How the cops find you
Posted: Tue Jan 16, 2024 9:39 pm
Hello. In this article I will talk about how the state and the security agencies find you, how they document what you do once they have found you, and how they make sense of your other actions.
NOTE: IN CASE OF INCORRECT USE OF THIS TOPIC, RESPONSIBILITY LIES WITH THE PERSON.
This way you can understand how the judicial units work and take appropriate precautions. Let me get to the point without further ado, because this is going to be quite long.
1 - How does the state find ordinary people?
In fact, if this were the 2010s it would be natural not to know about this, but by now everyone is aware of it: everyone knows that what they write on Twitter will be known the next day, and that they will be found as a result of that message. Let me explain how the process works with an example. Let's say a person named Ali Safkan wrote something on Facebook that he shouldn't have written, he was reported, and the post was sent to the cyber department. What they have to do in this case is now very simple. They don't even need to analyze the Facebook account, because Ali is registered under his real name and there is a photo of him on his profile. This is not conclusive evidence that it is Ali himself rather than a fake account, but they still call him in to testify and he explains the situation; even if it turns out to be him and he deletes his Twitter, the evidence can still be accessed, because the backup copies are at Facebook. If it is confirmed that the account was not Ali's, but that someone forged his identity and wrote something similar in his name, then this time they request data from Facebook. From that data they can obtain all the logs of the device, IP and MAC addresses, location data, and so on. I would like to set this question aside, because from the moment the obligation to open a representative office in Turkey was introduced, Facebook and the other platforms have been required to transfer data to Turkey and allow it to be backed up there. Previously the system worked like this: if you did not close your account, the prosecutor's office could somehow gain access to your data, but if you closed your account and the reason for your prosecution is not considered a crime in the country where Facebook is headquartered, then Facebook is not obliged to provide this data.
For example, if a person was a terrorist sympathizer and the US did not designate the group as a terrorist group, Facebook was not required to provide data. Naturally, if this person did not directly provide his name, photograph, etc., it was impossible to find him. Now that this data is stored in Turkey, it can be accessed by anyone and transferred to government agencies. Let's say we got the data, but he used a VPN, so even though the data was obtained from Facebook, his real IP address is masked. In this case the procedures described in section 2 apply.
2 - VPNs and Proxies
In this case the police have a fake account and an IP address belonging to an ordinary VPN server. There are several ways to get to this person, depending on the situation. Let's continue with the Ali Safkan example: someone forged Ali's name, inappropriate posts were made in his name, and after the account details were received it became clear that he was using a VPN service. This VPN company may keep logs, or it may not (or may merely claim not to).
If a company clearly states that it stores your data and shares it with third parties, then it will share everything about you, and I mean everything. Although this depends on the VPN service's user agreement, it may include the following information, together with the time it was collected:
The sites you visit
Your search history
Your cookies
Your keyboard history (?)
The information you used when opening your account
Your location information...
Even if it doesn't provide this information, it has already shared your IP and MAC address. The person who opened the account under the name Ali Safkan turned out to be his 60-year-old teacher at school, who was taken from his home / summoned to the police station. For VPN services that claim to keep no logs, things are different: they may not share your information (they need to have the data to do so, but they claim to keep no logs). In fact, in most countries this is against the law, and they have to state it in a disclaimer that you never read.
They must take some precautions to avoid committing a crime, and for this they can do the following: lie to you and work in partnership with the police; get hacked; or genuinely not share data, although since each country has different laws, the situation may develop differently in some countries. (I'm completely making this up: it doesn't store your data when you connect to a US server, but it may store your data on a Dutch server; it's not where you connect from, but what you connect to, that matters.) Of course, you can't know whether they do this or not. Needless to say, even if the founder of the whole company is not found guilty, there is another way out: they can punish them just fine.
For example: Mega Upload (now Mega) was closed in 2011 and its founder was jailed for several years. The reason for the imprisonment was that attackers uploaded low-quality content, so all the data uploaded to the site was deleted and its owner was sent to prison. Since then I don't store my important data on a single cloud service (if I do, they might suddenly delete it).
3 - TOR
Secret services and the vulnerabilities of the TOR protocol: as you all know, the TOR network routes you through three nodes and encrypts your traffic at each one, making your data much harder to trace because it is encrypted at three levels. There are also servers/sites that can only be reached through the TOR protocol. These are called hidden services.
Actually, this term does not refer only to TOR; there are also hidden services on I2P, YGGDRASIL and LOKINET, which are likewise part of the Deep Web.
Even if you use multi-level encryption plus external anonymization tools, you should know that you will most likely be found sooner or later. In fact, contrary to popular belief, TOR is not perfect: you can be found using 4 different types of attack.
A - User Analysis: As we know, TOR has an entry node and an exit node. Websites can see your exit node, and your ISP can see that you are connecting to the entry node and exchanging data. Using this information they can also obtain information about you. The HTTP traffic between the exit node and the target site is analyzed. If you log into your personal, non-anonymous accounts through TOR, then all the traffic you generated on that exit node is assumed to belong to you. They correlate the times you use TOR and the regular Internet and obtain information by observing your actions.
They compare anonymized and non-anonymized users, and if you show similar characteristics they can match you. (I'll cover this in future articles.) Government agencies can also de-anonymize you by examining the cookies in your browsers. As you can see, this method is actually very simple.
B - Passive traffic analysis:
This analysis is similar to user behavior analysis but differs from it: user behavior analysis depends on unsafe user activity, while passive traffic analysis scans the activity between the computer, the browser and the network. For example, every user has a combination of software and hardware: an operating system and its version, installed patches, browser version, screen resolution, system clock, language, and other similar hardware and software characteristics. If the same combination occurs both in TOR and in regular Internet traffic, it is possible to link them together and identify the user. However, separating and classifying billions of Internet users this way is very difficult and tedious. For maximum protection, do not use TOR in full-screen mode, keep TOR Browser and your other software up to date, and make sure you do not share your data with third-party companies in your daily life.
C - Malicious penetration of nodes:
The TOR network is made up of thousands of volunteer-run nodes, and data is distributed by passing through these nodes in a random order. Here a person may appear among the TOR nodes who adds his own network and then hosts his own node. Thanks to his own network traffic he can see the data coming in and going out, and the users, but since it's all encrypted he can't decrypt it; to decrypt it he needs to own the entire path you're passing through. To do this he must add more nodes and hold a large percentage of the nodes in TOR. In other words, all communication from your entry node to your exit node must pass between that fellow's nodes; if he can manage that, he will be able to know who you are and see your network traffic. But the probability of this is very low, so let me give you the pre-calculated probabilities. As of 2021 there are 9000 nodes running on the TOR network; if a guy added 3000 nodes to that network of 9000, and he is talented and rich enough to add 3000 nodes, then he owns 30% of the network, right? Yes, but in this case, to identify you, the remaining 60% must be left out entirely, and the probability of this is only 2.7% when connecting through 3 nodes. It is not impossible, but it is rare. Additionally, TOR is not a static thing, as it constantly receives active updates; still, this is not impossible. Just 1 year ago, if 3-4 large countries had tried to implement this and planned it secretly from the TOR team, no one would have heard a word. There is money, volunteers have been found, although they have not carried out any activity for several years. Maybe one day they will identify everyone and try to take everyone from their homes. These are just assumptions, but the likelihood is not so small. Although protection against this is limited, you can reduce the risk by using a bridge; a VPN, VDS or proxy can also help you with this. Also, keep your identification up to date, just in case.
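The 2.7% figure above is 0.3 cubed, the chance that all three hops of one circuit land on the same operator's relays. As an added example (not from the original post), the script below works that out and also shows the two numbers a defender actually cares about: the chance that only the entry and exit are owned, which is already enough for timing correlation, and how that chance accumulates over many circuits. It assumes every relay is equally likely to be picked for each hop; real Tor weights selection by bandwidth and keeps one guard for months, so treat these as order-of-magnitude figures.

```python
"""Added example: rough odds that an operator holding a share of Tor relays
ends up on your circuit. Uniform relay selection is assumed (a simplification:
real Tor weights by bandwidth and pins a guard), so these are rough figures."""
import math


def _check_fraction(p: float) -> None:
    if not 0.0 <= p <= 1.0:
        raise ValueError("shares and probabilities must lie between 0 and 1")


def p_full_path(share: float, hops: int = 3) -> float:
    """Chance that every hop of one circuit is an adversary relay.

    For share=0.30 and three hops this is the post's 2.7%.
    """
    _check_fraction(share)
    return share ** hops


def p_guard_and_exit(share: float) -> float:
    """Chance that both ends of a circuit belong to the adversary.

    Seeing the entry (guard) and the exit is enough to correlate timing and
    volume, so this is the figure that matters for de-anonymisation. It is
    larger than the full-path figure because the middle relay need not be owned.
    """
    _check_fraction(share)
    return share ** 2


def p_at_least_one_of(n_circuits: int, p_single: float) -> float:
    """Chance that at least one of n independent circuits is compromised."""
    _check_fraction(p_single)
    return 1.0 - (1.0 - p_single) ** n_circuits


def circuits_until(target: float, p_single: float) -> int:
    """Smallest number of circuits at which the cumulative chance reaches target."""
    _check_fraction(target)
    _check_fraction(p_single)
    if target >= 1.0 or p_single <= 0.0:
        raise ValueError("target must be below 1 and p_single above 0")
    if p_single >= 1.0:
        return 1
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - p_single))


if __name__ == "__main__":
    share = 0.30  # the post's scenario: one operator holding 30% of the relays
    print(f"all three hops owned: {p_full_path(share):.1%}")
    print(f"guard and exit owned: {p_guard_and_exit(share):.1%}")
    for n in (1, 10, 100):
        print(f"{n:>3} circuits, guard+exit owned at least once: "
              f"{p_at_least_one_of(n, p_guard_and_exit(share)):.1%}")
    print("circuits until a 50% chance of guard+exit: "
          f"{circuits_until(0.5, p_guard_and_exit(share))}")
```

The takeaway is that a single circuit is rarely fully owned, but a long-lived activity that builds many circuits against a 30% adversary crosses even odds within about eight circuits under these simplifying assumptions.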
D - Node formation
In fact, there is another attack method that partly contradicts the section above. In this case an attacker can rearrange TOR so that you pass through their nodes, if the node you are visiting is theirs. However, to do this they must get you to download a modified, unofficial version of TOR. Preventing this is also up to you. In the same way they may succeed in infiltrating your network and your computer, but that is already dangerous for them in all likelihood. You can also check the TOR signature and make sure you are downloading the original file. I don't know the exact Turkish equivalent of "signature", but the idea is that any file you download is encrypted and a string of random-looking characters is assigned to it. So if you change even the slightest detail of the TOR Browser installation file, this hash will change from beginning to end, and naturally it will not pass verification.
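To show what "the hash changes from beginning to end" means in practice, here is an added example (not code from the original post or from the Tor Project) that checks a downloaded installer against a published SHA-256 sum and then flips a single bit to see how much of the digest changes. The installer bytes and the "published" digest are constructed inside the script for the demo; in real use the digest comes from the Tor Project's download page, and the PGP signature is checked separately with gpg --verify.

```python
"""Added example: verify a download against a published SHA-256 digest and
demonstrate the avalanche effect that makes a tampered installer fail the check.
The file contents and the published digest below are constructed for the demo."""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of a byte string."""
    return hashlib.sha256(data).hexdigest()


def verify_download(data: bytes, published_sha256: str) -> bool:
    """True only if the digest of the bytes matches the published hex digest.

    hmac.compare_digest compares in constant time, and the published value is
    normalised so that upper-case or whitespace-padded copies still verify.
    """
    return hmac.compare_digest(sha256_hex(data), published_sha256.strip().lower())


def verify_file(path: str, published_sha256: str, chunk: int = 1 << 20) -> bool:
    """Same check for a file on disk, hashed in chunks so large installers fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return hmac.compare_digest(digest.hexdigest(), published_sha256.strip().lower())


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Number of the 256 digest bits that differ between two hex digests."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def tamper(data: bytes, offset: int) -> bytes:
    """Flip the lowest bit of one byte: the smallest possible modification."""
    buf = bytearray(data)
    buf[offset] ^= 0x01
    return bytes(buf)


# Constructed stand-in for an installer (a real one would be read from disk).
GENUINE_FILE = b"tor-browser-installer-demo\x00" * 1024
# Constructed "published" digest: in practice this is copied from the vendor's
# download page, fetched over a channel separate from the file itself.
PUBLISHED_SHA256 = sha256_hex(GENUINE_FILE)


def demo() -> dict:
    """Run the check on the genuine bytes and on a one-bit-modified copy."""
    tampered = tamper(GENUINE_FILE, 100)
    return {
        "genuine_ok": verify_download(GENUINE_FILE, PUBLISHED_SHA256),
        "tampered_ok": verify_download(tampered, PUBLISHED_SHA256),
        "bits_changed": differing_bits(sha256_hex(tampered), PUBLISHED_SHA256),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A one-bit change in a 27 KB file flips roughly half of the 256 digest bits, which is why a modified installer cannot pass verification even if the attacker only changes one byte.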
4 - Finding even the most anonymous people using OSINT;
Actually, I'm almost too lazy to say this: they can find you somehow using your online data and the information you disclose. This includes the metadata of the files you upload, your writing language, your interests, and the methods I mentioned in other articles. In other words, they can find you by turning everything you own into concrete evidence. Honestly, OSINT has given me the information I needed on a lot of people, and it has worked out very well. If you want, I can share another post with live examples of OSINT, but this article is already too long and I don't want to lengthen it for the sake of something famous. The next article is already quite long.
5 - Collection of evidence from physical devices, recovery of deleted data, recovery of broken equipment;
Let's say you are found guilty and your devices are confiscated for examination. They'll look at your web search history first, but they can get that from your web data, so they don't necessarily need to access the data on your hardware. And this data is not limited to search history: browsing history, Google accounts, mail, WhatsApp, Meta, Discord, conversations and everything else you can think of is checked one by one, and after checking, all of it can be used against you according to the crime you committed.
Let's talk about the hardware. Let's say they took your computer and started breaking into it. If there is a password in front of it they can ask for it, but there is no need: cracking the Windows password is very easy (Linux is not very difficult either, but if they are not used to it they may have to try a little; it won't hurt them). They retrieve the information they need through various applications and don't bother searching manually one by one; the process is just waiting for the data to be retrieved and made available, so it only depends on the processing time of the installed software. It doesn't require much technical knowledge, and something similar can even be found in Kali.
They can document data that will be useful here as evidence and also complete the recovery process successfully. As you know, on older hard drives files can be overwritten 34 times to make them unrecoverable. If you don't do this, they can still recover your data using simple programs; it's not a complicated process, it can take a long time, but it won't bother them much. And you know why it won't get boring: the main task was to find you, and since they have completed it successfully, there is very little left. How will they recover the data you encrypted? This is perhaps the hardest part for them. They can also crack your passwords by brute force, but it's not that easy, my friend: if you have a long password, it becomes harder and harder for them to find it, because the effort grows exponentially with every character. Cracking the password of archive files (RAR, ZIP, etc.) is not too labor-intensive, since trying to guess a password does not take much time, but cracking it by brute force may not work. At the same time, you should remember that they can be cracked using supporting software such as HashCat. Therefore, use reliable and modern encryption methods.
If you want to use a truly unbreakable password, encrypt the drive on which the data is stored (easiest: a USB stick or an external SSD). If you encrypt it with the second version of LUKS, then even HashCat and similar programs will not be able to crack it. A few weeks before this article was written, activists were raided; they had stored their data in an encrypted Tails OS storage installed on a USB drive, and the police had no concrete evidence.
I hope I was able to help somehow, you can ask questions in the comments or in a private message.