How can professional online investigators securely conduct research on social media without exposing their organizations? Let's look at tools and techniques to help facilitate effective, safe and anonymous social media research.

There are more than 4.65 billion active social media users across the world as of 2022. Facebook, Instagram, Twitter, LinkedIn, Reddit, 8chan and other platforms can be a treasure trove for law enforcement, fraud investigators, corporate security specialists and open-source intelligence (OSINT) analysts. Online investigators need to be able to collect, save and collaboratively analyze data while maintaining adequate operational security — which, of course, is easier said than done. Analysts often operate under strict budget constraints, are under pressure to respond quickly to emerging threats and seldom have the tools and techniques that are up to the task.

Let’s look at how online investigators can improve their tradecraft and get the most out of social media research without revealing their identities or putting their mission at risk. To start, let’s explore why it is important to remain anonymous while investigating on social networking platforms.

When social media research goes wrong: Is the web following you home?

Most OSINT collectors — whether Fortune 100 corporate security teams, fraud investigation units or metropolitan police departments — face two main challenges on the web:

  • If researchers try to move too quickly to collect information from all available sources without taking precautions, they risk linking their investigations to themselves and their employers, or accidentally downloading malware that can damage their systems and corporate networks.

  • If researchers are required to follow strict security protocols that limit which sites they can visit and what data they can download, crucial time is often lost, allowing bad actors to cover their tracks, deny researchers access to information and erase valuable evidence from their profiles.

Both problems stem from how regular commercial browsers are designed to work. And while most researchers are aware that browsers betray them, they continue to use them to access the web and social media platforms. Our recent survey of law enforcement investigators revealed that nearly all of them need to go online to conduct related research, and yet 73% responded that they lack security and privacy measures and often use their regular computer and browser on their employers’ networks to conduct sensitive online research.

When you have a web browser installed on a local workstation, both browsers and website owners are collecting data that can lead the adversary back to you. We are tracked in many ways:

  • Internet address and connection: regardless of your internet provider, if you are not using a managed attribution platform, information about your internet address and its owner is stored somewhere and can be linked to you and your organization.

  • Attributes of your device and browser: your device type, operating system, installed software, extensions and plug-ins, time zone and language settings and audio and video services – all are unique to you and can be used as identifiers. There are also cookies and other data collected by websites and social media platforms for advertising purposes that can help create and track your individual profile.

  • Behavior that’s unique to you: this includes data collected on the search terms you use, times you are active on certain sites, your own social media connections, shopping preferences, website visits and all other web activity that creates patterns and helps paint a picture of who you really are. Even when you are not performing research, data that’s collected during your personal browsing may be tied back to your work-related identity.

The browser really does betray you – it was built without security in mind. It’s great at serving customized content and collecting, storing and sharing information between platforms, which is a red flag for an investigator, whose job is to stay hidden and anonymous when collecting data from social media and other online platforms. Investigating online, especially on social media, requires the same level of precaution as going undercover in the physical world. So, let’s look at what can be done to protect the researcher’s identity and mission.

Is there anywhere left to hide?

One of the most common methods for mitigating these risks for analysts is to isolate research environments from corporate networks. Larger organizations often resort to building separate networks and maintaining a fleet of dedicated hardware to prevent any dangerous files downloaded from the web from reaching their main IT infrastructure and to try to decouple researchers’ identities from their organizations. Many organizations and agencies tend to use a VPN and/or incognito or private browsing mode to keep their location and unique characteristics hidden from the subjects of their research.

These methods are often costly and require ongoing maintenance, like the constant setup, configuration and reimaging of “dirty” machines. Researchers also report that the typical patchwork of measures designed to protect them is often cumbersome and impedes workflows, collaboration and sharing of findings between teams. What’s more, most of these solutions still don’t do enough to fully ensure investigators’ anonymity. Attributes such as your online behaviors, the history on the laptop you are using and hardware and software configuration can still link your browsing activity with your organization.
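The linkage described above can be seen in a few lines. This is an added example, not code from the article or from any product: the sessions, attribute names and addresses are constructed (the IPs are documentation ranges), and a simple FNV-1a hash stands in for whatever fingerprinting a real site performs.

```javascript
// Constructed sample data, not captured traffic.
// Attribute names are assumptions modelled on the device/browser categories listed earlier.
const workstation = {
  platform: "Win32",
  userAgent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) ExampleBrowser/1.0",
  timeZone: "America/Chicago",
  languages: ["en-US", "en"],
  screen: "2560x1440x24",
  extensions: ["pdf-viewer", "password-manager"],
};
const sessions = [
  { label: "office network, normal window", ip: "198.51.100.10", cookies: { sid: "a1" }, device: workstation },
  { label: "VPN + private window", ip: "203.0.113.77", cookies: {}, device: workstation },
  { label: "separate profile", ip: "192.0.2.45", cookies: {},
    device: { ...workstation, timeZone: "Europe/Berlin", languages: ["de-DE", "de"], screen: "1920x1080x24", extensions: [] } },
];

// 32-bit FNV-1a over the string's character codes: small and non-cryptographic, enough to show linkage.
function fnv1a(text) {
  let h = 0x811c9dc5;
  for (let i = 0; i < text.length; i++) {
    h ^= text.charCodeAt(i);
    h = Math.imul(h, 0x01000193);
  }
  return (h >>> 0).toString(16).padStart(8, "0");
}

// The fingerprint is built from device attributes only: IP and cookies never enter it.
function fingerprint(device) {
  const canonical = Object.keys(device).sort()
    .map((k) => `${k}=${JSON.stringify(device[k])}`).join("|");
  return fnv1a(canonical);
}

// Group session labels by fingerprint; a group with more than one label is linkable.
function linkedSessions(list) {
  const groups = new Map();
  for (const s of list) {
    const fp = fingerprint(s.device);
    groups.set(fp, [...(groups.get(fp) || []), s.label]);
  }
  return [...groups.values()].filter((labels) => labels.length > 1);
}

console.log(linkedSessions(sessions));
```

The first two sessions fall into one group even though the address changed and the cookies were cleared, which is the gap a VPN plus private browsing leaves open.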

Managed attribution: secure and cost-effective way to do social media research without endangering your mission

Managed attribution is the most advanced and mature approach for online investigators who are serious about protecting their missions. It allows you to fully control how you appear online by customizing your browser fingerprint, changing your time zone and keyboard settings to blend in with local traffic and not arouse suspicion. You can choose your network address to appear to be accessing the internet from any place around the globe, as well as disassociate your internet provider and subscriber information from your organization to make your location truly untraceable.

Silo for Research is the leading managed attribution platform used by thousands of organizations and government agencies around the world. It combines web isolation with attribution management to give online investigators a secure, geographically distributed research platform across the clear, deep and dark web. All web code is rendered in the cloud and converted into a high-fidelity remote display of the session, protecting endpoints from malware, spyware and drive-by downloads.

Silo’s patented technology has been compared to the “air gap” approach that isolates the IT network of military submarines or nuclear power plants from the outside world. Websites and social media platforms are presented only with the IP address of Authentic8’s server. Silo for Research can be configured to exit to the internet from one of dozens of global exit nodes and spoof different client environments. To the website under examination, Silo appears like another garden-variety browser on a local device on a local network. With Silo for Research, the risk of attribution or de-anonymization when conducting an online investigation becomes a non-issue. Encrypted audit logs and a secure data storage manager help maintain the integrity of the investigation and meet chain of custody evidentiary policy compliance.
