Transcript

Hello and welcome to the next edition of, the Forensic Impact blog. I’m Amber Schroader. I have been off the video blog for a hot minute because I have broken my ankle, as you can see by my scooter. This is the best background I can get going right now.

So, this week I am going to go through creating a good sock puppet or actor. Now, if you don’t know what a sock puppet is, these are investigative accounts often used in OSINT of fake people that we create to be able to investigate other parties, look into what they might be doing in different social networks, different things like that.

I also call them actors because I feel like I’m a director telling them what to do. I like the term actor as well. When you go through and you create a sock puppet and you’re using it in either OSINT investigations or for my DFIR, for people out there, I use my same sock puppet to create all of my test validation data.

In order to have the information about a particular app, different things like that, oftentimes I have to create some test data. I might as well create a good sock puppet that allows me to use it for both sides of my investigative practice or issues that I may be looking into.

Step number one, what you’re going to do for a good sock puppet requires not only your intellectual investment in time, but it also requires just a tiny bit of financial investment. I say that because to have an excellent sock puppet, what you want to do is you want to go out and get an active burner number that you can then use to be able to do two-factor authentication with all these different apps and social networks.

Now you’re thinking, great, I don’t want one more phone number in my life. But believe it or not, this is going to be beneficial to both parties, both OSINT and DFIR, because you’re going to be able to create a full, well-rounded sock puppet and testing account. I always have two different devices that I use when I’m going and doing a good sock puppet account.

You can see based on this one, you know, this is my sock puppet phone because on the back of it, I have the identity, the phone number, and some of the basic details associated with it. Because I always have a lot of phones on my desk, and let me tell you, I won’t remember which one is which. I invest heavily in my test accounts because I want to use them for the DFIR side as well. You might have noticed this is a Pixel device. I also have an iPhone device. I picked up from eBay.

I added a burner account, sim card, or account into each one of them, and I chose to maintain it. Now everyone’s like, okay, great, I get it. I need a burner phone number, but I’m not going to pick something close to my location in Tennessee. I’m going to pick something far away from it. I’m going to pick a phone number that goes to California. That’s where you start making mistakes. A good sock puppet must have legitimate details that come from the different posts that match up with that number. Remember, technology is getting smarter. This is the whole rise of AI, the rise of the machine. We’re going to have a terminator moment at any time. Just wait for it. Skynet is on its way. So, keeping that in mind, I picked a phone number for where I can lay down geolocation data. I only turn on geolocation data with my sock puppet when I’m in the legitimizing stage of it.

So that’s the first 30 days of having that sock puppet account. I will go through, and I pick a number that is with many of the different phone number options that I have here in Tennessee. And then I make sure that I go and get geolocation data associated with it. I’ll take a picture of a landscape. I’ll do those different things. I make sure I’m legitimizing what that sock puppet is. The next thing after I get that phone number and I pick the area code that it’s associated with, and I know I’m going to give it its legitimacy in that 1st 30 days is I start a Gmail account.

 Everything in the world starts with Gmail. It’s kind of funny. Um, I very rarely meet anyone who doesn’t have a Gmail account. So, your sock puppet needs one too. When you go through and you do your sock puppet Gmail, make sure you pick a good name. And I know you’re thinking, Ima Bell or something clever like that. Those are good names for your sock puppet. They’re not. Be boring and legitimate. Don’t go with Smith or Jones or things like that. Try to pick something that you know is going to be relatable and something that’s going to be easy for you to remember. So, pick that accordingly. I’m going to pick a stupid name right now because it’s not a good choice. I’m going to pick, um, John Jones. Very generic, very normal. Sorry if anyone out there, your name is John Jones, not picking on you, but that’s not usually a choice I would make with my sock puppet. I try to be slightly creative and not too far off of the range. I don’t go with anything like, Ima Bell I want to keep it legit. As I pick that, I get my Gmail account associated with it. Next in our Gmail stage, I go in and sign up for different newsletters that are going to give more value to what my sock puppet has for you.

DFIR investigators this will start populating your email account. Remember, you can always transfer your email account to a different mail client to immediately have test data for it. So, I sign up for everything from the different crafting ones if I’m working with a woman, to all the sports ones if I’m working with a male sock puppet. Depending on what their interest might potentially be, I still keep it relatively generic and stereotypical and get them so they’re receiving some emails in there that’s going to get them interested.

The next thing I’m going to do is to give them a face. So, when I give them a face, um, I’m not going to give my sock puppet my face. That would be silly. That’s going to eventually come back at me and make it, so my sock puppet is no longer legitimate. But what I do is I get a little bit creative. I did tell you had to invest a tiny bit in your sock puppet. So, with me, what I do is I will go, and I have a wig and I can put on that wig. It changes my hairstyle, and I can take off glasses, I can add glasses. I do a little bit of that costuming side of my sock puppet for you men out there. You might add a hat, or you might add glasses. I get that you’re probably not going to want to do a wig, but you can do those little things. And sometimes different styles of glasses will make a world of difference. And I will go and invest $30 in one of the new AI engines that will go through and produce 30 different headshots for my sock puppet. It’s still using legitimate features of the face. I don’t go 100% AI, and the reason for that is we’re not quite at that point where the AI is made perfectly. It’s getting there and this is probably going to change. Who knows? In the next 30 days, they could be made perfect, and they won’t have any more wonky ears or extra fingers or all those different things. But I’ll make sure that I put legitimate features into one of the AI tools and generate the additional headshots because it will change hair, it will do all those different things for it. Give different backgrounds, I pull those down. I always can edit them in different tools. But then I’m going to create my primary profile picture. I typically use the same profile picture across all the social networks when I’m initially starting my sock puppet. Then after those 30 days you’ll see little variances where I’ll put a more friendly picture, maybe on Facebook, because that’s that type of network, and a more professional picture over on LinkedIn. I always wait until after that first 30 days as I’m building up and creating that sock puppet. Now I’ve got a picture, I put it into my profile, and I put it in Gmail as well.  

Now I’m going to go through and create my social networks. When I’m doing all the different social networks, obviously I have my name and my sock puppet that I’m going to use across all of them, with one exception. When I go through, I do the general meta platform, so I’m doing Facebook, I’m doing Instagram, I’m doing WhatsApp because I have a phone number. Again, you’re going one step further to legitimize this sock puppet. I get all of those set up and then I start expanding out that network. I get the friendly socials, that’s what I call the actual social ones. And then I add the professional network in. When I use LinkedIn, this is my shift with my sock puppet. Again, I’m just making them as legitimate as possible, so I added a middle initial. I know it sounds silly that that would make an impact, but it’s expanding the identity of that fake individual you’re putting together for testing and for investigations to make them come up legitimate with all the different algorithms out there that are trying to find you.

 If you want to create additional email accounts that again expand that identity out to one more tier of the network. And you’re getting larger and larger as you go in. Once you’ve created these different social media accounts and you’re like, okay, I’m up on them. I put a background image with all my profiles. You need to put a background image, invest in creating a proper profile, create an education, and all those different things associated with that sock puppet. I try to stay very generic to make sure that it’s not going to ping if someone were doing an investigation against my puppet.

Next, it is time to invest in those posts. By the way, I hope throughout your entire creation process, I keep a document that is each one of my different sock puppets that exist as I go through and change or expand their existence. I will keep notes in there so I can keep them alive for a long time.

I’ve had some of my sock puppets alive for ten years because I want to make sure that they are able to get me rich data when I’m doing my testing or good investigative data when I’m going out and having them look, uh, and investigate an individual. So, our posts, that’s our next part of making a legit sock puppet or a legit individual posting is important, and it’s also important what you post.

I mentioned I will geotag within those first 30 days. I only do one to two images that are geotagged to the location associated with the area code of my phone number. I try to pick something that’s a drivable one that’s hours away from my physical location, but it’s not obnoxious to be able to maintain.

When you keep doing posts try to keep all my posts very generic. I will make sure one of my sock puppets has my dog and I will pick, I have four dogs, so I have one dog for each sock puppet. And that’s what they post pictures about, is that individual dog and that is that sock puppet’s dog. I don’t mix it. I make sure that’s the only dog that they have identified with them and we will post pictures about those. Very generic, very easy. Also, it makes your sock puppet very likable to have an animal. If I had cats, I would do the same thing with cats.

The other thing is I always make sure I shoot landscape pictures or pictures of plants, things that are not going to tie it to an individual or a person. I can do food pictures, there are lots of things. This is just you are building your identity up of who that sock puppet is going to be.

When you go into the different apps, if you’re using this for DFIR, you want to make sure that they can relate to whatever that app is about because that’s going to create conversations with other individuals. That’s going to generate some of your test data. That brings me to my next area, which is interacting as your sock puppet with real people.

You might interact with other people’s sock puppets, I don’t know. But when you’re interacting with other real people, the biggest rule to keep in mind, and I’ve said this before, is to be kind. Don’t go crazy, don’t be an a**hole, nothing like that. And I know that was a colorful phrase, I’m sure everyone will get over it, but don’t be like that. Keep yourself kind and friendly. It’s going to make it so your sock puppet is going to live for a longer time. Even when I go through and I have my sock puppet join Tinder, I’m always kind to the people that end up swiping on me. It’s, uh, the best way to make sure that, oh, I’m just looking for a friendship. I’m looking forward to just hanging out with someone. I keep it very neutral to make sure that no one is going to feel that they were taken advantage of or that you were being unkind to them. So please keep that in mind when you’re going and joining these different networks.

As you are interacting with real people, make sure you’re being extra nice, because again, it’s an investigative account. Then you’ve got to regulate your posts. So, in the initial 30 days of having a sock puppet, you need to do three to four posts a week. That’s going to start giving them somebody behind them that shows that they’re active, they’re doing things.

The algorithm will then pick you up for different things, for shopping, and start filling in your cache with all the other data that happens when you join a social network. So that’s one of the things you want to watch for. One of the reasons, again, I start with that mobile phone is our phones are always listening to us. I make sure I do some supplemental, internet searches on the phone that’s associated with each sock puppet that matches what might be happening in my social network. I might say things like, “I’m looking for a Hawaiian shirt” which will then change what I’m getting in my social feed to see, okay, it’s listening to me, it’s seeing I’m a real person with a voice.

All these different things can lead to a successful sock puppet that you know is going to make it through all the different algorithms that are trying to attempt to find false accounts. Let’s focus on the last thing, besides making sure you’re being kind, how do you keep it alive?

The final thing to keep a stock puppet alive, is you need to keep posting with it. I have Outlook reminders that say, hey, make sure you go and post in so and so’s account or it’s their birthday. Make sure you say woohoo, it’s my birthday. Different things like that. I make sure I keep track of that again on my master document for everyone that I have created. I keep their posts going a couple of times or more a month. I can’t quite keep up with the three to four posts a week when I initially create them. I make sure that I’m doing probably a total of five a month just to keep them up and going. And occasionally, after I’ve had the identity going for a while, I will have my two sock puppets meet and then they’re able to message one another. I like to keep it where they’re separate for a while. The reason for that, especially on the digital forensic side, is I want to get legitimate test data based on how real users are using the different apps and systems out there versus how I, as an investigator look at it and use it, because those styles are going to be different.

The final thing, which is kind of a fun thing, is you can also start to get your family involved, uh, to be able to generate more messages, be friends with them, just be selective on how they’re going to do it. So, you don’t have your entire family suddenly become friends with your sock puppet. And it’s like, well, that’s weird. Why are they friends with all these people? But it allows you to generate some of that test data again, to have more and more information, especially on the deeper side because you like to work with a larger volume of test data than when you have a small volume.

But that’s it for this week. It’s a quick method to create a good sock puppet or actor and the uses for both OSINT and DFIR. Again, a good investigator has these active accounts going because it’s going to help you learn and especially helps you stay on trend end where you might have different interests than what your sock puppets might have.

So best of luck to you. I hope you enjoy creating your sock puppets, and I’ll see you next time. Bye.

Steps Summarized

1. Get a Burner Phone Number.
   • Select an area code where you can add geolocation data to the device.
   • Take pictures with geolocation in the first 30 days of creating the sock puppet to post to establish the identity.
2. Get a Gmail Account.
   • Be careful not to be too creative with your name choice. Try to be general and generic, but not so much that it looks obvious—the balance between your selection from boring and approachable.
   • Sign up for newsletters that fall in the interest of your sock puppet. This will start populating the email account.
3. Give them a face.
   • Try to use a real face as your baseline that can be changed through wigs, hats, glasses, etc.
   • Take the real pictures through Ai generation to get a selection of profile pictures that can be used in the different social networks as your sock puppet identity grows.
   • Use the same profile picture for all the social networks for the first 30 days and then vary those images based on the type of social network it is after that time.
4. Add them to social networks
   • Use the same initial profile picture.
   • When joining LinkedIn add a middle initial.
   • Get additional email addresses for the individual for the different social accounts.
   • Change the background image.
   • Add additional vague details for your sock puppet.
5. Time to start posting.
   • In the first 30 days make sure, and post those geotagged pictures to get your accounts going. Vary their posts throughout those 30 days.
   • Keep data posts generic.
   • If you use a pet only use it with the single sock puppet not with multiple. Animals as posts typically are more likable for connections.
   • Try posting general items such as landscapes, plants, food, etc. Avoid having people in the pictures that could risk the identity of your sock puppet.
6. Interacting with others.
   • Always be kind. Kindness brings in followers and allows you to have more interactions.
   • Surf on the mobile device for different items. This will start filling your social feeds with shopping suggestions, etc.
   • Verbally talk about needing certain items while you have your sock puppet phone. Apps that have access to your microphone will pick up those items and update the socials.
7. Continuing posts after the first 30 days.
   • Set reminders so you are doing posts at least five times a month.
   • Keep your profile posted on important days like birthdays.
   • Have your sock puppets meet to keep maintaining them or to generate more DFIR test data.
   • Potentially have your sock puppet connect with family members who can help keep the account active by liking posts, etc.

General note: keep a diary of your activities with your sock puppet to be able to be consistent in the use of them in an investigation.

Paraben Corporation offers a comprehensive solution for capturing, analyzing, and sharing data in any digital investigation. Contact us today to learn more! 1.801.796.0944