Spooky time is among us, so for this Halloween I’m going to talk about ghost hunting the InfoSec way. This is something I’ve wanted to do for years even before Bsquared Intel existed.
While, I’m no ghost hunter, I’m going off of shows I’ve seen about ghost hunting and I’m going to apply my knowledge in multiple areas of Information Security from OSINT, Threat Intel, Pen Testing, and Digital Forensics.
Let’s get started.
Part 1: Planning the Ghost Hunt
Perhaps it’s the abandoned hospital that has decades of stories of hauntings. Maybe you’re helping a family figure out to see if they have a ghost in the house, or if there’s some simple natural explanation for the strangeness they’re experiencing.
Regardless of what the experience is, you need to plan out your hunt.
First you’ll want to learn about the building you’ll be investigating in, or around, for several reasons:
First is for the safety of you and your team. Equally as important is the safety of your clients.
You’ll want to dig into public records about the house, history of the town, and anything else related to the property.
If there’s claims of hauntings, you’ll want to learn about what you’re up against in the paranormal world.
You’ll also want to learn if there are any legal issues you might encounter with the investigation.
In the InfoSec world, this is the OSINT phase of risk assessment or Pentest. This is the kind of approach I take when I help my business clients or personal clients.
And in a way, this is like putting together a cybersecurity framework for compliance because you need to reduce your risk ask much as possible. You don’t want to go into the abandoned hospital prepared to only get evidence of a residual haunting and instead get tangled up with a malignant intelligent haunting. You can’t leave yourself exposed like that.
Once you’ve done your risk assessment, put controls in place, and did your preliminary research of what you’re investigating, you’ll know:
What tools you’ll need (e.g. cameras, thermal imaging, mics, audio recorders, motion sensors, laser grid, EMF detectors, flashlights, headlamps, batteries, first aid kit, and walkie-talkies)
Where you might want to place stationary cameras and audio equipment and where you might want to set up your command center.
What potential physical dangers to plan for so that everyone is safe.
Once you’re confident that you’ve got all your bases covered, you can start the investigation.
Part 2: Arriving on the Scene
You’ve just pulled up to the site where you’re investigating. Here are somethings to do:
Before you start setting up your equipment, you’ll want to physically lock down where you’re investigating. If it’s that creepy abandoned hospital, you’ll want to make sure no one else is there. If it’s a client’s house, you’ll want to make sure that they are off the property.
Once you know that someone can’t come into your investigation site, you’ll need to make sure that you’re able to keep noise and light to a minimum. In short, you want to limit potential contamination of evidence at the site.
Lastly, before you starting loading in your gear, you’ll want to take baseline measurements like temperature, EMF and RF readings, and heat mapping. This is so that you can compare any later findings to your baseline.
This is kind of like running a vulnerability scan and conducting a risk assessment. This gives an organization, or a person, a baseline of the current security posture.
This is also venturing into digital forensics territory because you’re creating a known state where you can observe any changes to document. You’re reducing the chances of things getting tampered with by locking the scene down.
Now it’s time for setting stuff up.
Part 3: Setting up Your Gear
You’re getting closer to launching your ghost hunt.
Before you venture off into the dark, you want to start placing your stationary cameras and audio recording devices around the site.
You’ll also want to test that your batteries are still fully charged and that you have your tools that produce readings/measurements calibrated (e.g. thermometers, EMF/RF detectors, motion sensors, etc).
Also, don’t forget to check your communications, night vision, flashlights, and any other tools you need to safely navigate the site.
This part of the ghost hunt is like prepping for a pen test or an investigation. You’ve created your plan of attack during the planning phase of your ghost hunt before you got on site. Now all that’s left to do is get your tools laid out to use before you start.
I love this stage of a risk assessment for an InfoSec engagement or when helping out with a legal case because of the anticipation of what lies ahead. Will I find a juicy misconfiguration in a client’s digital footprint? Will I pull on a thread during a legal case investigation that leads me down a crazy path with some serious evidence to preserve?
I won’t know until I put my plan into action.
Maybe you feel the same way when you go on a ghost hunt.
Your tools are already to go and you have your plan for the investigation.
Will you see some strange phenomena?
Will you have an entity interactively answer your questions like making your EMF meter readings spike?
Only when you kick off the investigation will you know.
Part 4: Conducting Your Experiments
You get the green light to investigate your alleged haunted site.
This is where you start capturing readings from your trifield EMF meter and your FLIR thermal camera.
This is where you start asking questions to any apparitions that may be present in hopes that your audio recording device picks up an EVP.
This is also where you might start provoking any ghosts and testing theories to debunk or validate that the place is haunted.
In a way, in the InfoSec world, this is like conducting a penetration test. You find something of interest in an application, or network and then you test that thing to see how it behaves. Then, based on output, you might find an opening to exploit the app.
Part 5: Analyzing Your Evidence
Before you get to reviewing your evidence, you’ll want to pull all the files (audio, video, image) from any digital devices onto your evidence machine. Then create hashes for each file. This helps protect the integrity of your evidence digital.
The reason for the hash is to detect if a file’s been tampered with. This is done by comparing the hash signature of what you first documented for a file and what the current hash is. If both are the same, this indicates file integrity remains unchanged. If the hashes don’t match, this is a sign of tampering.
When watching video, you’ll want to identify any false positives first. That white floating orb may be a speck of dust. The light that zips by could be a bug.
Eliminate what is easily explained away.
What remains is the evidence you want to closely examine. You’ll want to look for anything that’s a change to your baseline readings.
Some events you see might play out across multiple cameras and audio recorders, so you would need to cross reference that data from other devices. This could create some compelling findings of your paranormal investigation where multiple team members capture the same evidence.
You can even create a timeline of the event experienced by multiple team members. This timeline might show where the incident actually started and when each team member saw, heard, or felt something paranormal.
Part 6: Digging Into History
After you’ve collected your digital evidence and analyzed it, you’ll want to:
Do a deeper dive into historical records than you did during the planning stage of the ghost hunt to look for things that corroborate your evidence. This is using OSINT (Open Source Intelligence) when looking through public records.
You’ll want to interview people in town, residents, and those who’ve witnessed paranormal activity of the place you’re looking into. This is HUMINT (Human Intelligence) because you’re actively gathering information from a person through interviews.
After you’ve dug through the history of the house and town, you’re ready for reporting.
Part 7: The Report
When presenting your report to a client or to peers, have an executive summary to recap what was done and to highlight some of the main findings.
In the findings themselves you want to present things in a clinical kind of way. Remove emotion from your reporting and don’t inject bias such as “Our team believes the voice in the EVP says …” Instead say something like “After multiple reviews we were not able to understand what the voice in the audio says.”
Document failed attempts of capturing evidence. Note when your batteries for your camera were drained or any equipment malfunction.
Detail steps you took to debunk claims so that your clients test things out for themselves. This might give them peace of mind. For example, the door that appears to open itself could be due to a draft.
For the unexplained, describe ways the client can attempt to protect themselves. Provide them resources that help deal with what they’re experiencing.
And for readability, make sure the report flows logically so that your client, or peers, can easily follow along.
Wrapping Things Up
This was interesting to write about.
For any readers that come across this that are ghost hunters, do any of you knowingly apply InfoSec practices to your investigations?
If you do, feel free to share.
Also, what did I get right and wrong? What did I completely miss?
Use the contact form at the end of this post to share your thoughts.
And before you go:
Subscribe to Bsquared Intel’s newsletters to stay up to date with what’s going in Information Security and OSINT. Here’s the link: https://bsquaredintel.com/newsletter-signup/
Check out our services for personal needs, business needs, or litigation support.
I hope you found ghost hunting the InfoSec way entertaining and that you have a safe and happy Halloween.
-B2
Contact Us | Bsquared Intel
Please fill out the form below, or call 203.828.0012, to learn how Bsquared Intel can assist you.