Welcome to this FAQ on investigative journalism.
Here we collect tips/trics and methods that have proven useful over the years.
Click the relevant section below to see relevant text.
- Digital security – where to know more
- Passwords and two-factor authentication
- Passwords and two-factor authentication
- Maltego, NC Investigative cloud, mm.
- Databsen
- https://docs.k9mail.app/en/current/security/pgp/
- ‘Wiki for research library
- UG research
- Tools
- Föreläsningar
- Research triangeln
- Reportage:
- Telia “The black boxes”
- Jas Gripen bribes
- Egyptierna
- Ericsson and ISIS
- REFERENS
- AP stylebook
- LBL manual
- TT språket
- Evert Phones
- Ta evert PM och uppdatewra dess METODER med aktuella URL/appar. Skapa ett “så här kan du göra för att dkydda DIN telefon bättre – inte “här har du en säker telefon”
- Tella
- Other simliar projects like the GErman “Neutron”
# Media access
# To handle web-adresses, shorten them, hide them, etc
Shorten URL
To shorten a URL, (webadress) is often practical. Either because its too long and takes up space, or because its hidden or complicated.
An online service often used is bit.ly
Its and ok service, but offers limited numbers of URL:s to shorten without having to pay.
An alternative is to install a software, like the Open source URL shortener software: https://yourls.org/
Hidden URL
Hidden URL:s are a way to obfuscate your site/database whatever it is.
One can create a “crazy” URL like https://www.mysite.org/xsiauydfiasdnjsfd.html instead of the real URL: https://www.mysite.org/thesecretproject.html
HTACCESS
On can also useHT acess a simple first-step-login to reach the acutal website. with a id/pw authentication that leads one to the real URL: https://next.virtualroad.org/fairyrobot
HTACCESS files can be created for redirecting a URL, preventing directory listing, banning specific IP addresses, preventing hotlinking, and more.
Another common use for this file is for pointing to an HTPASSWD file that stores credentials preventing visitors from accessing that particular directory of files.
***
Both methods obfuscate in a simple way and is by no means the ultimate security, but makes you online resource “fly under the radar” and not bee seen or indexed easily.
# Using scanners and phones to process and read documents – OCR
Problem: a bunch of documents with text you want to search and/or copy paste or just read in a flowin-text mode – like the text of a book.
1. Just put the paper on a table, light coming from the side, window or lamp.
2. Take a picture of the page with your phone, filling the viewfinder with the documents sides. Never mind if picture is including some extra on the side of the document, but try to make the document straigt. If its crumbled flatten it by rolling it counter to the original crumbles.
You can easily take pics of many many pages in a short time with this method.
Attach the phone to a computer with a USB cable to transfer the files.
Alternatively send the pics with a message service like Signal to the desktop version of the same software. In signal you can adress to “Note to self” to create a message only to yourself. A Signal message can handle many MB so many pictures can be attached to one message.
Store all pictures of the same doc in a folder named Document#1 or similar.
Make a PDF
An useful and easy way of handling the document in electronic form is to create a PDF of the images.
There many softwares for that, the most common being Adobes Acrobat (that is paid software).
Open source and free versions are:
- PDF Mod does split and merge
- Xournal annotations and stamp images
- LibreOffice doing some edition but breaks styles
- Okular read and annotations
- OCR (optical character recognition)
- Use a OCR (optical character recognition) software like Adobe Acrobat (paid software) or use the OCR software ofen included in the phones. iPhone do OCR in camera, and Google Lens is an app for android.
- There are also open source versions to install on your computer:
Tesseract is a well known open source OCR-software that can be installed on a Linux/Unix/Ubuntu machine, but is best handled with command line access – CLI
# Operational Security – how to stay safe
There are three things to remember for ALL missions, interviews, travel, door step etc.
1. Have a plan A
2. Have a plan B if plan A fails
3. Have several means of communication
Plan A – checklist
Make a schedule for the trip and book flights, and at least some hotel in advance to have a planned route/safe stops.
Save copies of the bookings online in NextCloud/Dropbox/GoogleDrive and share the folder with your designated contact – POC – Point of Contact.
POC – Point of Contact.
Select a seasoned and reliable person who will be in a safe environment and have multiple means of contact. Several phone-no, land line, NextCloud/Googledrive access.
Daily contact
Make a schedule for contact with POC.
An SMS every night at 22:00 “All is well”.
A pre-defined alert message “send more money” – to signal that its time for the POI to get into action – that something is wrong.
Have a pre-defined list of actions for the POI if contact is lost.
– calling the hotels, fixers, interview persons within an our of missed contact
– alerting the embassy within 6 h of lost contact
– alerting local police if there is sign
Have all your pertinent detials, passport, Social Security, current and valid insurance etc in a readily available Memo/folder for colleagues, family and/or PoC.
Here is a more thorough walk through of OpSec routines:
Security course for journalists (OPEN IN NEW PAGE?!)
#Digital security
https://laurin.xyz/mimers/digital-security/
# Phone security
Is a vast area. And hard to cover, both as researcher and user.
In general, its wise to realize that almost all information concerning your life and work passes through the phone. Banking, travel, personal details, contacts with sources.
The key to keeping that safe is: compartementalization.
Encrypt the emails so they cant be read if the phone is lost or the emailaccount is breeched by bad guys or the government.
Turn on features like encrypting the SD card and the phones internal memory.
Learn what the phone is sharing in the cloud. If its an iPhone, all of it is shared with Apple. Sometimes with good security, but only until the police arrive with a court order. Or your login credentials are breeched.
Hence, try to use cloud services that you control, or is controlled by people you trust. A Nextcloud server can sync just as well with your phone as Apple can. But you control it.
There are a number of NGO:s and companies that try to solve this for you. Some better than others.
Nitrokey
Nitrokey GmbH in Germany is doing a good job with their phones, laptops and encrypted devices.
Evert phone
Your own setup might be the cheap, and not so bad way to go. Here is a setup that was working well a few years ago but where a lot of the software is now outdated. Still, it can serve as a template for taking a used phone and setting it up as a second project phone.
A very important area is having a secure login to your devices and accounts. The solution is two factor login – that you use a randomly created code to login as with Google authenticator, or a physical key, like Yubikey, to give the second answer to the system that you are really you.
# Encrypting your messages and traffic
There are now many many ways of sending more or less secure messages.
The first thing to consider is who is the opponent? Is it “just” keeping your communication out of the public? – just stay off Facebook , messenger and iMessage.
Is it keeping it out of the hands of a potential police investigation, which can happen even if your not the target. F. ex if the masts you have been using while moving around is emptied in a ANOTHER criminal investigation, then stay off SMS/Text messages.
The tradititional and still working mtehod is to send an encrypted email. There are services like Proton that offers this, but you can just as easily install OpenPGP that will work with most email software that allows encryption like Thunderbird and K9 (for the Android phone) . An easy option if you´re on webmail is using Mailvelope that will handle textmessages well and your keys as well.
Very good guides, in many languages which is good if you are setting up communications withe people in other far-away countries is provided by XXXX
A very old school methos is writing your messages as drafts on an email account where you share the log-in with your communication partner.
But, if one of you is caught up, like Assange, his collaborators like Birgitta Jonsdottir, the icelandic parlamentarian, and the journalists covering the making of Collateral damage. Google, Twitter, Microsoft will all share emails, tweets as and drafts as well with the authority asking for it. And they will share alla IP adresses that ever connected with the account… thus giving the NSA:s of this world a target for their intrusions.
“No Secrets” By Raffi Khatchadourian The New Yorker May 31, 2010
Telegram is an interesting service. Created by two Russian brothers who still control the source code, is used by many, among them 50 million iranians… But are these russian brothers sharing the code/contents with FSB or the iranians. No one knows. Reason enough to stay away.
Signal publishes its source code, which gives knowledgeable peoiple the opportunitu to check for back-doors. A good measure to ascertain some kind of security. Signal also implement very important featurs like hashing the contents of your phone book. Meaning they only make a mathematical operation on the contents of your phone book, and only keep the result to be able to send you a sign that X in your phone-book also is on Signal. This is a vital back draw of most other systems like Whats app, who even if its using the same encryption as Signal, monetises its access to your phonebook. Not to speak of Messenger who openly declares that in return for their popular service the data-mine not only your phone book but also the contents of the messages themselves.
In the end, its only meeting withg your phone turned off while going there, under the old oak tree in the park.
But again, that way not much work can be done, so estimate who the opponent is and adjust your communications accordingly.
# To record a phone call
Q: How do you record a phone call 2023?
This is a major issue. I stayed with Android/ Google b/c they for a long time did not hardcode that possibility away, like Apple did.
The best software/app then was Total recall from Killermobile.
Worked beautifully for years. Then Google also hardcoded no recording and all solutions became “bad solutions ” like making every call a three party call with a server as the third party and recording the call. But then all recording was on someone’s server…
I have given up following the issue since every “solution” has drawbacks that I can’t accept as a journalist with respect for my own and my sources integrity. And if you get some new solution to work you can be sure it stops at the next upgrade of Android.
And since I’m, like many emp0loyed journalists, are using a corporate phone I don’t own the control of the phone and can’t for example go Android open source and use a custom ROM (A true open source Android version on a rooted phone – meaning you leave the security being integrated in Googles world) to keep using Total recall.
But that’s one alternative if you are willing to leave Googles Android.
The people at Killer mobile covers this issue, phone by phone and the current status of things.
My solution has become going back to legacy systems like keeping a Olympus TP8 microphone ready in the dirty tricks bag i always carry. With that in the ear and using my second phone as recorder one can record all calls and even use it as a semi-hidden microphone under the shirt for reference recording of a conversation.
If you can us the loudspeaker on the first phone and recording with your second phone that´s another option that works well.
None of them is as good as Total recall was which was reliable and recorded everything (if you wanted).
With that turned on you could go back and find a recording of when someone said something unexpected in the call.
Another issue is Signal/WhatsApp etc who are taking over a lot of the phone calls. My legacy options are the only ones working for voip apps as far as I know.
There are several good reasons for any journalist to record their conversations. One is for safekeeping when the person speaking denies having said it, but another is sending it to a transcribation service like My Good tape who with a promise of integrity and a nominal cost will make it a searchable and easily consumed text-reference of what was said. It´s often remarkable how much you missed when you go back to only your memory of a conversation or even notes.
Others Toolkits
Bellingcat’s Online Investigation Toolkit
20240116
Bellingcat has in recent years come forward as a very competent and therefore hailed open source research collective.
Its founder, Elliot Higgins, has written a book about how Bellingcat grew out of his bedroom to an internationally recognized and trusted source for OSINT – open source investigations.
The book is a good lecture in how to think, rather than how to be a rocket scientist.
The beauty of Bellingcat is really that they ACT on their knowledge and research to the bottom. And are not afraid to learn or use new tools. Thats where they outshine traditional media where these methods have existed for a long time, but often in the shadow of traditional “reporter-tells-how-it-is”.
Another repository for OSINT tools is OSINT framework
#7 Passwords – how to keep track in a safe way
Useful Computer commands
To check disks is important to know if they are going to fail soon or not.
Recommendation is smartctl
GUI för check disk
Every modern hard drive has an option to monitor its current status and health via SMART attributes. SMART stands for Self-Monitoring, Analysis, and Reporting Technology. The SMART test can be performed on your HDD to detect any potential problems with the hardware itself. Tests such as these are run using SmartCTL. According to the Linux man page, SmartCTL is a command-line utility designed to perform SMART tasks. Examples of these tasks would be printing error logs or enabling and disabling automatic SMART testing.
https://www.liquidweb.com/kb/how-to-install-and-configure-smartctl/
GSmartControl is a graphical user interface for smartctl (from smartmontools package), which is a tool for querying and controlling SMART (Self-Monitoring, Analysis, and Reporting Technology) data on modern hard disk and solid-state drives. It allows you to inspect the drive’s SMART data to determine its health, as well as run various tests on it.
#6 Finding people
Finding persons, living or dead is quite a different challenge in different countries and jurisdictions.
A few tips/trics/services that have been helpful in the past sorted by country:
SWEDEN
Skatteverket.se Tax authority, is also resonsible for keeping the census of the population, whos living in Sweden, who´s a Swedish citizen.
The basic facts on a person are public and can be asked most easily and effectively by phone, or email.
USA
Whitepages
FRANCE
MOLDOVA
You need to find the persons ID-n umber, not a public document per se, but can be found in court records.
The passpoert number is also useful, but its a different number.