Law enforcement investigations are adapting with the changing times as people increasingly put themselves “out there”
By:
Eric De Grasse
Chief Technology Officer
18 June 2020 (Paris, France) – Data is like water: it leaks. Often, it leaks from unexpected places. Cameras are everywhere, whether it’s protestors’ iPhones, news organizations covering the crowds, or the surrounding buildings’ CCTVs. And your social media chatter is everywhere.
So if you set a cop car on fire, the chances are the cops will eventually find you. It’s just a question of how quickly. Law enforcement investigations are adapting with the changing times as people increasingly put themselves “out there” online in ways they don’t fully appreciate at the moment or even remember later on. They pull one thread in the morning … and they’ve got it all figured out by lunchtime. Or in this case, in two days.
Protests over the police killing of George Floyd have swept the U.S. for weeks. Thousands of people have filled the streets of cities all over the U.S. to protest systematic police brutality and racism, ignited by the video of a Minneapolis police officer kneeling on Floyd’s neck for more than eight minutes.
A small minority of the people in the streets have vandalized property, and the police are finding novel ways to use social media and other internet breadcrumbs to find and arrest them, highlighting how some people can be identified and arrested via scant, obscure information on the internet.
Yesterday, prosecutors announced that they charged a woman for allegedly burning down two Philadelphia police cars on May 30, accusing her of arson. FBI agents were able to identify her thanks to an investigation that largely relied on data freely available online, based on aerial video taken the day of the protests, Instagram pictures, photos taken by an amateur photographer, and – crucially – a forearm tattoo and an Etsy t-shirt.
A series of photos and videos taken at the scene show a woman using a burning piece of wood from a police barricade and throwing it on the rear window of a police sedan that was already on fire. The woman then takes the burning wood and uses it on a police SUV that was not on fire.
This case highlights how law enforcement is getting better at using open source intelligence – or OSINT – on the internet, how hard it is to blend in and protect your identity when protesting in public, and how videos and photos posted of protests can help amplify them, but also come with risks for people who are there.
The FBI agents analyzed on-the-ground video, aerial video and photographs recorded by local news and posted to Vimeo and Twitter that showed the scene: people breaking windows in Philadelphia on May 30, and a woman burning down two cop cars, according to an affidavit signed by one of the FBI agents investigating the case.
NOTE: the techniques utilized by the FBI were understandably brief in the criminal complaint but will surely be scrutinized during the course of defense’s pre-trial investigation of the case.
The agents were able to find Instagram pictures of the incident (some seen above), but then obtained more than 500 photos from an amateur photographer who was at the protests that day. One of the pictures showed the writing on the woman’s t-shirt: “KEEP THE IMMIGRANTS, DEPORT THE RACISTS,” the FBI agent explained in his affidavit.
The police searched social media sites (Poshmark, Reddit, etc.) and as it turned out, this was a custom made t-shirt sold on Etsy. Since then, Etsy has removed the tee shirt from its site.
Then it got interesting ….
The FBI agents saw that an Etsy user named Xx Mv, whose personal Etsy URL was “alleycatlore,” which described herself as living in Philadelphia, had posted a review after apparently purchasing the tee-shirt.
The FBI then Googled “alleycatlore” and found a user named “Lore-Elisabeth” on the mobile fashion store Poshmark. Another search for “Lore Elisabeth Philadelphia” led the agents to a LinkedIn page for a woman who works as a massage therapist for a company in Philadelphia.
On that company’s website, there are videos of massages hosted on Vimeo. One of the videos shows the tattoo that is visible on the woman’s forearm in one of the Instagram pictures that the FBI found.
The agents found a phone number for the woman on the website and then used a “reverse phone book” (there are scores of these on the web) to identity the woman’s address. Then they used the DHS Electronic System for Travel Authorization, a government system that tracks U.S. foreign travel, to find her DMV photo and confirm her address, according to one of the court-filed documents.
At the same time, Etsy provided purchasing records following a subpoena, which confirmed the “Xx Mv” user had purchased two “KEEP THE IMMIGRANTS, DEPORT THE RACISTS” t-shirts, one in the same color as the shirt that appeared in the photos. The subpoena also revealed the shirts had been sent to a Lore Elisabeth in Philadelphia, according to the FBI agent.
At that point, the FBI had enough evidence to arrest the woman, who is now in jail and appeared in federal court on Tuesday.
This investigation is a great (if unnerving) example of just how much one can find out with just an internet connection. In the past, news organizations such as Bellingcat or The New York Times Visual investigations team have used similar techniques to break major news stories such as the identity of several Russian spies, or to reconstruct the murder of journalist Jamal Khashoggi. And this story just lightly scrapes the surface of the OSINT tools that are available in the open market. market. We use 10 such tools for our media work to collect and correlate information across audio, video, image, text file, etc. Just attend events like Black Hat or FIC and you’ll learn about all of the tools out there.
And this “setting a cop car on fire” story is also a great reminder that any image of protests that users share on social media could help inform law enforcement investigations, even if that wasn’t the user’s intention.