The Reaper
10-07-2014, 18:06
Good read if you are unfamiliar with this sort of biometric and intel/police work.
TR
How They Hunt
Posted on 16/08/2013
by Treaded
http://thelizardfarmer.wordpress.com/
I’ve been cobbling this entry together between uptime and downtime over the last couple of weeks so bear with me on this one. I think there’s a fundamental misunderstanding of how counter-insurgency intelligence and exploitation systems work so I’m going to touch on them a bit in this entry. It’s by no means comprehensive as that would take an entire volume to document. So what I’m going to attempt to do here is give the reader some insight into how an insurgency is identified, exploited, and targeted using a fairly simple and brief scenario.
Make no mistake that over the last decade plus the DoD, DoJ, DHS, NSA, and CIA have definitely learned their lessons. From shortly after 9/11 when the new lessons of counter-insurgency still lay ahead to the recent (last few years) capture and killing of Al Qaeda’s top officers the concepts and techniques of counter insurgency targeting have been vastly refined. Lessons learned not only on the battlefield but in the ops center have developed intelligence exploitation systems that are genuinely lethal due to their ability to be comprehensive and timely. Instead of sitting here typing out how these systems work I’m going to throw out a bit of a scenario for you. Not every system is represented but hopefully I’ll depict enough of them to give you an appreciation of just how dangerous they can be.
In this scenario we’re going to assume the perspective of the lead intelligence officer in a built up area with a fairly large population. Austin TX sounds good at this point. Anyway the country has de-stabilized to the point that National Guard units have deployed but martial law hasn’t been declared yet. Over the last few weeks we’ve been faced with frequent insurgent attacks against logistics columns traveling up and down I-35 in areas around Georgetown and Salado. Additionally this (or other groups) have attacked the infrastructure junctions in that area as well.
We just happened to get lucky (from our perspective anyway) and kill one of the insurgents and have possession of his body. He had no identification, the serial number on his rifle had been removed, and he had even gone to the trouble to remove his own fingerprints (talk about dedication). Those are some significant hurdles to overcome figuring out who this guy is right? Yeah, but not something we can’t work around. A quick phone call to the field gets us a good high resolution frontal image of the DI’s (dead insurgent’s) face. The case officer uploads that image into a work file and sends it off to multiple agencies, say the DoJ (FBI specifically), DHS, and the State Fusion Center (there are more but let’s keep it simple). The Fusion center comes back a few hours later and identifies the individual as Bob Jones of Llano TX. How did they do that? By loading the pic of the DI into a biometric facial recognition program and running a comparison to Texas’s driver’s license photo database. If they hadn’t gotten a hit it could have been compared to other states’ databases as well. It would have taken more time but eventually would have given us the identity. Now we have a starting point.
First thing we do is get a quickie warrant and pull all of Bob’s home and cell phone records for the last 90 days. Then we’ll identify every call he made or received in a certain radius say 200 miles. These calls automatically get categorized into business numbers and residential numbers. All calls will be looked at however we’re going to jump into the residential numbers first. In that pool we’ll separate the numbers into known and assumed family (by last name, tax returns, public records databases, etc.) and unknown reason contacts. In the last 90 days there have been roughly 300 calls to personal numbers which belong to a pool of 125 individuals. These 125 are now our short list for the time being.
Now we have an identification and an address it’s time to generate physical warrants. So the local boys go and raid Bob’s home and take any and everything electronic, anything that remotely looks like correspondence, and any credit/debit cards or checkbooks. They even go so far as to search vehicles. But here’s an oddity: Bob’s truck isn’t at his house. And we know his make, model, and plate number by querying the state registration database and we put out a watch for the vehicle. Note at this point we’re not trying to build a case against Bob – hell he’s dead. We’re looking for cross referencing information to identify other members of his group. Once those items are collected they are handed over to a team of forensic technicians who begin to dissect the information and cross check other databases. Within 24 hours we have a comprehensive list of who he sent and received emails from, the IPs and cookies of the websites he’s visited, any purchases he’s made online and quite a few of the offline ones as well. Remember this isn’t all encompassing but intended to give you an idea of how it works.
All of this information gets laid out into what we’ll call a virtual “starfish” with each bit of info representing a point. We’ve got systems running the phone records down to individual names associated with those accounts referenced by physical location and date, systems referencing any known purchases referenced by location and date, and any and everything else we can dump into the system to expand the starfish. Once this part is done it’s time to start looking at known associations. We do this by taking the folks we’ve already identified and trying to determine their association with good old Bob. For the sake of simplicity we’ll start on phone records – those 125 individuals. Those individuals’ names now generate their own starfish. As the multitude of systems begin to return information on each individual those starfish grow as well. At 36 hours to keep things simple we’ll reject all information on those other starfish if they do not correspond to any of the legs on the starfish that represents Bob. That narrows down things considerably. Now it’s time for some human review (most of the action up to this point has been fairly automated). So we get a couple of analysts to start scrutinizing the associated information points between Bob and the other 125 folks we’re looking at. Some of the info can be dismissed fairly easily however other pieces have to be physically researched and even though it’s done via network it still takes some time. A couple of days later the analysts come back with a narrowed list of 16 people that could still be considered suspect however Bob had no contact with those people within 14-21 days of the attack in which he was killed. How did they arrive at the 16 people? Remember when the forensic team tore apart Bob’s computer? They took his known data (his IP) and ran it across the stored multiple metadata databases to identify which websites he had been visiting.
Of those websites a dozen were considered radical or fringe (at least under TPTB’s definition of such). They then ran a cross check against those 125 folks from the phone records and 16 other people on our list had visited some of those websites.
What we have so far isn’t sufficient to start kicking doors in and shooting dogs so we’ve got to dig deeper. And for that we turn to financial transactions. Breaking them down into periods working outwards from the attack we find that Bob bought gas in Florence TX the evening before the attack. So now the Florence local boys get a call to specifically look for his vehicle. While that is going on we’re going to start looking at the transactions of those 16 other folks and compare them to Bob’s. One thing that is puzzling is the fact that Bob didn’t have any phone or email contact with our new 16 person short list in the period immediately preceding the attack. Attacks are typically coordinated so there had to be some form of communication. By scrutinizing Bob’s debit purchase records we find that he had bought a “disposable phone” at the local big box store one day before his last contact with any of the 16 individuals we’re looking at. Getting the number to that phone isn’t hard at all with a quick warrant for the metadata for that carrier’s phones that were activated within a 36 hour period in Bob’s area. But for timeliness we’re also going to scrutinize those other 16 individuals’ transactions for the same type of purchase – disposable phones and we come up with nada for them.
(Cont. at link above, I strongly suggest you read the entire article)
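The "starfish" filtering the article walks through (build a point set per person, reject every leg on a contact's starfish that has no counterpart on the subject's, keep the contacts who share a fringe website, then flag the ones with a suspicious gap in direct contact before the attack) as a small added example. This is not the article's or the blog's own code; the records, the watch list of sites and the attack date are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple

# Constructed sample data, not taken from the article. A "starfish" is the set of
# information points (legs) attached to one person: websites visited and
# purchases as (city, date). Bob is the identified subject; the rest are his
# phone contacts. FRINGE_SITES is a hypothetical watch list.
ATTACK_DATE = date(2013, 8, 1)
FRINGE_SITES = {"fringe-forum.example", "radical-blog.example"}

@dataclass
class Starfish:
    name: str
    family: bool = False
    sites: Set[str] = field(default_factory=set)
    purchases: Set[Tuple[str, date]] = field(default_factory=set)
    last_contact_with_subject: Optional[date] = None

def shared_legs(subject: Starfish, other: Starfish) -> Set[str]:
    """Legs on `other` that match a leg on the subject; all other legs are rejected."""
    sites = {f"site:{s}" for s in subject.sites & other.sites}
    buys = {f"buy:{c}:{d}" for c, d in subject.purchases & other.purchases}
    return sites | buys

def short_list(subject: Starfish, contacts: List[Starfish]) -> List[str]:
    """Non-family contacts whose surviving legs include a fringe site the subject visited."""
    fringe = {f"site:{s}" for s in subject.sites & FRINGE_SITES}
    return [c.name for c in contacts
            if not c.family and shared_legs(subject, c) & fringe]

def silent_before_attack(contacts: List[Starfish], names: List[str],
                         days: int = 14) -> List[str]:
    """Short-listed contacts with no direct contact within `days` of the attack (the gap that points to an unseen channel)."""
    cutoff = ATTACK_DATE - timedelta(days=days)
    by_name = {c.name: c for c in contacts}
    return [n for n in names
            if by_name[n].last_contact_with_subject is None
            or by_name[n].last_contact_with_subject < cutoff]

BOB = Starfish("Bob Jones", sites={"fringe-forum.example", "news.example", "radical-blog.example"},
               purchases={("Florence TX", date(2013, 7, 31))})
CONTACTS = [  # constructed: a family member plus three unknown-reason contacts
    Starfish("Sister", family=True, sites={"fringe-forum.example"}, last_contact_with_subject=date(2013, 7, 30)),
    Starfish("Contact A", sites={"fringe-forum.example", "shop.example"}, last_contact_with_subject=date(2013, 7, 10)),
    Starfish("Contact B", sites={"news.example"}, last_contact_with_subject=date(2013, 7, 31)),
    Starfish("Contact C", sites={"radical-blog.example"}, purchases={("Florence TX", date(2013, 7, 31))},
             last_contact_with_subject=date(2013, 7, 29)),
]
```

With this data `short_list(BOB, CONTACTS)` keeps Contact A and Contact C (the sister shares a site but is filtered as family, Contact B shares only a mainstream site), and `silent_before_attack` then singles out Contact A, whose last direct contact predates the 14-day window.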