Resilient OSINT Environment: System for Resisting Powerful Adversaries
How to Investigate a High-Profile Target and Mitigate Risks
Primary Audience: OSINT Investigators
Secondary Audience: Investigative Journalists
Level: Advanced
Building a Robust (OSINT) Framework for Investigations Against Powerful Adversaries
Much is said about digital security. As an investigative journalist and/or OSINT investigator, the need for vigilance is constant, given the increasing complexity of threats and ever-evolving risks.
In this article, drawn from my cybersecurity experience, I will guide you through a step-by-step process in constructing a dedicated machine for advanced investigations.
I will address a range of potential issues that may arise during an investigation. I emphasize that, in the realm of protection in the digital world, it is imperative to understand whom we aim to safeguard ourselves from. Unfortunately, this in-depth discussion does not fit within this text, which already has a substantial focus. Fortunately, a few weeks ago, I crafted a specific article on how to protect oneself and, primarily, understand who our adversary is. The link to identify the adversary and assess the threat level is available here.
Considering the online battlefield in which we are immersed, we will focus on a fictional team of researchers engaged in a project investigating disinformation campaigns orchestrated by hostile governments. These countries represent advanced adversaries, with significant ties to criminal groups, including mercenary militaries, terrorist organizations, mafias, and highly specialized hacker groups (APTs).
In this challenging environment, it is vital for the team to adopt stringent measures to mitigate various risks, thereby ensuring the success of the project.
Within this context, two crucial aspects emerge: First, the people involved and, second, the technologies employed in the project.
People are the backbone, representing a critical mass for the project. They possess feelings and emotions that need to be handled with care. Before any outcome, it is essential to shield them from the collateral effects resulting from the power and malice of adversaries who can attack or traumatize mercilessly. We will address some key points in this regard, seeking the best strategies to circumvent or mitigate the negative effects on individuals.
On the technical front of the project, it is imperative to apply the best configurations, utilize high-quality tools based on available resources, and create an advanced plan to address each technical risk aspect. Given the capacity, knowledge, and determination of the adversary, at some point, they will undoubtedly carry out attacks, infiltrate our systems, and gain unauthorized access. We need to ensure that, when this happens, we are prepared to thwart their success, mitigating significant losses. In this aspect, ensuring that our crucial investigations, research, and data remain uncompromised, and that the identities of team members are not exposed, is of utmost importance.
Protecting People
To begin, crucial risk aspects for the investigators deserving attention include:
- Identity Protection: Safeguarding the researchers’ identities is paramount in the face of persistent threat actors. Employing VPNs, proxies, and the Tor network effectively conceals the origin of our investigations.
- Vigilance Against Social Engineering: The team must remain vigilant against potential social engineering attacks, exercising caution in online interactions, and employing techniques to recognize and counter such attempts.
- Source Anonymity Protection: As individuals become sources in the project, maintaining their anonymity is essential. This requires providing training, implementing encrypted communication channels, and minimizing the sharing of sensitive information.
- Secure Online Activities: Awareness of the team’s online activities is critical. Utilizing secure browsers, privacy tools, and advanced techniques helps protect their digital footprints.
- End-to-End Encrypted Communication: Internal communication should prioritize security. Implementing end-to-end encryption in messages and calls ensures that sensitive information remains protected during transit.
- Critical Evaluation of Information Sources: Throughout the project, we must remain vigilant against counterintelligence or directed disinformation attacks. Continuously evaluating the credibility of information sources is crucial to prevent the spread of false or biased information that could jeopardize the project.
- Addressing Psychological Implications: Disinformation projects can take an emotional toll, especially when facing sophisticated adversaries. Providing adequate support to researchers to cope with these implications is essential. Andy Carvin’s work on this subject is highly relevant, and I recommend reading one of his articles. The link is available here.
- Ongoing Risk Assessment: Regularly conducting risk assessments is essential to adapt to evolving threats and enhance security measures as the project progresses. A tool from the Global Investigative Journalism Network can aid in this process. The link is available here.
Mitigating these risks is fundamental for the success of the team’s investigative projects, especially when facing global disinformation actors with vast resources. Security and privacy must remain top priorities to protect the researchers and their well-being.
Therefore, the project should incorporate a meticulously devised plan to address these concerns, offering countermeasures, confronting issues head-on, openly discussing the challenges faced, seeking guidance from experienced team members, maintaining unity, and fostering a culture of mutual support. Additionally, seeking expert advice and assistance from support organizations, as recommended by Andy Carvin in his article, is highly recommended.
Technical Environment Issues
Building upon the concepts introduced earlier, let’s delve into technical aspects using the digital security manuals from the Kicksecure Project as a reference. As outlined in these guidelines, the most critical aspects for a computer include the following:
- Man-in-the-Middle (MITM) Attacks: These occur when an intruder intercepts communication between OSINT team members, potentially accessing and manipulating confidential information.
- Malware Injection: This involves inserting malware into messages, documents, or emails shared among the OSINT team with the aim of compromising systems.
- Phishing: Phishing attacks, part of the social engineering mentioned earlier, involve technical aspects where adversaries aim to trick team members into divulging personal information or sensitive credentials, often through deceptive emails.
Note: Phishing and social engineering are related concepts, but each addresses a different approach to manipulating individuals to obtain confidential information. Here are the fundamental distinctions between the two terms:
Phishing: Refers to a specific type of cyberattack where attackers try to deceive people into disclosing confidential information, such as passwords, credit card details, or banking information. This is typically accomplished through emails, instant messages, or fraudulent websites that impersonate legitimate organizations.
Social Engineering: It’s a broader approach encompassing various techniques to manipulate or deceive people, not limited to the digital realm alone. It involves leveraging human vulnerabilities to gain access to confidential information, whether in person, over the phone, email, or other means.
- Ransomware Attacks: Ransomware is a type of malware that encrypts files on personal computers or file servers, potentially compromising key project files and folders.
- Outdated Applications: These vulnerabilities exploit gaps in outdated applications or systems, potentially leading to the breach of personal computers.
- Distributed Denial of Service (DDoS) Attacks: In this type of attack, servers and communications are overwhelmed with fake traffic, rendering services inaccessible.
- Attacks against Remote File Servers: Attacks targeting remote file servers where the team shares data, aiming to access, modify, or exfiltrate confidential data.
We’ve outlined the primary types of attacks on host computers, while there are many others. Nevertheless, implementing the correct settings and maintaining a cautious mindset can reduce most digital threats.
Unfortunately, investigative journalists and OSINT investigators often lack the expertise to implement the correct settings and usually don’t have the time to learn how to do so. These settings require expertise in cyber defense to implement properly.
Therefore, this project seems infeasible due to the threats and risks inherent in such an ambitious undertaking. But does our security journey end here? Not quite; fortunately, there’s a reasonably simple solution, and I’ll show it to you next. Follow along!
Host Operating System
A host operating system, also known as a host OS, serves as the primary operating system in a computing environment. Its primary function is to manage the computer’s physical resources and provide support for various operations, including the execution of virtual machines.
In a virtualized environment, the computer’s physical resources, including the central processing unit (CPU), memory, storage, and networking, are abstracted to a higher level. This enables the simultaneous execution of multiple operating systems, termed guest operating systems, on the same physical hardware.
The host operating system assumes the responsibility of managing these resources and facilitating guest operating systems’ access to the required physical resources. Additionally, it plays a critical role in ensuring that guest operating systems function independently without interfering with each other’s operations.
Examples of host operating systems include:
- KVM (Kernel-based Virtual Machine)
- XenServer
- Proxmox Virtual Environment
- Citrix Hypervisor
- Red Hat Virtualization
In a virtualized environment, the host operating system plays a crucial role in the efficient and secure operation of virtual machines. It establishes the essential infrastructure for the smooth and secure execution of guest operating systems.
However, in the pursuit of a more secure environment for our OSINT application, it is essential to consider aspects of digital security. Solutions like Qubes and Linux Kicksecure stand out for this purpose.
Qubes, theoretically, is designed to provide enhanced security due to its more robust design. However, its use may require a more advanced level of cybersecurity expertise, and it faces hardware limitations, as it is not compatible with all hardware setups.
As an alternative, the team that developed Qubes also created Kicksecure, a system that is simpler to use and understand and offers a significant security enhancement.
Therefore, to achieve the required level of security for our OSINT operations, the chosen option is Linux Kicksecure. However, it is important to recognize that implementation requires an intricate setup process.
The Kicksecure Project describes the system as: “Kicksecure is a free and open-source Linux distribution that aims to provide a highly secure computing environment. It has been developed from the ground up according to a formidable — and time proven — defense in-depth security design. In the default configuration, Kicksecure provides superior layered defenses of protection from many types of Malware.
Kicksecure is a complete desktop operating system designed. Numerous applications come pre-installed with safe defaults which can be used immediately upon installation with minimal user input.”
For detailed information on Kicksecure, refer to their ‘About’ page here.
Important Considerations About the Operating System
Windows is globally used, offering ease of use and familiarity for most users. However, its popularity also makes it a constant target for malicious actors, resulting in frequent vulnerabilities and attacks. Due to its commercial nature and focus on software delivery speed, security often isn’t the primary priority. Additionally, Microsoft’s business model emphasizes data collection for marketing and advertising purposes.
In a scenario where security and privacy are of utmost importance, high-level teams should dedicate themselves to exploring systems that prioritize these aspects. This is where Linux distributions come into play, some of which are specifically designed with a primary focus on security and privacy from their conception.
For the purposes of this article and tutorial, where we’re constructing a host machine resistant to determined adversaries, we’ve opted for a Linux distribution.
But don’t worry: the transition can be conducted with ease as the step-by-step process is intuitive and well-detailed.
You can find more about vulnerabilities in the links below:
Kicksecure Inside Debian
In this guide, I will provide a detailed explanation of the process of installing the Kicksecure system on Debian, also known as “Distribution Morphing,” which is the transformation of one Linux distribution into another.
The objective is to strengthen and protect the system against a wide range of cyber threats, as mentioned earlier.
Kicksecure addresses a variety of security concerns, including:
- Advanced Security Features, including entropy: Improved security through random number generators for enhanced unpredictability.
- Live Mode: Secure operation in a temporary environment where data is erased upon session closure.
- Onion Network Browsing (Tor): Facilitating secure and anonymous browsing through the Tor network for enhanced connection protection.
- User Account Separation: Strengthening user account isolation within the system.
- Console Lockdown: Disabling obsolete login methods for enhanced security.
- Swap File: Implementing encrypted swap files to mitigate security risks associated with RAM.
- And many more.
For a deeper understanding of advanced security and Kicksecure, please consult their comprehensive documentation here.
Initial System Setup
Before we continue our journey, it’s important to clarify that: First, we’ll download and install the Debian Operating System, and Second, we’ll undergo the Morphing process, transforming Debian into a security-hardened operating system by default. Its primary mission is to mitigate most of the security problems faced today.
Note: This ‘paranoid’ level, for some, is indeed necessary because we’re talking about an investigation into hostile governments with unlimited resources. Governments that have a history of hacking other governments worldwide, including various instances where they even hacked the government of the United States of America.
Therefore, our journey begins now, with the mission of having an extremely secure HOST computer for our investigations.
Debian Download (ISO)
### MINI TUTORIAL ###
Access the official Debian website: https://www.debian.org/
On the website, scroll down to find the ‘Download’ section; please note that below this large button, there is a link labeled ‘Other downloads.’ Click on it.
Now, on the next page, click on ‘Complete Installation Image’:
Next, click on ‘Download CD/DVD images using HTTP.’
Now, click on ‘Official CD/DVD images of the “stable” release.’
Now, note that on one side it’s labeled CD, and on the other side, DVD. Go to the latter and click on the option that corresponds to your architecture:
You will be redirected to the download page:
Great, now just wait for the download of the Debian ISO image to complete: “debian-12.2.0-amd64-DVD-1.iso”.
Now that you’ve saved the Debian installation file, let’s create a Bootable USB Drive.
Creating a Bootable USB Drive (Using Ventoy)
Installing Ventoy on Windows, Linux, and macOS:
### MINI TUTORIAL ###
Download Ventoy: Visit the official Ventoy website at https://www.ventoy.net/ and download the version suitable for your system (Windows, Linux, or macOS).
Extract the File: After downloading, extract the ZIP file contents to a folder on your computer.
Connect the USB Drive: Insert the USB drive you want to use with Ventoy into your computer.
Run the Installer: Within the Ventoy folder you extracted, locate the appropriate executable file for your system (for example, “Ventoy2Disk.exe” for Windows, “VentoyGUI.x86_64” for Linux and macOS).
In Linux, for instance, I used the file VentoyGUI.x86_64 because that is my computer’s architecture; you should choose the file that matches your architecture.
Install Ventoy on the USB Drive: Open the installer and select the USB drive where you want to install Ventoy. Make sure to choose the correct drive as all data on it will be erased. Click the ‘Install’ button or execute the corresponding command.
Copy ISO Files: After the installation is complete, copy the ISO files of Linux distributions or operating systems directly to the USB drive.
Remember in the previous step you downloaded the Debian Netinst from the Debian website? It’s this file that you’re going to copy into your USB drive where you just installed Ventoy.
Start from the USB Drive: Now you can restart your computer, select the USB drive as the boot device, and choose which operating system or distribution to start from the Ventoy menu.
Now you’ll need to restart your computer (ensure the first boot option is the USB drive).
Here’s a video showing how to install Ventoy if your operating system is Windows:
Required Reflection
If you’ve made it this far, congratulations! You demonstrate resilience in the face of challenges and potentially possess the mindset required to be alongside individuals who can effectively bring about changes in the world. Now, it’s crucial to consider what to do from this point on.
If you choose to follow the steps in the article and reboot your computer from the USB drive, it’s important to be aware of the risk of losing all data on your hard drive. However, there are several available solutions, the best ones being:
Option 01 — Disk Partitioning:
You can use partitioning software to create a virtual drive on your hard disk, essentially forming a “second HD” to install the new operating system. Many computers already have an additional partition named “Backups,” usually created by technicians to store important data. If this partition isn’t in use, you can install Debian on it. Another option is to create a new partition on your original hard drive and name it “Debian,” “OSINT,” or any other preferred name. Learn how to do this below:
Option 02 — Purchase a New Disk:
An alternative is to acquire a new hard drive for installing Debian. On the internet, it’s possible to find hard drives at affordable prices. In this case, you’ll have two disks, keeping one with your current system and using the new hard drive exclusively for your investigations. It’s a good option to keep sections separate, avoiding inadvertently accessing sensitive information during your investigations.
Option 03 — Purchase, Assemble, or Upgrade:
Here, you’ll have a computer or laptop solely dedicated to your investigations, which can be an excellent choice. Additionally, you can acquire the necessary parts on Aliexpress. Personally, with less than $600, I managed to assemble a reasonable desktop computer equipped with 64GB of memory, a 128GB SSD for Debian, and a second 1TB hard drive for documents, backups, and virtual machines. With a 1TB hard drive, it’s possible to test various virtual machines without overloading the machine’s performance.
I believe the third option to be the most advantageous, especially if, like me, you spend more than 14 hours a day working. Having a good computer is essential in this case. Additionally, during your investigations on projects, it may be necessary to simultaneously access personal accounts and other day-to-day activities. If this happens and you inadvertently access services that could reveal your identity, everything will be compromised, resulting in the loss of anonymity.
System Boot-Up (Boot Options)
Now that you’ve decided how to proceed with setting up your machine for investigation, let’s install Debian. If you watched the video on creating a bootable PenDrive (Ventoy), you’ll know that upon booting, you’ll be faced with a Ventoy screen where you’ll need to select ‘Debian,’ something like: ‘debian-12.2.0-amd64-netinst.iso’ and press Enter.
Note: If you’re unfamiliar with booting from a PenDrive, refer to this link: https://youtu.be/V95s-vxZL3k
Debian Installation
Note: The following screens are purely illustrative, as they may have slight variations depending on the Debian version. Sometimes the screen might not be printed below, but don’t worry; simply read the instructions. Believe me, if you read, you’ll understand what it’s asking for. Generally, they’re questions requiring a response, and you’ll need to select one of the answers.
Observation 02: I want to make it clear that the Debian installation is not covered in my article. However, I’ve included the following screenshots as a courtesy to assist in the process. It’s important to note that if you’re not already familiar with installing Debian on your own, you may not be ready to follow this tutorial. I’m not saying you won’t be able to do it, especially since, after the installation, the rest involves copying from my tutorial and pasting into your terminal, making it straightforward. In my understanding, the installation is the most complex part, as you can’t simply copy and paste it like the other steps from this article.
THE GOOD NEWS IS, IF YOU CAN INSTALL DEBIAN, THE REST IS EASY — JUST COPY AND PASTE INTO YOUR TERMINAL…
Throughout the process, it will ask you to create passwords; jot them down on paper so you don’t forget (you’ll destroy the paper once you memorize them).
The following screens are part of the WikiHow tutorial; you can follow along directly there if you wish: Link here.
### TUTORIAL ###
Complete System Cleanup
When you chose the option ‘Guided — use entire disk and set up encrypted LVM,’ you must have noticed that the system wiped all content from the disk and rewrote it to prevent data leaks. This means the disk lost all previously stored data; even experienced digital forensic experts, with the best data recovery tools, may find difficulties and will hardly be able to recover the previous data.
If you handle sensitive data, you might consider adopting a policy of reinstalling Debian regularly, wiping and rewriting the disks.
Procedure for Morphing (part 01)
Open a terminal and execute the following command:
su
To install the sudo and adduser packages, first update the package lists:
apt update
Note: It’s possible the terminal may generate an error and not update; if this happens, follow the next 2 steps below.
nano /etc/apt/sources.list
(You are already root after ‘su’, and sudo is not installed yet, so the command runs without it.)
Erase whatever is there and paste the code below:
deb http://deb.debian.org/debian bookworm main non-free-firmware
deb-src http://deb.debian.org/debian bookworm main non-free-firmware
deb http://deb.debian.org/debian-security/ bookworm-security main non-free-firmware
deb-src http://deb.debian.org/debian-security/ bookworm-security main non-free-firmware
deb http://deb.debian.org/debian bookworm-updates main non-free-firmware
deb-src http://deb.debian.org/debian bookworm-updates main non-free-firmware
Press ctrl + O to save, press Enter to confirm the file name, then press ctrl + X to exit.
Note: If the update error doesn’t occur, ignore the above procedure and continue to the command below:
apt full-upgrade
apt install --no-install-recommends sudo adduser
Create a group called ‘console’:
/usr/sbin/addgroup --system console
Add your Linux username to the ‘console’ group. Be sure to replace ‘user’ with your actual username (or your sock puppet’s):
/usr/sbin/adduser user console
Add your user to the ‘sudo’ group (again replacing ‘user’ with your actual username):
/usr/sbin/adduser user sudo
Restart the system:
/sbin/reboot
Installing the Tor Browser
You are probably already familiar with the Tor Browser, a web browser based on Mozilla Firefox designed to provide anonymity and online privacy to its users. It is an essential part of the Tor Project (The Onion Router), a global anonymity network. The Tor Browser routes Internet traffic through the Tor network, which consists of a network of volunteer servers (nodes) distributed around the world.
In our Resilient OSINT Environment project, we will also use the Tor Browser for some research purposes.
However, when downloading software from the Internet, there is a risk of being a victim of tampered software. This means that a powerful adversary may have compromised the server where the software is hosted and made malicious changes. To mitigate this risk, it is always recommended to verify the package signature and compare it to the signature of the software developer. I recognize that this process may seem challenging for those with limited technical knowledge, but there is a reasonable solution. I will provide a step-by-step guide below:
The Tor Browser Downloader, developed by the creators of Whonix, is a tool that automatically performs the download, signature verification, and then installation. Learn more here.
### MINI TUTORIAL ###
Open the terminal and type:
sudo apt update
After the update, download the APT signing key:
wget https://www.kicksecure.com/keys/derivative.asc
Before using the key, you can verify it by comparing its fingerprint with the one Kicksecure publishes; obtaining that fingerprint from a second, independent source is what makes the check meaningful.
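A way to do that check, as an added example rather than code from the article or from Kicksecure: it assumes the key was saved to ~/derivative.asc by the wget step above, prints the fingerprints gpg derives from the file so you can compare them with the fingerprint Kicksecure publishes, and pins the file to a SHA-256 digest you recorded earlier before copying it into /usr/share/keyrings. The digest in the usage comment is a placeholder, not a real value; the pinning function is a substitute for a full gpg fingerprint comparison and only tells you that the file is the same one you verified before.

```shell
#!/bin/sh
# Added example, not code from the article or from Kicksecure.
# Two checks for a freshly downloaded APT signing key before it is
# installed under /usr/share/keyrings:
#   1. show_key_fingerprints: print the fingerprints gpg derives from the
#      file, to be compared by eye with the fingerprint published by the
#      project (ideally obtained over a different channel).
#   2. sha256_matches / install_pinned_key: compare the file with a digest
#      recorded from a copy you already verified (a "pin"), so a silently
#      replaced key file is refused.

# Print one fingerprint per line for every public key in KEYFILE.
show_key_fingerprints() {
    keyfile=$1
    # --with-colons gives machine-readable output; "fpr" records carry the
    # 40-hex-digit fingerprint in field 10.
    gpg --batch --with-colons --show-keys "$keyfile" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10 }'
}

# Return 0 when FILE's SHA-256 equals EXPECTED (hex, case-insensitive).
sha256_matches() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Copy KEYFILE to DEST (default: the derivative keyring path used by the
# article) only if it matches the pinned digest EXPECTED.
install_pinned_key() {
    keyfile=$1
    expected=$2
    dest=${3:-/usr/share/keyrings/derivative.asc}
    if ! sha256_matches "$keyfile" "$expected"; then
        echo "REFUSING to install $keyfile: SHA-256 does not match the pin" >&2
        return 1
    fi
    # Use sudo only when the target directory is not writable (the system
    # keyring directory); a temporary directory needs no privileges.
    if [ -w "$(dirname "$dest")" ]; then
        install -m 0644 "$keyfile" "$dest"
    else
        sudo install -m 0644 "$keyfile" "$dest"
    fi
    echo "installed $dest"
}

# Usage (manual; the digest below is a PLACEHOLDER, not a real value):
#   show_key_fingerprints ~/derivative.asc
#   install_pinned_key ~/derivative.asc 0000000000000000000000000000000000000000000000000000000000000000
```

Run install_pinned_key in place of the plain cp below once you have a digest from a copy you trust; if the digest differs, nothing is written and apt never sees the key.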
Add the APT Signing Key:
sudo cp ~/derivative.asc /usr/share/keyrings/derivative.asc
Add the derivative repository:
echo "deb [signed-by=/usr/share/keyrings/derivative.asc] https://deb.kicksecure.com bookworm main contrib non-free" | sudo tee /etc/apt/sources.list.d/derivative.list
Update your package lists:
sudo apt-get update
Install tb-updater:
sudo apt-get install tb-updater
Once the terminal completes, it may be necessary to go to Applications -> Internet and click “Tor Browser (AnonDist)”.
Now just wait…
It will do all the work for you. Stay alert: it will display some windows with warnings (READ ALL of them; you will understand), and when it re-verifies the signature it will print something like ‘Good Signature.’ If it doesn’t show this, abort the installation.
Once the installation is complete, open the Tor browser
Open the Tor Browser: Launch the Tor Browser on your device.
Access settings: In the upper right corner, click on the icon to open the menu and select “Settings” or “Preferences.”
Select “Connection”: Within the settings, you will see the available configuration options.
Bridge Configuration: Go to the “Select a Built-In Bridge…” button and click on it.
Choose obfs4: Within the bridge options, choose “obfs4.”
Click OK and Restart: After entering the bridge information, save the settings and restart the Tor Browser.
To restart Tor, go to the ‘broom’ icon in the upper right corner.
Test the Connection: After restarting, check if the configuration is working correctly. Open the Tor Browser and confirm that you are using the obfs4 bridges to access the Onion network.
Installation Virtual Machine
When establishing a robust host infrastructure for conducting OSINT investigations, it is undeniable that we want to incorporate virtual machines into this environment. As mentioned earlier, the purpose of the host is to provide hardware resources to virtual machines, enabling them to operate at a secondary level. This approach offers a range of crucial advantages to the investigator, allowing for the execution of investigations through often disposable or dedicated test machines.
By employing virtual machines in this context, the security of the host is substantially reinforced. In the event that a virtual machine is compromised during an investigation, the underlying structure of the host remains resilient, making life more difficult for the attacker, as they will have to exert much more effort to reach the host machine. This additional layer of security provides the user with the ability to easily delete the compromised virtual machine and recreate it from scratch with just a simple click. This convenience not only minimizes the impact of potential breaches but also adds a significant barrier to the success of malicious attackers.
Therefore, in our investigation environment, we will install VirtualBox, as it is a user-friendly tool and, with proper precautions, a relatively secure one. Learn more here.
Open a terminal
Update the package lists:
sudo apt update
Install the Debian fasttrack signing key:
sudo apt install --no-install-recommends fasttrack-archive-keyring
Add the Debian fasttrack repository:
echo 'deb https://fasttrack.debian.net/debian/ bookworm-fasttrack main contrib non-free' | sudo tee /etc/apt/sources.list.d/fasttrack.list
Add the Debian backports repository:
echo 'deb https://deb.debian.org/debian bookworm-backports main contrib non-free' | sudo tee /etc/apt/sources.list.d/backports.list
Update the package lists again:
sudo apt update
Install VirtualBox and Linux kernel headers:
sudo apt install --no-install-recommends virtualbox-qt linux-headers-$(dpkg --print-architecture)
Add your current user to group vboxusers:
sudo adduser $(whoami) vboxusers
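A quick membership check, added here as an example and not part of the article or of Kicksecure, for the three groups created or used so far (console and sudo from Part 01, vboxusers from this step). Group changes only take effect at the next login, so it is worth confirming them before closing the root shell. The functions read membership from the text of /etc/group passed as an argument, so the usage comment shows the real call and the test data is a constructed sample.

```shell
#!/bin/sh
# Added example, not code from the article or from Kicksecure.
# Confirms that an account is in every group the setup steps add
# (console, sudo, vboxusers) by parsing /etc/group text.

# supplementary_groups USER GROUP_TEXT -> prints one group name per line
# GROUP_TEXT is the content of /etc/group (name:password:gid:member,member).
supplementary_groups() {
    user=$1
    printf '%s\n' "$2" | awk -F: -v u="$user" '
        NF >= 4 {
            n = split($4, members, ",")
            for (i = 1; i <= n; i++) if (members[i] == u) print $1
        }'
}

# missing_groups USER GROUP_TEXT [GROUP...]
# Prints the expected groups USER is not a member of, one per line, and
# returns 0 only when none are missing. With no GROUP arguments it checks
# the three groups the article adds.
missing_groups() {
    user=$1
    text=$2
    shift 2
    if [ $# -eq 0 ]; then
        set -- console sudo vboxusers
    fi
    have=$(supplementary_groups "$user" "$text")
    missing=0
    for g in "$@"; do
        if ! printf '%s\n' "$have" | grep -qx "$g"; then
            echo "$g"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Usage on the real machine (/etc/group is world-readable on Debian):
#   missing_groups "$(whoami)" "$(cat /etc/group)" && echo "all groups present"
```

If a group is listed as missing after the adduser commands above, re-run the corresponding adduser line; if they are present but ‘groups’ in your own session still does not show them, log out and back in.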
Done.
The procedure of installing the VirtualBox host software is complete.
To open VirtualBox, go to Applications -> System and click on VirtualBox.
Install Applications
In our journey to build a resilient Open Source Intelligence (OSINT) machine resistant to powerful adversaries, the implementation of additional software plays a crucial role. These tools are designed to ensure security and efficiency in information collection, thereby strengthening the integrity of our investigation.
Among the selected applications for this stage, notable ones include Veracrypt/ZuluCrypt, Bleachbit, Kleopatra and OnionShare. Each of these plays a specific role in protecting sensitive data, cleaning digital traces, ensuring online anonymity, and creating secure virtual environments, etc.
Note: There are other tools commonly used for OSINT, such as: Maltego, theHarvester, SpiderFoot, Recon-ng, Telepathy, and more…
But let’s remember that our goal here is to build a resilient machine for investigations. In my understanding, installing these tools is beyond the scope of what we are proposing here.
Continuing, let’s explore the installation of each of these 6 ‘standard’ applications to ensure that our OSINT machine is a robust and reliable platform in the pursuit of information securely and effectively.
Fortunately, there are two easy ways to install software on Linux, and in the case of Debian, which has been transformed into Kicksecure, we can do this through the terminal (which may involve additional steps, such as knowing the correct name of the software or downloading it before using the terminal, etc.). For this reason, let’s install our software using the Synaptic Package Manager, a user-friendly package manager.
### MINI TUTORIAL ###
Opening Synaptic:
You can find Synaptic in the applications menu or start it by typing ‘synaptic’ in the terminal.
Run Synaptic with administrator privileges using the command:
sudo synaptic
Exploring the Interface:
Synaptic will open with an interface divided into three panels: Categories on the left, Package list in the middle, and Package details on the right.
Use the search bar to find specific packages.
Installing Packages:
Browse the list of packages until you find the desired software.
Mark the package for installation by right-clicking or checking the box to the left of the name.
Click ‘Apply’ to start the installation process.
Install the following applications: Zulucrypt, Bleachbit, Kleopatra and OnionShare.
Finishing:
After completing the desired operations, close Synaptic.
Remember that the Synaptic Package Manager provides granular control over package management on Linux, making the process of installing, removing, and updating software efficient and user-friendly.
Restart the computer (optional).
Installation / Procedure for Morphing (part 02)
It is necessary to install the “curl” package.
To do so, follow the steps below:
Update the package list:
sudo apt update
Update the system:
sudo apt full-upgrade
Install the “curl” package. The use of the --no-install-recommends parameter with the apt command is, in most cases, optional.
sudo apt install --no-install-recommends curl
Done.
The installation procedure for “curl” has been completed.
Download the Kicksecure signature key and add it to the system with the following commands:
sudo torsocks curl --output /usr/share/keyrings/derivative.asc --url http://www.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion/keys/derivative.asc
Done.
Add the Repository
Add the Kicksecure APT Repository.
There are three options, listed below; we will choose Option A, as it is the most secure.
A: Onion Repository
B: Clearnet Repository via Tor
C: Clearnet Repository
Option A: Add the Kicksecure Onion Repository.
To add the Kicksecure Repository via Onion, install the “apt-transport-tor” package from the Debian repository.
sudo apt install apt-transport-tor
Next, add the Kicksecure APT repository, using the current Debian stable codename (at the time of writing, “bookworm”):
echo "deb [signed-by=/usr/share/keyrings/derivative.asc] tor+http://deb.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion bookworm main contrib non-free" | sudo tee /etc/apt/sources.list.d/derivative.list
Done.
Install the Kicksecure Package
Choose a Kicksecure package.
CLI Version: Exclusive command-line interface (CLI) version. This version does not modify the graphical environment of the system. It provides kernel enhancement, increased entropy, and other security features.
GUI Version: Similar to the CLI version, but installs the Xfce graphical environment and default applications. Useful if Debian was installed without a graphical environment, and you want the Kicksecure graphical environment (Xfce). This is the one we will choose!!
For host operating systems: kicksecure-xfce-host
Install a Kicksecure package, such as “kicksecure-xfce-host.”
To do this, follow the steps below:
Update the package list:
sudo apt update
Update the system:
sudo apt full-upgrade
Install the “kicksecure-xfce-host” package.
The use of the --no-install-recommends parameter with the apt command is, in most cases, optional.
sudo apt install --no-install-recommends kicksecure-xfce-host
Done.
You can follow the Kicksecure installation tutorial within Debian directly from the Kicksecure website by clicking here.
Post-Installation
Move the original file “/etc/apt/sources.list” to a temporary location (or delete it) as it will be replaced by “/etc/apt/sources.list.d/debian.list” from Kicksecure:
sudo mv /etc/apt/sources.list ~/
Configure the onionized Debian repositories. Open the file “/etc/apt/sources.list.d/debian.list” with the text editor “nano” and replace the existing content with the following:
sudo nano /etc/apt/sources.list.d/debian.list
If these lines are not already in your file, copy the lines below, paste them into the file, and save.
deb tor+https://fasttrack.debian.net/debian bookworm-fasttrack main contrib non-free
deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bookworm main contrib non-free
deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bookworm-updates main contrib non-free
deb tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion/debian-security bookworm-security main contrib non-free
deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bookworm-backports main contrib non-free
Press ctrl+O to save.
Press Enter.
Press ctrl+X to exit.
Confirm that the onionized repositories are functional.
sudo apt update && sudo apt full-upgrade
Done: your Debian has been through the Morphing process and is now Kicksecure, with the security features of a system hardened by default.
Congratulations if you’ve made it this far!
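To make the repository edits above reproducible, and to catch a stray clearnet entry before the next apt update, here is an added shell example that is not part of the original article or of the Kicksecure project. It writes the same derivative.list and debian.list content as the manual steps and then checks that every active deb line uses a tor+ transport; ROOT is a hypothetical parameter (use / on the real machine).

```shell
#!/bin/sh
# Added example (not from the article or Kicksecure): writes the two APT source
# files the Morphing steps create by hand, then verifies that every "deb" line
# uses a tor+ transport so no repository metadata is fetched over clearnet.
# ROOT is a hypothetical prefix: "/" on a real system, a temp dir for a dry run.
set -eu

KEYRING=/usr/share/keyrings/derivative.asc
KS_ONION=w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion
DEB_ONION=2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion
SEC_ONION=5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion

# write_sources ROOT SUITE -> creates derivative.list and debian.list under ROOT
# and parks the stock sources.list, which would re-add clearnet mirrors
write_sources() {
    root=$1; suite=$2
    dir="$root/etc/apt/sources.list.d"
    mkdir -p "$dir"
    printf 'deb [signed-by=%s] tor+http://deb.%s %s main contrib non-free\n' \
        "$KEYRING" "$KS_ONION" "$suite" > "$dir/derivative.list"
    {
        printf 'deb tor+https://fasttrack.debian.net/debian %s-fasttrack main contrib non-free\n' "$suite"
        printf 'deb tor+http://%s/debian %s main contrib non-free\n' "$DEB_ONION" "$suite"
        printf 'deb tor+http://%s/debian %s-updates main contrib non-free\n' "$DEB_ONION" "$suite"
        printf 'deb tor+http://%s/debian-security %s-security main contrib non-free\n' "$SEC_ONION" "$suite"
        printf 'deb tor+http://%s/debian %s-backports main contrib non-free\n' "$DEB_ONION" "$suite"
    } > "$dir/debian.list"
    [ -f "$root/etc/apt/sources.list" ] && mv "$root/etc/apt/sources.list" "$root/etc/apt/sources.list.clearnet.bak"
    return 0
}

# check_sources ROOT -> 0 only if the old sources.list is gone and every active
# deb line in sources.list.d uses a tor+ transport; 1 if any clearnet line remains
check_sources() {
    root=$1
    [ ! -f "$root/etc/apt/sources.list" ] || return 1
    grep -h '^deb' "$root"/etc/apt/sources.list.d/*.list | grep -qv 'tor+' && return 1
    return 0
}

# On the real machine, as root: write_sources / bookworm && check_sources / && apt update
```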
Now let’s continue our journey. Kicksecure is ready, but before restarting your computer, let’s make a few small but essential configurations.
Installing and Configuring the Firewall
To simplify the process, we will use an intuitive firewall, UFW/GUFW.
UFW (Uncomplicated Firewall) is a firewall tool for Linux-based systems that simplifies the process of configuring and managing firewall rules. It provides a command-line interface to control Netfilter, the Linux kernel’s firewall subsystem. UFW is designed to be user-friendly, even for beginners, allowing system administrators to protect their systems from unwanted traffic by intuitively defining firewall rules.
On the other hand, GUFW is a graphical interface for UFW. It provides a more friendly and visual way to configure the firewall on Linux systems, eliminating the need for the command line. GUFW further simplifies the process of creating and managing firewall rules, making it accessible to users who are not familiar with the command line. It is a useful tool to streamline firewall configuration on Linux desktops and servers, making network security more accessible to a broader audience.
### MINI TUTORIAL ###
To install GUFW, open the terminal and type the following command.
sudo apt install gufw
This command will install the firewall. Once the installation is complete, go to the “Applications” menu, point to “Settings,” and in the submenu, click on “Firewall Configuration.”
It will open the following window:
Enable the Profile:
- Click on “Status” to activate the profile.
Incoming and Outgoing:
- Mark both as “Deny” to block all incoming and outgoing traffic.
Access Rules:
- Click on “Rules.”
Add a Rule:
- In the bottom-left corner, hover the mouse and click the “+” sign (its tooltip reads “Add a rule…”).
Rule Type:
- Click on “Simple.”
Outgoing Configuration:
- Select “Outgoing” and choose the “Allow” option.
Set the Direction:
- In “Direction,” select “Out” (do not change the other options).
Add the allowed services and their associated ports:
“Name”: DNS, “Port”: 53 — Click on “+ Add”.
“Name”: HTTP, “Port”: 80 — Click on “+ Add”.
“Name”: HTTPS, “Port”: 443 — Click on “+ Add”.
“Name”: PRIVOXY, “Port”: 8118 — Click on “+ Add”.
“Name”: TOR, “Port”: 9050 — Click on “+ Add”.
Done: your firewall is now configured with the defined rules; it should look like the image below:
Click on the X to close GUFW.
To enable the Uncomplicated Firewall (UFW) at system startup, you can use the following command:
sudo systemctl enable ufw
Restart your computer.
During the boot screen, you will notice a change; you should see something similar to the image below:
Note that now GRUB displays text related to Kicksecure and no longer to Debian. Also, observe that there is an option “LIVE mode USER (For daily activities.)” Soon we will see how to use this option. For now, keep the option “Kicksecure GNU/Linux” selected.
Wait for the system to start and log in with your user.
Tor Service and Privoxy Configuration (Step by Step)
Tor is an anonymity network that allows users to browse the internet more securely and privately by hiding their identity and location. It works by routing internet traffic through a series of volunteer servers (nodes) worldwide, making it extremely difficult to trace the origin of the traffic. Tor is often used by activists, journalists, privacy advocates, and individuals who want to avoid internet censorship or surveillance.
Note: We are not talking about the Tor browser you installed earlier; now we are referring to Tor as a service. (Learn the differences).
Privoxy, on the other hand, is an open-source proxy server that further enhances privacy and security while browsing the internet. It acts as an intermediary between the user’s browser and the internet, allowing users to filter and customize web traffic requests. Privoxy can be used in conjunction with Tor to enhance privacy protection by blocking ads, malicious scripts, and other unwanted content. Learn more about Privoxy here.
Together, the Tor service and Privoxy form a powerful combination to ensure online anonymity and privacy. They enable users to browse the internet more securely, avoiding surveillance and tracking, while controlling and customizing web traffic according to their preferences. These tools are often used by those who value online privacy and want to keep their identity and web activities as anonymous as possible.
### TUTORIAL ###
Installation of Tor and Privoxy:
Install Tor and Privoxy with the following commands:
Note: Since you installed the Kicksecure Package, the Tor Service was automatically installed by default. However, to confirm, simply enter the following command in the terminal:
sudo tor --version
If it doesn’t appear, you will have to install it with the command below:
sudo apt install tor
Now install Privoxy with the command below:
sudo apt install privoxy
Tor and Privoxy Configuration:
Enable the Tor service to start automatically with the system:
sudo systemctl enable tor
Enable the Privoxy service to start automatically with the system:
sudo systemctl enable privoxy
Configure Privoxy to forward connections to Tor:
Open the Privoxy configuration file in a text editor, such as Nano:
sudo nano /etc/privoxy/config
Locate the line containing “forward-socks5” and remove the “#” at the beginning of the line to uncomment it.
Save the changes by pressing Ctrl + O to save, confirm with Enter, and press Ctrl + X to Exit.
Start the Tor and Privoxy services:
sudo systemctl start tor && sudo systemctl start privoxy
If necessary, restart the services:
sudo systemctl restart tor
sudo systemctl restart privoxy
DNS Configuration:
Open the DNS configuration file in a text editor, such as Nano:
sudo nano /etc/resolv.conf
Remove all existing lines and add the following lines to configure the DNS servers (use DNS servers of your preference if desired):
nameserver 9.9.9.9
nameserver 149.112.112.112
Save the changes to the file.
Protect the DNS configuration file against accidental modifications:
sudo chattr +i /etc/resolv.conf
Restart the services:
sudo systemctl restart tor
sudo systemctl restart privoxy
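Before relying on the chain, it is worth checking that the Privoxy forward line is really uncommented and that /etc/resolv.conf holds only the nameservers set above. The shell script below is an added example, not from the article or from the Tor and Privoxy projects; make_sample writes constructed miniature config files so the checks can be tried offline, and ROOT is a hypothetical prefix (empty on the real machine).

```shell
#!/bin/sh
# Added example (not from the article): verifies the Privoxy and DNS edits above
# took effect. ROOT is a hypothetical path prefix: empty on the real machine,
# a temp dir when trying the checks against the constructed sample below.
set -eu

# privoxy_forwards_to_tor CONFIG -> 0 if an uncommented forward-socks5/forward-socks5t
# line sends every request ("/") to the Tor SOCKS port on 127.0.0.1:9050
privoxy_forwards_to_tor() {
    grep -Eq '^[[:space:]]*forward-socks5t?[[:space:]]+/[[:space:]]+127\.0\.0\.1:9050[[:space:]]+\.' "$1"
}

# resolv_matches RESOLV_CONF -> 0 if the active nameserver lines are exactly the
# two resolvers set above, in that order (comments and blank lines ignored)
resolv_matches() {
    expected='9.9.9.9
149.112.112.112'
    actual=$(sed -n 's/^[[:space:]]*nameserver[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$1")
    [ "$actual" = "$expected" ]
}

# resolv_is_immutable RESOLV_CONF -> 0 if chattr +i is set (lsattr flag 'i');
# needs a real filesystem with attribute support, so it is left out of the sample run
resolv_is_immutable() {
    lsattr "$1" 2>/dev/null | cut -d' ' -f1 | grep -q 'i'
}

# check_tor_chain [ROOT] -> one PASS/FAIL line per check; returns 0 only if all pass
check_tor_chain() {
    root=${1:-}
    rc=0
    for check in "privoxy_forwards_to_tor $root/etc/privoxy/config" \
                 "resolv_matches $root/etc/resolv.conf"; do
        if $check; then echo "PASS: $check"; else echo "FAIL: $check"; rc=1; fi
    done
    return $rc
}

# make_sample ROOT -> constructed miniature config files (not real system files)
# mirroring the state after the edits above, for an offline dry run
make_sample() {
    mkdir -p "$1/etc/privoxy"
    printf 'listen-address  127.0.0.1:8118\n' > "$1/etc/privoxy/config"
    printf '#        forward-socks5   /               127.0.0.1:9050 .\n' >> "$1/etc/privoxy/config"
    printf '        forward-socks5t   /               127.0.0.1:9050 .\n' >> "$1/etc/privoxy/config"
    printf 'nameserver 9.9.9.9\nnameserver 149.112.112.112\n' > "$1/etc/resolv.conf"
}

# On the real machine: check_tor_chain && resolv_is_immutable /etc/resolv.conf
```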
Now let’s configure the proxy on the system. Some people prefer to set it up in the browser, but I prefer to apply it system-wide. For this, I recommend installing GNOME Control Center, which is an intuitive tool.
Open the terminal and type the following command:
sudo apt update
sudo apt install gnome-control-center
Once it completes the installation, continue in the terminal and type:
gnome-control-center
A screen will appear as below:
Go to “Network Proxy” and click on the “gear” icon for settings.
HTTP Proxy: 127.0.0.1 — Port: 8118
HTTPS Proxy: 127.0.0.1 — Port: 8118
Socks Host: 127.0.0.1 — Port: 9050
Ignore Hosts: localhost, 127.0.0.0/8, ::1
Now, as shown in the image above, configure your computer settings. When you finish, close the windows by clicking on the X.
Open Firefox and type: dnsleaktest.com
You should see an IP different from yours, meaning it’s not from your ISP.
Where are we?
You have installed a quality operating system;
You applied security settings by morphing your Debian with Kicksecure;
You implemented basic firewall security settings;
You configured a proxy under Tor with Privoxy;
Made some configurations and tested…
Password Manager
Password managers play a crucial role in digital security, allowing users to securely store and manage passwords. In the context of an OSINT (Open Source Intelligence) investigation machine, the importance of a password manager, such as KeePassXC, is particularly significant.
KeePassXC is an open-source tool that provides encrypted and secure password storage, which is crucial for protecting confidential information during OSINT investigations. The sensitive nature of the collected information requires researchers to have full control over the passwords used to access data sources, such as social networks, news websites, and public databases.
KeePassXC allows users to create strong and unique passwords for each service, thus avoiding risks of account compromise and information leakage. Additionally, the password manager facilitates organization and secure access to the necessary credentials, making OSINT investigations more efficient and reliable. This is especially important as the quality of the collected information and the security of operations are crucial in investigations involving the analysis of open data sources.
To use KeePassXC, no installation is necessary as it is a default tool in Kicksecure. You can simply go to the ‘Applications’ menu -> ‘Accessories’ and click on ‘KeePassXC.’ The KeePassXC initial screen will open, as shown below:
### MINI TUTORIAL ###
Open KeePassXC
User manual link for KeePassXC. Click Here.
Launch KeePassXC on your computer.
Create a New Database
In the main menu, click on “File” and select “New Database.”
Choose the Location and Name of the Database
Select where you want to save the database and give it a name.
Remember to choose a secure location.
Set a Strong Password
Create a strong password for your database. I recommend using a password generated by a password generator like Diceware. Ensure the password is long, unique, and includes special characters. Learn more here.
Securely Store the Password
As suggested, it’s a good practice to write the password on paper and store it in a secure location until you memorize it. Make sure this paper is in a private place.
Complete the Database Creation
After entering the password, click on “Create Database” to complete the process.
Start Adding Passwords
Now that the database is created, begin adding your passwords and important information to KeePassXC.
Click on “Entries” and then “New Entry…”
Simply follow the steps.
Remember, the security of your database heavily depends on the strength of the master password. Ensure to protect it properly.
Conclusion:
In analysing the challenges inherent in high-impact investigations against determined adversaries, exemplified by autocratic countries with ties to criminal groups, we identified the complexity and sensitivity of these situations. We faced critical technical issues that demand seriousness and responsibility, such as the possibility of sophisticated attacks and the compromise of the team’s devices, which could result in significant damage and risks to the investigators’ identities.
Throughout the journey, we meticulously explored the most robust HOST systems and, ultimately, detailed a complete step-by-step guide. This guide provides the foundation for creating a resilient HOST machine, crucial for operations in high-risk environments.
In this context, setting up a secure HOST environment becomes not only an essential measure but the indispensable foundation for team protection, ensuring effective defense against determined adversaries with almost unlimited resources.
NOTE ON TECHNICAL ISSUES
I understand that building a HOST machine resilient to determined adversaries, especially autocratic governments and criminals, can be challenging, as I mentioned at the beginning of the text. This material is advanced, and it’s completely understandable if you couldn’t follow all the steps. I recognize that what may seem easy for some people can be complex for others. So, if you encountered any difficulty at any point in the tutorials and had to interrupt the process, please don’t hesitate to contact me. I am here to assist you in overcoming any technical issues, ensuring that you successfully complete your journey. My email is: mauriciolimaosint@protonmail.com