threat-intelligence, cybersecurity, ThreatNameOrEvent]
status: [Not Started, In Progress, Completed, On Hold]
---

## Executive Summary
- **Objective of Investigation**: Analyze and document comprehensive details about [Threat Name/Event], including its origins, tactics, techniques, procedures (TTPs), and impact on targeted systems or networks.
- **Key Findings**:
  - Summary of the threat's characteristics and behavior.
  - Identification of affected systems, networks, and data.
  - Assessment of the threat's impact and potential future risks.
- **Recommendations**: Specific security measures and response strategies to mitigate the threat and prevent future occurrences.
- **Investigation Status**: Overview of the threat investigation's progress and anticipated next steps.

## Threat Overview
- **Threat Name**: [Name of the malware, hacking group, etc.]
- **Type of Threat**: [Malware, Phishing, DDoS, etc.]
- **First Identified**: [Date and origin of first identification]
- **Targeted Sectors/Industries**: [List of primarily targeted sectors or industries]

## Technical Analysis
- **Malware Analysis**:
  - Hash Values: [MD5, SHA-1, SHA-256]
  - Behavior: [Actions performed by the malware]
  - C2 Communication: [Details about command and control servers]
  - Persistence Mechanisms: [How the threat maintains its presence]
- **Attack Vector**:
  - Entry Point: [How the threat gains access, e.g., email, compromised website]
  - Exploited Vulnerabilities: [Specific vulnerabilities exploited]
- **Indicators of Compromise (IoCs)**: [List of IoCs, e.g., file hashes, malicious IPs]

## Impact Assessment
- **Systems/Networks Affected**: [Details on the affected systems and the extent of impact]
- **Data Compromised**: [Information on the type and sensitivity of data compromised]
- **Business Impact**: [Analysis of the threat's impact on operations, reputation, and finances]

## Threat Actors
- **Origin**: [Information on the origin of the threat actors, if known]
- **Motivation**: [Insights into the actors' objectives, whether financial, espionage, etc.]
- **Capabilities**: [Assessment of the threat actors' technical capabilities and resources]

## Mitigation and Response Strategies
- **Immediate Response Actions**: [First steps to contain and eradicate the threat]
- **Long-term Mitigation Measures**: [Strategies to secure systems against similar threats in the future]
- **Recommendations for Patching and Updates**: [Guidance on specific software patches and updates to apply]

## Legal and Regulatory Considerations
- **Compliance Issues**: [Analysis of any compliance violations or legal implications]
- **Reporting Requirements**: [Overview of mandatory reporting obligations, e.g., GDPR, HIPAA]

## Future Threat Landscape
- **Emerging Trends**: [Insights into evolving cyber threat trends and tactics]
- **Predictive Analysis**: [Predictions on future targets, sectors, or methods of attack]

## Appendices
- Appendix A: Detailed Malware Analysis Report
- Appendix B: Full List of IoCs
- Appendix C: Incident Response Logs and Documentation

## References and Sources
- [Cybersecurity Frameworks, Threat Intelligence Platforms, Incident Reports]

## Revision History
- **{{date}}**: Initial threat identification and research.
- **{{date}}**: Updated with detailed technical analysis and impact assessment.
- **{{date}}**: Final review and development of response strategies.
/reports/Compliance Analysis Report 2.md:

---
title: Legal and Compliance Analysis Report - [Subject/Entity]
date:
tags: [legal-compliance-analysis, regulatory-review, SubjectOrEntity]
status: [Not Started, In Progress, Completed, On Hold]
---

## Executive Summary
- **Objective of Investigation**: Conduct a thorough review of [Subject/Entity]'s adherence to applicable laws, regulations, and industry standards, identifying any areas of non-compliance or legal risks.
- **Key Findings**:
  - Overview of compliance status with specific regulations and legal frameworks.
  - Identification of legal risks, including potential litigation or sanctions.
  - Recommendations for addressing compliance gaps and mitigating legal risks.
- **Recommendations**: Detailed action plan to ensure compliance and address identified legal issues.
- **Investigation Status**: Summary of investigative findings and next steps for maintaining ongoing compliance.

## Regulatory Compliance Overview
- **Applicable Regulations**: List of relevant laws and regulations applicable to the subject/entity, including GDPR, CCPA, HIPAA, SOX, and others.
- **Compliance Assessment**: Evaluation of the subject/entity's policies, procedures, and practices against each applicable regulation.

## Legal Risk Assessment
- **Litigation History**: Review of past and current litigation involving the subject/entity.
- **Contractual Obligations**: Analysis of contracts and agreements for potential risks or liabilities.
- **Intellectual Property**: Assessment of IP rights management, potential infringements, or disputes.
## Data Privacy and Security
- **Data Handling Practices**: Examination of how personal and sensitive data is collected, used, stored, and shared.
- **Security Measures**: Review of cybersecurity practices and data breach response plans.
- **Privacy Policy**: Evaluation of the privacy policy's compliance with legal requirements.

## Employment and Labor Law
- **Employee Relations**: Analysis of employment practices, worker classification, and compliance with labor laws.
- **Workplace Safety**: Review of adherence to OSHA standards and workplace safety regulations.

## Financial Regulations and Reporting
- **Financial Compliance**: Assessment of financial reporting practices, tax filings, and adherence to accounting standards.
- **Anti-Money Laundering (AML)**: Review of AML policies and procedures to prevent financial crimes.

## Industry-Specific Regulations
- **Sector Compliance**: Detailed review of compliance with industry-specific regulations, such as FDA guidelines for healthcare or FERC standards for energy.

## Recommendations for Compliance Enhancement
- **Compliance Strategy**: Suggested improvements for policies, training, and monitoring to enhance regulatory compliance.
- **Risk Mitigation**: Strategies to address identified legal risks and prevent future compliance issues.

## Action Plan for Remediation
- **Short-Term Actions**: Immediate steps to address critical compliance gaps or legal exposures.
- **Long-Term Initiatives**: Recommendations for sustaining compliance and legal risk management over time.
## Appendices
- Appendix A: Detailed Compliance Checklist and Findings
- Appendix B: Summary of Legal Disputes and Outcomes
- Appendix C: Data Privacy and Security Audit Results

## References and Sources
- [Legal Documents, Compliance Guidelines, Industry Best Practices]

## Revision History
- **{{date}}**: Initiation of legal and compliance review.
- **{{date}}**: Updated with findings from data privacy and security analysis.
- **{{date}}**: Final report with comprehensive recommendations and action plan.

/reports/CTI Report 1.md:

---
title: Cyber Threat Intelligence Report - [Threat Name/Event]
date:
tags: [cyber-threat-intelligence, cybersecurity, ThreatNameOrEvent]
status: [Not Started, In Progress, Completed, On Hold]
---

## Executive Summary
- **Objective of Investigation**: Analyze and assess the cybersecurity threat [Threat Name/Event], its mechanisms, impact, and spread to provide actionable intelligence and mitigation strategies.
- **Key Findings**:
  - Nature and mechanics of the threat, including malware analysis, attack vectors, and exploited vulnerabilities.
  - Scope of impact, including affected regions, industries, and systems.
  - Defensive measures evaluated for effectiveness against the threat.
- **Recommendations**: Specific security measures and response strategies to mitigate the threat and prevent future incidents.
- **Investigation Status**: Overview of the investigation's progress and next planned actions.

## Threat Overview
- **Threat Type**: Classification (e.g., ransomware, phishing, DDoS).
- **First Detected**: Date and initial discovery context.
- **Source/Origin**: Known information about the threat actors or origin.
- **Motivation**: Potential motives behind the threat (financial, espionage, disruption).

## Technical Analysis
- **Malware Analysis**: Detailed examination of any associated malware, including payload, infection methods, and command and control (C2) mechanisms.
- **Attack Vectors**: Paths through which the threat is initiated or propagated.
- **Exploited Vulnerabilities**: Specific vulnerabilities exploited, including CVE identifiers and patch status.
- **Indicators of Compromise (IoCs)**: Artifacts or actions indicating a potential infection or breach.

## Impact Assessment
- **Affected Systems**: Overview of systems, networks, or services impacted by the threat.
- **Geographical Spread**: Analysis of the threat's reach and impacted regions.
- **Business Impact**: Evaluation of operational, financial, and reputational damage.

## Defensive Measures
- **Detection Techniques**: Methods and tools for identifying threat presence.
- **Mitigation Strategies**: Steps taken to isolate, remove, or nullify the threat.
- **Prevention Tactics**: Long-term measures to prevent recurrence or spread.

## Threat Actors
- **Profile**: Information on the suspected or known threat actors, including affiliations and objectives.
- **Tactics, Techniques, and Procedures (TTPs)**: Analysis of the threat actors' modus operandi.
- **Historical Activity**: Overview of past incidents attributed to the same actors.

## Legal and Regulatory Considerations
- **Compliance Issues**: Any legal or regulatory implications of the threat or its handling.
- **Law Enforcement Interaction**: Details of any investigations or actions taken by legal authorities.

## Recommendations for Stakeholders
- **For IT Teams**: Specific technical actions to strengthen defenses and respond to incidents.
- **For Management**: Strategic decisions to manage risk and improve security posture.
- **For End-Users**: Guidelines and best practices to avoid falling victim to similar threats.

## Appendices
- Appendix A: Full Malware Analysis Report
- Appendix B: List of Indicators of Compromise (IoCs)
- Appendix C: Summary of Legal and Compliance Implications

## References and Sources
- [Security Reports, Threat Intelligence Platforms, Incident Response Tools]

## Revision History
- **{{date}}**: Initial threat identification and report creation.
- **{{date}}**: Updated with new analysis findings and impact assessment.
- **{{date}}**: Final recommendations and stakeholder advisories completed.

/reports/GEOINT Report 1.md:

---
title: Geospatial Intelligence Report - [Location/Area of Interest]
date:
tags: [geospatial-intelligence, location-analysis, AreaOfInterest]
status: [Not Started, In Progress, Completed, On Hold]
---

## Executive Summary
- **Objective of Investigation**: Conduct a comprehensive geospatial analysis of [Location/Area of Interest] to understand geographical features, activities, and potential security concerns.
- **Key Findings**:
  - Overview of geographical layout and notable landmarks.
  - Analysis of human activity patterns and their implications.
  - Identification of potential security vulnerabilities or environmental hazards.
- **Recommendations**: Suggested measures for area security, environmental protection, or further surveillance.
- **Investigation Status**: Summary of geospatial analysis progress and proposed next steps.
## Area Overview
- **Geographical Coordinates**: [Latitude, Longitude]
- **Topographical Features**: Description of the terrain, natural resources, and environmental conditions.
- **Land Use and Ownership**: Overview of property distribution, land usage, and ownership details.

## Satellite and Aerial Imagery Analysis
- **Imagery Sources Used**: List of satellite and aerial imagery sources utilized, e.g., [Google Earth](https://earth.google.com/), [Sentinel Hub](https://www.sentinel-hub.com/).
- **Key Observations**: Significant findings from imagery analysis, including changes over time or unusual activities.
- **Imagery Timestamps**: Dates of the captured images used for analysis.

## Human Activity Patterns
- **Population Density**: Overview of population distribution and density in the area.
- **Movement and Traffic Patterns**: Analysis of human movement and vehicular traffic, utilizing sources like [Strava Heatmap](https://www.strava.com/heatmap).
- **Cultural and Social Landmarks**: Identification of significant cultural or social gathering points.

## Infrastructure and Development
- **Critical Infrastructure**: Details of essential structures, facilities, and utilities.
- **Construction Activities**: Overview of ongoing or planned construction projects and their implications.
- **Service Accessibility**: Assessment of access to essential services such as healthcare, education, and emergency response.

## Environmental Assessment
- **Ecological Features**: Examination of flora, fauna, and ecological zones.
- **Environmental Hazards**: Identification of natural or human-made environmental risks.
- **Conservation Areas**: Mapping of protected regions or significant ecological sites.
## Security Analysis
- **Vulnerability Points**: Identification of potential security weak spots based on geographical and infrastructural factors.
- **Threat Assessment**: Analysis of external or internal threats influenced by geographical characteristics.
- **Surveillance Opportunities**: Recommendations for strategic surveillance locations or methods.

## Recommendations for Management and Development
- **Land Use Planning**: Suggestions for sustainable land use and development strategies.
- **Environmental Protection**: Measures for conserving natural resources and mitigating environmental hazards.
- **Security Enhancements**: Proposed security improvements based on geospatial analysis.

## Appendices
- Appendix A: Detailed Maps and Imagery
- Appendix B: Infrastructure and Development Documentation
- Appendix C: Environmental Impact Assessment Reports

## References and Sources
- [Geospatial Data Repositories, Imagery Sources, Environmental Studies]

## Revision History
- **{{date}}**: Initial area assessment and mapping.
- **{{date}}**: Updated with latest satellite imagery analysis.
- **{{date}}**: Final review with added security and environmental recommendations.
/reports/Compliance Documentation Report 1.md:

---
title: Compliance Documentation Report - [Company/Entity Name]
date:
tags:
  - legal-compliance
  - regulatory-analysis
  - CompanyOrEntity
status:
  - Not Started
  - In Progress
  - Completed
  - On Hold
---

## Executive Summary
- **Objective of Investigation**: Provide a comprehensive review of [Company/Entity Name]'s adherence to applicable legal standards and regulatory requirements, identifying any areas of non-compliance and associated risks.
- **Key Findings**:
  - Summary of the company/entity's current compliance status with specific legal frameworks and regulations.
  - Identification of gaps in compliance documentation, policies, and practices.
  - Assessment of potential legal risks and implications of non-compliance.
- **Recommendations**: Actionable steps to improve compliance and mitigate legal risks.
- **Investigation Status**: Overview of compliance assessment progress and next steps for achieving full legal conformity.

## Legal Framework and Regulatory Requirements
- **Applicable Laws and Regulations**: List of relevant legal frameworks and regulatory standards applicable to the company/entity, e.g., GDPR, HIPAA, SOX.
- **Compliance Obligations**: Detailed breakdown of the company/entity's obligations under each legal and regulatory framework.

## Compliance Assessment
- **Policy Review**: Examination of the company/entity's existing policies against legal requirements, highlighting any deficiencies.
- **Documentation Analysis**: Review of compliance-related documentation, including contracts, data processing agreements, and privacy notices.
- **Control Evaluation**: Assessment of administrative, technical, and physical controls implemented to ensure compliance with regulatory standards.

## Risk Analysis
- **Legal Risks**: Identification of legal exposures due to non-compliance or inadequate documentation.
- **Operational Risks**: Assessment of how compliance gaps may impact business operations.
- **Reputational Risks**: Consideration of the potential damage to the company/entity's reputation resulting from legal challenges or publicized non-compliance.

## Compliance Improvement Plan
- **Policy Updates**: Recommendations for revising policies to align with legal requirements.
- **Documentation Enhancements**: Suggestions for improving record-keeping and documentation practices.
- **Control Strengthening**: Proposed measures to strengthen compliance controls and procedures.

## Training and Awareness
- **Employee Training Programs**: Overview of existing compliance training programs and recommendations for improvement.
- **Awareness Initiatives**: Suggestions for raising legal and regulatory awareness among employees and stakeholders.

## Monitoring and Reporting
- **Compliance Monitoring**: Strategies for ongoing monitoring of compliance status and effectiveness of implemented controls.
- **Incident Reporting**: Procedures for reporting and responding to compliance incidents or breaches.

## Legal and Regulatory Updates
- **Recent Changes**: Summary of recent or upcoming changes in applicable laws and regulations that may affect the company/entity.
- **Future Compliance Requirements**: Analysis of emerging legal trends and future regulatory challenges.

## Appendices
- Appendix A: Detailed Compliance Checklist and Status Report
- Appendix B: List of Reviewed Policies and Documents
- Appendix C: Compliance Risk Assessment Matrix

## References and Sources
- [Legal Databases, Regulatory Bulletins, Compliance Guidelines]

## Revision History
- **{{date}}**: Initiated legal and compliance documentation review.
- **{{date}}**: Updated with findings from policy and documentation analysis.
- **{{date}}**: Completed final compliance improvement recommendations.

--------------------------------------------------------------------------------
/reports/Communication Patterns Analysis Report 1.md:
--------------------------------------------------------------------------------
---
title: Communication Patterns Analysis Report - [Individual/Group Name]
date:
tags: [communication-patterns, digital-forensics, IndividualOrGroupName]
status: [Not Started, In Progress, Completed, On Hold]
---

## Executive Summary
- **Objective of Investigation**: Examine the communication patterns of [Individual/Group Name] across various platforms to identify typical behaviors, potential risks, and notable anomalies.
- **Key Findings**:
  - Dominant themes and topics of discussion.
  - Key individuals or groups within the communication network.
  - Time patterns indicating preferred communication hours or irregular activities.
- **Recommendations**: Suggested actions based on identified communication patterns and associated risks.
- **Investigation Status**: Overview of the analysis progress, findings, and suggested next steps.

## Subject Profile
- **Name/Group**: [Name or Group Description]
- **Known Aliases**: [Aliases Used Across Platforms]
- **Platforms Used**: [List of Communication Platforms]
- **Associated Entities**: [List of Associated Individuals or Groups]

## Methodology
- **Data Collection**: Techniques and tools used to gather communication data, e.g., email archives, social media scraping.
- **Analysis Tools**: Software and methodologies applied to analyze communication patterns, e.g., [Maltego](https://www.maltego.com/), text analysis tools.
- **Data Privacy Compliance**: Measures taken to ensure compliance with data protection laws and regulations.

## Communication Analysis
### Email Correspondence
- **Volume and Frequency**: Analysis of email interactions over time.
- **Key Contacts**: Major individuals or organizations in email communications.
- **Subject Matter**: Common themes or topics identified in email chains.

### Social Media Activity
- **Platforms Analyzed**: Specific social media platforms reviewed.
- **Posting Patterns**: Frequency and timing of posts, tweets, or updates.
- **Engagement**: Analysis of likes, shares, comments, and direct messaging patterns.

### Messaging Apps and Forums
- **Apps Used**: Identification of messaging applications and online forums.
- **Message Content**: Overview of predominant discussion topics and sentiment.
- **Network Connections**: Key members and influencers within chat groups or forums.

## Behavioral Insights
- **Preferred Communication Channels**: Preferred platforms and mediums for communication.
- **Temporal Patterns**: Specific times or days when communication peaks.
- **Geographical Insights**: Locations deduced from communication data or metadata.

## Risk Assessment
- **Information Disclosure**: Instances of sensitive information being shared.
- **Anomalous Behavior**: Communication activities that deviate from established patterns.
- **External Influences**: Indications of external entities influencing communications.

## Recommendations for Monitoring and Intervention
- **Surveillance Recommendations**: Strategies for ongoing monitoring of communication channels.
- **Security Measures**: Suggestions to enhance privacy and data security for communications.
- **Intervention Strategies**: Steps to take if illicit or harmful communication patterns are detected.

## Appendices
- Appendix A: Comprehensive Logs of Analyzed Communications
- Appendix B: Network Analysis Charts and Graphs
- Appendix C: Detailed Account of Anomalous Communication Events

## References and Sources
- [Communication Analysis Tools, Data Protection Regulations, Psychological Studies on Communication Patterns]

## Revision History
- **{{date}}**: Commencement of communication data collection.
- **{{date}}**: Updated with initial analysis findings.
- **{{date}}**: Completed in-depth communication pattern analysis and formulated recommendations.

--------------------------------------------------------------------------------
/reports/Individual Investigation Report.md:
--------------------------------------------------------------------------------
---
title: Individual Investigation Report - [Subject Name]
date:
tags: [individual-investigation, personal-background, SubjectName]
status: [Not Started, In Progress, Completed, On Hold]
---

## Executive Summary
- **Objective of Investigation**: Detailed exploration of [Subject Name]'s background, digital footprint, and online behaviors to assess potential risks, affiliations, or character.
- **Key Findings**:
  - Summary of significant personal, professional, and social findings.
  - Analysis of subject's online presence and activities.
  - Assessment of potential risks or red flags associated with the subject.
- **Recommendations**: Suggested actions based on investigation findings.
- **Investigation Status**: Current phase and future steps.

## Subject Profile
- **Full Name**: [Full Name]
- **Aliases**: [Known Aliases]
- **Date of Birth**: [DOB]
- **Nationalities**: [Nationalities]
- **Current Residence**: [Address or Location]
- **Occupation**: [Current Occupation]
- **Education**: [Educational Background]
- **Social Security Number/ID**: [If applicable]

## Digital Footprint
### Social Media Accounts
- **Facebook**: [Link/Details]
- **LinkedIn**: [Link/Details]
- **Twitter**: [Link/Details]
- **Instagram**: [Link/Details]
- [Other Platforms]: [Link/Details]

### Websites and Blogs
- Personal Websites: [Link/Details]
- Professional Portfolios: [Link/Details]
- Blogs or Publications: [Link/Details]

### Email Addresses
- Personal: [Email Addresses]
- Professional: [Email Addresses]

### Phone Numbers
- Mobile: [Numbers]
- Home: [Numbers]
- Work: [Numbers]

## Professional Background
- **Employment History**:
  - [Company Name]: [Position, Duration, Responsibilities]
- **Business Affiliations**:
  - [Organization/Role, Description]

## Personal Background
- **Family Members**:
  - [Relation, Name, Relevant Information]
- **Residential History**:
  - [Addresses, Duration]
- **Legal History**:
  - [Legal Issues, Locations, Dates]

## Online Behavior and Associations
- **Forum Participation**:
  - [Forum Names, Usernames, Topics of Interest]
- **Membership in Online Groups**:
  - [Group Names, Platforms, Roles]
- **Online Purchases and Subscriptions**:
  - [Services, Products, Dates]

## Financial Overview
- **Bank Accounts**: [Details, Banks]
- **Credit Cards**: [Details, Issuers]
- **Investments**: [Details, Types, Institutions]

## Geospatial Intelligence
- **Location Check-ins**:
  - [Locations, Dates, Occasions]
- **Geo-tagged Photos**:
  - [Locations, Dates]

## Network and Relationships
- **Known Associates**:
  - [Names, Relationships, Contexts]
- **Professional Contacts**:
  - [Names, Positions, Nature of Relationship]

## Psychological Profile
- **Personality Traits**:
  - [Traits, Behaviors, Evidence]
- **Interests and Hobbies**:
  - [Activities, Memberships, Skills]

## Risk Assessment
- **Threats and Vulnerabilities**:
  - [Potential Risks, Impact, Evidence]
- **Recommendations for Monitoring**:
  - [Surveillance Tips, Key Areas for Future Observation]

## Appendices
- Appendix A: Detailed Social Media Activity Logs
- Appendix B: Full Employment Verification Reports
- Appendix C: Comprehensive Financial Records Review

## References and Sources
- [Data Sources, Research Tools, Verification Platforms]

## Revision History
- **{{date}}**: Initial report compilation.
- **{{date}}**: Updated with social media analysis results.
- **{{date}}**: Final review, added risk assessment and recommendations.

--------------------------------------------------------------------------------
/reports/Blockchain Investigation Report 2.md:
--------------------------------------------------------------------------------
---
title: Blockchain Investigation Report - [Case/Transaction ID]
date:
tags: [blockchain-investigation, cryptocurrency-analysis, CaseOrTransactionID]
status: [Not Started, In Progress, Completed, On Hold]
---

## Executive Summary
- **Objective of Investigation**: Conduct a detailed examination of transactions, wallet addresses, and associated entities within the blockchain to uncover illicit activities, trace asset flows, or authenticate transactions related to [Case/Transaction ID].
- **Key Findings**:
  - Summary of critical blockchain activities and transaction patterns.
  - Identification of wallet addresses linked to suspicious activities.
  - Connections between transaction entities and known illicit networks.
- **Recommendations**: Strategic steps for asset recovery, legal actions, and enhanced surveillance.
- **Investigation Status**: Summary of current findings with proposed next steps for continuous monitoring or investigation closure.

## Transaction and Wallet Analysis
- **Transaction Details**: Overview of specific transactions including dates, amounts, and involved addresses, e.g., [Blockchain Explorer](https://www.blockchain.com/explorer).
- **Wallet Addresses**: List and analysis of wallet addresses involved, highlighting any known associations with illicit activities.
- **Asset Flow**: Visualization of asset movement between addresses to illustrate potential money laundering or fraud schemes.

## Entity Linkage and Clustering
- **Address Clustering**: Techniques used to group addresses controlled by the same entity, providing a clearer picture of transactional relationships.
- **Entity Identification**: Efforts to link blockchain addresses to real-world identities, utilizing public data sources and intelligence databases.
- **Interconnected Networks**: Analysis of how the subject’s addresses connect with broader networks, indicating potential collaborators or criminal networks.

## Smart Contract Review
- **Contract Analysis**: If applicable, review and assessment of smart contracts related to the case, including any known vulnerabilities or exploits.
- **DeFi Interactions**: Examination of interactions with DeFi platforms, identifying any irregularities or risky transactions.

## Source of Funds and Financial Analysis
- **Funding Sources**: Analysis of where and how the subject’s assets were acquired, looking for connections to known criminal activities or unexplained wealth.
- **Transaction Patterns**: Study of transactional behavior for signs of the typical laundering stages: placement, layering, and integration.

## Legal and Regulatory Compliance
- **Regulatory Examination**: Review of compliance with AML, KYC, and CFT regulations applicable to cryptocurrency transactions.
- **Sanctions Check**: Cross-referencing of entities and wallet addresses against global sanctions lists, e.g., [OFAC’s SDN List](https://www.treasury.gov/ofac/downloads/sdnlist.txt).

## Risk Assessment
- **Vulnerabilities**: Identification of security risks related to wallet storage, transaction privacy, and smart contract execution.
- **Threat Evaluation**: Assessment of potential threats from associated entities or through identified transaction patterns.

## Recommendations for Further Action
- **Monitoring Strategies**: Suggestions for ongoing surveillance of identified addresses and entities.
- **Legal Actions**: Recommended legal steps for asset recovery, injunctions, or further investigations.
- **Security Enhancements**: Proposed improvements for securing cryptocurrency assets and preventing unauthorized transactions.

## Appendices
- Appendix A: Detailed Transaction Logs
- Appendix B: Address Clustering Results
- Appendix C: Legal and Regulatory Compliance Documentation

## References and Sources
- [Cryptocurrency Analysis Tools, Blockchain Explorers, Legal Documents]

## Revision History
- **{{date}}**: Initial analysis based on transaction data.
- **{{date}}**: Updated with results from entity linkage and clustering.
- **{{date}}**: Final review and compilation of recommendations.

--------------------------------------------------------------------------------
/reports/Blockchain Investigation Report 1.md:
--------------------------------------------------------------------------------
---
title: Blockchain Investigation Report - [Case Identifier]
date:
tags: [blockchain-investigation, cryptocurrency, CaseIdentifier]
status: [Not Started, In Progress, Completed, On Hold]
---

## Executive Summary
- **Objective of Investigation**: Conduct a thorough examination of blockchain transactions, wallet addresses, and associated entities to uncover illicit activities, trace asset flows, or validate financial histories related to [Case Identifier].
- **Key Findings**:
  - Summary of critical blockchain activities linked to the subject or case.
  - Identification of significant transactions, wallet addresses, and their connections to known entities.
  - Analysis of patterns indicating potential money laundering, fraud, or other illicit activities.
- **Recommendations**: Proposed measures based on investigative findings, such as asset recovery or enhanced monitoring.
- **Investigation Status**: Summary of investigation progress and next steps for continued monitoring or action.

## Subject or Transaction Overview
- **Subject Name/Alias**: [If applicable]
- **Blockchain Network**: [e.g., Bitcoin, Ethereum]
- **Primary Addresses**: [List of key wallet addresses]
- **Associated Transactions**: [List or summary of significant transactions]

## Transaction Analysis
- **Key Transaction Details**:
  - Date/Time:
  - Amount and Currency:
  - From Address:
  - To Address:
  - Transaction Hash: [e.g., [Blockchain.com Explorer](https://www.blockchain.com/btc/tx/transactionhash)]
- **Transaction Patterns**: [Analysis of recurring transactions, timing, and amounts]

## Address Clustering
- **Methodology**: [Description of address clustering techniques used]
- **Clustered Addresses**: [Groups of addresses believed to be controlled by the subject]
- **Associated Entities**: [Identification of any entities connected to these address clusters, e.g., exchanges, mixing services]

## Entity Linking and De-Anonymization
- **Known Entities**: [Details of known individuals or organizations linked to addresses]
- **Service Identification**: [Identification of services used, such as exchanges or wallet providers, with supporting evidence]
- **De-Anonymization Efforts**: [Summary of attempts to link anonymous addresses to real-world identities]

## Financial Analysis
- **Asset Estimation**: [Estimation of total assets held across identified addresses]
- **Source of Funds**: [Analysis of fund origins, highlighting any suspicious sources]
- **Fund Movement**: [Tracking of asset transfers between addresses and entities]

## Legal and Compliance Review
- **Regulatory Scrutiny**: [Assessment against anti-money laundering (AML) and counter-financing of terrorism (CFT) standards]
- **Sanctions Check**: [Examination of addresses against sanction lists, e.g., [OFAC Sanctions List](https://www.treasury.gov/resource-center/sanctions/SDN-List/Pages/default.aspx)]
- **Compliance Violations**: [Identification of any breaches in regulatory compliance]

## Cybersecurity Assessment
- **Smart Contract Analysis**: [For Ethereum-based transactions, analysis of associated smart contracts for vulnerabilities]
- **Security Risks**: [Assessment of security risks associated with the subject’s blockchain activities]

## Risk Assessment and Recommendations
- **Risks Identified**: [Summary of identified risks from financial, legal, and security perspectives]
- **Monitoring Recommendations**: [Suggestions for ongoing surveillance of identified addresses and transactions]
- **Strategic Actions**: [Recommended actions for law enforcement, regulatory response, or asset recovery]

## Appendices
- Appendix A: Detailed Transaction Logs
- Appendix B: Clustering Methodology and Results
- Appendix C: Legal Compliance Checklist

## References and Sources
- [List of blockchain analysis tools, legal documents, and investigative resources used]

## Revision History
- **{{date}}**: Initial analysis and report compilation.
- **{{date}}**: Updated with new transaction data.
- **{{date}}**: Final review and strategic recommendations.

--------------------------------------------------------------------------------
/reports/Network Reconnaissance Report.md:
--------------------------------------------------------------------------------
---
title: Network Reconnaissance Report - [Network Name/Target]
date:
tags: [network-reconnaissance, cybersecurity-analysis, NetworkNameOrTarget]
status: [Not Started, In Progress, Completed, On Hold]
---

## Executive Summary
- **Objective of Investigation**: Execute an in-depth analysis of [Network Name/Target]'s infrastructure to identify potential vulnerabilities, assess security posture, and recommend mitigation strategies.
- **Key Findings**:
  - Summary of network architecture and exposed services.
  - Identification of critical vulnerabilities and misconfigurations.
  - Assessment of network perimeter defenses and internal security controls.
- **Recommendations**: Tailored security improvements and best practices for network hardening.
- **Investigation Status**: Summary of analysis progress and future steps for continuous network monitoring.

## Network Overview
- **Network Topology**: Description of the network layout, including main components and connections, e.g., [Draw.io](https://app.diagrams.net/).
- **IP Range**: Listing of IP addresses associated with the target network.
- **Domain Names**: Associated domain names and any relevant DNS information.

## Vulnerability Assessment
- **Scanning Tools Used**: List of network scanning tools and software used, e.g., [Nmap](https://nmap.org/), [Nessus](https://www.tenable.com/products/nessus).
- **Identified Vulnerabilities**: Details of vulnerabilities found, including CVSS scores and potential impact.
- **Misconfigurations**: Overview of network misconfigurations and security weaknesses identified.

## Service Enumeration
- **Exposed Services**: List and analysis of services exposed to the internet or internal network.
- **Service Configurations**: Examination of service settings for security implications.
- **Authentication Mechanisms**: Review of authentication methods and password policies.

## Intrusion Detection and Response
- **Firewall and IDS Configurations**: Assessment of firewall rules and intrusion detection settings.
- **Log Analysis**: Summary of findings from system and security log reviews.
- **Incident Response Capability**: Evaluation of the network's ability to detect and respond to security incidents.

## Data Protection Measures
- **Encryption Standards**: Analysis of encryption protocols used for data transmission and storage.
- **Data Access Controls**: Review of data access levels and permissions.
- **Data Backup and Recovery**: Assessment of backup solutions and disaster recovery plans.

## Network Performance and Health
- **Bandwidth Usage**: Overview of network traffic and bandwidth utilization.
- **Latency and Packet Loss**: Measurements of network performance metrics.
- **Network Health Monitoring**: Tools and practices used for ongoing network health assessment.

## Compliance and Regulatory Review
- **Compliance Standards**: Review against applicable compliance standards such as GDPR, HIPAA, PCI-DSS.
- **Regulatory Findings**: Any compliance gaps or regulatory issues identified.

## Risk Assessment
- **Risk Scoring**: Evaluation of identified risks based on severity and likelihood.
- **Threat Landscape**: Analysis of potential external and internal threats to the network.

## Recommendations for Network Enhancement
- **Remediation Steps**: Prioritized list of actions to address identified vulnerabilities and misconfigurations.
- **Security Best Practices**: Recommendations for improving network security posture and compliance.
- **Future Monitoring Strategies**: Suggestions for continuous monitoring and incident detection.

## Appendices
- Appendix A: Full Network Scan Reports
- Appendix B: Detailed Vulnerability Assessment Results
- Appendix C: Compliance Checklist and Findings

## References and Sources
- [Network Security Tools, Compliance Guidelines, Industry Best Practices]

## Revision History
- **{{date}}**: Initial reconnaissance and network mapping.
- **{{date}}**: Updated with vulnerability assessment results.
- **{{date}}**: Final review, risk assessment, and recommendations.

--------------------------------------------------------------------------------
/reports/Company Investigation Report.md:
--------------------------------------------------------------------------------
---
title: Company Investigation Report - [Company Name]
date:
tags: [company-investigation, corporate-analysis, CompanyName]
status: [Not Started, In Progress, Completed, On Hold]
---

## Executive Summary
- **Objective of Investigation**: Comprehensive assessment of [Company Name]'s business operations, market reputation, legal standings, and cybersecurity posture.
- **Key Findings**:
  - Overview of company's financial health, market position, and potential risks.
  - Insights into corporate culture, employee satisfaction, and executive leadership.
  - Evaluation of company’s legal compliance, historical litigations, and current legal challenges.
  - Analysis of cybersecurity practices, historical breaches, and current threats.
- **Recommendations**: Strategic advice based on the analysis to mitigate identified risks and leverage potential opportunities.
- **Investigation Status**: Summary of investigative progress and outline of next steps.

## Company Profile
- **Official Name**: [Full Official Name]
- **Operating Names**: [DBAs, Brand Names]
- **Headquarters**: [Location]
- **Global Offices**: [List of Key Locations]
- **Industry**: [Sector/Industry]
- **Products/Services**: [Core Offerings]
- **Website**: [Official Website](https://www.companywebsite.com)
- **Founding Date**: [Date]
- **Founders**: [Names]
- **Key Executives**: [Names and Titles]

## Financial Overview
- **Revenue**: [Latest Fiscal Year]
- **Profit Margin**: [Latest Fiscal Year]
- **Market Share**: [Details]
- **Funding Rounds**: [History & Amounts]
- **Major Investors**: [List]
- **Financial Health Indicators**: [Debt Ratios, Liquidity Ratios]

## Market Position and Reputation
- **Competitors**: [Top Competitors]
- **Market Position**: [Details on Market Standing]
- **Customer Base**: [Demographics, Size]
- **Brand Reputation**: [Insights from Customer Reviews, e.g., [TrustPilot](https://www.trustpilot.com/review/companyname)]
- **Media Coverage**: [Significant Press Highlights, e.g., [Company News Archive](https://www.companywebsite.com/news)]

## Legal and Compliance
- **Regulatory Compliance**: [Status and Relevant Regulations]
- **Historical Litigations**: [Summary of Past Legal Issues]
- **Current Legal Challenges**: [Ongoing Litigation Details]
- **Intellectual Property**: [Patents, Trademarks held by the company]

## Cybersecurity Assessment
- **Security Posture**: [General Assessment]
- **Past Breaches**: [Details and Impact]
- **Current Threats**: [Identified Vulnerabilities, e.g., [CVE Database](https://cve.mitre.org/)]
- **Data Privacy Practices**: [Compliance with GDPR, CCPA, etc.]

## Corporate Culture and Employee Sentiment
- **Employee Reviews**: [Summary, e.g., [Glassdoor](https://www.glassdoor.com/Reviews/company-reviews.htm)]
- **Corporate Social Responsibility (CSR)**: [Activities and Community Engagement]
- **Diversity and Inclusion**: [Policies and Employee Demographics]

## Network and Affiliations
- **Partnerships and Alliances**: [Key Business Partners]
- **Industry Affiliations**: [Membership in Associations]
- **Executive Relationships**: [Interconnections with other companies and industries]

## Risk Assessment
- **Financial Risks**: [Market Fluctuations, Debt Levels]
- **Operational Risks**: [Supply Chain Vulnerabilities, Legal Risks]
- **Reputational Risks**: [Public Perception, Media Issues]
- **Cybersecurity Risks**: [Potential for Data Breaches, IT Infrastructure]

## Recommendations for Further Action
- **Strategic Initiatives**: [Suggestions for Growth, Partnership Opportunities]
- **Risk Mitigation Strategies**: [Plans to Address Identified Risks]
- **Compliance Recommendations**: [Enhancements for Legal and Ethical Compliance]

## Appendices
- Appendix A: Detailed Financial Statements and Ratios
- Appendix B: Full Legal Case Summaries
- Appendix C: Comprehensive Employee Survey Results

## References and Sources
- [Financial Reports, Legal Documents, Public Records, Third-Party Assessment Tools]

## Revision History
- **{{date}}**: Initial compilation of company data.
- **{{date}}**: Updated with latest market analysis.
- **{{date}}**: Added new section on cybersecurity threats.

--------------------------------------------------------------------------------
/reports/GEOINT Report 2.md:
--------------------------------------------------------------------------------
---
title: Geospatial Intelligence Report - [Location/Area of Interest]
date:
tags: [geospatial-intelligence, location-analysis, LocationOrAreaOfInterest]
status: [Not Started, In Progress, Completed, On Hold]
---

## Executive Summary
- **Objective of Investigation**: Conduct a thorough analysis of the geospatial data for [Location/Area of Interest] to identify patterns, strategic locations, and potential security threats.
- **Key Findings**:
  - Overview of geographical features and critical infrastructures.
  - Analysis of movement patterns and logistical routes.
  - Identification of vulnerabilities and potential security threats in the area.
- **Recommendations**: Strategic advice for enhancing security, optimizing logistics, or mitigating environmental risks.
- **Investigation Status**: Summary of the geospatial analysis progress and insights for further exploration.

## Geographical Overview
- **Location Description**: Detailed description of the area, including geopolitical significance.
- **Topographical Features**: Overview of natural landscapes, water bodies, and terrain types.
- **Critical Infrastructure**: Listing and analysis of key infrastructures such as bridges, power plants, and communication networks.

## Satellite and Aerial Imagery Analysis
- **Imagery Sources Used**: List of satellite and aerial imagery sources utilized, e.g., [Google Earth](https://earth.google.com/web/), [Sentinel Hub](https://www.sentinel-hub.com/).
- **Key Observations**: Insights drawn from the imagery, including changes over time or anomalies detected.
- **Image Annotations**: Detailed annotations of images highlighting areas of interest.

## Movement and Activity Patterns
- **Traffic and Logistics Routes**: Analysis of major transportation routes and patterns of movement.
- **Population Density and Distribution**: Insights into population trends, density areas, and potential evacuation zones.
- **Activity Hotspots**: Identification of areas with high levels of activity, possible gatherings, or events.

## Environmental and Ecological Considerations
- **Natural Resources**: Assessment of available natural resources and their strategic importance.
- **Environmental Risks**: Evaluation of environmental threats such as flooding, wildfires, or landslides.
- **Conservation Areas**: Information on protected areas, wildlife reserves, and ecological significance.

## Security and Defense Posture
- **Military Installations**: Location and analysis of military facilities within or near the area.
- **Surveillance Capabilities**: Assessment of surveillance systems, checkpoints, and border controls.
- **Vulnerability Assessment**: Identification of security vulnerabilities based on geographical features and infrastructure.

## Technological Infrastructure
- **Communication Networks**: Overview of the communication infrastructure, including cell towers and internet backbone.
- **Energy Grids**: Analysis of the energy supply network, including potential vulnerabilities.
- **Smart City Initiatives**: Review of any smart technologies or IoT deployments within the area.

## Risk Assessment
- **Strategic Risks**: Evaluation of risks associated with geopolitical tensions, resource scarcity, or territorial disputes.
- **Operational Risks**: Assessment of risks to logistics, supply chains, and infrastructure stability.
- **Environmental Risks**: Analysis of environmental impacts and natural disaster preparedness.

## Recommendations for Strategic Initiatives
- **Security Enhancements**: Proposals for improving physical and cyber security measures.
- **Infrastructure Development**: Suggestions for infrastructure upgrades or development projects.
- **Environmental Protection Measures**: Strategies for environmental conservation and risk mitigation.

## Appendices
- Appendix A: High-Resolution Satellite Images
- Appendix B: Detailed Maps of Infrastructure and Resources
- Appendix C: Risk Assessment Matrix

## References and Sources
- [Geospatial Data Providers, Environmental Studies, Security Analysis Tools]

## Revision History
- **{{date}}**: Initial compilation of geospatial data and imagery.
- **{{date}}**: Updated with movement pattern analysis.
- **{{date}}**: Final review, incorporating security and environmental assessments.

--------------------------------------------------------------------------------
/reports/Communication Patterns Analysis Report 2.md:
--------------------------------------------------------------------------------
---
title: Communication Patterns Analysis Report - [Subject/Entity]
date:
tags: [communication-patterns-analysis, digital-forensics, SubjectOrEntity]
status: [Not Started, In Progress, Completed, On Hold]
---

## Executive Summary
- **Objective of Investigation**: Examine the communication patterns of [Subject/Entity] across various digital platforms to identify typical behaviors, potential anomalies, and insights into social networks and interactions.
- **Key Findings**:
  - Overview of primary communication channels used by the subject/entity.
  - Identification of regular contacts, key influencers, and networks.
  - Analysis of message content for themes, sentiment, and potential coded language.
14 | - Detection of any anomalous communication patterns that could indicate covert activities or cybersecurity threats. 15 | - **Recommendations**: Proposed actions based on the communication analysis, including monitoring strategies and further investigative needs. 16 | - **Investigation Status**: Current phase of the analysis and suggestions for continued observation or closure. 17 | 18 | ## Communication Channels Overview 19 | - **Emails**: Analysis of email exchanges, including senders, recipients, frequency, and content themes. 20 | - **Social Media**: Overview of activity on platforms like [Facebook](https://www.facebook.com), [Twitter](https://www.twitter.com), and [LinkedIn](https://www.linkedin.com) - focusing on posts, direct messages, and network structures. 21 | - **Instant Messaging and Apps**: Examination of usage patterns on platforms such as WhatsApp, Telegram, and Signal, including group memberships and messaging cadence. 22 | - **Voice and Video Calls**: Summary of call logs, participants, and call durations if available through digital forensics or lawful intercepts. 23 | 24 | ## Network Analysis 25 | - **Social Network Mapping**: Visualization of the subject's/entity's social network, highlighting central figures and connection strengths, using tools like [Gephi](https://gephi.org). 26 | - **Key Contacts and Interactions**: Identification of frequent and influential contacts within the communication network. 27 | - **Community Detection**: Analysis of clustered communities within the larger network to identify sub-groups or affiliations. 28 | 29 | ## Content Analysis 30 | - **Thematic Analysis**: Breakdown of common topics, interests, or concerns discussed across communication mediums. 31 | - **Sentiment Analysis**: Assessment of the emotional tone within communications to gauge sentiment towards certain topics or entities. 32 | - **Keyword and Phrase Tracking**: Identification of frequently used or potentially significant keywords and phrases. 
33 | 34 | ## Anomaly Detection 35 | - **Pattern Disruptions**: Instances where established communication patterns deviate significantly, potentially indicating an event or change in behavior. 36 | - **Encrypted or Coded Language**: Analysis of communications for the use of encryption, slang, or codes that could obscure message content. 37 | 38 | ## Legal and Compliance Review 39 | - **Privacy Considerations**: Assessment of investigation methods for compliance with privacy laws and regulations. 40 | - **Data Handling**: Review of data security measures in place to protect sensitive communication data gathered during the investigation. 41 | 42 | ## Risk Assessment 43 | - **Vulnerabilities and Threats**: Identification of potential risks arising from the subject's/entity's communication patterns, including exposure to phishing or social engineering attacks. 44 | - **Impact Analysis**: Evaluation of how identified communication patterns could impact the subject/entity or associated networks. 45 | 46 | ## Recommendations for Monitoring and Intervention 47 | - **Monitoring Strategies**: Suggested approaches for ongoing surveillance of key communication channels and contacts. 48 | - **Intervention Measures**: Recommendations for addressing any identified risks, including cybersecurity measures and counterintelligence tactics. 49 | 50 | ## Appendices 51 | - Appendix A: Detailed Logs of Analyzed Communications 52 | - Appendix B: Social Network Maps and Graphs 53 | - Appendix C: List of Keywords and Phrases Monitored 54 | 55 | ## References and Sources 56 | - [Digital Forensics Tools, Social Media Analysis Platforms, Legal Guidelines] 57 | 58 | ## Revision History 59 | - **{{date}}**: Initiated communication pattern analysis. 60 | - **{{date}}**: Updated with preliminary findings from social media and email analysis. 61 | - **{{date}}**: Finalized report with comprehensive analysis and recommendations. 
62 | -------------------------------------------------------------------------------- /checklists/ai-detection-checklist.md: -------------------------------------------------------------------------------- 1 | # ✅ AI Detection Checklist 2 | 3 | ![Version](https://img.shields.io/badge/version-v1.0.0-blue) 4 | ![Last Update](https://img.shields.io/badge/updated-2025--09--13-red) 5 | 6 | A comprehensive and detailed checklist for detecting and analyzing AI-generated or manipulated media — including images, video, audio, and text. It is intended for OSINT investigators, journalists, digital forensic analysts, and security professionals who require structured, reliable verification procedures. 7 | 8 | ## 🖼️ Image & Visual Content Verification 9 | 10 | - **Anatomy & Object Integrity** 11 | 12 | - Inspect hands: count fingers, check proportions, examine nail shape and placement. 13 | 14 | - Examine eyes: look for mismatched irises, unnatural reflections, symmetry that is “too perfect.” 15 | 16 | - Inspect teeth: check if rendered as a uniform block, misaligned gum lines, or blurry interiors. 17 | 18 | - Inspect ears and earrings: check for asymmetry, distortions, or blending into hair/skin. 19 | 20 | - Check accessories (glasses, hats, jewelry) for warped edges, melting, or blending artifacts. 21 | 22 | - **Clothing & Fabrics** 23 | 24 | - Look for stitching errors, inconsistent textures, or repeating patterns. 25 | 26 | - Validate logos and printed text on clothing (AI often renders gibberish or blurred letters). 27 | 28 | - Check folds and shadows in fabric for natural consistency. 29 | 30 | - **Background Consistency** 31 | 32 | - Inspect signage and text in the background for legibility. 33 | 34 | - Identify warped objects (lamp posts, buildings, cars). 35 | 36 | - Check perspective lines: ensure vanishing points are consistent. 37 | 38 | - **Lighting & Shadows** 39 | 40 | - Ensure all shadows align with a single light source. 
41 | 42 | - Validate intensity and direction of light on different objects. 43 | 44 | - Use [SunCalc](https://www.suncalc.org/) to validate the claimed time of day against shadow direction and length. 45 | 46 | - **Reflections** 47 | 48 | - Inspect mirrors, windows, and water surfaces. 49 | 50 | - Ensure reflected objects match reality (orientation, size, color). 51 | 52 | - **Technical Checks** 53 | 54 | - Run **reverse image search** on full image and cropped anomalies. 55 | 56 | - Perform **Error Level Analysis (ELA)** via [Forensically](https://29a.ch/photo-forensics/). 57 | 58 | - Inspect for cloning or copy-paste elements. 59 | 60 | - Review **EXIF metadata** using [ExifTool](https://exiftool.org/). 61 | 62 | - Validate GPS and timestamps against claimed context. 63 | 64 | 65 | ## 🎥 Video Verification 66 | 67 | - **Frame-by-Frame Analysis** 68 | 69 | - Scrub video frame by frame for inconsistencies. 70 | 71 | - Check lips vs. phonemes for sync accuracy. 72 | 73 | - Look for flickering artifacts or blending errors. 74 | 75 | - **Motion & Blur** 76 | 77 | - Validate natural motion blur; AI often generates sharp unnatural edges during motion. 78 | 79 | - Look for “halo” effects or ghosting in moving objects. 80 | 81 | - **Context Checks** 82 | 83 | - Verify landmarks, signs, and clothing seasonality. 84 | 85 | - Cross-check weather with [Meteostat](https://meteostat.net/) or [OGIMET](https://www.ogimet.com/). 86 | 87 | - Use [SunCalc](https://www.suncalc.org/) for shadow analysis. 88 | 89 | - **Technical Tools** 90 | 91 | - Extract thumbnails and keyframes with [InVID](https://www.invid-project.eu/tools-and-services/invid-verification-plugin/). 92 | 93 | - Run reverse video searches. 94 | 95 | - Analyze encoding for unusual compression signatures. 96 | 97 | - **AI Detection** 98 | 99 | - Run frames through [SensityAI](https://sensity.ai/) or Reality Defender. 100 | 101 | - Apply forensic CNNs (e.g. XceptionNet) trained on FaceForensics++; the dataset itself is a benchmark, not a detector, and classifier output is supporting evidence only.
102 | 103 | 104 | ## 🔊 Audio Verification 105 | 106 | - **Listening Checks** 107 | 108 | - Identify robotic cadence, flat intonation, or overly clean delivery. 109 | 110 | - Check for missing human sounds (breathing, mouth clicks, filler words). 111 | 112 | - Detect looping or repetitive background noise. 113 | 114 | - **Spectrogram Analysis** 115 | 116 | - Generate spectrograms in [Audacity](https://www.audacityteam.org/) or [Praat](https://www.fon.hum.uva.nl/praat/). 117 | 118 | - Look for: 119 | 120 | - Clean unnatural high frequencies. 121 | 122 | - Banding artifacts. 123 | 124 | - Missing natural harmonics. 125 | 126 | - **Environmental Verification** 127 | 128 | - Validate background sounds (birds, traffic, wind) against claimed setting. 129 | 130 | - Compare ambient audio with expected acoustics (e.g., indoor echo vs. outdoor open field). 131 | 132 | - **Technical Tools** 133 | 134 | - Run AI voice detection with Deepware Scanner or Resemble Detect, and treat the score as supporting evidence only. (Intel FakeCatcher analyzes blood-flow cues in video frames; it is not an audio detector.) 135 | 136 | - Compare with known samples of the speaker. 137 | 138 | - Analyze jitter/shimmer metrics in Praat. 139 | 140 | 141 | ## 📝 Textual Verification 142 | 143 | - **Linguistic Checks** 144 | 145 | - Identify repetitive scaffolding (e.g., “In conclusion, …”). 146 | 147 | - Look for vague or generic phrasing without specifics. 148 | 149 | - Check for fabricated citations, URLs, or ISBNs. 150 | 151 | - **Factual Validation** 152 | 153 | - Spot-check quotes and references against primary sources. 154 | 155 | - Cross-verify dates, events, and names in OSINT databases. 156 | 157 | - **Technical Tools** 158 | 159 | - Run [GLTR](http://gltr.io/) or [DetectGPT](https://github.com/eric-mitchell/detect-gpt). 160 | 161 | - Perform stylometric comparison with JStylo. 162 | 163 | - Use HuggingFace AI detection models for a second opinion; treat every detector verdict as one indicator, never as proof on its own. 164 | 165 | 166 | ## 🌍 Contextual & Environmental Consistency 167 | 168 | - Validate location using Google Earth and Street View.
169 | 170 | - Cross-check building architecture with regional styles. 171 | 172 | - Verify vegetation/season (trees in bloom vs. claimed season). 173 | 174 | - Validate weather data with [Meteostat](https://meteostat.net/) or [OGIMET](https://www.ogimet.com/). 175 | 176 | - Check holidays, political events, or known gatherings on claimed date. 177 | 178 | - Match crowd size against known venue capacity. 179 | 180 | ## 📊 Metadata & Technical Fingerprints 181 | 182 | - **EXIF Analysis** 183 | 184 | - Extract with [ExifTool](https://exiftool.org/). 185 | 186 | - Look for missing or improbable fields (most social platforms strip EXIF on upload, so absence alone is weak evidence). 187 | 188 | - Detect generator or editor software tags (Stable Diffusion, Midjourney, Photoshop). 189 | 190 | - **Compression & Encoding** 191 | 192 | - Validate JPEG quantization tables. 193 | 194 | - Compare video codecs against known device profiles. 195 | 196 | - **Sensor Noise & PRNU** 197 | 198 | - Run [Noiseprint](https://github.com/isi-vista/noiseprint) for sensor fingerprinting. 199 | 200 | - Compare with known authentic samples. 201 | 202 | - **Provenance Checks** 203 | 204 | - Check for C2PA metadata and verify its signature chain; a manifest can be stripped, so absence proves nothing. 205 | 206 | - Validate Adobe Content Credentials. 207 | 208 | - Run Google SynthID watermark checks if available. 209 | 210 | ## 🤝 Peer Review & Validation 211 | 212 | - Share findings with a second analyst for independent validation. 213 | 214 | - Compare across multiple tools and detection methods. 215 | 216 | - Store SHA-256 hashes of original files for integrity; keep MD5 only where needed to match legacy records, since it is collision-prone. 217 | 218 | - Maintain chain of custody logs for evidentiary purposes. 219 | 220 | - Document all anomalies with annotated screenshots. 221 | 222 | - Record all commands, queries, and tools used for auditability.
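Added example, not code from the checklist or the toolkit, that runs the metadata checks above (generator or editor `Software` tags, missing `Make`/`Model`, impossible or drifting `DateTimeOriginal`, GPS contradicting the claim) over records shaped like `exiftool -j -n` output. The two records, the claim (Paris on 2025-06-01), the keyword lists and the tolerances are constructed assumptions for the demonstration.

```python
"""Metadata red-flag triage over ExifTool JSON output (added example).

Codifies the metadata checks from the checklist and from manual step 4.2/2.
Input is shaped like `exiftool -j -n` (numeric GPS, 'YYYY:MM:DD HH:MM:SS[+HH:MM]'
dates). All records below are constructed, not real files.
"""
import math
from datetime import datetime, timedelta, timezone

# Assumed keyword lists; extend from your own casework.
GENERATOR_TAGS = ("stable diffusion", "midjourney", "dall-e", "firefly",
                  "comfyui", "automatic1111", "invokeai")
EDITOR_TAGS = ("photoshop", "gimp", "lightroom", "affinity")
EXIF_TS = "%Y:%m:%d %H:%M:%S"


def parse_exif_time(value):
    """ExifTool date string -> aware UTC datetime, or None if unparseable.

    A trailing +HH:MM/-HH:MM offset is honoured; a date with no offset is
    assumed to be UTC (assumption: many cameras omit OffsetTime).
    """
    if not value or len(value) < 19:
        return None
    try:
        dt = datetime.strptime(value[:19], EXIF_TS)
    except ValueError:
        return None
    tz = value[19:].strip()
    if len(tz) == 6 and tz[0] in "+-" and tz[3] == ":":
        minutes = int(tz[1:3]) * 60 + int(tz[4:6])
        dt -= timedelta(minutes=minutes if tz[0] == "+" else -minutes)
    return dt.replace(tzinfo=timezone.utc)


def km_between(lat1, lon1, lat2, lon2):
    """Great-circle distance in km (haversine, mean Earth radius 6371 km)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def triage_metadata(tags: dict, claim: dict) -> list:
    """Return (severity, message) tuples; severity is 'red', 'amber' or 'info'.

    Everything here is one line of evidence (the metadata domain) and must be
    corroborated from another domain before any conclusion is drawn.
    """
    findings = []
    software = str(tags.get("Software", ""))
    sw = software.lower()
    if any(k in sw for k in GENERATOR_TAGS):
        findings.append(("red", f"Software tag names a generator: {software}"))
    elif any(k in sw for k in EDITOR_TAGS):
        findings.append(("amber", f"Software tag names an editor: {software}"))

    if not tags.get("Make") and not tags.get("Model"):
        # Weak on its own: most platforms strip EXIF on upload.
        findings.append(("amber", "No Make/Model: camera origin cannot be confirmed"))

    taken = parse_exif_time(tags.get("DateTimeOriginal"))
    if taken is None:
        findings.append(("info", "No parseable DateTimeOriginal"))
    else:
        if taken > claim["acquired_utc"]:
            findings.append(("red", f"DateTimeOriginal {taken.isoformat()} is later than acquisition"))
        drift = abs((taken - claim["claimed_utc"]).total_seconds())
        if drift > claim.get("time_tolerance_s", 24 * 3600):
            findings.append(("amber", f"DateTimeOriginal is {drift / 3600:.1f} h from the claimed time"))

    lat, lon = tags.get("GPSLatitude"), tags.get("GPSLongitude")
    if lat is not None and lon is not None and "claimed_latlon" in claim:
        d = km_between(lat, lon, *claim["claimed_latlon"])
        if d > claim.get("gps_tolerance_km", 5.0):
            findings.append(("red", f"GPS is {d:.0f} km from the claimed location"))
    return findings


# Constructed claim: photo said to be taken near the Eiffel Tower at noon UTC,
# acquired by the analyst the next morning.
CLAIM = {
    "claimed_utc": datetime(2025, 6, 1, 12, 0, tzinfo=timezone.utc),
    "acquired_utc": datetime(2025, 6, 2, 9, 0, tzinfo=timezone.utc),
    "claimed_latlon": (48.8584, 2.2945),
    "gps_tolerance_km": 5.0,
}
# Constructed records shaped like `exiftool -j -n` output.
CAMERA_JPEG = {
    "SourceFile": "claim_a.jpg", "Make": "Canon", "Model": "Canon EOS R6",
    "Software": "Firmware Version 1.8.1",
    "DateTimeOriginal": "2025:06:01 11:42:10+02:00",
    "GPSLatitude": 48.8606, "GPSLongitude": 2.2930,
}
SUSPECT_PNG = {
    "SourceFile": "claim_b.png", "Software": "Stable Diffusion web UI",
    "DateTimeOriginal": "2025:06:03 00:00:00",
    "GPSLatitude": 40.7128, "GPSLongitude": -74.0060,  # New York, far from the claim
}

if __name__ == "__main__":
    for rec in (CAMERA_JPEG, SUSPECT_PNG):
        print(rec["SourceFile"], triage_metadata(rec, CLAIM) or "no metadata findings")
```

The consistent camera record yields no findings; the suspect record yields three red and two amber findings, which is still only one domain and needs corroboration before the case moves beyond Amber.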
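Added example (not part of the checklist or the toolkit's own code) implementing the evidence-handling bullets above and the manual's pre-flight and case-log steps: hash the original at intake, record source context and tool versions, log each step, and re-verify the hash before analysis. SHA-256 is the integrity anchor; MD5 is recorded only for matching legacy records. The field names, the `CASE-0001` identifier, the source URL and the sample bytes are constructed for illustration.

```python
"""Evidence intake and chain-of-custody record (added example).

Implements the handling steps from the checklist and the manual's 4.0/4.7:
hash the original the moment it is acquired, record source context and tool
versions, log every analysis step, and re-verify the hash before each step.
SHA-256 is the integrity anchor; MD5 is kept only to match legacy records.
"""
import hashlib
import json
import platform
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB reads so multi-GB video originals fit in memory


def hash_bytes(data: bytes) -> dict:
    """SHA-256 (primary) and MD5 (legacy matching only) hex digests of in-memory data."""
    return {"sha256": hashlib.sha256(data).hexdigest(),
            "md5": hashlib.md5(data).hexdigest()}


def hash_file(path: str) -> dict:
    """Same digests as hash_bytes, streamed from disk."""
    sha, md5 = hashlib.sha256(), hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            sha.update(chunk)
            md5.update(chunk)
    return {"sha256": sha.hexdigest(), "md5": md5.hexdigest()}


def utc_now() -> str:
    """Timestamps always carry a zone; the template asks for Date/Time (TZ)."""
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def make_case_record(case_id: str, analyst: str, source: str, filename: str,
                     data: bytes, tools: dict) -> dict:
    """One chain-of-custody entry; field names follow the manual's 4.7 template."""
    return {
        "case_id": case_id,
        "analyst": analyst,
        "acquired_utc": utc_now(),
        "source": source,            # URL, post ID, handle, as captured
        "filename": filename,
        "size_bytes": len(data),
        "hashes": hash_bytes(data),
        "tools": tools,              # e.g. {"exiftool": "12.x", "ffmpeg": "6.x"}
        "platform": platform.platform(),
        "steps": [],                 # appended by log_step as work proceeds
    }


def verify_integrity(record: dict, data: bytes) -> bool:
    """True only while the working copy still matches the SHA-256 taken at intake."""
    return hashlib.sha256(data).hexdigest() == record["hashes"]["sha256"]


def log_step(record: dict, step: str, tool: str, finding: str) -> dict:
    """Append one reproducible step (what was run, with what, what it showed)."""
    entry = {"at_utc": utc_now(), "step": step, "tool": tool, "finding": finding}
    record["steps"].append(entry)
    return entry


def to_jsonl(record: dict) -> str:
    """Serialise for an append-only case log, one JSON object per line."""
    return json.dumps(record, sort_keys=True) + "\n"


if __name__ == "__main__":
    # Constructed stand-in for an acquired original; not a real media file.
    original = b"constructed sample evidence bytes, not a real JPEG"
    rec = make_case_record("CASE-0001", "analyst-a",               # hypothetical IDs
                           "https://example.invalid/post/123",     # hypothetical source
                           "claim.jpg", original,
                           {"exiftool": "unknown", "ffmpeg": "unknown"})
    log_step(rec, "hash", "hashlib", "SHA-256 recorded at intake")
    print(to_jsonl(rec), end="")
    # Any re-encode, crop or metadata edit of the working copy breaks verification:
    print("intact:", verify_integrity(rec, original))
    print("intact after edit:", verify_integrity(rec, original + b"\n"))
```

Run `verify_integrity` before every tool invocation, not just once: a single accidental `exiftool` write or re-encode on the working copy is exactly what this catches.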
223 | 224 | ## 🛠️ Quick Access Tools 225 | 226 | |Tool|Type|Purpose| 227 | |---|---|---| 228 | |[Forensically](https://29a.ch/photo-forensics/)|Image forensics|Error level analysis, clone detection, metadata review| 229 | |[InVID Plugin](https://www.invid-project.eu/tools-and-services/invid-verification-plugin/)|Video verification|Extract thumbnails, reverse video search, metadata analysis| 230 | |[ExifTool](https://exiftool.org/)|Metadata extraction|Inspect and validate EXIF and file metadata| 231 | |[GLTR](http://gltr.io/)|Text analysis|Detect statistical patterns in AI-generated text| 232 | |[DetectGPT](https://github.com/eric-mitchell/detect-gpt)|Text analysis|Identify likely AI-generated passages| 233 | |[Noiseprint](https://github.com/isi-vista/noiseprint)|Image forensics|Sensor fingerprinting and camera source validation| 234 | |[Audacity](https://www.audacityteam.org/)|Audio analysis|Waveform and spectrogram inspection| 235 | |[Praat](https://www.fon.hum.uva.nl/praat/)|Audio forensics|Acoustic analysis of speech and voice patterns| 236 | |[Meteostat](https://meteostat.net/)|Contextual data|Historical weather validation| 237 | |[SunCalc](https://www.suncalc.org/)|Contextual analysis|Validate shadows and sun positions by time and place| 238 | |[SensityAI](https://sensity.ai/)|AI detection|Deepfake and synthetic media detection services| 239 | 240 | 241 | ### 🔖 Credits 242 | 243 | Maintained by **Oryon** + **[OSINT360](https://tntpp9.short.gy/osint360-gpt)**. 244 | This document is part of the **Cyber Intelligence Toolkit** project. 
245 | -------------------------------------------------------------------------------- /manuals/ai-media-forensics-manual.md: -------------------------------------------------------------------------------- 1 | # AI Media Forensics Manual 2 | ### Practical Techniques for Detecting Synthetic Media 3 | 4 | ![Version](https://img.shields.io/badge/version-v1.0.0-blue) 5 | ![Last Update](https://img.shields.io/badge/updated-2025--09--13-red) 6 | 7 | # 📑 Table of Contents 8 | 9 | - [1. Introduction](#1-introduction) 10 | - [2. Analysis Models](#2-analysis-models) 11 | - [3. Detection Domains](#3-detection-domains) 12 | - [4. Step-by-Step Procedures](#4-step-by-step-procedures) 13 | - [5. Best Practices](#5-best-practices) 14 | - [6. Analyst Toolkit (2025)](#6-analyst-toolkit-2025) 15 | - [7. Strategic Outlook](#7-strategic-outlook) 16 | - [Appendix A: Domain → Tools Matrix](#appendix-a-domain--tools-matrix) 17 | - [Appendix B: Automation Snippets & Field Kit](#appendix-b-automation-snippets--field-kit) 18 | - [Credits](#credits) 19 | 20 | ## 1. Introduction 21 | 22 | Artificial Intelligence has enabled the creation of hyper-realistic synthetic media — images, video, audio, and text that can convincingly mimic authentic content. While AI brings innovation in media production, it also introduces risks: misinformation campaigns, reputational attacks, political manipulation, and cyber-enabled fraud. 23 | 24 | This manual is designed for journalists, investigators, analysts, and digital forensic professionals. It delivers: 25 | 26 | - A **structured methodology** for content verification. 27 | 28 | - A **multi-phase workflow** that scales from rapid screening to evidentiary forensics. 29 | 30 | - A **toolkit of practical technologies** aligned with OSINT and DFIR practices. 31 | 32 | - **Best practices** for documentation, reporting, and transparency. 33 | 34 | 35 | ## 2. 
Analysis Models 36 | 37 | The detection process is divided into four escalating phases: 38 | 39 | 1. **Rapid Triage (Initial Screening)** – Quick suspicion check. 40 | 41 | 2. **Preliminary Verification (Lightweight Checks)** – OSINT-based fast validation. 42 | 43 | 3. **Structured Forensic Analysis (In-Depth Review)** – Comprehensive forensic-grade methods. 44 | 45 | 4. **Peer Review & Validation (Cross-Check)** – Independent replication to reduce bias. 46 | 47 | 48 | ## 3. Detection Domains 49 | 50 | **How to use this section:** Each domain targets a distinct failure mode common to synthetic media. Treat domains as **independent lines of evidence**. A single red flag rarely proves anything; **two or more from different domains** justifies escalation. 51 | 52 | ### 3.1 Anatomy & Object Integrity 53 | 54 | **Objective:** Detect biological or object construction errors introduced by generative AI. 55 | 56 | **Indicators:** 57 | 58 | - Extra, missing, or fused fingers; malformed nails; symmetrical eyes without natural variation. 59 | 60 | - Teeth rendered as uniform blocks or inconsistent with gum lines. 61 | 62 | - Ears, earrings, or glasses distorted or asymmetrical. 63 | 64 | - Clothing, fabric, or accessories with warped stitching, inconsistent patterns, or impossible geometry. 65 | 66 | 67 | **Checks:** 68 | 69 | - Zoom to 200–400% and scan hands, eyes, and teeth. 70 | 71 | - Look for repeated face patterns in group shots. 72 | 73 | - Compare mirrored body parts for natural asymmetry. 74 | 75 | 76 | **Tools:** [Forensically](https://29a.ch/photo-forensics/), magnifiers, reverse image search on cropped anomalies. 77 | 78 | ### 3.2 Geometry & Physics 79 | 80 | **Objective:** Test whether light, perspective, and reflections obey physical laws. 81 | 82 | **Indicators:** 83 | 84 | - Shadows inconsistent with light sources or each other. 85 | 86 | - Reflections missing in mirrors, water, or glass. 87 | 88 | - Vanishing points misaligned; horizon misplaced. 
89 | 90 | - Object scale inconsistent with distance. 91 | 92 | 93 | **Checks:** 94 | 95 | - Use SunCalc to validate shadow length vs. claimed time/place. 96 | 97 | - Draw vanishing lines to test perspective. 98 | 99 | - Inspect reflections for parity and content. 100 | 101 | 102 | **Tools:** [SunCalc](https://www.suncalc.org/), Google Earth/Street View, [Forensically](https://29a.ch/photo-forensics/). 103 | 104 | ### 3.3 Metadata & Technical Fingerprints 105 | 106 | **Objective:** Analyze embedded metadata and camera/device signatures. 107 | 108 | **Indicators:** 109 | 110 | - Missing EXIF in photos that should contain it (weak on its own: platforms strip EXIF on upload). 111 | 112 | - Impossible timestamps or GPS coordinates. 113 | 114 | - Software tags showing AI editors or generators. 115 | 116 | - Uniform synthetic noise lacking natural PRNU (Photo Response Non-Uniformity). 117 | 118 | 119 | **Checks:** 120 | 121 | - Run ExifTool to review `Make/Model`, `DateTimeOriginal`, `GPS` fields. 122 | 123 | - Inspect compression signatures and quantization tables. 124 | 125 | - Apply Noiseprint for sensor fingerprinting. 126 | 127 | 128 | **Tools:** [ExifTool](https://exiftool.org/), [FotoForensics](http://fotoforensics.com/), [Noiseprint](https://github.com/isi-vista/noiseprint). 129 | 130 | ### 3.4 Voice & Audio 131 | 132 | **Objective:** Identify synthetic patterns in speech or environmental sound. 133 | 134 | **Indicators:** 135 | 136 | - Robotic cadence; unnatural prosody. 137 | 138 | - Missing breathing, mouth clicks, or ambient noise. 139 | 140 | - Spectrogram anomalies: clean high frequencies, banding. 141 | 142 | 143 | **Checks:** 144 | 145 | - Inspect spectrograms for unnatural frequency bands. 146 | 147 | - Measure jitter/shimmer in Praat for vocal variation. 148 | 149 | - Compare lip sync to phonemes in video. 150 | 151 | 152 | **Tools:** [Audacity](https://www.audacityteam.org/), [Praat](https://www.fon.hum.uva.nl/praat/), Deepware Scanner, Resemble Detect (for video with speech, Intel FakeCatcher scores the frames, not the audio track).
153 | 154 | ### 3.5 Contextual Consistency 155 | 156 | **Objective:** Confirm claimed time, place, and environment. 157 | 158 | **Indicators:** 159 | 160 | - Seasonal mismatch (snow vs. claimed summer). 161 | 162 | - Buildings or skylines inconsistent with stated location. 163 | 164 | - Weather contradicting meteorological records. 165 | 166 | 167 | **Checks:** 168 | 169 | - Validate shadows and lighting with SunCalc. 170 | 171 | - Compare weather with Meteostat or OGIMET logs. 172 | 173 | - Cross-reference landmarks via Google Earth or Street View. 174 | 175 | 176 | **Tools:** [Meteostat](https://meteostat.net/), [OGIMET](https://www.ogimet.com/), [Google Earth](https://earth.google.com/). 177 | 178 | ### 3.6 Behavioral & Social Signals 179 | 180 | **Objective:** Assess realism of group dynamics and human behavior. 181 | 182 | **Indicators:** 183 | 184 | - Identical faces or clothing repeated in crowds. 185 | 186 | - People ignoring focal events (all gazes in wrong direction). 187 | 188 | - Uniform expressions or synchronized gestures. 189 | 190 | 191 | **Checks:** 192 | 193 | - Run face clustering to detect duplicates. 194 | 195 | - Check gaze direction consistency. 196 | 197 | - Observe micro-expressions and natural motion. 198 | 199 | 200 | **Tools:** [InVID](https://www.invid-project.eu/tools-and-services/invid-verification-plugin/), Forensically. 201 | 202 | ### 3.7 Textual AI Fingerprints 203 | 204 | **Objective:** Detect linguistic artifacts of AI-generated text. 205 | 206 | **Indicators:** 207 | 208 | - Repetitive scaffolding or formulaic phrasing. 209 | 210 | - Fabricated citations or unverifiable facts. 211 | 212 | - Uniform sentence lengths and transitions. 213 | 214 | 215 | **Checks:** 216 | 217 | - Run AI detectors on samples. 218 | 219 | - Perform stylometric comparison to known author texts. 220 | 221 | - Spot-check quotes and references. 
222 | 223 | 224 | **Tools:** [GLTR](http://gltr.io/), [DetectGPT](https://github.com/eric-mitchell/detect-gpt), [HuggingFace Models](https://huggingface.co/), JStylo. 225 | 226 | ### 3.8 Provenance & Watermarking 227 | 228 | **Objective:** Identify provenance credentials or embedded watermarks. 229 | 230 | **Indicators:** 231 | 232 | - Valid C2PA signatures showing edit history. 233 | 234 | - Invisible watermarks indicating AI generation. 235 | 236 | 237 | **Checks:** 238 | 239 | - Extract provenance JSON and verify the signature chain; a stripped or absent manifest is not evidence either way. 240 | 241 | - Run SynthID or watermark scanners where available. 242 | 243 | 244 | **Tools:** [C2PA](https://c2pa.org/), Adobe Content Credentials, Google SynthID. 245 | 246 | ### 3.9 AI-vs-AI Detection 247 | 248 | **Objective:** Apply specialized AI detectors trained to spot generative content. 249 | 250 | **Indicators:** 251 | 252 | - High detector confidence across multiple frames. 253 | 254 | - Consistent outputs from different models. 255 | 256 | 257 | **Checks:** 258 | 259 | - Apply forensic CNNs (e.g. XceptionNet trained on FaceForensics++). 260 | 261 | - Compare results across multiple detectors. 262 | 263 | 264 | **Tools:** [FaceForensics++](https://github.com/ondyari/FaceForensics), DFDC models, XceptionNet-based classifiers. 265 | 266 | ### 3.10 Cross-Modal & Narrative Consistency 267 | 268 | **Objective:** Ensure all media modalities align with the narrative. 269 | 270 | **Indicators:** 271 | 272 | - Lip sync mismatch between audio and video. 273 | 274 | - Weather sounds inconsistent with visual conditions. 275 | 276 | - Narration contradicting imagery. 277 | 278 | 279 | **Checks:** 280 | 281 | - Align timestamps across text, audio, and video. 282 | 283 | - Verify environment acoustics match visual context. 284 | 285 | - Map camera positions vs. scene constraints. 286 | 287 | 288 | **Tools:** CrossCheck, [SensityAI](https://sensity.ai/), Reality Defender. 289 | 290 | ## 4. Step-by-Step Procedures
291 | 292 | This section provides an operational, reproducible workflow from first contact with a file/link to an evidence‑grade conclusion. It is organized into **four phases**. Each phase includes objectives, inputs, actions, tools, outputs, and escalation criteria. 293 | 294 | ### 4.0 Pre‑Flight: OPSEC & Chain of Custody (CoC) 295 | 296 | **Objective:** Preserve evidentiary integrity and avoid contaminating artifacts. 297 | 298 | **Inputs:** Source URL, file(s), claims (who/what/where/when), stakeholder urgency. 299 | 300 | **Actions:** 301 | 302 | - **Acquire original** if possible (avoid platform‑compressed versions). Request raw files via secure channel. 303 | 304 | - **Hash immediately:** 305 | 306 | - Bash/macOS: `shasum -a 256 <file>` (or `sha256sum <file>` on Linux) 307 | 308 | - PowerShell: `Get-FileHash -Algorithm SHA256 <file>` 309 | 310 | - **Snapshot context:** copy URL, post ID, author handle, timestamps (include time zone), and a screenshot of the claim. 311 | 312 | - **Workspace:** operate on a **copy**; never re‑encode originals. Record tool names & versions. 313 | 314 | - **Risk & scope:** decide if this is _routine verification_ or _high‑stakes_ (elections, conflict, criminal case). 315 | 316 | 317 | **Output:** Case record with IDs, hashes, source notes, and a plan for Phase 1. 318 | 319 | ### 4.1 Rapid Triage (Initial Screening) 320 | 321 | **Objective:** Decide in seconds whether the material merits deeper checks. 322 | 323 | **Inputs:** One image/video frame, short audio snippet, or text excerpt. 324 | 325 | **Actions (by media type):** 326 | 327 | - **Image/Video frame:** 328 | 329 | - **Anatomy & objects:** hands, eyes, teeth, ears, accessories, signage, logos. 330 | 331 | - **Physics:** shadow direction/length, reflections, specular highlights; lighting continuity. 332 | 333 | - **“Too perfect” test:** cinematic composition, hyper‑clean surfaces, uniform faces. 
334 | 335 | - **Audio:** listen for breath/pauses, monotone prosody, robotic shimmer at pitch changes. 336 | 337 | - **Text:** repetitive phrasing, encyclopedic tone, confident statements without sources. 338 | 339 | 340 | **Common red flags:** extra/merged fingers; mismatched shadows; mirrored or unreadable micro‑text; cloned textures; lip‑sync oddities; identical smiles. 341 | 342 | **False positives:** heavy denoise/HDR; professional retouching; platform recompression; staged marketing visuals. 343 | 344 | **Output:** **Triage code** — Green (plausible), Amber (suspicious), Red (multiple anomalies). Amber/Red → Phase 2. 345 | 346 | ### 4.2 Preliminary Verification (Lightweight Checks) 347 | 348 | **Objective:** Use fast OSINT & basic forensic tools to confirm or challenge authenticity. 349 | 350 | **Inputs:** Original (preferred) or best‑quality copy; claimed time/place/context. 351 | 352 | **Tools (typical):** Google/Bing/Yandex Images; InVID‑WeVerify; ExifTool; Forensically / FotoForensics; Noiseprint; SunCalc; Timeanddate/Meteostat/OGIMET; Google Earth/Street View. 353 | 354 | **Step‑by‑step:** 355 | 356 | 1. **Reverse search (image/video):** 357 | 358 | - If video, extract 4–12 **keyframes** (InVID → Keyframes or `ffmpeg -i input.mp4 -vf fps=1 frames/f%04d.jpg`; create `frames/` first, ffmpeg will not). 359 | 360 | - Search the **full image** plus **cropped regions** (faces, signs, skyline). Try **horizontal flip** when relevant. 361 | 362 | - Compare hits: earlier appearances, different captions, stock/AI galleries. 363 | 364 | 2. **Metadata inspection (images/video/audio):** 365 | 366 | - `exiftool <file>` → review `Make/Model`, `Software`, `DateTimeOriginal`, `GPS*`. 367 | 368 | - Red flags: missing EXIF in camera JPEGs, impossible timestamps, odd `Software` (generator), GPS contradicting claim. 369 | 370 | - Caveat: social sites often strip/alter EXIF, so missing fields alone stay Amber, not Red. 371 | 372 | 3. **Basic pixel forensics (images):** 373 | 374 | - **ELA/Clone/Noise** in Forensically/FotoForensics.
375 | 376 | - Red flags: isolated high ELA around inserted objects; tiled repeats; uniform noise where natural variation is expected. 377 | 378 | - **Noiseprint/PRNU hint:** lack of camera‑like noise structure can support suspicion. 379 | 380 | 4. **Context cross‑check (all media):** 381 | 382 | - **Place:** landmark geometry in Google Earth/Street View; signage language & fonts. 383 | 384 | - **Time/lighting:** SunCalc — does shadow azimuth/elevation match claimed date/time/location? 385 | 386 | - **Weather:** compare precipitation/clouds/temperature with Timeanddate/Meteostat/OGIMET. 387 | 388 | 389 | **Evidence to capture:** screenshots of reverse‑search results; EXIF dumps; ELA/Noise overlays; SunCalc and weather pages (PDFs or images). 390 | 391 | **Decision & escalation:** 392 | 393 | - **Converging authentic signals** → document as _provisionally authentic_. 394 | 395 | - **≥2 independent inconsistencies** → escalate to Phase 3. 396 | 397 | 398 | ### 4.3 Structured Forensic Analysis (In‑Depth Review) 399 | 400 | **Objective:** Produce a defendable assessment using advanced methods across modalities. 401 | 402 | **Inputs:** Highest‑quality media; claims; any prior investigative notes. 403 | 404 | **Modules & procedures:** 405 | 406 | **A) Video Forensics** 407 | 408 | - **Frame extraction:** 409 | 410 | - Constant rate: `ffmpeg -i in.mp4 -vf fps=5 frames/f_%05d.jpg` 411 | 412 | - Scene changes: `ffmpeg -i in.mp4 -vf "select='gt(scene,0.5)'" -vsync vfr scenes/s_%05d.jpg` 413 | 414 | - **Temporal artifacts:** look for warping/morphing around faces/hands; inconsistent motion blur; jitter on edges; rolling‑shutter realism during pans. 415 | 416 | - **Optical flow/consistency:** check for motion coherence of shadows/reflections across frames. 417 | 418 | 419 | **B) Audio Forensics** 420 | 421 | - **Spectrogram analysis (Audacity):** View → Spectrogram; inspect harmonics, breath noise, plosives; spot copy‑paste bands. 
422 | 423 | - **Prosody/phonation (Praat):** measure pitch (F0), jitter/shimmer; overly uniform patterns suggest synthesis. 424 | 425 | - **Deepfake detectors:** run Resemble Detect / Deepware; treat as **supporting**, not decisive. 426 | 427 | - **Physiological cues:** where applicable, evaluate biometric pulse cues (e.g., FakeCatcher‑style signals) with caution. 428 | 429 | 430 | **C) Text Stylometry** 431 | 432 | - Establish a **baseline** from verified writings (if authorship is at issue). 433 | 434 | - Analyze with JStylo (function words, POS patterns, sentence length variance). 435 | 436 | - Cross‑check with GPTZero/DetectGPT/HuggingFace classifiers; corroborate with factual verification (quotes, sources, dates). 437 | 438 | 439 | **D) Contextual OSINT** 440 | 441 | - **Geolocation:** skyline line‑drawing; terrain/river bends; sign typography; street furniture; license plates. 442 | 443 | - **Chronology:** construction timelines (bridges, towers), event schedules, transport GTFS feeds. 444 | 445 | - **Remote sensing:** Sentinel Hub/NASA Worldview for cloud cover, snow extent, wildfire smoke on claimed dates. 446 | 447 | 448 | **E) Provenance & Watermarking** 449 | 450 | - **C2PA/Content Credentials:** inspect with compatible viewers; export the provenance JSON; verify signatures and edit history. 451 | 452 | - **SynthID/Watermarks:** where tooling is available, check invisible watermarks in images/audio/text; document limitations. 453 | 454 | 455 | **F) Model‑Specific Forensics (AI‑vs‑AI)** 456 | 457 | - Apply forensic CNNs (e.g., XceptionNet/FaceForensics++/DFDC models) on images/frames; **never as a sole indicator**. Record model type, version, thresholds, and confusion risks. 458 | 459 | 460 | **G) PRNU / Camera Fingerprinting (expert option)** 461 | 462 | - Extract sensor noise residuals; compare to a reference set of images from the purported device. 463 | 464 | - Caveats: recompression, denoise, and resizing degrade PRNU; treat as corroborative. 
465 | 466 | 467 | **Outputs:** 468 | 469 | - Annotated frames/spectrograms; tool outputs (versions, parameters); OSINT corroboration; a reasoned conclusion with **probability language** (see 4.5). 470 | 471 | 472 | **Escalation triggers:** conflicting signals; high impact (elections, criminal proceedings); legal request for expert affidavit. 473 | 474 | ### 4.4 Peer Review & Validation (Cross‑Check) 475 | 476 | **Objective:** Reduce bias and ensure reproducibility. 477 | 478 | **Process:** 479 | 480 | - Prepare a **neutral brief** (facts, methods, outputs) avoiding leading language. 481 | 482 | - A second analyst **replicates** key steps (reverse search, EXIF, pixel/audio/text analysis, context checks) independently. 483 | 484 | - Compare findings; document agreements and discrepancies; if needed, seek a third expert or additional data (original file, higher resolution, longer cut). 485 | 486 | 487 | **Artifacts:** replication log, checklist of reproduced results, change log of conclusions. 488 | 489 | **Outcome:** consensus conclusion or documented divergence with rationale. 490 | 491 | ### 4.5 Decision & Reporting Framework 492 | 493 | **Probability bands (recommendation):** 494 | 495 | - **Very Low (≤20%)** — unlikely AI‑generated. 496 | 497 | - **Low (21–40%)** — weak indicators; more data recommended. 498 | 499 | - **Indeterminate (41–59%)** — conflicting signals; seek originals or expert tests. 500 | 501 | - **High (60–80%)** — multiple independent indicators of AI/manipulation. 502 | 503 | - **Very High (>80%)** — strong, corroborated evidence across domains. 504 | 505 | 506 | **Language examples:** _“High likelihood of AI generation based on [A, B, C], with no contradicting evidence. Limitations: [X, Y].”_ 507 | 508 | **Minimum evidence for publication (suggested):** ≥2 independent indicators from different domains **or** 1 strong forensic indicator + context contradiction. 
### 4.6 Automation Recipes (Optional)

- **Batch EXIF export:**

  - `exiftool -csv -r -DateTimeOriginal -Make -Model -Software "-GPS*" folder/ > exif_report.csv`

- **Batch keyframes:**

  - `ffmpeg -i in.mp4 -vf fps=1 out/frame_%05d.jpg`

- **Scene change list:**

  - `ffmpeg -i in.mp4 -filter:v "select='gt(scene,0.4)',showinfo" -f null - 2> scenes.log`

**Tip:** Log tool versions and parameters alongside outputs for reproducibility.

### 4.7 Case Log Template (suggested fields)

- Case ID, Analyst, Date/Time (TZ), Source URL/ID, Acquisition method, File hashes (SHA‑256), Media type, Claimed context, Tools & versions, Steps performed, Findings per step, Indicators (pro/contra), Probability band, Peer reviewer, Final conclusion, Evidence archive location.

## 5. Best Practices

- **Two-signal principle:** Never conclude based on one indicator.

- **Documentation:** Maintain chain of custody (hashes, metadata, tool versions).

- **Probabilistic reporting:** Use “high likelihood” instead of absolutes.

- **Continuous adaptation:** Update methods every 6–12 months.

- **Automation:** Integrate tools into scripted pipelines.

- **Crowdsourced verification:** Collaborate with OSINT/fact-checking communities.

## 6. Analyst Toolkit (2025)

- **Images:** Forensically, FotoForensics, ExifTool, Noiseprint.

- **Video:** InVID, ffmpeg, FakeCatcher.

- **Audio:** Praat, Audacity, Resemble Detect, Deepware Scanner.

- **Text:** GPTZero, DetectGPT, JStylo, HuggingFace classifiers.

- **Provenance:** C2PA tools, Adobe Content Credentials, SynthID.

- **Context:** Google Earth, Sentinel Hub, Meteostat, NASA Worldview.

- **AI-forensics:** XceptionNet, FaceForensics++, DFDC models.

## 7. Strategic Outlook

- **Evolving AI:** Generation models are rapidly improving, masking older flaws.

- **Future of detection:** Watermarking, provenance standards, and blockchain-based verification will be critical.

- **Present reality:** Only a hybrid approach (intuition + OSINT + forensics + AI detectors + provenance tools) can sustain investigative integrity.

## Appendix A: Domain → Tools Matrix

|Detection Domain|Techniques|Tools (Open-Source / Free)|
|---|---|---|
|**Visual Forensics**|Identify anomalies: hands, eyes, teeth, reflections, shadows|[Forensically](https://29a.ch/photo-forensics/), Deepware Scanner, GIMP|
|**Metadata & File Integrity**|Extract & analyze EXIF, XMP, hashes, signatures|[ExifTool](https://exiftool.org/), Mat2, Hashdeep|
|**Error Level & Compression Analysis**|ELA, JPEG ghost detection, noiseprint mismatch|[FotoForensics](http://fotoforensics.com/), [Noiseprint](https://github.com/isi-vista/noiseprint)|
|**Reverse Image/Video Search**|Reverse search images/videos for provenance|[InVID-WeVerify](https://www.invid-project.eu/tools-and-services/invid-verification-plugin/), Yandex Images, TinEye|
|**Audio Forensics**|Spectrograms, waveform anomalies, deepfake audio classifiers|[Sonic Visualiser](https://www.sonicvisualiser.org/), [Praat](https://www.fon.hum.uva.nl/praat/), FakeCatcher (Intel)|
|**Textual Stylometry**|Stylometry, linguistic patterns, AI-text probability detectors|[GLTR](http://gltr.io/), [DetectGPT](https://github.com/eric-mitchell/detect-gpt), [HuggingFace Transformers](https://huggingface.co/)|
|**Context & OSINT Cross-Verification**|Cross-check geography, time, weather, events|[OSINT Framework](https://osintframework.com/), Wayback Machine, Bellingcat Tools|
|**Network & Source Traceability**|Trace network origins, domains, C2PA provenance|WhoisXML API, [Maltego CE](https://www.paterva.com/), RiskIQ, [C2PA](https://c2pa.org/)|
|**Cross-Modal Consistency**|Check if narrative matches across modalities|CrossCheck, SensityAI, Reality Defender|
|**Automation & Pipelines**|Automate via pipelines, ML models, SIEM/XDR integrations|Apache Tika, HuggingFace pipelines, Python, MISP, Sigma rules|

## Appendix B: Automation Snippets & Field Kit

### Image & Metadata

- **Extract metadata (all files in folder to CSV):**

```bash
exiftool -csv -r folder/ > exif_report.csv
```

- **Strip metadata for sharing (privacy):**

```bash
mat2 file.jpg
```

### Video Analysis

- **Extract 1 frame per second:**

```bash
ffmpeg -i video.mp4 -vf fps=1 frames/out_%04d.jpg
```

- **Extract scene changes:**

```bash
ffmpeg -i video.mp4 -filter:v "select='gt(scene,0.4)',showinfo" -vsync vfr scenes/out_%04d.jpg
```

- **Get video codec/container info:**

```bash
mediainfo video.mp4
```

### Audio Analysis

- **Convert to WAV for spectrograms:**

```bash
ffmpeg -i input.mp4 -vn -acodec pcm_s16le output.wav
```

- **Generate spectrogram (SoX):**

```bash
sox output.wav -n spectrogram -o spectro.png
```

### Text Analysis

- **Detect AI-like text probability (DetectGPT):**

```python
# Assumes a locally installed wrapper around the DetectGPT reference code that
# exposes this API; it is not a published PyPI package. Interpret the score per
# the wrapper's documentation and treat it as one weak signal only.
from detectgpt import DetectGPT

model = DetectGPT()
score = model.score_text("sample text")
print(score)
```

- **Check perplexity with GPT-2 LM (HuggingFace):**

```python
from transformers import GPT2LMHeadModel, GPT2TokenizerFast
import torch

model = GPT2LMHeadModel.from_pretrained("gpt2")
tokenizer = GPT2TokenizerFast.from_pretrained("gpt2")
model.eval()

text = "sample text"
encodings = tokenizer(text, return_tensors="pt")
seq_len = encodings.input_ids.size(1)
max_length = model.config.n_positions  # 1024 for GPT-2
stride = 512                           # sliding window so long texts can exceed the context limit
nlls = []
for i in range(0, seq_len, stride):
    begin_loc = max(i + stride - max_length, 0)
    end_loc = min(i + stride, seq_len)   # clamp to the text length on the last window
    trg_len = end_loc - i                # tokens scored in this window (shorter on the last loop)
    input_ids = encodings.input_ids[:, begin_loc:end_loc]
    target_ids = input_ids.clone()
    target_ids[:, :-trg_len] = -100      # context tokens already scored earlier are ignored

    with torch.no_grad():
        outputs = model(input_ids, labels=target_ids)
    nlls.append(outputs.loss * trg_len)  # loss is a per-token mean; scale back to a sum

ppl = torch.exp(torch.stack(nlls).sum() / end_loc)
print(ppl.item())  # low perplexity is one (weak) indicator of machine-generated text
```

### Networking & Provenance

- **WHOIS lookup (Linux):**

```bash
whois example.com
```

- **Get SSL/TLS certificate info:**

```bash
echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -dates -issuer -subject
```

### Workflow Helpers

- **Batch hash files in folder:**

```bash
sha256sum * > hashes.txt
```

- **Create case log template (Markdown):**

```markdown
# Case Log
- Case ID:
- Analyst:
- Date/Time (TZ):
- Source URL/ID:
- File Hashes (SHA-256):
- Media Type:
- Claimed Context:
- Tools & Versions:
- Findings:
- Indicators:
- Probability Band:
- Peer Reviewer:
- Final Conclusion:
```

### 🔖 Credits

Maintained by **Oryon** + **[OSINT360 GPT](https://tntpp9.short.gy/osint360-gpt)**.
This document is part of the **Cyber Intelligence Toolkit** project.
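The two Workflow Helpers above (batch hashing and the case log template) and the 4.7 field list, combined into one Python module that hashes an evidence folder into a manifest, re-verifies the folder later so re-encoding or additions after intake are detected, and renders the case log with the hashes filled in. This is an added example, not one of the manual's own snippets; the sample files it creates are constructed bytes, and the tool version string is a placeholder.

```python
"""Evidence manifest and case log rendering (added example)."""
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so large video files never load into memory whole

# Field order of the 4.7 case log template.
CASE_LOG_FIELDS = [
    "Case ID", "Analyst", "Date/Time (TZ)", "Source URL/ID", "Acquisition method",
    "File Hashes (SHA-256)", "Media type", "Claimed context", "Tools & versions",
    "Steps performed", "Findings per step", "Indicators (pro/contra)", "Probability band",
    "Peer reviewer", "Final conclusion", "Evidence archive location",
]


def sha256_file(path):
    """SHA-256 hex digest of one file, streamed."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(folder):
    """{relative POSIX path: sha256} for every regular file below folder, in stable sorted order."""
    root = Path(folder)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_manifest(folder, manifest):
    """Re-hash the folder and report drift against an earlier manifest."""
    current = build_manifest(folder)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "added": sorted(k for k in current if k not in manifest),
    }


def render_case_log(case, manifest):
    """Markdown case log in the 4.7 field order; hashes come from the manifest, not from `case`."""
    values = dict(case)
    values.setdefault("Date/Time (TZ)", datetime.now(timezone.utc).isoformat(timespec="seconds"))
    lines = ["# Case Log"]
    for field in CASE_LOG_FIELDS:
        if field == "File Hashes (SHA-256)":
            lines.append(f"- {field}:")
            lines.extend(f"  - `{name}`: `{digest}`" for name, digest in manifest.items())
        else:
            lines.append(f"- {field}: {values.get(field, '')}")
    return "\n".join(lines) + "\n"


def demo():
    """Constructed sample: intake two fake evidence files, then alter one and add one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "frames").mkdir()
        (root / "clip.mp4").write_bytes(b"\x00\x00\x00\x18ftypmp42" + b"constructed sample bytes")
        (root / "frames" / "frame_00001.jpg").write_bytes(b"\xff\xd8\xff\xe0constructed sample")
        manifest = build_manifest(root)
        clean = verify_manifest(root, manifest)
        (root / "clip.mp4").write_bytes(b"re-encoded after intake")  # simulated post-intake change
        (root / "notes.txt").write_text("added after intake")
        drift = verify_manifest(root, manifest)
        log = render_case_log({"Case ID": "CASE-0001", "Analyst": "analyst-a",
                               "Media type": "video",
                               "Tools & versions": "ffmpeg <version> (placeholder)"},
                              manifest)
    return {"manifest": manifest, "clean": clean, "drift": drift, "log": log}


if __name__ == "__main__":
    print(demo()["log"])
```

Run `build_manifest()` once at acquisition and store the result with the case; every later `verify_manifest()` call then shows exactly which files changed, which is the evidence the "Documentation" best practice in section 5 asks for.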
-------------------------------------------------------------------------------- /manuals/paranoid-opsec-manual.md: --------------------------------------------------------------------------------

# 🛡️ Paranoid OPSEC Manual
### Extreme Practices for Identity Protection and Operational Security

![Version](https://img.shields.io/badge/version-v1.0.0-purple)
![Last Update](https://img.shields.io/badge/updated-2025--09--13-red)

# 📑 Table of Contents

- [Overview](#overview)
- [1. Scope & Assumptions](#1-scope--assumptions)
- [2. Threat Modeling & Risk Assessment](#2-threat-modeling--risk-assessment)
- [3. OPSEC Principles & Posture Levels](#3-opsec-principles--posture-levels)
- [4. Identity & Persona Compartmentalization](#4-identity--persona-compartmentalization)
- [5. Device & Endpoint Security](#5-device--endpoint-security)
- [6. Browser, Fingerprinting & Content OPSEC](#6-browser-fingerprinting--content-opsec)
- [7. Network & Transport Security](#7-network--transport-security)
- [8. Communications Security (COMSEC)](#8-communications-security-comsec)
- [9. Data Handling, Evidence & Chain of Custody](#9-data-handling-evidence--chain-of-custody)
- [10. Social & Behavioral OPSEC](#10-social--behavioral-opsec)
- [11. Travel OPSEC & Physical Security](#11-travel-opsec--physical-security)
- [12. Source Protection & HUMINT Interactions](#12-source-protection--humint-interactions)
- [13. Advanced Topics](#13-advanced-topics)
- [14. Monitoring, Audits & Incident Response](#14-monitoring-audits--incident-response)
- [15. Tools & Utilities Reference](#15-tools--utilities-reference)
- [16. Checklists](#16-checklists)
- [17. Templates & Automation (Snippets)](#17-templates--automation-snippets)
- [🔖 Credits](#-credits)

## Overview

The **Paranoid OPSEC Manual** is designed for investigators, journalists, and security practitioners who operate in **high-risk or hostile environments**. It focuses on **no-compromise methods** for safeguarding identity, devices, communications, and evidence.

- **Audience:** Professionals and practitioners who require the strictest levels of anonymity and compartmentalization.
- **Scope:** Covers devices, networks, personas, communications, travel OPSEC, data handling, and adversary simulations.
- **Approach:** Layered, paranoid-level security posture; continuous validation; defense-in-depth with zero trust assumptions.

## 1. Scope & Assumptions

- **Audience:** OSINT investigators, journalists, DFIR analysts, CTI teams, compliance officers.

- **Use cases:** OSINT collections, dark web monitoring, covert outreach, digital forensics, source protection.

- **Legal/Ethics:** All activities must comply with applicable laws, platform ToS, and organizational ethics. This manual is for **defensive** and **legitimate investigative** use.

## 2. Threat Modeling & Risk Assessment

- **Adversaries:**

  - _Low:_ scammers, basic doxers, automated scraping.

  - _Medium:_ organized cybercrime, private intel shops, well-resourced harassers.

  - _High:_ state/security services, APT, cross-platform data brokers.

- **Capabilities:** data brokerage, device exploitation, SS7/SIM swap, ML-based deanonymization, cross-modal correlation (voice/face/gait), social graph inference, legal compulsion.

- **Assets:** identity, device, network location, sources, methods, evidence integrity, operational plans.

- **Risk matrix (example):**

  - Impact (Low/Med/High) × Likelihood (Low/Med/High) → control selection & escalation.
- **Outputs:** written threat model per case; control checklist; escalation triggers.

## 3. OPSEC Principles & Posture Levels

**Goal:** Define the foundational mindset and operational tiers that govern all other decisions in an investigation. These principles and posture levels serve as a baseline for tailoring security controls depending on case sensitivity and adversary profile.

### 3.1 Core Principles

- **Least Exposure:** Reveal only what is necessary for the task. Every extra data point can become an attack surface.

- **Compartmentalization:** Keep personas, devices, networks, and evidence completely isolated. Cross-contamination creates attribution risks.

- **Defense-in-Depth:** Layer multiple controls (technical, procedural, behavioral) so that a single failure does not expose the operation.

- **Need-to-Know:** Limit knowledge distribution both inside the team and with external stakeholders.

- **Minimize Metadata:** Strip or neutralize metadata in all shared content (photos, documents, messages).

- **Verify, Then Trust:** Assume deception by default. Validate identities, sources, and tools before use.

- **Continuous Review:** OPSEC is never static; it requires ongoing monitoring, audits, and adaptation.

### 3.2 Posture Levels

A four-tier posture system defines what protections to enforce depending on case sensitivity, adversary capability, and potential consequences.

#### **L0 – Routine Exposure**

- **Use case:** General OSINT browsing, public sources, low adversary risk.

- **Controls:**

  - VPN or hardened proxy; browser with basic fingerprint protections.

  - Hardened OS or dedicated VM.

  - Routine patching and endpoint hygiene.

  - Minimal persona setup; may overlap with a semi-public analyst identity.
#### **L1 – Sensitive Operations**

- **Use case:** Investigating scams, cybercrime forums, or potentially hostile individuals.

- **Controls:**

  - Strict persona separation (unique email, browser profile, VM).

  - Encrypted storage for collected data.

  - Tor Browser or multi-hop VPN.

  - Metadata scrubbing of all shared content.

  - No crossover between personal and operational accounts.

#### **L2 – High-Risk Operations**

- **Use case:** Dark web infiltration, adversaries with technical sophistication, potential targeting of the analyst.

- **Controls:**

  - Dedicated hardware or Qubes/Tails OS per case.

  - Air-gapped storage for sensitive evidence.

  - Multi-hop anonymity (VPN→Tor, or chained VPNs).

  - Strict logging of all actions for accountability.

  - Persona register with lifecycle management.

  - Two-person rule for validation of high-risk actions.

#### **L3 – Critical/Hostile Environment**

- **Use case:** Investigating state actors, organized crime, or environments with strong surveillance.

- **Controls:**

  - Clean hardware purchased specifically for the operation.

  - No reuse of devices, SIMs, accounts, or networks.

  - Travel OPSEC enforced (burner devices, Faraday pouches, no personal phone).

  - One-time use personas with no long-term footprint.

  - Legal review and organizational approval required before operation.

  - All communications via deniable, strongly encrypted channels.

#### 🔥 Extreme Practices (Optional)
- Treat **L3** not as exceptional but as **default baseline**.
- Rotate between **multiple hardware sets** in separate jurisdictions.
- Maintain **duplicate infrastructures** (e.g., two distinct Tor/VPN paths for the same task, cross-check results).
- Conduct **threat simulation drills** (e.g., adversary seizes your device in 5 min – what leaks?).

## 4. Identity & Persona Compartmentalization

**Goal:** Build and operate investigative personas that cannot be reliably linked to you, your organization, other personas, or prior operations—while remaining credible for the mission.

### 4.1 Definitions & Scope

- **Persona:** A constructed identity (name, contact points, device profile, behavior) used for investigative tasks.

- **Compartment:** A self-contained environment (device/VM, browser profile, password store, comms channels) dedicated to a single persona or case.

- **Cross‑contamination:** Any shared artifact (IP address, browser fingerprint, wording quirks, reused avatars, payment trail) that can link compartments.

### 4.2 Policy Baselines

- **One Persona = One Compartment** (device/VM, browser, password vault, comms, storage). No sharing.

- **Zero Reuse Rule:** No reuse of usernames, avatars, bios, recovery emails/phones, payment instruments, or VPN egress IPs across personas.

- **Attribution Budget:** Treat every artifact as a potential identifier. Keep the sum of identifiers per persona as low as possible.

- **Lifecycle Discipline:** Plan for **provision → operate → rotate → retire**, with documented criteria for each step.

### 4.3 Persona Lifecycle (Plan → Provision → Operate → Rotate → Retire)

**Plan**

- Define objectives, target platforms, required credibility (age of account, posting cadence, social graph).

- Choose risk level (L0–L3) from §3 and map mandatory controls.

- Run a pre‑provision conflict check to avoid collisions with real people/brands.
**Provision**

- Create **unique credentials** and recovery channels (no overlap with other personas).

- Stand up dedicated **VM/OS** (Qubes domain, separate VM, or dedicated device) and **browser profile**.

- Establish **contact points** (email/number) and **2FA** (hardware token per persona).

**Operate**

- Follow a **content and engagement script** (topics, tone, posting windows, reaction policy).

- Maintain **network separation** (distinct VPN exit/Tor circuit). Log sessions for post‑op review.

- Keep a **persona register** (metadata and link graph) updated after each session.

**Rotate** (when exposure risk rises or objectives change)

- Change exit IP ranges, posting windows, and low‑value attributes.

- Re‑issue credentials and regenerate keys as required.

**Retire**

- Tombstone gracefully (final benign message or silence, depending on OPSEC).

- Archive evidence, export logs, revoke tokens, destroy keys/seeds, wipe or reimage the compartment.

### 4.4 Persona Design (Credibility without Linkability)

- **Biographic outline:** plausible age, locale, language variant, time‑zone; avoid copying personal details or unique biographical events.

- **Backstory & cover:** minimal and congruent (job/education kept generic). Keep statements easy to maintain under questioning.

- **Style & linguistics:** align spelling, idioms, and punctuation with claimed locale. Randomize rhythm; avoid distinctive catchphrases. See §13.4 for stylometry OPSEC.

- **Visual identity:** avatars/banners with **lawful, licensed** stock or purpose‑made media. Avoid reusing GAN portraits across personas (researchers can cluster style). Strip EXIF before upload.

- **Social graph:** follow/connect gradually, mirroring normal user behavior. Seed with low‑risk follows before target engagement.

### 4.5 Provisioning: Accounts, Contact Points, and Payments

**Email**

- Create per‑persona mailboxes with providers supporting privacy and aliases: **Proton** ([https://proton.me](https://proton.me/)), **Tuta** ([https://tuta.com](https://tuta.com/)). Consider relay/aliasing (e.g., **SimpleLogin** [https://simplelogin.io/](https://simplelogin.io/) or **AnonAddy** [https://anonaddy.com/](https://anonaddy.com/)) for site‑specific addresses.

- Enable **2FA**; prefer **FIDO2 hardware keys** (per‑persona token). Keep recovery codes offline in the compartment vault.

**Phone / Voice**

- Use lawful VoIP/burner services with clear ToS (e.g., **JMP.chat** [https://jmp.chat/](https://jmp.chat/)). Avoid numbers tied to your identity; understand KYC requirements by jurisdiction.

- For high‑risk ops, avoid voice/SMS verification; prefer app‑based or hardware 2FA when platforms allow.

**Domains & Web Presence (optional)**

- If a persona needs a site, register with **WHOIS privacy** enabled; separate registrar account and payment method; no analytics. Host static-only pages; disable logs where legal.

**Payments**

- Use organization‑approved methods (virtual cards, prepaid where lawful). Keep **receipts in encrypted vault**; never reuse payment instruments across personas.

### 4.6 Compartment Engineering (Devices, VMs, Browsers)

- **Device/VM:** one VM per persona (e.g., Qubes `persona‑x` AppVM) or a dedicated laptop. Snapshots before/after operations.

- **Browser:** dedicated profile per persona. Prefer **Tor Browser** (no extensions) or **Brave** hardened profile. Disable password sync/cloud features.
- **Password store:** separate **KeePassXC** vault per persona with its own strong passphrase; store in the persona’s compartment only.

- **Key material:** per‑persona PGP keys (GnuPG). Keep master/backup offline; use subkeys operationally.

- **Storage:** encrypt at rest (VeraCrypt/LUKS). Distinct containers for evidence vs. persona working data.

### 4.7 Network Separation & Traffic Hygiene

- **Exit isolation:** each persona uses a distinct **VPN egress IP** or **Tor circuit**. Do not alternate multiple personas over the same exit during overlapping windows.

- **Leak control:** enforce DNS/IPv6/WebRTC hardening. Validate at **ipleak.net** after every environment change.

- **Session windows:** schedule distinct activity windows per persona (time‑zone believable for the cover story). Vary posting times within natural ranges.

- **Geo‑consistency:** ensure IP geolocation matches claimed region; align with language and content cadence.

### 4.8 Operational Conduct (Content, Engagement, and Safety)

- **Content script:** predefine acceptable topics, tone, and red lines. Avoid statements that demand deep domain knowledge you cannot sustain.

- **Engagement playbook:** expected responses to DMs, friend requests, and provocations. Use templated, low‑commitment replies where possible.

- **Attachments:** scrub metadata (MAT2/ExifTool) and validate file types before opening inbound media. Never open untrusted files in the same compartment used for persona comms—use a disposable analysis VM.

- **Cross‑platform discipline:** do not copy/paste verbatim text across platforms. Vary formatting and timing to reduce correlation risk.
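A self-audit for the Zero Reuse Rule (§4.2) and the exit-isolation rule (§4.7), written as an added Python example rather than anything the manual ships: it takes persona register entries and a session log, reports every attribute that two personas share (case-insensitively, so a handle differing only in capitalisation still counts), and flags two personas that used the same VPN/Tor exit in overlapping time windows. The register field names, the session-log layout, the handles and the RFC 5737 test addresses are all this example's own constructed sample data.

```python
"""Persona register linkage audit (added example)."""
from collections import defaultdict
from datetime import datetime

# Attributes that must never repeat across personas (4.2 Zero Reuse Rule).
UNIQUE_FIELDS = ("handles", "avatar_sha256", "recovery_email", "recovery_phone",
                 "payment_instrument", "egress_ip", "device_vm_id")

# Constructed register entries (fictitious handles, RFC 5737 test addresses); the
# collisions are deliberate so the audit has something to find.
SAMPLE_REGISTER = [
    {"persona_id": "P-001", "risk_level": "L1", "handles": ["harbor_lights_88"],
     "avatar_sha256": "avatar-hash-01", "recovery_email": "p001.recovery@example.net",
     "recovery_phone": None, "payment_instrument": "vcard-01",
     "egress_ip": "203.0.113.10", "device_vm_id": "qubes-persona-01"},
    {"persona_id": "P-002", "risk_level": "L2", "handles": ["quiet_river_22"],
     "avatar_sha256": "avatar-hash-02", "recovery_email": "p002.recovery@example.net",
     "recovery_phone": "+1-555-0100", "payment_instrument": "vcard-02",
     "egress_ip": "203.0.113.10",  # same VPN egress as P-001: a linkable artifact
     "device_vm_id": "qubes-persona-02"},
    {"persona_id": "P-003", "risk_level": "L1", "handles": ["Harbor_Lights_88"],  # case variant of P-001's handle
     "avatar_sha256": "avatar-hash-03", "recovery_email": "p003@example.org",
     "recovery_phone": None, "payment_instrument": "vcard-03",
     "egress_ip": "198.51.100.7", "device_vm_id": "qubes-persona-03"},
]

# Constructed session log; 4.7 asks for distinct activity windows per persona on each exit.
SAMPLE_SESSIONS = [
    {"persona_id": "P-001", "egress_ip": "203.0.113.10", "start": "2025-09-10T09:00:00", "end": "2025-09-10T10:30:00"},
    {"persona_id": "P-002", "egress_ip": "203.0.113.10", "start": "2025-09-10T10:00:00", "end": "2025-09-10T11:00:00"},
    {"persona_id": "P-003", "egress_ip": "198.51.100.7", "start": "2025-09-10T09:00:00", "end": "2025-09-10T10:00:00"},
    {"persona_id": "P-001", "egress_ip": "203.0.113.10", "start": "2025-09-10T12:00:00", "end": "2025-09-10T13:00:00"},
]


def _normalize(value):
    return str(value).strip().lower()  # "Harbor_Lights_88" and "harbor_lights_88" are the same artifact


def find_reuse(register):
    """(field, value, [persona ids]) for every value shared by two or more personas."""
    owners = defaultdict(set)
    for persona in register:
        for field in UNIQUE_FIELDS:
            values = persona.get(field) or ()
            if isinstance(values, str):
                values = (values,)
            for value in values:
                owners[(field, _normalize(value))].add(persona["persona_id"])
    return sorted((field, value, sorted(ids)) for (field, value), ids in owners.items() if len(ids) > 1)


def find_exit_overlaps(sessions):
    """(egress_ip, persona_a, persona_b) where two personas used one exit in overlapping windows."""
    by_exit = defaultdict(list)
    for s in sessions:
        by_exit[s["egress_ip"]].append(
            (datetime.fromisoformat(s["start"]), datetime.fromisoformat(s["end"]), s["persona_id"]))
    findings = set()
    for egress_ip, windows in by_exit.items():
        windows.sort()  # by start time, so only later windows need comparing against each one
        for i, (_, a_end, a) in enumerate(windows):
            for b_start, _, b in windows[i + 1:]:
                if a != b and b_start < a_end:  # later window begins before the earlier one ends
                    findings.add((egress_ip, *sorted((a, b))))
    return sorted(findings)


def audit(register, sessions):
    """Combined report; `clean` is True only when neither check finds anything."""
    reuse = find_reuse(register)
    overlaps = find_exit_overlaps(sessions)
    return {"reuse": reuse, "exit_overlaps": overlaps, "clean": not reuse and not overlaps}


if __name__ == "__main__":
    result = audit(SAMPLE_REGISTER, SAMPLE_SESSIONS)
    for finding in result["reuse"]:
        print("REUSE   ", finding)
    for finding in result["exit_overlaps"]:
        print("OVERLAP ", finding)
```

Run it against the real register from §4.11 before each go-live and as part of the periodic linkage tests in §4.9; a non-empty `reuse` list is a rotation trigger under §4.10.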
### 4.9 Deconfliction & Linkage Testing

- Before first use, run an **OSINT collision scan**: search proposed names/handles, image reverse‑search for avatars, and check for brand conflicts.

- Periodically audit the persona with outside‑in tests: browser fingerprint checks (AmIUnique), leaked credential searches (HaveIBeenPwned [https://haveibeenpwned.com/](https://haveibeenpwned.com/)), and social graph diffusion (manual review).

- Plant low‑risk **canary interactions** (e.g., distinct redirects) to detect unintended cross‑links between compartments.

### 4.10 Rotation & Retirement

- **Rotation triggers:** platform KYC prompts, unusual login alerts, direct targeting, change in mission scope, or accumulated attribution budget.

- **Rotation actions:** change exit infrastructure, regenerate keys, adjust posting windows/tone, refresh avatar/biographic minor details (keep core identity consistent to avoid suspicion).

- **Retirement:** export evidence, revoke API tokens, delete or freeze accounts per policy, destroy keys/seeds, wipe/reimage the compartment. Update the persona register to **RETIRED** with rationale and date.

### 4.11 Records & Templates

Maintain a **Persona Register** (stored inside an encrypted case vault):

- `Persona ID`, `Handle(s)`, `Creation Date`, `Purpose/Case`, `Risk Level (L0–L3)`, `Email`, `Phone/IM`, `2FA method`, `Device/VM ID`, `VPN/Tor profile`, `Notes on style/locale`, `Known contacts`, `Rotation history`, `Retirement date & reason`.

**Checklists (quick use):**

- **Pre‑Provision:** name/handle collision check; decide risk level; prepare VM; create email/2FA; set password vault; note recovery codes.

- **Go‑Live:** fingerprint test; IP geo check; seed social graph; first low‑risk posts; log session.
- **Ongoing:** vary cadence; keep logs; run periodic linkage tests; update register.

- **Sunset:** archive, revoke, wipe, document.

#### 🔥 Extreme Practices (Optional)
- Use **one-time personas** – identities should exist only for a single task, then be retired.
- Operate personas exclusively on **burner hardware** purchased anonymously and destroyed after use.
- Apply **stylometric masking**: alter writing style, vocabulary, errors, and tone depending on the persona.
- Maintain **multi-layered identities**: one as a primary cover, one as a decoy, and one as a “sacrificial” persona ready for intentional exposure.
- Never repeat the same **activity patterns** (time of day, session length, UI language) across multiple personas.

## 5. Device & Endpoint Security

**Goal:** Prevent endpoint compromise and leakage of identifiers by hardening platforms, controlling execution, encrypting data, and validating boot trust. Controls are mapped to posture levels (L0–L3) from §3.

### 5.1 Platform Profiles (When to Use What)

- **Qubes OS** — strong compartmentalization via Xen VMs; ideal for L2–L3 where isolation between personas/cases is mandatory. [https://www.qubes-os.org/](https://www.qubes-os.org/)

- **Tails** — amnesic, Tor‑routed live OS; ideal for one‑off high‑risk browsing or sensitive transfers (L2–L3). [https://tails.boum.org/](https://tails.boum.org/)

- **Whonix** — Tor‑gateway + workstation model inside VMs; good for anonymity workflows (L1–L2). [https://www.whonix.org/](https://www.whonix.org/)

- **Hardened Linux (Debian/Fedora/Ubuntu)** — daily driver with AppArmor/SELinux enforced; suitable for L0–L2.

- **Windows 11 (Hardened)** — enable BitLocker, VBS/HVCI, WDAC/ASR; enterprise telemetry minimized; suitable for L0–L2.
- **macOS (Hardened)** — FileVault, Gatekeeper, notarization; consider Lockdown Mode on iOS companion devices; suitable for L0–L2.

- **Mobile (GrapheneOS)** — hardened Android with strong permission model; use as comms endpoint for L1–L3. [https://grapheneos.org/](https://grapheneos.org/)

**Mapping tip:** If your adversary can compel providers or run device exploits → prefer Qubes/Tails + strict compartmentalization.

### 5.2 Boot & Firmware Trust

- **UEFI Secure Boot**: **ON**; vendor keys or custom MOK where needed. Linux check: `mokutil --sb-state`; Windows check: `Confirm-SecureBootUEFI`.

- **TPM 2.0**: present and **owned**; bind disk encryption to TPM+PIN where feasible.

- **BIOS/UEFI**: admin password set; external boot **disabled**; Thunderbolt security **enabled**; DMA protection **on**.

- **Firmware updates**: apply via LVFS/fwupd where supported: `fwupdmgr get-devices && fwupdmgr get-updates` ([https://fwupd.org/](https://fwupd.org/)). Record versions in the case log.

### 5.3 Storage, Encryption & Secrets

- **Full‑Disk Encryption**:

  - Linux: LUKS2 with strong PBKDF (argon2id), separate /boot if Secure Boot measured.

  - Windows: BitLocker (XTS‑AES‑256), recovery key stored offline.

  - macOS: FileVault 2 (enable institutional recovery key if in org setting).

- **Hidden/deniable volumes**: VeraCrypt containers for sensitive materials ([https://www.veracrypt.fr/](https://www.veracrypt.fr/)). Use cautiously and lawfully.
- **Secrets management**:

  - Passwords in **KeePassXC** (one vault per persona/case): [https://keepassxc.org/](https://keepassxc.org/)

  - Crypto/short secrets with **age** or **GnuPG**: [https://github.com/FiloSottile/age](https://github.com/FiloSottile/age) • [https://gnupg.org/](https://gnupg.org/)

- **Hardware tokens (FIDO2/OpenPGP)**: YubiKey / SoloKeys for per‑persona 2FA & key storage: [https://www.yubico.com/](https://www.yubico.com/) • [https://solokeys.com/](https://solokeys.com/)

### 5.4 Application Control & Sandboxing

- **Windows**:

  - **WDAC** (Windows Defender Application Control) policy or **AppLocker** allowlists for L2–L3.

  - **ASR Rules** (Attack Surface Reduction): block Office child processes, script abuse, and LSASS credential theft. Enable via PowerShell (see §5.13).

  - **Controlled Folder Access** for ransomware mitigation.

- **Linux**:

  - **AppArmor**/**SELinux** in **enforcing** mode; use Flatpak for sandboxed apps; **Firejail** to isolate risky binaries: [https://firejail.wordpress.com/](https://firejail.wordpress.com/)

- **macOS**:

  - Gatekeeper **enabled**; restrict to App Store + identified developers; leverage TCC prompts; avoid kexts; disable unsigned system extensions.

### 5.5 Peripherals, USB & Side‑Channels

- **USB**:

  - Disable autorun everywhere.

  - Linux: **USBGuard** (allowlist policy): [https://usbguard.github.io/](https://usbguard.github.io/)

  - Windows: Group Policy → Device Installation Restrictions (block new device classes except approved).

- **Network radios**: disable unused (BT/NFC); randomize Wi‑Fi MAC; avoid auto‑join.

- **HID injection** defenses: restrict new keyboards/mice; verify device IDs on connection; prefer **data‑only** USB cables for charging.
### 5.6 Updates, Telemetry & Logging

- **Patching**: OS and firmware monthly (or faster for L2–L3); browser daily.

- **Telemetry**: reduce to minimum compatible with security; avoid 3rd‑party analytics in investigative compartments.

- **Logging**: capture **local** security logs needed for audits, but **export** to an encrypted vault separate from operational compartments. Do not transmit logs to external cloud SIEMs from sensitive personas without de‑identification policies.

### 5.7 Backup & Recovery (3‑2‑1)

- **3 copies**, **2 different media**, **1 offline/off‑site**.

- Tools: **BorgBackup** ([https://www.borgbackup.org/](https://www.borgbackup.org/)), **restic** ([https://restic.net/](https://restic.net/)), **rclone** ([https://rclone.org/](https://rclone.org/)).

- Always encrypt backups (repo keys offline); test restores quarterly; hash manifests.

### 5.8 Mobile Endpoints

- **Device policy**: separate phones for personal vs. operational personas; prefer GrapheneOS for Android; iOS use **Lockdown Mode** where threat justifies.

- **Baseband risk**: assume cellular radio is observable; avoid sensitive ops on mobile networks; prefer wired or trusted Wi‑Fi via VPN/Tor.

- **Permissions**: deny default access to mic/camera/location; use hardware camera shutters and mic mute switches when available.

### 5.9 Golden Images & Reproducibility

- Maintain **golden VM templates** per posture level (L0–L3).

- Provision ephemeral **linked clones** per case/persona; destroy after operation.

- Automate hardening with **Ansible** (Linux) or **PowerShell DSC/Intune** (Windows) to keep builds consistent and auditable.
473 | 474 | 475 | ### 5.10 EDR/AV Considerations (Trade‑offs) 476 | 477 | - **Windows Defender** with ASR + cloud protection **on** is acceptable for many L0–L1 use cases; for L2–L3 consider stricter WDAC and reduced telemetry profiles. 478 | 479 | - **Linux/macOS**: lightweight AV (ClamAV) as needed; rely on sandboxing and least‑privilege. 480 | 481 | - Avoid vendor agents that introduce identifiable telemetry into sensitive compartments. 482 | 483 | 484 | ### 5.11 Validation Checklists & Commands 485 | 486 | **Boot & encryption status** 487 | 488 | - Linux: 489 | 490 | - Secure Boot: `mokutil --sb-state` • TPM: `tpm2_getcap properties-fixed` 491 | 492 | - LUKS volumes: `lsblk -f` then `cryptsetup status <name>` (the mapped device name shown by `lsblk`, e.g. under `/dev/mapper/`) 493 | 494 | - Windows PowerShell: 495 | 496 | - Secure Boot: `Confirm-SecureBootUEFI` 497 | 498 | - BitLocker: `Get-BitLockerVolume | Select MountPoint,VolumeStatus,EncryptionMethod` 499 | 500 | - VBS/HVCI: `Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard | Select *` (the class lives in the DeviceGuard namespace, not the default one) 501 | 502 | - macOS: 503 | 504 | - FileVault: `fdesetup status` • Gatekeeper: `spctl --status` 505 | 506 | 507 | **Sample hardening commands (Windows, run as Admin)** 508 | 509 | ```powershell 510 | # Enable key ASR rules (example subset); rule GUIDs are the documented Microsoft Defender ASR rule IDs 511 | $rules = @( 512 | "D4F940AB-401B-4EFC-AADC-AD5F3C50688A", # Block all Office applications from creating child processes 513 | "3B576869-A4EC-4529-8536-B80A7769E899", # Block Office applications from creating executable content 514 | "5BEB7EFE-FD9A-4556-801D-275E5FFC04CC", # Block execution of potentially obfuscated scripts 515 | "BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550" # Block executable content from email client and webmail 516 | ) 517 | foreach ($id in $rules) { Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions Enabled }  # one Ids/Actions pair per call: the two arrays must have the same length 518 | 519 | # Turn on Controlled Folder Access 520 | Set-MpPreference -EnableControlledFolderAccess Enabled 521 | 522 | # Check BitLocker status 523 | Get-BitLockerVolume | Format-Table -AutoSize 524 | ``` 525 | 526 | **Sample hardening commands (Linux)** 527 | 528 | ```bash 529 | # 
AppArmor: show current profile state, then put every installed profile into enforce mode 530 | sudo aa-status; sudo aa-enforce /etc/apparmor.d/* 531 | 532 | # Verify Secure Boot and check for firmware updates 533 | mokutil --sb-state 534 | fwupdmgr get-devices && fwupdmgr get-updates 535 | 536 | # Create and mount a 4 GiB LUKS2 container (argon2id PBKDF) 537 | sudo dd if=/dev/zero of=secure.img bs=1M count=4096 538 | sudo cryptsetup luksFormat --type luks2 --pbkdf argon2id secure.img 539 | sudo cryptsetup open secure.img securevault 540 | sudo mkfs.ext4 /dev/mapper/securevault && sudo mount /dev/mapper/securevault /mnt 541 | ``` 542 | 543 | ### 5.12 Posture Mapping (L0–L3) — Key Endpoint Controls 544 | 545 | |Posture|OS/Env|Boot Trust|Encryption|Exec Control|Network/Browser|Notes| 546 | |---|---|---|---|---|---|---| 547 | |**L0**|Hardened Linux/Win/macOS|Secure Boot on|FDE on|Basic AV, no unsigned installs|VPN, hardened browser|Routine OSINT| 548 | |**L1**|Hardened Linux/Win/macOS|Secure Boot + TPM|FDE + vaults|ASR/AppArmor enforcing|VPN/Tor; anti‑leak checks|Separate persona VM| 549 | |**L2**|Qubes/Whonix/Tails|Secure Boot strict|FDE + offline backups|WDAC/AppLocker; SELinux enforcing|Tor‑first; kill‑switch|Air‑gapped evidence| 550 | |**L3**|Qubes + Tails|Custom keys, measured boot|FDE + deniable containers|Full allowlist; no dynamic code|Tor bridges; no personal devices|Dedicated hardware, no reuse| 551 | 552 | > Record all settings (with commands and outputs) in the case log for auditability and repeatability. 553 | 554 | #### 🔥 Extreme Practices (Optional) 555 | - Rely only on **disposable devices** (burner laptops/phones) that are physically destroyed after the mission. 556 | - Configure hardware entirely offline with **custom firmware** (e.g., coreboot, Heads) and your own Secure Boot keys. 557 | - Never store credentials or keys in RAM – assume adversaries can perform **cold boot attacks**. 558 | - Split operations across **dedicated machines**: one for research, one for communications, one for data analysis. 
559 | - Apply an **air-gap-first policy**: evidence analysis and archival should only occur on machines with no network interfaces. 560 | - In extreme contexts: use **hardware purchased abroad**, operated only locally, never transported across borders. 561 | 562 | ## 6. Browser, Fingerprinting & Content OPSEC 563 | 564 | ### 6.1 Fingerprinting Risks 565 | Web browsers are one of the **most fingerprintable tools** an investigator uses. 566 | Even without cookies, sites can identify and track users via: 567 | - **Headers** (User-Agent, Accept-Language, Referer). 568 | - **Screen resolution & color depth**. 569 | - **Fonts and plugins**. 570 | - **Time zone & system locale**. 571 | - **WebGL / Canvas rendering hashes**. 572 | - **Audio context fingerprints**. 573 | - **Hardware information** (CPU cores, GPU vendor, battery stats). 574 | 575 | ### 6.2 Browser Hygiene 576 | - Maintain **separate browser profiles** per persona or investigation. 577 | - Use different **default languages, time zones, and OS UI locales** to avoid overlaps. 578 | - Disable **autofill, password managers, and syncing**. 579 | - Always use **private browsing/incognito** but understand it does **not prevent fingerprinting**. 580 | 581 | ### 6.3 Isolation Techniques 582 | - For high-risk operations, use **dedicated VMs or containers** with a fresh browser instance for each session. 583 | - Do not mix work and personal browsing on the same system. 584 | - Consider **sandboxed browsers** (e.g., via Firejail, Qubes DisposableVMs). 585 | - Use **different user agents** and rotate them across personas. 586 | 587 | ### 6.4 Anti-Fingerprinting Tools 588 | - **Tor Browser**: best-in-class for uniform fingerprinting; all users look alike. 589 | - **Mullvad Browser**: similar to Tor Browser but without enforced Tor routing. 590 | - **Brave**: offers fingerprint randomization, but not foolproof. 591 | - **Firefox + arkenfox**: hardened with custom configs, but increases uniqueness. 
592 | - Test fingerprints regularly via: 593 | - [https://coveryourtracks.eff.org/](https://coveryourtracks.eff.org/) 594 | - [https://browserleaks.com/](https://browserleaks.com/) 595 | 596 | ### 6.5 Content Handling OPSEC 597 | - Treat **downloads** as potentially dangerous: 598 | - PDFs may contain beacons. 599 | - Office docs may contain macros. 600 | - Always open files in **sandboxed environments**. 601 | - Strip metadata from documents and images before sharing. 602 | - For screenshots, use tools that avoid embedding device metadata. 603 | - Never paste investigation content directly between personas → use an **air-gap or controlled transfer channel**. 604 | 605 | #### 🔥 Extreme Practices (Optional) 606 | - Never use a **general-purpose browser** for high-risk investigations. Instead, run **disposable hardened browsers** inside **ephemeral VMs** (destroyed after each session). 607 | - Disable all **JavaScript, WebRTC, and WebGL** by default; only enable in tightly controlled test environments. 608 | - Use **network-layer obfuscation**: VPN/Tor routing combined with traffic padding to defeat timing analysis. 609 | - Employ **browser compartment switching**: e.g., one VM for passive observation (Tor Browser, no login), another for active interaction (burner identity, Mullvad Browser). 610 | - For the most sensitive work: 611 | - Access content via **remote disposable proxies** (e.g., headless browser in the cloud, viewed through VNC with no direct connection). 612 | - Download suspect files only via **air-gapped intermediary machines**, then analyze with **multi-layer sandboxes**. 613 | - Assume all browser activity can be **correlated over time** — rotate entire **device/browser/VM stacks** frequently. 614 | 615 | ## 7. Network & Transport Security 616 | 617 | ### 7.1 Threat Landscape 618 | Networks are often the **weakest link** in OPSEC. Even if devices are hardened, traffic analysis, metadata collection, and interception can compromise identities. 
619 | - **Passive surveillance**: ISPs, IXPs, governments recording traffic. 620 | - **Active interception**: MITM, rogue access points, DNS poisoning. 621 | - **Metadata correlation**: timing analysis, packet size signatures, cross-jurisdiction data sharing. 622 | - **Commercial tracking**: advertising networks, third-party analytics. 623 | 624 | ### 7.2 VPN Usage 625 | - Use only **trusted, audited VPNs** with strong no-log policies. 626 | - Prefer VPN providers outside your own jurisdiction. 627 | - Avoid free or unverified VPNs (high risk of data monetization). 628 | - Chain VPNs with Tor when stronger unlinkability is needed. 629 | - Always test for **DNS and WebRTC leaks** after connecting. 630 | 631 | ### 7.3 Tor & Onion Routing 632 | - **Tor Browser** ensures traffic looks like every other Tor user. 633 | - Bridges and pluggable transports (obfs4, meek) help evade censorship. 634 | - Never log into personal accounts via Tor. 635 | - Use **separate circuits** for different personas. 636 | - Be mindful of exit node monitoring – never transmit plaintext sensitive data. 637 | 638 | ### 7.4 Proxies & Chaining 639 | - HTTP/SOCKS proxies can add layers but do not provide encryption. 640 | - Use **multi-hop configurations**: VPN → Tor → Proxy or vice versa. 641 | - For OSINT scraping, rotating proxies can reduce account lockouts. 642 | - Avoid commercial “residential proxy” services tied to user devices (ethical and OPSEC concerns). 643 | 644 | ### 7.5 DNS & Resolution 645 | - Use **encrypted DNS** (DoH or DoT). 646 | - Consider self-hosted recursive resolvers (e.g., Unbound, Knot Resolver). 647 | - Be aware that DNS queries often reveal as much as web traffic itself. 648 | - Monitor with tools like [dnscrypt-proxy](https://github.com/DNSCrypt/dnscrypt-proxy). 649 | 650 | ### 7.6 Wi-Fi & Access Points 651 | - Never connect to public Wi-Fi without VPN or Tor. 652 | - Assume hotel, airport, and café Wi-Fi are **hostile by default**. 
653 | - Randomize **MAC addresses** (modern OS can do this automatically). 654 | - Prefer tethered connections from burner mobile devices when possible. 655 | 656 | ### 7.7 Transport Layer Security 657 | - Always enforce HTTPS (use [HTTPS Everywhere](https://www.eff.org/https-everywhere) or built-in equivalents). 658 | - Validate certificates when in doubt; avoid click-through. 659 | - Consider using **TLS fingerprint randomization** (e.g., uTLS libraries for custom clients). 660 | 661 | ### 7.8 Monitoring & Testing 662 | - Check connections with [Wireshark](https://www.wireshark.org/) or [mitmproxy](https://mitmproxy.org/). 663 | - Test VPN leaks at [ipleak.net](https://ipleak.net). 664 | - Run periodic audits: does your IP/geolocation ever leak? 665 | 666 | #### 🔥 Extreme Practices (Optional) 667 | - Chain multiple **independent network layers**: e.g., local VPN → Tor → foreign VPN → custom proxy. Each in a different jurisdiction. 668 | - Rotate entire network stacks frequently — new SIM, new VPN provider, new Tor bridges — to avoid long-term correlation. 669 | - Treat **all ISPs as compromised**: never rely on provider secrecy. 670 | - Use **satellite internet** or **shortwave/radio links** in extreme denial-of-service or censorship scenarios. 671 | - For sensitive transfers, use **sneakernet**: physically move data on encrypted drives via trusted couriers instead of any online channel. 672 | - Employ **traffic shaping and padding** (e.g., obfs4, meek, Snowflake, VPN obfuscation modes) to make packet sizes and timing indistinguishable. 673 | - Consider **multi-jurisdictional relays** you control (self-hosted VPN endpoints in foreign countries). 674 | - For ultimate deniability: **one-time network identities** – a SIM or access point is used only once, then permanently discarded. 675 | ## 8. Communications Security (COMSEC) 676 | 677 | ### 8.1 Threat Landscape 678 | Communication metadata is often more dangerous than content. 
Even with encryption, adversaries can learn: 679 | - Who talks to whom, when, and how often. 680 | - Device identifiers (IMEI, IMSI, MAC). 681 | - Location through cell towers, Wi-Fi, or timing correlation. 682 | - Patterns of activity that reveal persona overlaps. 683 | 684 | ### 8.2 Principles of Secure Communication 685 | - **Confidentiality**: protect message content with strong encryption. 686 | - **Anonymity**: avoid linking messages to real identity. 687 | - **Plausible deniability**: ensure you can credibly deny authorship. 688 | - **Ephemerality**: minimize persistence of communications. 689 | 690 | ### 8.3 Messaging Tools 691 | - **Signal**: strong end-to-end encryption, but tied to phone numbers. 692 | - **Wire**: supports pseudonymous registration, strong encryption. 693 | - **Session**: onion-routed messaging with no central metadata. 694 | - **Briar**: peer-to-peer over Tor or Bluetooth/Wi-Fi direct, no central servers. 695 | - **Element (Matrix)**: decentralized, strong encryption, but servers may log metadata. 696 | 697 | ⚠️ Rule of thumb: **if the app requires your phone number, it leaks metadata**. 698 | 699 | ### 8.4 Voice & Video 700 | - Use encrypted apps (Signal, Wire, Jitsi with E2EE). 701 | - Be mindful of voice biometrics: adversaries can fingerprint your speech. 702 | - Consider voice changers or text-to-speech in sensitive ops. 703 | - Avoid landlines and unencrypted VoIP providers. 704 | 705 | ### 8.5 Email 706 | - Use providers with strong privacy policies (ProtonMail, Tutanota). 707 | - For high-risk, use **self-hosted mail with Tor hidden services**. 708 | - Always use **PGP or age** for sensitive content, but remember: PGP does not hide metadata. 709 | - Avoid reusing recovery emails across personas. 710 | 711 | ### 8.6 Metadata Minimization 712 | - Disable read receipts, typing indicators, and online status. 713 | - Use burner accounts created over Tor with disposable emails. 714 | - Avoid group chats that mix multiple personas. 
715 | - Strip EXIF and headers from file attachments. 716 | 717 | ### 8.7 Key Management 718 | - Use strong passphrases for encryption keys. 719 | - Rotate keys regularly; never reuse across personas. 720 | - Store master keys offline on hardware tokens (e.g., YubiKey, Nitrokey). 721 | - Distribute keys via out-of-band channels (QR codes, paper slips, encrypted removable media). 722 | 723 | ### 8.8 Ephemeral Practices 724 | - Prefer apps with **disappearing messages** (Signal, Session, Wire). 725 | - Manually delete logs and caches after sensitive conversations. 726 | - Use **burner phones** for temporary comms and destroy them after use. 727 | - Assume all cloud backups of chats are hostile. 728 | 729 | #### 🔥 Extreme Practices (Optional) 730 | - Eliminate all persistent messaging platforms: use **one-time communication channels only**, then destroy keys and devices. 731 | - Pre-share **one-time pads (OTPs)** or keys on air-gapped devices before operations. 732 | - Communicate via **encrypted containers** (e.g., VeraCrypt, age) exchanged offline via sneakernet or air-gapped transfer. 733 | - Employ **steganography**: hide encrypted messages inside images, audio, or video. 734 | - Use **voice masking or text-to-speech** to prevent biometric voiceprint collection. 735 | - For high-risk contacts, establish **multi-channel communication redundancy** (e.g., one channel for urgent signals, one for fallback, one as decoy). 736 | - In extreme cases: use **non-digital communication** (dead drops, coded signals, couriers) to eliminate all electronic traces. 737 | - Treat every communication channel as **compromised by default**; rotate frequently and assume metadata is logged indefinitely. 738 | 739 | ## 9. Data Handling, Evidence & Chain of Custody 740 | 741 | ### 9.1 Core Principles 742 | - **Integrity**: preserve original data without alteration. 743 | - **Authenticity**: ensure evidence can be verified as genuine. 
744 | - **Confidentiality**: prevent leaks during collection, transfer, or storage. 745 | - **Auditability**: maintain a complete record of actions taken. 746 | 747 | ### 9.2 Collection 748 | - Use **forensically sound methods** (write blockers, disk imaging tools). 749 | - Always work on **copies**; keep the original in secure storage. 750 | - Log every action: who collected, when, where, and how. 751 | - For OSINT captures: 752 | - Record URLs, timestamps, and context. 753 | - Take **screenshots and video captures** with hashes. 754 | - Store **original HTML and metadata** where possible. 755 | 756 | ### 9.3 Storage 757 | - Encrypt all evidence at rest (AES-256, LUKS2, VeraCrypt, BitLocker). 758 | - Use **redundant storage**: at least 3 copies, including offline media. 759 | - Maintain **hash manifests** for every file (SHA-256 preferred). 760 | - Store master logs in **tamper-evident formats** (append-only, digitally signed). 761 | 762 | ### 9.4 Chain of Custody 763 | - Maintain a **chain of custody log** recording every handler, date, and action. 764 | - Use digital signatures (PGP, age) to authenticate transfers. 765 | - Label physical media with unique IDs and store in tamper-proof bags or cases. 766 | - Use hardware tokens or secure vaults for credential storage. 767 | 768 | ### 9.5 Transfer 769 | - Prefer **physical transfer** (encrypted external drives) over cloud uploads. 770 | - When digital transfer is unavoidable: 771 | - Use **end-to-end encrypted channels** (OnionShare, Magic Wormhole, SecureDrop). 772 | - Split large datasets into **encrypted shards** and send separately. 773 | - Always verify hashes after transfer. 774 | 775 | ### 9.6 Verification & Validation 776 | - Verify evidence authenticity with cryptographic checksums. 777 | - Use multiple hashing algorithms (SHA-256 + BLAKE2b). 778 | - Cross-check timestamps with OSINT tools (Wayback Machine, archive.today). 779 | - Document validation results in case logs. 
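Sections 9.3 through 9.6 describe hash manifests (SHA-256 plus BLAKE2b), hash verification after transfer, and an append-only, tamper-evident custody log. The following is an added example, not code from the Cyber Intelligence Toolkit, that implements those three pieces in Python: a two-algorithm manifest builder, a verifier that reports modified, missing and unexpected files, and a hash-chained custody log whose entries commit to their predecessor. The evidence files, handler names and `demo()` flow are constructed for the example; the signing step §9.4 calls for (PGP/age over the manifest digest) is left to the tools already named in the manual.

```python
import hashlib
import json
import tempfile
import time
from pathlib import Path

ALGOS = ("sha256", "blake2b")  # two independent digests, as §9.6 recommends


def file_digests(path: Path) -> dict:
    """Hash a file once, feeding every algorithm from the same 1 MiB chunks."""
    hashers = {name: hashlib.new(name) for name in ALGOS}
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def build_manifest(root: Path) -> dict:
    """Relative path -> size and digests for every regular file under root."""
    files = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            files[p.relative_to(root).as_posix()] = {"size": p.stat().st_size, **file_digests(p)}
    return {"algos": list(ALGOS), "created": time.time(), "files": files}


def manifest_digest(manifest: dict) -> str:
    """SHA-256 over canonical JSON of the manifest; this is the value the custody log references."""
    return hashlib.sha256(json.dumps(manifest, sort_keys=True).encode()).hexdigest()


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Classify every path as ok / modified / missing / unexpected against the manifest."""
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    expected = manifest["files"]
    present = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    for rel, rec in expected.items():
        if rel not in present:
            report["missing"].append(rel)
            continue
        digests = file_digests(root / rel)
        # every algorithm must match; a single mismatch flags the file
        if all(digests[a] == rec[a] for a in manifest["algos"]):
            report["ok"].append(rel)
        else:
            report["modified"].append(rel)
    report["unexpected"] = sorted(present - expected.keys())
    return report


class CustodyLog:
    """Append-only custody log: each entry's hash covers the previous entry's hash."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries = []

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, handler: str, action: str, manifest_sha256: str) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {"seq": len(self.entries), "ts": time.time(), "handler": handler,
                 "action": action, "manifest_sha256": manifest_sha256, "prev_hash": prev}
        entry["entry_hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute the chain; any edited, reordered or dropped entry breaks it."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev_hash"] != prev or e["entry_hash"] != self._digest(e):
                return False
            prev = e["entry_hash"]
        return True


def demo() -> dict:
    """Constructed evidence set: manifest it, record custody, tamper, re-verify."""
    root = Path(tempfile.mkdtemp(prefix="evidence_"))
    (root / "capture.html").write_bytes(b"<html>constructed sample capture</html>")
    (root / "notes").mkdir()
    (root / "notes" / "context.txt").write_bytes(b"constructed: URL, timestamp, context")
    manifest = build_manifest(root)
    log = CustodyLog()
    log.append("analyst-A", "collected", manifest_digest(manifest))
    log.append("analyst-B", "received", manifest_digest(manifest))
    clean = verify_manifest(root, manifest)
    chain_ok = log.verify()
    # Simulate what verification must catch: an edited file, a deleted file, a stray file,
    # and a retroactive edit to the custody history.
    (root / "capture.html").write_bytes(b"<html>altered</html>")
    (root / "notes" / "context.txt").unlink()
    (root / "stray.bin").write_bytes(b"\x00")
    tampered = verify_manifest(root, manifest)
    log.entries[0]["handler"] = "someone-else"
    return {"clean": clean, "tampered": tampered,
            "chain_ok": chain_ok, "chain_after_edit": log.verify()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```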
780 | 781 | #### 🔥 Extreme Practices (Optional) 782 | - Collect evidence only on **air-gapped forensic workstations**, never connected to the internet. 783 | - Transfer via **one-way data diodes** or write-once optical media. 784 | - Use **plausible deniability containers** (hidden VeraCrypt volumes, deniable LUKS headers) for the most sensitive datasets. 785 | - Store evidence in **geographically distributed vaults**, with key shares split across multiple trusted custodians (Shamir’s Secret Sharing). 786 | - Implement **time-release encryption**: evidence can only be decrypted after a defined period or quorum agreement. 787 | - Maintain **parallel chains of custody**: one real, one decoy, to mislead adversaries during audits. 788 | - After mission completion, conduct a **forensic wipe** of all temporary analysis environments and destroy intermediary drives physically. 789 | - Treat all evidence as **toxic data**: access only when strictly necessary, minimize copies, and assume adversaries may attempt **supply-chain poisoning** (inserting false data into your evidence pool). 790 | 791 | ## 10. Social & Behavioral OPSEC 792 | 793 | ### 10.1 Threat Landscape 794 | Even when devices, networks, and personas are secure, **behavioral patterns** can betray an operator. 795 | Adversaries often exploit: 796 | - Writing style and tone (stylometry). 797 | - Posting times and activity windows. 798 | - Choice of topics and vocabulary. 799 | - Cross-platform behavior overlaps. 800 | - Psychological manipulation via social engineering. 801 | 802 | ### 10.2 Digital Hygiene 803 | - Avoid posting from personal and operational accounts on the same device. 804 | - Vary posting times to avoid time zone correlation. 805 | - Avoid consistent idioms, emoji use, or unique phrasing across personas. 806 | - Do not recycle avatars, bios, or interests between identities. 807 | - Strip metadata from uploaded images and files. 
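§10.1 lists writing style and tone (stylometry) among the behavioral patterns that betray an operator, and §10.2 warns against consistent idioms and phrasing across personas. The following is an added self-check, not code from the toolkit, that an operator can run over drafts before posting: it extracts a small stylometric profile (sentence-length statistics, punctuation and function-word rates per 100 words, a UK "-ise" versus US "-ize" spelling signal) and reports a bounded distance between each pair of persona samples, so two personas whose drafts sit close together can be reworked before they are published. The feature set, the Canberra-style distance and the three sample texts are constructed for the example; they are a teaching aid, not a substitute for the stylometric tools the manual names in §13.4.

```python
import math
import re
from collections import Counter

# Small, fixed feature set chosen for the example: enough to show how personas cluster.
FUNCTION_WORDS = ("the", "and", "of", "to", "a", "in", "that", "is", "it",
                  "i", "you", "but", "so", "very", "really")
PUNCT_MARKS = ("!", "?", ";", ":", ",", "...", "-")


def split_sentences(text: str) -> list:
    """Naive sentence split on ., ! or ? followed by whitespace."""
    return [s for s in re.split(r"(?<=[.!?])\s+", text.strip()) if s]


def tokens(text: str) -> list:
    """Lower-cased word tokens; apostrophes are kept so "can't" stays one token."""
    return re.findall(r"[a-z']+", text.lower())


def features(text: str) -> dict:
    """Sentence-length statistics plus per-100-word rates for one persona's text."""
    sents = split_sentences(text)
    toks = tokens(text)
    n_words = max(len(toks), 1)
    lengths = [len(tokens(s)) for s in sents] or [0]
    mean_len = sum(lengths) / len(lengths)
    variance = sum((ln - mean_len) ** 2 for ln in lengths) / len(lengths)
    feats = {
        "mean_sent_len": mean_len,
        "sent_len_sd": math.sqrt(variance),
        "type_token_ratio": len(set(toks)) / n_words,
        # UK "-ise" vs US "-ize" habit (§10.3: spelling variants leak across personas);
        # a crude suffix test, so it also counts words like "noise"
        "ise_rate": sum(t.endswith(("ise", "ised")) for t in toks) * 100 / n_words,
        "ize_rate": sum(t.endswith(("ize", "ized")) for t in toks) * 100 / n_words,
    }
    for mark in PUNCT_MARKS:
        feats["punct_" + mark] = text.count(mark) * 100 / n_words
    counts = Counter(toks)
    for word in FUNCTION_WORDS:
        feats["fw_" + word] = counts[word] * 100 / n_words
    return feats


def distance(fa: dict, fb: dict) -> float:
    """Canberra-style dissimilarity in [0, 1]: 0 = identical profile, 1 = nothing in common.
    Features that are zero in both profiles are ignored rather than counted as agreement."""
    terms = [abs(fa[k] - fb[k]) / (abs(fa[k]) + abs(fb[k])) for k in fa if fa[k] or fb[k]]
    return sum(terms) / len(terms) if terms else 0.0


def overlap_report(personas: dict) -> dict:
    """Pairwise distances between persona samples; the smallest values are the riskiest overlaps."""
    profiles = {name: features(text) for name, text in personas.items()}
    names = sorted(profiles)
    return {(a, b): round(distance(profiles[a], profiles[b]), 3)
            for i, a in enumerate(names) for b in names[i + 1:]}


# Constructed samples: two drafts in one habit (long clauses, semicolons, UK spelling)
# and one in a different habit (short sentences, exclamations).
SAMPLES = {
    "persona_A_post1": "The archive, which we categorised yesterday, contains several items of interest; "
                       "however, the provenance remains unclear, and further analysis is required before "
                       "any conclusion can be drawn.",
    "persona_A_post2": "The collection, which we organised last week, includes numerous records of note; "
                       "nevertheless, the chain of custody remains uncertain, and additional verification "
                       "is required before the findings can be released.",
    "persona_B_post1": "Wow! Look at this! The archive is huge. We found so much stuff. Can't wait to dig in!",
}


if __name__ == "__main__":
    for pair, d in overlap_report(SAMPLES).items():
        print(f"{pair[0]} vs {pair[1]}: {d}")
```

A low distance between two personas' drafts is the signal to act on: rewrite one of them along the lines §10.3 gives (sentence length, punctuation, spelling variant) and re-run the check.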
808 | 809 | ### 10.3 Stylometry Awareness 810 | - AI and forensic tools can match authorship based on writing style. 811 | - To reduce risks: 812 | - Shorten sentences, vary structure, and change punctuation habits. 813 | - Use different spelling variants (US vs UK English, etc.) across personas. 814 | - Randomize vocabulary and tone (formal vs casual). 815 | - Use text transformation tools sparingly; verify for naturalness. 816 | 817 | ### 10.4 Social Media Behavior 818 | - Keep strict separation: one device/VM per persona per platform. 819 | - Do not link accounts via friends, likes, or follows. 820 | - Rotate platforms used by different personas (one may use Reddit, another Twitter). 821 | - Avoid uploading unique personal photos (landmarks, personal items in background). 822 | - Treat every interaction as potentially monitored or archived. 823 | 824 | ### 10.5 Human Interaction Risks 825 | - Adversaries may attempt to draw you into **voice or video calls**. 826 | - Be cautious with interviews, “friendly” chats, or insider approaches. 827 | - Assume **every DM log is permanent**, even on platforms promising ephemerality. 828 | - Use **decoy behavior** when necessary to build plausible context for a persona. 829 | 830 | 831 | #### 🔥 Extreme Practices (Optional) 832 | - Operate under **multiple behavioral covers**: 833 | - One highly active and noisy persona (decoy). 834 | - One quiet observer persona (low-profile). 835 | - One sacrificial persona ready for controlled exposure. 836 | - Employ **linguistic camouflage**: deliberately switch language families (e.g., Slavic → Romance) or adopt regional slang consistent with cover identity. 837 | - Use **behavioral randomization schedules**: randomize log-in times, activity durations, and content posting intervals via automated scripts. 838 | - Employ **machine-assisted text rewriting** to generate diverse styles per persona — but cross-check for unnatural consistency. 
839 | - For maximum safety: maintain **non-digital covers** (real-world identities, safehouse routines) to backstop online personas. 840 | - Introduce **contradictory digital traces** deliberately (red herrings) to pollute adversary attribution attempts. 841 | - Assume all platforms perform **cross-device correlation** — therefore, rotate **hardware, IP, and behavioral signatures** in sync. 842 | ## 11. Travel OPSEC & Physical Security 843 | 844 | ### 11.1 Threat Landscape 845 | Travel introduces unique risks that combine **digital, physical, and human vulnerabilities**. 846 | - Border searches may include device confiscation, forensic imaging, or forced account access. 847 | - Hotels, airports, and conference venues often have **compromised Wi-Fi and surveillance systems**. 848 | - Physical surveillance teams may track movement, habits, or meeting patterns. 849 | - Carrying sensitive data across jurisdictions increases exposure to **lawful intercept and coercion**. 850 | 851 | ### 11.2 Pre-Travel Preparation 852 | - Define the mission’s **minimum digital footprint** — take only the devices and data you truly need. 853 | - Use **burner devices** instead of personal hardware. 854 | - Prepare devices with **minimal local data**; everything else should be in encrypted containers stored offline. 855 | - Research local laws (encryption, journalism, data handling) to anticipate risks at customs. 856 | - Use **dummy accounts or benign identities** to handle casual inspections. 857 | 858 | ### 11.3 Devices in Transit 859 | - Assume all luggage is subject to search; carry sensitive items on your person if possible. 860 | - Power down devices before travel — reduces risk of live memory extraction. 861 | - Use **encrypted drives** with plausible deniability (hidden volumes). 862 | - Carry only **throwaway SIM cards**; avoid roaming on personal accounts. 863 | - Keep devices in **Faraday pouches** when not in active use. 
864 | 865 | ### 11.4 Hotels, Airports & Venues 866 | - Treat all public Wi-Fi as hostile; use VPN/Tor. 867 | - Avoid logging into sensitive accounts on hotel or conference networks. 868 | - Use tethered mobile data instead of shared networks. 869 | - Be cautious of **room safes**; many can be opened with default codes. 870 | - Watch for physical tampering on locks, doors, or devices left unattended. 871 | 872 | ### 11.5 Meetings & Movements 873 | - Use varied routes and schedules to avoid pattern detection. 874 | - Arrange meetings in neutral locations with multiple exits. 875 | - Limit use of taxis or rideshares that log identity and travel patterns. 876 | - Keep situational awareness: surveillance cameras, suspicious observers, or unusual activity. 877 | 878 | #### 🔥 Extreme Practices (Optional) 879 | - Travel only with **single-use, anonymous devices** purchased specifically for that trip. Destroy them afterward. 880 | - Carry **no sensitive data across borders**; instead, transfer via trusted couriers, encrypted cloud dead-drops, or steganographic methods. 881 | - Pre-stage equipment in the target country (purchased anonymously by proxies). 882 | - Use **Faraday bags** at all times except during active operations; assume all radios (Wi-Fi, Bluetooth, GSM) are beacons. 883 | - Employ **anti-surveillance techniques**: detect tails, use counter-surveillance routes, monitor for hostile surveillance gear (RF detectors, thermal sweeps). 884 | - Use **layered decoy devices**: a “clean” laptop for inspection, another hidden and encrypted for actual work. 885 | - Maintain **false travel narratives** — prepare cover stories, benign digital accounts, and plausible explanations for all devices carried. 886 | - In hostile states: avoid carrying any digital equipment; rely entirely on **non-digital tradecraft** (paper, codes, human couriers). 887 | ## 12. 
Source Protection & HUMINT Interactions 888 | 889 | ### 12.1 Threat Landscape 890 | Human sources (HUMINT) are among the **most vulnerable assets** in any operation. 891 | - They can be exposed by **metadata leaks** (calls, chats, location). 892 | - Surveillance or interception may compromise meetings. 893 | - Mishandling evidence can reveal identities. 894 | - Psychological pressure or social engineering can extract information. 895 | 896 | Protecting sources requires **both digital and physical OPSEC**, as well as strong interpersonal tradecraft. 897 | 898 | ### 12.2 Digital Protection of Sources 899 | - Avoid storing source identities on personal or operational devices. 900 | - Use **secure communication channels** (Signal, Session, Briar, SecureDrop). 901 | - Strip metadata from all files before storage or transfer. 902 | - Maintain **separate digital compartments** for each source. 903 | - Never reveal one source’s existence to another. 904 | 905 | ### 12.3 Physical Meetings 906 | - Select safe meeting locations with multiple exits and low surveillance coverage. 907 | - Avoid predictable schedules; vary routes and timing. 908 | - Pre-establish emergency signals and fallback procedures. 909 | - Never bring personal or unnecessary electronic devices to meetings. 910 | - Minimize time together to reduce exposure. 911 | 912 | ### 12.4 Trust & Relationship Management 913 | - Build trust gradually; never overload a source with sensitive tasks early. 914 | - Protect their psychological safety: avoid paranoia-inducing practices unless necessary. 915 | - Ensure clarity of expectations: what is shared, how, and under what risks. 916 | - Use **need-to-know principles**: sources should not have more context than necessary. 917 | 918 | ### 12.5 Handling Information 919 | - Always verify source claims with independent evidence. 920 | - Keep detailed logs of source interactions, but anonymize identifiers. 
921 | - Store sensitive notes in encrypted, compartmentalized archives. 922 | - Protect against internal leaks: limit who has access to raw source intelligence. 923 | 924 | #### 🔥 Extreme Practices (Optional) 925 | - Never carry any digital record of a source’s identity — commit identifiers to memory or use **deniable physical ciphers** (e.g., codes hidden in innocuous notes). 926 | - Use **non-digital dead drops**: physical objects, chalk marks, coded signals. 927 | - When digital transfer is unavoidable, use **multi-hop anonymization**: source → disposable device → one-time relay → analyst. 928 | - Conduct **pre-meeting counter-surveillance sweeps** (RF scanners, thermal cameras, observation detection routes). 929 | - Employ **psychological decoys**: run parallel fake meetings with sacrificial sources to divert adversary attention. 930 | - Use **air-gapped communication kits**: encrypted messages transferred only via offline devices and removable media. 931 | - Establish **multi-layered deniability**: if the source is caught, their digital and physical traces must point to a benign cover. 932 | - In hostile regimes: avoid in-person meetings entirely; rely on **proxy intermediaries** or **coded public signals** (graffiti, innocuous online posts). 933 | 934 | ## 13. Advanced Topics 935 | 936 | ### 13.1 Air-Gapped Analysis 937 | - Use **dedicated offline workstations** for the most sensitive tasks. 938 | - Transfer data only via **unidirectional methods** (write-once optical media, data diodes). 939 | - Always verify with cryptographic **checksums (SHA-256, BLAKE2b)** after transfer. 940 | - Never re-encode or alter originals — maintain pristine copies. 941 | 942 | ### 13.2 Deception & Canary Tokens 943 | - Deploy **honey identities**: decoy personas designed to lure adversary attention. 944 | - Use **canary documents and URLs** embedded with invisible trackers. 945 | - Monitor unauthorized access attempts to detect leaks early. 
946 | - Service: [https://canarytokens.org/](https://canarytokens.org/) 947 | 948 | ### 13.3 Data Broker & People-Search Suppression 949 | - Regularly submit **opt-out requests** to data brokers and people-search engines. 950 | - Maintain a **removal calendar** (quarterly or semi-annual). 951 | - Log confirmations and track re-appearance of records. 952 | - Where opt-out fails, consider **flooding profiles with false but benign data**. 953 | 954 | ### 13.4 Stylometry & Linguistic OPSEC 955 | - Vary **sentence length, punctuation, and structure** across personas. 956 | - Randomize **time-of-day posting patterns**. 957 | - Avoid **rare idioms, unique expressions, or specialized jargon** that can fingerprint you. 958 | - Test against **stylometric analysis tools** like JStylo or Writeprints. 959 | - Consider **author obfuscation tools**, but validate for naturalness. 960 | 961 | ### 13.5 AI-driven Deanonymization 962 | - Adversaries use: 963 | - **Facial recognition** (Clearview, PimEyes). 964 | - **Voiceprints** (speaker ID databases). 965 | - **Gait analysis** (CCTV motion profiling). 966 | - **Camera sensor PRNU fingerprints** (unique hardware “noise” signatures). 967 | - Mitigation strategies: 968 | - Minimize fresh biometric uploads. 969 | - Apply **face blurring, voice masking, or redaction** where lawful. 970 | - Use multiple devices to avoid consistent sensor fingerprints. 971 | 972 | ### 13.6 Cross-Domain Integration 973 | - Avoid cross-contamination of OSINT, HUMINT, SIGINT — each domain must remain compartmentalized. 974 | - Verify intelligence via **multi-domain corroboration** (technical + human + contextual). 975 | - Use strict **data segmentation policies** between investigations. 976 | 977 | ### 13.7 Adversary Simulation 978 | - Conduct **red team exercises** against your own setups. 979 | - Simulate device seizure, phishing, metadata correlation, and stylometry attribution. 
980 | - Use frameworks like **MITRE ATT&CK, Caldera, or custom adversary playbooks**. 981 | - Log results and adjust SOPs accordingly. 982 | 983 | ### 13.8 Psychological Resilience 984 | - Recognize **stress and fatigue** as leading OPSEC failure points. 985 | - Rotate operators to prevent burnout. 986 | - Train with **stress inoculation drills** (role-play interrogation, surveillance pressure). 987 | - Maintain peer review and debrief culture to normalize mistakes. 988 | 989 | #### 🔥 Extreme Practices (Optional) 990 | - Run **continuous deception environments**: parallel fake infrastructures that adversaries can discover and waste resources on. 991 | - Maintain **multi-layered canary networks**: fake identities that report back when touched. 992 | - Use **machine-assisted camouflage**: AI models to generate realistic but distinct writing styles, browsing histories, or fake photos. 993 | - Flood OSINT and search engines with **false leads** about your personas (AI-generated filler content). 994 | - Deploy **plausible decoy hardware**: carry a benign laptop/phone for inspection while keeping real hardware hidden and encrypted. 995 | - Create **false sacrifice operations**: deliberately burn one persona to validate adversary methods. 996 | - Implement **instant kill-switches** for infrastructure: one action wipes devices, burns keys, and retires personas simultaneously. 997 | - Train operators in **psychological deception techniques**: stress role-play, false narrative embedding, covert signaling under interrogation. 998 | 999 | ## 14. Monitoring, Audits & Incident Response 1000 | 1001 | ### 14.1 Importance of Continuous Monitoring 1002 | Even the best OPSEC setups degrade over time. Software updates, new adversary capabilities, and operator mistakes introduce fresh risks. 1003 | Regular monitoring ensures that vulnerabilities are caught **before** they become catastrophic failures. 

### 14.2 Self-Audits
- Perform **monthly audits** of all OPSEC compartments.
- Use a structured checklist:
  - Verify browser fingerprints via [Cover Your Tracks](https://coveryourtracks.eff.org/) or [BrowserLeaks](https://browserleaks.com/).
  - Confirm VPN, Tor, and proxy routing; test for **DNS/WebRTC leaks**.
  - Inspect devices for **unauthorized services, rootkits, or persistence mechanisms**.
  - Check logging and metadata retention policies.
  - Test kill-switches and emergency wipe mechanisms.
- Document results and track changes over time.

### 14.3 External Red/Purple Team Drills
- Conduct **red team tests**: allow trusted analysts to attempt deanonymization or correlation attacks.
- Run **purple team drills**: simulate persona compromise and measure detection + containment time.
- Scenarios should include:
  - Device seizure.
  - Metadata correlation across personas.
  - Stylometric attribution.
  - Social engineering or phishing.
- Maintain written after-action reports with **lessons learned**.

### 14.4 Incident Response Workflow
When compromise is suspected or confirmed:

**1. Containment**
- Isolate compromised devices or accounts immediately.
- Trigger kill-switches if supported (wipe storage, disable accounts).

**2. Rotation**
- Replace compromised credentials, encryption keys, and devices.
- Retire affected personas and migrate operations to fresh compartments.

**3. Notification**
- Inform stakeholders who may be affected (team members, trusted partners).
- Share IOCs (indicators of compromise) with relevant internal parties.

**4. Threat Model Update**
- Reassess adversary capabilities in light of the compromise.
- Identify what information was likely exposed.

**5. Post-Incident Review**
- Conduct root-cause analysis: what failed — tool, process, or operator discipline?
- Update SOPs and training to prevent recurrence.
- Maintain records for accountability and long-term tracking.

#### 🔥 Extreme Practices (Optional)
- Run **continuous monitoring agents** inside disposable VMs to automatically alert on fingerprint drift or unexpected outbound connections.
- Deploy **canary personas** that exist solely to act as early-warning systems when touched by adversaries.
- Use **decoy infrastructures** (fake servers, dummy accounts) to track intrusion attempts.
- Maintain **parallel redundant infrastructures**: if one network or device stack is burned, instantly switch to a cold standby.
- Practice **instant evacuation drills**: operators rehearse what to do if devices are seized in real time.
- Automate **nuclear kill-switches**: one command wipes devices, revokes keys, disables accounts, and retires personas across multiple jurisdictions.
- Treat every incident as an opportunity for **adversary intelligence gathering** — capture their TTPs (tactics, techniques, procedures) during the breach.

## 15. Tools & Utilities Reference

### 🖼️ Image Analysis

**Common needs:** detect manipulation, verify authenticity, inspect metadata.

- **Check EXIF metadata** → [ExifTool](https://exiftool.org/) – extract, analyze, and compare image metadata fields.

- **Detect editing or cloning** → [Forensically](https://29a.ch/photo-forensics/) – error level analysis, clone detection, noise analysis.

- **Sensor-level verification** → [Noiseprint](https://github.com/isi-vista/noiseprint) – identify the device PRNU fingerprint.

- **Verify text/logos in images** → [OCRmyPDF](https://ocrmypdf.readthedocs.io/) or [Tesseract](https://github.com/tesseract-ocr/tesseract) – OCR for suspicious text.


### 🎥 Video Verification

**Common needs:** analyze frames, detect deepfakes, validate context.

- **Extract keyframes / thumbnails** → [InVID Plugin](https://www.invid-project.eu/tools-and-services/invid-verification-plugin/) – frame capture, reverse search, metadata inspection.

- **Inspect encoding & frames** → [FFmpeg](https://ffmpeg.org/) – codec analysis, frame-by-frame breakdown.

- **Detect deepfake manipulation** → [SensityAI](https://sensity.ai/) or [Reality Defender](https://realitydefender.ai/) – ML-based deepfake detection.

- **Cross-check weather & lighting** → [SunCalc](https://www.suncalc.org/) + [Meteostat](https://meteostat.net/) – shadow and weather validation.


### 🔊 Audio Verification

**Common needs:** detect synthetic voices, validate background context, inspect signals.

- **Spectrogram & waveform inspection** → [Audacity](https://www.audacityteam.org/) – generate spectrograms, detect anomalies.

- **Phonetic & acoustic features** → [Praat](https://www.fon.hum.uva.nl/praat/) – jitter, shimmer, pitch contour analysis.

- **Detect synthetic voices** → Intel [FakeCatcher](https://www.intel.com/content/www/us/en/research/ai-fakecatcher.html) or [Deepware Scanner](https://www.deepware.ai/).

- **Validate ambient audio** → Compare environmental sounds with the expected context (traffic, birds, etc.).


### 📝 Textual Verification

**Common needs:** detect AI-generated text, check citations, validate style.

- **Spot AI-generated scaffolding** → [GLTR](http://gltr.io/) – token probability analysis.

- **Alternative AI detection** → [DetectGPT](https://github.com/eric-mitchell/detect-gpt) – detect likelihood of LLM text.

- **Stylometric comparison** → [JStylo](https://psal.cs.drexel.edu/index.php?n=Software.JStylo) – author attribution & writing style analysis.

- **Check fabricated citations** → Manual validation + [Crossref](https://www.crossref.org/) or Google Scholar.


### 🌍 Contextual & Cross-Modal Checks

**Common needs:** validate time, place, and consistency across modalities.

- **Verify location** → [Google Earth](https://earth.google.com/) + [Street View](https://www.google.com/streetview/).

- **Check shadows & sun position** → [SunCalc](https://www.suncalc.org/).

- **Weather validation** → [Meteostat](https://meteostat.net/) or [OGIMET](https://www.ogimet.com/).

- **Narrative consistency** → Manual cross-check across text, image, video, audio.


### 📊 Metadata & Technical Fingerprints

**Common needs:** check provenance, file signatures, hidden markers.

- **Extract all metadata** → [ExifTool](https://exiftool.org/) – universal metadata extraction.

- **Provenance verification** → [C2PA](https://c2pa.org/) or Adobe [Content Credentials](https://contentcredentials.org/).

- **Watermark detection** → Google [SynthID](https://deepmind.google/technologies/synthid/) (when supported).

- **Sensor noise & compression** → [Noiseprint](https://github.com/isi-vista/noiseprint).


### 🛡️ OPSEC & Workflow Support

**Common needs:** maintain anonymity, secure comms, manage personas.

- **Anonymous file transfer** → [OnionShare](https://onionshare.org/) or [Magic Wormhole](https://magic-wormhole.readthedocs.io/).

- **Password management** → [KeePassXC](https://keepassxc.org/).

- **OS isolation** → [Tails](https://tails.boum.org/) for amnesic sessions, [Qubes OS](https://www.qubes-os.org/) for compartmentalization.

- **Browser fingerprint testing** → [AmIUnique](https://amiunique.org/) or [CoverYourTracks](https://coveryourtracks.eff.org/).


## 16. Checklists

### 16.1 Daily Analyst Hygiene

- Boot hardened environment; verify VPN/Tor; minimal extensions; check firewall/kill-switch.

- Use persona-specific profiles; no personal logins; rotate session cookies.

- Update and back up encrypted vaults; verify hashes; review task list and risk flags.


### 16.2 Pre-Operation (L2/L3)

- Refresh threat model; define objectives; select personas; confirm devices and VMs.

- Test fingerprint; confirm metadata scrubbing; prepare case log and hashing plan.

- Establish comms plan and emergency contacts; legal review if needed.


### 16.3 Post-Operation

- Archive evidence (write-once, hashed); export logs; rotate credentials/keys as scheduled.

- Peer review of OPSEC; update lessons learned; schedule next audit.


## 17. Templates & Automation (Snippets)

- **Hash all files in a folder:** `sha256sum * > hashes.txt`

- **Strip metadata:** `mat2 *.pdf *.jpg *.png`

- **PGP key generation (GnuPG):** `gpg --quick-gen-key "Persona X " ed25519 cert,sign 2y` (usage flags are one comma-separated argument; `--quick-gen-key` accepts at most four positional arguments, so `cert sign` as two words is rejected)

- **Tor-only egress (Linux iptables example):**

- **Test DNS/WebRTC leaks:** visit `https://ipleak.net/` and ensure no IPv6/WebRTC disclosures.


### 🔖 Credits

Maintained by **Oryon** + **[OSINT360](https://tntpp9.short.gy/osint360-gpt)**.
This document is part of the **Cyber Intelligence Toolkit** project.
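The 16.3 step "archive evidence (write-once, hashed)" and the `sha256sum * > hashes.txt` snippet in section 17 combine naturally into a manifest-and-verify routine. The script below is an added example, not part of the manual: it writes a manifest over a whole directory tree in the `<hash>  <relpath>` format that `sha256sum -c` reads, seals the manifest itself, and on verification also reports files added after the manifest was written, which `sha256sum -c` alone never notices. Paths and file contents in `demo()` are constructed.

```python
# Evidence manifest (added example, not from the manual): extends the `sha256sum * > hashes.txt`
# snippet to a whole tree in the "<hash>  <relpath>" format `sha256sum -c` reads, seals the
# manifest itself, and on verification also reports ADDED files, which `sha256sum -c` misses.
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def list_files(root):
    """Sorted relative POSIX paths of every regular file under root (deterministic manifests)."""
    return sorted(p.relative_to(root).as_posix() for p in Path(root).rglob("*") if p.is_file())

def write_manifest(root, manifest):
    """Hash every file under root into manifest; seal the manifest itself in <manifest>.sha256."""
    root, manifest = Path(root), Path(manifest)
    data = "".join(f"{sha256_file(root / p)}  {p}\n" for p in list_files(root))
    manifest.write_text(data)
    seal = hashlib.sha256(data.encode()).hexdigest()
    Path(f"{manifest}.sha256").write_text(f"{seal}  {manifest.name}\n")
    return seal

def verify_manifest(root, manifest):
    """Return a list of problems (empty = intact): seal broken, added, missing, modified."""
    root, manifest = Path(root), Path(manifest)
    data = manifest.read_text()
    seal = Path(f"{manifest}.sha256").read_text().split()[0]
    problems = [] if seal == hashlib.sha256(data.encode()).hexdigest() else ["seal broken"]
    listed = dict(line.split("  ", 1)[::-1] for line in data.splitlines())  # relpath -> digest
    on_disk = set(list_files(root))
    problems += [f"added: {p}" for p in sorted(on_disk - set(listed))]
    for rel, digest in listed.items():
        if rel not in on_disk:
            problems.append(f"missing: {rel}")
        elif sha256_file(root / rel) != digest:
            problems.append(f"modified: {rel}")
    return problems

def demo():
    """Constructed case tree in a temp dir: verify intact, after a planted file, after an edit."""
    tmp = Path(tempfile.mkdtemp())
    case, manifest = tmp / "case", tmp / "case.manifest"
    (case / "notes").mkdir(parents=True)
    (case / "a.txt").write_text("capture 1\n")
    (case / "notes" / "b.txt").write_text("capture 2\n")
    write_manifest(case, manifest)
    intact = verify_manifest(case, manifest)
    (case / "c.txt").write_text("planted\n")
    added = verify_manifest(case, manifest)
    (case / "a.txt").write_text("capture 1 altered\n")
    return intact, added, verify_manifest(case, manifest)
```

Keep the manifest and its seal outside the archived tree (as `demo()` does), otherwise they end up hashed into their own manifest and every later verification fails.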