A College Project Got Me Tracking Terrorists on Image Boards

While conducting research for one of my college papers, for my Digital Forensics class, on steganography, I decided to give steganography analysis a go myself, to see how accurate the news articles I had found were regarding terrorist organizations using steganography on social media, and to have demonstrable information for the paper.

Checking the popular imageboard 4chan, I came across this photo, posted by an anonymous user on the Random section of the website, also known as the /b/ board. The picture was found and stored in a thread asking for advice about family issues; the original poster was looking for advice on leaving home and starting their life. While looking through the comments, I came across this post, which I have had to redact as it contained not-safe-for-work imagery in the form of a nude photograph.

In the context of the thread and the conversations happening in it, this photo and comment were very out of place; checking the poster ID, this was the only post from that ID in the conversational thread. The photo was a .png; I took a hash of the file and, after some checking around, this hash was not found posted or checked in other locations.

I downloaded the image in a sandbox and ran it through a tool I downloaded from GitHub and hosted locally, which can be found here:

https://stylesuxx.github.io/steganography/

I was able to pull information from the photo: it had the following text hidden inside the image: “My Brother showed them this {mega.nz link}”.
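As an added illustration of the kind of least-significant-bit (LSB) extraction such a tool performs, the snippet below is example code written for this article, not the stylesuxx tool's code or its exact format: the length-header LSB scheme, the RGB pixel buffer and the hidden text are all constructed for the demo. It hashes the artefact first (as done above for the PNG), checks a cheap LSB statistic as a triage signal, and then reads the embedded text back out.

```python
import hashlib

WIDTH, HEIGHT = 32, 8  # constructed cover size: 32 * 8 * 3 = 768 byte samples

def make_cover(width=WIDTH, height=HEIGHT):
    """Constructed cover: a gradient with every LSB cleared, so the LSB
    statistic below moves visibly once a payload is embedded."""
    return bytearray(((x * 7 + y * 13 + c * 31) % 128) * 2
                     for y in range(height) for x in range(width) for c in range(3))

def fingerprint(pixels):
    """Hash the artefact before analysis, as the write-up does for the PNG."""
    return hashlib.sha256(bytes(pixels)).hexdigest()

def embed_lsb(pixels, message):
    """Assumed scheme (not the stylesuxx format): 32-bit big-endian length
    header, then UTF-8 text, one bit per sample in the least significant bit."""
    data = message.encode("utf-8")
    payload = len(data).to_bytes(4, "big") + data
    bits = [(b >> i) & 1 for b in payload for i in range(7, -1, -1)]
    if len(bits) > len(pixels):
        raise ValueError("cover too small for payload")
    out = bytearray(pixels)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit  # clear the LSB, then set it
    return out

def extract_lsb(pixels):
    """Forensic read-out: rebuild bytes from LSBs; None if the header is not plausible."""
    def read_bytes(offset, count):
        vals = bytearray()
        for i in range(count):
            byte = 0
            for j in range(8):
                byte = (byte << 1) | (pixels[offset + i * 8 + j] & 1)
            vals.append(byte)
        return bytes(vals)
    length = int.from_bytes(read_bytes(0, 4), "big")
    if length == 0 or length > (len(pixels) - 32) // 8:
        return None  # empty or oversized length: no message, or not this scheme
    return read_bytes(32, length).decode("utf-8", errors="replace")

def lsb_ones_ratio(pixels, n=None):
    """Share of set LSBs over the first n samples. Embedded text pushes a clean
    LSB plane toward ~0.5: a cheap triage signal, not proof, before extraction."""
    region = pixels[:n] if n else pixels
    return sum(b & 1 for b in region) / len(region)
```

Real photographs already carry noise in their LSB plane, so on real files the ratio is only a hint and the extraction itself (with the correct scheme) is what confirms a hidden message.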

Researching this tool further: since it is an open-source tool, it would not be usable in court in many cases, as I was unable to find any use cases that may have set a precedent for the tool being used in forensic evidence collection.

So, for the purposes of the research and demonstration, I could not leave it there; I had to dig further.
 
For the purpose of investigations like this, I have a system set up: an imaged virtual machine hosted on a VM server, with all traffic routed through Whonix (the Tor onion network). The network portion of this system is a 4G setup with a 4G router (non-wireless) and a pay-as-you-go burner phone number registered to a John Doe of Box Road. The goal of this setup is to investigate these sorts of cases with an attempt at maximum operational security, making this VM next to untrackable. For the security of my home network, this network is air-gapped from the home network, with the only way to connect to these VMs being a dedicated CAT-6 cable to a secondary system.
 
This network can be slow, but it is important when it comes to investigating cases like this. Going through this system, I was able to check the link and find out what was on the Mega. As you can imagine, I was very nervous: it could be anything from videos, documents or software to even orders to carry out attacks. Going to the link, I was immediately shown a video player on the mega.nz website, and the video started playing automatically.
 
The video that was displayed was nearly 1 hour long and seemed to be a long propaganda video from ISIS, meaning there is a possibility that the shared link is being used as a recruitment tool, or by a possible “lone wolf” for motivation to perform attacks. This placement and attempt at recruitment could be because the original poster seemed depressed, lonely, and not feeling part of events or groups.
 
It is also highly possible that a future investigation would find the link was posted by an internet troll, with the intent to “troll” users or people looking for this kind of information on the website. Without more in-depth research or time spent searching up linked sources, it is currently inconclusive, even though possible evidence was found.

Unfortunately, due to time limitations, and legal limitations on obtaining more information such as IP addresses and possibly accurate location data, I was unable to do any more during this investigation.

The findings were submitted to the appropriate authorities for further investigation; in this case, it was via the Federal Bureau of Investigation to their Counter-Terrorism Center. There was no follow-up from the FBI after the investigation, so the current status of this evidence is unknown. Before anyone objects to publishing evidence: it has been over a year from the submission of this intelligence to the posting of this information, and the video has long since been taken offline.
