Greetings investigators! In this blog post, we will cover some of the basics of using LinkScope, and see how it can assist with online investigations. Our target for this investigation will be AccentuSoft, and we will aim to uncover some details about where this website is hosted. Feel free to follow along with this tutorial – the best way to learn is by doing.
Starting from the beginning, let us create a new project. Click on the ‘Select Directory…’ button, and pick a folder to store the project in (or create a new one). Then replace the ‘Untitled’ text with a name that describes your current investigation. We chose the name ‘AccentuSoft Footprint’ for our project. Once you have picked a name, click ‘Create’ to create your new project.
Once at the Main Window, there are a few things to note about the software’s interface. The software utilises Entities and Resolutions to display and resolve information. Entities are small, discrete amounts of information for any particular thing. They are broken down in the categories you can see in the ‘Entities’ section, which is by default on the left side of the window, under the ‘Node Operations’ tab on DockBar One.
Let’s begin by defining an Entity to represent AccentuSoft’s website. In the ‘Entities’ section, we will expand the ‘Infrastructure’ category by clicking on the arrow next to this category’s name. After locating the ‘Website’ entity entry, we will drag it onto the canvas at the center of the Main Window, to create a new entity object. Upon releasing the mouse button, you should see the Properties Editor appear. In the ‘URL’ field, we will replace the ‘None’ value with the URL of AccentuSoft’s website: ‘https://accentusoft.com’. We don’t need to alter any of the other fields, so we click ‘Confirm’ to apply our changes.
Note that we could also have dragged the URL from our browser’s navigation bar into the canvas to achieve the same effect. In this case however, we opted to define our entity manually.
If you have followed along thus far, your project should look similar to this:
If you currently have selected the Website entity we just created, on the Entity Details pane in DockBar Two (by default, on the right side of the window), you should be able to see a detailed breakdown of the entity’s attributes.
With our target defined, let’s now actually start extracting some information about it. The acquisition, extraction or resolution of data in LinkScope is done through Resolutions. Resolutions take as input a set of Entities of particular types, on which they perform their operations. These operations could result in additional information being acquired, represented as new entities that are then displayed in the software.
Back to DockBar One, we will now move to the ‘Resolutions’ section, and expand the ‘Core’ category. Locate the ‘Get External Urls’ resolution:
While making sure that we have the website entity selected (we can click on it to re-select it if we de-selected it), we double-click the resolution’s name to launch it. This particular resolution can be fine-tuned by configuring some of its parameters, so we are shown the Resolution Wizard to help us do so:
We will however leave everything as it is, and simply click ‘Accept’ to launch the resolution. While that resolution is running, we will locate the ‘Hostname To IP’ resolution (which is again under the ‘Core’ category), and double-click it to launch it. Note that this resolution does not require any configuration, and it is launched immediately. It also completes its execution faster than the ‘Get External Urls’ resolution. Different resolutions require different levels of configuration, and have different execution speeds that largely depend on the set of operations that they perform.
After waiting for the ‘Get External Urls’ resolution to finish, we observe what we have discovered:
Note that your results may differ from these, depending on when you performed the investigation. As of the date of writing this article, we can see that AccentuSoft’s site points to two external domains. One link points to what appears to be the company’s YouTube channel, where we could keep up to date with new video releases of informative content by subscribing, and clicking on the ‘bell’ icon next to the subscribe button to change the notification settings for new content to ‘All’. The other links point to the company’s GitHub page, where the source code for the LinkScope Client software is hosted.
The external URLs of a website can give us an idea of what sites the owner of the original website is affiliated with, or hosts content on. This can help us discover the extent of the company’s web presence, and in the process, help us get more information about our target. Do note that while LinkScope is extracting publicly available information, we should be careful to constrain our investigation to the scope we defined. This is not only because companies other than our target may not appreciate users indiscriminately scraping data, but also because being careful with what we investigate also minimizes the traffic we send over the internet, which reduces the size of our footprint on any logs that companies might collect.
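The following is an added example, not LinkScope's own code: it shows the idea of grouping a page's outbound links by external host while treating the target host and its subdomains as in scope. The HTML is constructed sample input with placeholder paths, and `LinkCollector` and `external_urls` are hypothetical names.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page; paths and the mail address are placeholders.
SAMPLE_HTML = """
<html><body>
  <a href="/blog/">Blog</a>
  <a href="https://accentusoft.com/contact">Contact</a>
  <a href="https://www.youtube.com/channel/EXAMPLE">Videos</a>
  <a href="https://github.com/example-org/example-repo">Source</a>
  <a href="https://github.com/example-org">Organisation</a>
  <a href="mailto:info@example.invalid">Mail</a>
  <a href="#top">Top</a>
</body></html>
"""

class LinkCollector(HTMLParser):
    """Collect the raw href value of every <a> tag."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)

def external_urls(page_url, html):
    """Return {external host: sorted URLs} for links that leave page_url's host."""
    own_host = urlsplit(page_url).hostname
    collector = LinkCollector()
    collector.feed(html)
    found = {}
    for href in collector.hrefs:
        absolute = urljoin(page_url, href)  # resolve relative links and fragments
        parts = urlsplit(absolute)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            continue  # skip mailto:, javascript: and host-less links
        host = parts.hostname
        # In scope: the target host itself or any of its subdomains.
        if host == own_host or host.endswith("." + own_host):
            continue
        found.setdefault(host, set()).add(absolute)
    return {h: sorted(urls) for h, urls in found.items()}

if __name__ == "__main__":
    for host, urls in external_urls("https://accentusoft.com", SAMPLE_HTML).items():
        print(host, urls)
```

Grouping by host makes it easy to review which third-party sites appear before deciding whether any of them fall inside the investigation's scope.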
Let us now turn our attention to the IP addresses we collected. These should help us answer our original question of where AccentuSoft’s website is hosted. We will first clear any entities we have selected by left-clicking on an empty spot on the canvas. Then, we will right-click near the IP addresses, and make sure to hold the right mouse button down. This way, we can create a selection box, which we can expand by moving our mouse until it covers both the IP address entities, before releasing to confirm our selection. We don’t mind if we also select the links that point to them in the process.
In the ‘Resolutions’ section in DockBar One, under the ‘Core’ category, we will now run the resolution called ‘IPv4 WhoIs Information’ by double-clicking on its name. We should see the following result:
The software automatically rearranges the Nodes on the canvas in a way that tries to maximize information density. We may however sometimes feel that a different configuration is clearer or more intuitive. By clicking and dragging the nodes around, we can rearrange them like so:
We can see that both the IP addresses belong to Namecheap, which is a domain name registrar that also provides hosting services. We can tell that the server that the website is hosted on is in the United States, and we have some emails that were mentioned in the WhoIs entry for this domain.
If we felt like it, we could export a picture of our current Viewport (as in, the section in a canvas that we are currently viewing) by selecting the ‘Save Picture of Canvas’ option, which is under the Export menu at the top left side of the window. This can be helpful if we wish to show graphically what we discovered in an investigation in a report or presentation. No need to fiddle around with screenshotting tools!
And with that, we have answered our original question, and concluded our investigation. We hope that this blog post helped you understand the fundamentals of using LinkScope, and gave you an idea of how it can help investigators uncover information, discover how it is interconnected, and report on their findings. Keep an eye out on this blog for more news, tutorials and examples of how LinkScope can improve and streamline investigations.