Henk van Ess has been on my radar for the past few years. He’s a former investigative journalist who’s morphed himself into a social media investigative guru. He’s done work with a bunch of major media outlets and worked as a trainer and contributor to Bellingcat (a group of open source journalist nerds), but these days, he mostly does workshops, which included a whirlwind January tour with media outlets including ProPublica, NBC News and the Wall Street Journal.
For me, Henk came into the spotlight in June 2019, when he became the de facto spokesman for the investigative community when he was quoted in several publications regarding Facebook Graph Search changes, which effectively killed the wealth of public information that Facebook could provide to investigators. Since that time, investigators around the world have been scrambling to find a fix.
In the world of open source investigation and techniques, there are a few people who are at the forefront — Michael Bazzell of Intel Techniques and Henk van Ess are two of them — and I listen to whatever they have to say. So any chance I have to meet one of them or learn from them, I am on it.
While most of Henk’s workshops are closed to the public, the last stop on his monthlong tour was an open event in New York City, hosted and sponsored by SkopeNow. I recently had considered flying to Amsterdam to take one of his courses, so this was a pleasant surprise and an easy choice, being right in my backyard.
According to Henk, I was literally the first person to sign up!
In short, the workshop was extraordinarily informative, and I got to meet some really interesting people. When you are learning from somebody who literally trains the most powerful investigative news reporters in the world and has done some really interesting work himself, you listen.
For me, part of this was a validation of things that I already knew. Some of it was an important reminder of how to think. And some of it was brand new.
Becoming a web search expert is no easy task; the landscape is constantly changing.
Although we were packed in like sardines, the interactive nature of the class was difficult with the large class, and teaching a diverse group at different investigative levels was a challenge, all of this got me really excited.
So, here are some fun tips, tricks and quotes I picked up over the two-day course.
If you are interested in getting some training yourself, Henk does private internal training, but he also has a course in March in Amsterdam and is doing a course in Washington, D.C., in June 2020 that you should be on the lookout for.
(You can follow him on Twitter, Facebook or LinkedIn to get some news on that.)
Investigative Techniques
Think Like a Child
Funny that Henk mentioned this, because this is something I have written about before; it’s one of the favorite blog posts I have ever written. One of our tasks was to identify the location of a photo that contained a partial sign from a park. One of the keys to finding the sign was to type in the color of the sign. Almost nobody in the class thought to do that because it was so obvious and simple.
Behave Like a Computer
Computers are not human. So if you are looking for a map of something, most “maps” don’t have the word map on them. Computers rely on rules; humans use rules too but can infer from experience as well.
Google Triple Search
Henk coined the term “Google triple search,” which effectively looks for three separate terms, for example: “brian” “willingham” “diligentia”
Using Google triple search will help eliminate false positives. So in this case, using the triple search will identify postings relating only to me, as there are a number of other Brian Willinghams out there, including a former police officer and a California real estate agent.
UPDATE: Turns out I had the “Google triple search” all wrong, as Henk later clarified on Twitter:
Falsification
The principle of falsification is trying to disprove a theory or information. So, for example, we went through an exercise of trying to show that a profile photo for a purported Russian spy was not, in fact, taken on the day it was purported to have been taken. In this case, we had to prove only that something was untrue.
Quotes
“For any serious research, I don’t use Google Chrome anymore.” In short, Henk says that Google Chrome skews your results too much; he prefers Firefox.
”It’s important to know that you don’t know everything.”
“To be a great investigator, you need to hop from data to data like Spiderman.”
“Most investigators don’t have time to research research.” So unbelievably true.
“The biggest problem is that you are too experienced. The problem with knowing too much is it’s difficult to detach you from what you already know.”
Tools
I’ve been talking about this for a few years, but Yandex has an unbelievable facial recognition engine. While it sounds like Google has all the technology to do the same, they have to worry about privacy and things like the EUs GDPR (General Data Protection Regulation). Yandex “doesn’t give a shit about GDPR.” Totally makes sense, given that they are based in Russia.
Lots of investigators have talked about Pipl; frankly, they’re mainly international investigators who don’t have access to the kinds of databases we have here in the U.S. But maybe it’s time for another look.
A lot of investigators have been raving about Maltego for quite some time, and I think it’s time to jump on the bandwagon.
4K Stogram downloads Instagram videos and stories.
Video Downloader professional is a Chrome extension that lets you save any online video from any website.
Image Composite Editor creates “stitched” panoramic photos from a video to create a single photo that you can more easily analyze.
Tricks
Trying to find a witness or whistleblower on Twitter or other social media platforms? First of all, “Real witnesses don’t use hashtags; they are too busy being a witness,” says Henk. No person will use the word “witness,” but about 75% of them will use personal pronouns like “I” or “my” or “me.”
Most people know that searching the local country-specific Google website will get you more local results. In times past, you would have to go to, for example, Google.fr (Google France) or sign in through a virtual private network from the specific country to get those results. Now you just need to change the region in the search settings.
Quotation marks have a completely different meaning now. While in the past, you were telling Google to “shut up and listen” and only give results based on what’s in the quotes, now Google likes to think it knows what you want.
If you are looking for witnesses/whistleblowers, there are six times more employers on Facebook than there are on LinkedIn.
Magical formula to find interviews: “said Warren Buffett” OR “Buffett says.”
So You Think You Can Google
I once heard an attorney describe a private investigator as an “expensive Google search.” But I am pretty sure that attorney doesn’t know a fraction of the “ninja” Google stuff that can be done.
The term “Google dorks” refers to specific search queries that use Google’s search operators to find specific information. There are dozens of advanced operators and searches you can try, and there are endless combinations of possibilities.
For example, as I mentioned on LinkedIn last week, if you want to do a quick, down and dirty negative internet string on someone, one of my favorite tricks to see if there is any low-hanging fruit is to run this Google query:
“{person or business name}” (arrest OR assault OR attack OR bribe OR corruption OR criminal OR defraud OR fraud OR illegal OR indict OR investigation OR launder OR misconduct OR misrepresent OR negligence OR violation OR sanction OR terror).
Or if you want to get even nerdier:
“{person or business name}” AROUND(20) (arrest OR assault OR attack OR bribe OR corruption OR criminal OR defraud OR fraud OR illegal OR indict OR investigation OR launder OR misconduct OR misrepresent OR negligence OR violation OR sanction OR terror).The AROUND(20) represents that the “person or business name” needs to be within 20 characters of the remaining terms. The AROUND must be in capital letters and the 20 can be changed to whatever number you want.
Henk went over a number of really interesting Google dorks; in particular, he showed some interesting ways to use a combination of these tricks. For example, we were looking for the name of a river in Phoenix, Arizona, but when typing “River in Phoenix” in Google you get results for the actor River Phoenix.
But you will get the name of the Salt River if you type: River phoenix -“river phoenix”
When doing research on people, there are at least six ways that you will have to search in order to be thorough: “John Doe” or “John” “Doe” or “Doe, John” or “J. Doe” or “Doe, J.” or “John * Doe” (in case there is a middle name or middle initial)
Skopenow
Last, I would be remiss if I didn’t discuss Skopenow. Although the vast majority of people in attendance were Skopenow attendees, I was not. Nevertheless, they were extremely gracious hosts and kind enough (with a little pressure) to invite me to the group dinner.
Skopenow’s platform is really interesting, focusing on social media intelligence in combination with data from data providers like TLO. It’s a pretty powerful set of tools that is not well covered in other databases that I use.
I have always seen this tool as a way to quickly capture lots of data points, social media profiles and links. For example, I would use it for making a quick assessment of somebody or if you were an insurance firm and need to cull through thousands of social media posts or are doing a risk assessment on a number of people.
Given that much of my work is really manual, deeper and thorough because I am interested in every word, like and link, I haven’t seen a huge need for it. In a typical case, I will spend hours looking through one person’s social media, so having a tool that can cull lots of stuff is an interesting but not necessarily indispensable tool for my work.
But I am interested in giving it a shot to see how it fits into my processes.
