Comprehensive Insights into OSINT, Maritime Intelligence, Telegram Investigations, and Cybersecurity Threats

So hello everyone uh good morning and good evening and good afternoon to everyone joining us from around the

world. Uh my name is Hir and uh yeah I'm the founder of Ocean and it is my pleasure to welcome you all to

Ocean Summer 26. Uh what started as an idea to bring together the global question community has really grown into

an international event uh where we bring together investigators, analysts, private security professionals,

journalists, researchers, life forming personals and students who all share a common passion for ocean. Uh today Ocean

is no longer just an each discipline. It has become a critical capability for a lot of different sectors like cyber

security, threat intelligence, investigations, fraud detection, journalism and national

security and a lot of other domains. the amount of publicly available information continues to grow and so the need for

uh yeah so for the the need for like information continues to grow and so the the need for skilled professionals in

the ocean domain our goal with ocean con is simple to create a platform where experts can share practical knowledge

real world investigations experiences and their methodologies that attendees can work and can apply your workload

despite being from a different location removing the geographical barrier because like if we

over the course of today's event you will be hearing from a lot of industry experts covering topics ranging from

artificial intelligence and ocean uh to maritime intelligence telegram intelligence incident response and a few

talks on digital evidence preservation and a little bit on dark so I would like to thank all of our speakers and

attendees for generously sharing their expertise and being part of this community. I encourage everyone

to participate and ask yourselves, engage in discussions and making the most of the knowledge being shared

today. With that, let's begin 26. Thank you all for joining us and I hope you guys enjoy the conference. So to kick

off the conference, I'm pleased to introduce Chris who is head of intelligence at Blackboard solutions,

one of the companies leading in ocean. Uh Chris has over 20 years of military intelligence experience along with a

significant experience in UK's national crime agency and in counter disinformation investigation. Today

he'll be presenting on the talk AI and notion evolution not revolution. So please join me in welcoming Chris. So

the stage is yours. >> Cool. Thank you very much uh Darj. Um okay. So uh yeah, thank you very much

for that introduction. Uh good morning, good afternoon, good evening to everyone that's joining uh the call. Um today I'm

going to be talking about artificial intelligence and open-source intelligence and how I believe it's an

evolution of a process, not necessarily a revolution uh that you may may think it is.

So in terms of who I am and who I represent, um I work at a company called Black Dot Solutions. It's one of the

leading open source intelligence platforms in the world, uh focused in the UK in Cambridge, and it focuses

predominantly on financial and economic crime, but like a lot of open source platforms can be put towards any use

case. Uh I've recently had a look at uh migrant smuggling or drug trafficking, gun trafficking, and the platform is is

fantastic for that. And we use artificial intelligence within the platform. And we use it in a number of

different ways. And I'm going to talk about how uh how you can use uh artificial intelligence in your open

source intelligence investigations and how we use it in our platform as well. Uh like JJ said, in terms of my

background experience, I've got 20 years British military intelligence experience with deployments to Afghanistan, Kosovo,

Iraq, and a few others. um as also working in the National Crime Agency uh predominantly in covert intelligence

collection. So hopefully if there's anything on open source intelligence uh I can help you with please reach out and

uh I'll do my best to help. So in terms of the current state of open source intelligence information volumes

are expanding uh more rapidly than ever before. We've only got to look at social media platforms in terms of just how

many tweets are being put out on X every day compared to this time 10 years ago or 20 years ago. And artificial

intelligence is shaping and reshaping the way that that information is created, that information is collected

and how we interpret that information. And artificial intelligence really is leaning into all three stages uh of of

that part. Organizations are also facing new risks uh in terms of the geopolitical climate. Uh last time I

checked, roughly 20 conflicts have either started or finished in the past five months of this year alone. And this

is a a really uh really chaotic time in terms of the geopolitical environment. And in terms of reputational, the risk

of mis or malinformation targeting a company or a state um is has increased that much more. or an artificial

intelligence is playing a role there and open source intelligence is becoming a strategic int intelligence discipline in

its own right. Quite often we talk about human intelligence, imagery intelligence, um signals intelligence

and open source intelligence is kind of seen as a a lesser intelligence discipline. I completely disagree. Open

source intelligence is a strategic intelligence discipline in its own right. And I think we're seeing that

more and more um you know with recent conflicts how open source intelligence is bringing uh information to the for

much quicker than some of those more traditional intelligence disciplines. So to take you back in time in terms of

the evolution of open source intelligence, it really started it started hundreds of years ago with you

know looking through newspapers and and everything else. But the modern version of open source intelligence came around

really in the 1940s with the foreign broadcast monitoring service um created in the CIA to monitor newspapers and

radio looking at open-source publicly available information um in order to extract relevant information and turn it

into intelligence. During the cold war, the analysis of that foreign media was a good way of gaining information um in

the public domain and again turning it into open source intelligence. Fast forward to the 1990s and the

internet makes so much more data uh available to the general public. Forums, static websites, uh news sites all

coming into their own. By the 2010s, we have social media bringing near realtime userenerated content to the masses

within minutes uh of of events taking place. As we've seen recently as well, sometimes these events are being live

streamed and that that's bringing that content to the user um in lifetime. And this year, artificial intelligence

has really come into its own in the last couple of years, but I think this year is going to be the year that we're going

to see another massive leap forward in terms of the capability of artificial intelligence. And it's offering a new

way to shape the data and also offering a new way to automate open-source intelligence collection and processing.

So my view is that artificial intelligence is an evolution of existing processes, not a revolution.

It doesn't do anything that we couldn't already do. It may be able to collect data faster. It may be able to process

data faster and it may be able to um conduct analysis faster. But all it is doing is accelerating processes that

humans have done for decades. What it does do is it expands reach across a broader range of existing resources. in

the time it takes you to write a prompt for a chat bot to go and collect information for you. Um,

it just allows you to expand that that reach across a broader range of resources.

When it comes to the use of artificial intelligence in any intelligence collection, it's really important that

we retain the role of the human in that whether that's human in the loop or human on the loop. But needless to say,

the human has to be part of the judgment that takes place in the intelligence uh process

and artificial intelligence supports open source intelligence's continued mission that is to gain actual insights

from publicly available information and it's really key that AI supports that. So in terms of um some of the challenges

that are being faced today, as of July 2025, two and a half billion messages were

being sent to chat GPT every day. Now there are queries that normally would have been directed to Google or Bing or

Yahoo or Yandex, but instead they're being leveraged against an LLM, a chatbot. So it's interesting to see that

shift in terms of the public use of AI compared to traditional use of search engines for example.

Investigators are facing an increased organizational push for uh increasing their speed and accuracy and um whilst

facing massive data volumes. When we look at social media um that there is now such a broader range broad range of

social media platforms to to exploit and analyze. Artificial intelligence can definitely help with that. In terms of

the high velocity of events, events are changing the shape of the data landscape on a daily basis. We can only look at

what's going on in Iran over the past couple of months to see just how quickly events can can come out and enter the

open source information domain. Miss, dis and malinformation and deception operations are also increasing

whether that's by hostile state or or lone actors um conducting campaigns in order to change public public opinion

and and influence um you know public discourse. Manual open source intelligence

workflows are unsuited to overcoming these challenges on a on an enterprise scale.

when we look at the the broad range of of um data coming into the analyst, they need something to help help them with

that. So, in terms of looking at artificial intelligence, what can it do? It can

automate collection and triage. We can target an agent to collect on certain topics or from certain sources and

triage that for us in order to reduce how much data we're we're looking at. We can use it to extract entities and

patterns. Artificial intelligence is fantastic, is brilliant at being able to identify entities and pull out um key

entities from from from documents, from websites, from social media, and identify patterns and connections

between them. It's also really good at summarizing, processing very large data sets. If you put 20 or 30,000 lines of

data into a chatbot, it will summarize it in a really good way. um or produce an infographic for you instantly which

just allows you to focus on the analysis and it gives the analyst more time for that contextual interpretation. I think

during my career I've seen a case where analysts will focus 70% of their time on the collect and 30% of their time on the

analysis and the dissemination and that's not how it should be. AI flips that model around.

Artificial intelligence should not be used to conduct end-to-end investigations without any human input.

There has to be human in the loop or human on the loop within any AI process. And it doesn't replace human insight. If

you are an expert in uh American CEO relations, you are an expert in that. An LLM may be able to give an approximation

of an analysis, but it can't replace human context. So, how can AI change traditional

workflows? Uh, for those of you that are familiar with the intelligence cycle, these are the steps of it. In terms of

the direction, the humans define the goal. Humans should craft that question, that information requirement, that

intelligence gap and use AI to scope and explore that problem. When it comes to the collect, the humans should judge

proportionality. They should look at what sources are being used and identify whether it's proportionate for the

investigation that they're carrying out. But AI can go off and enable rapid automated data collection on behalf of

that human. In terms of the processing, the AI can reduce the time spent on manual

filtering. They can carry out mapping, verification, and a degree of analysis um and processing. As part of that, AI

can be used to enhance human insight by pinpointing risk factors, looking through networks, identifying key nodes

and key entities and key relationships for more exploitation. they can identify where patterns exist and and pull those

out to allow the analyst to focus on uh the analysis of that piece of information.

When it comes to dissemination, AI can also be used to um produce reports at speed. They could be automated reports

or they can be used to curate data into such a way that they can be put into a template and disseminated out. But there

has to always be human in or human on the loop depending on the process. So in terms of um ethics and governance

uh a key thing you will have noticed is about the human analyst remaining central to the process. There has to be

transparency and methodology. Sometimes I've seen companies adopt AI in a very untransparent way. they are hiding those

processes and they're not showing the the user how AI is coming up with that determination. One of the ways that we

have built AI within black dot is that it's always transparent. It will show the methodology. It will show the

working out and it will show how it has come to that answer. In terms of bias mitigation, it's really

important that um you know the LLM is not biased towards a particular um answer. Um and that all

comes down to prompt generation and we'll talk about that in a little bit later on. In terms of data protection

and privacy, it's also really important that uh information isn't being leaked out. Sometimes when we use LLMs, there's

a fear that we are training that model in in better ways to to do things. Black Dot takes a very um a very critical view

of this in terms of making sure that the user's data is protected at at all times. So no data is sent to the LLM.

The LLM can't learn from anything. Um it it's very static in terms of that. And in terms of accountability and

decision- making, AI should not be used to make a decision. It can be used to inform a decision, but it shouldn't be

the ultimate decision maker. So AI in practice. So some of the key um platforms that are

out there, people who have heard of chat GPT or Claude. Um these are some of them out there in terms of what they're

really good at. So Chat GPT is really good at summarization. Uh putting in a large amount of information, it can pull

out a really good um short executive summary about all that information. And it's also good at chain of thought. What

I mean by that is being able to have a conversation, being able to refine a question, being able to refine a prompt,

going backwards and forwards with chat GPT, uh, is really, really, really good. Claude is fantastic at kind of ethics

first compliance work or very complex analysis. Look at good at looking at very large data sets and conducting a

very a very detailed analytical process of what that information means. Mistral is um very low latency in terms

of of how quickly it can come up with an answer um but is probably less used than than some of the others. Gemini is

fantastic at um vibe coding if you wanted to to create an app by yourself. Uh people generally use Google's AI

studio using using Gemini. Um it's really good at constructing imagery and videos as well. Um yeah

uh Meta's AI is not being used that much outside of outside of the meta platform in in the same way that maybe Claude uh

Open AI and Google is. Um but it's got really good uh scope for looking across social media.

Grock uh Grock is fantastic at um Grock has been fantastic at analyzing

data from X. It has also come under fire very recently, especially over the winter of

last year. Um, and is very biased. Uh, I don't want to go into too much about Grock. Um, but it's very biased in some

of its outputs. Like I said, it's it's probably the most useless one out there that I've come across.

So, what can AI be used for? It can be used for um conducting person and identity research. It's really good at

looking at social media uh data. It's good at looking at different identifiers and mapping those relationships across

networks. AI can also be used for threat intelligence if you need to do any kind of monitoring or alerting um looking at

a workflow and enriching the data that you've already got. Um, it's really good at

looking at risk monitoring, looking at multiple different sources all at once, social media platforms, forums,

marketplaces, and filtering that data to come up with any risk to to your organization or your country.

It's also really good at looking at um looking at uh indicators of compromise and then adding context to that. So if

you're in a cyber threat intelligence role, it can be really good at looking at those IoC's uh and pivoting across

and looking at other infrastructure as well. One of the ways that we use it quite a lot within Black Dot Solutions

is for due diligence and know your customer. If you're looking for adverse media on a particular organization, a

particular individual, if you're looking at corporate records and providing that audit trail across multiple platforms,

again AI is really useful for for that. So when we talk about uh artificial intelligence uh and prompt generation,

quite often people will just go straight into the prompt and uh relying on the LLM to um kind of fill in the gaps.

That's a really bad way of doing it. A really good way of coming up with a good prompt is to start with the context.

Give the LLM the context by which you want it to operate. In this case, I'm asking to act as an open source

intelligence analyst. I'm telling it that it needs to assist in gathering publicly available information uh and

pull it across. I've also told it to ask me any questions if it needs clarification before it starts. This

just gives it the context, the the boundary to work in um and and kind of stops it from going off and and

gathering information by itself. So, we start with the context. You are an AI. You are an Aussie analyst. The

next thing we're going to do is we're going to look at the objective. This is the exact thing I want it to do. I want

you to to generate a comprehensive summary on the situation in the Middle East, for example.

I will always put constraints into any prompt. Do not lie. Collect only information from a certain time period.

Use only these verified sources or or however you want to do it. Do not lie, do not guess are two very critical ones

when it comes to using LLM. Quite often we talk about um LLM hallucinations and it's really important to minimize that

as low as reasonably practicable. It's impossible to get rid of them completely. But by adding in those

constraints, it reduces the risk um to the user. And then it's also key to identify the

the output. How do you want to see the information that it collects? Do we want to generate a table or create a map,

create an image, a video, produce a report? Um you can also give it frameworks in terms of producing a

report. For example, here I've got pestl um political, economic, social, etc. like the framework for that report. And

for the eagle-eyed people amongst you, you'll notice that this kind of follows the intelligence cycle. I'm giving it

the direction. I'm telling it how to collect the information uh and then how the how I want the information to come

out. So these are some ways that you can use it uh in your own work. So this is using

uh using chat GPT. Um I wanted to create a prompt for exploiting telegram using the way back machine. So this is not

using the telegram API. This is not using a third party platform. This is just using the wayback machine and chat.

So I've given it the context. You to conduct an Aussie style archival investigation into the public telegram

channel War Gonzo. And I've then pulled across a couple of different um uh sources for it to look at by looking at

um t.me but also uh any of the way back machine looking at telegram metrics etc etc.

Bottom left you can see one of the constraints do not claim complete coverage if it's not available. I'm

telling it like not to lie. I've given it its objectives. So build a timeline, identify major major themes, track

changes, note propaganda patterns, and this is how I want it to appear. I want an executive summary, a timeline,

historical message, reconstruction, etc., etc. And that's using chat chat GPT to come up with a prompt. Um, really

useful for looking at a telegram without any, you know, u additional su additional tools.

Another really good platform out there is overpass turbo. So, Overpass Turbo brings in data from

Open Street Maps um but allows you to query the data sets in ways you can't do it elsewhere.

So, for example, um using Open Street Maps, it may have identified CCTV cameras. By asking chat GPT to generate

a prompt for Overpass Turbo, um it will come up with that prompt for me. And you can see how I've entered that in the box

to identify CCTV cameras. So, I'm using chat GPT to create the prompt for another platform. And that's also a

really good way of using AI to speed up your your open source intelligence investigations.

We can also use it for exploiting social media. So, here is a um uh a prompt for exploiting Twitter. Um in this time, in

this case, we're looking at COVID 19 and scandmic. and we're looking for related discourse looking for miss this and

malinformation around COVID. So the task that I gave chat GPT was to generate a highly effective boolean search query

and that's exactly what it did. It came up with the the different keywords, the different hashtags, different themes um

and it generates uh all of these prompts for me. I can then just copy that, paste it into Twitter and conduct, you know,

my investigation from there. Again, I'm not having to use any other platforms, but I'm using chat GPT to create that

detailed boolean search query for me. Google Maps is another really good example.

So, uh, within Google Maps, you can create KML or KMZ files for visualization within either Google Maps

or Google Earth. And in this case, I wanted it to go off and collect information on the Russia Ukraine

conflict. collect any event data that's got latitudes, longitudes, locationational data that I can then put

in to Google Maps and visualize it myself. There are fantastic tools already out there that do this. Live UA

maps, gorilla maps already do it, but I wanted to do it myself and see how that would work. So, the input data would

include things like CSV files, JSON files, Telegram posts, etc. But it allows me to pull all that information

and visualize it myself within Google Maps. So in terms of some tips I've come

across over the past couple of years when it comes to using AI the first one is ask for confidence

scores. As we know LLM hallucinate and we can only reduce that as low as reasonably practicable. But by asking

for a confidence score we are kind of giving ourselves an idea as to whether there is a a chance that it has

hallucinated at any point. The other thing I would do is use the professional head of intelligence analysis's

probability yard stick. If you don't know what that is, Google it. Um, but it's a professional intelligence um,

language that we use in the UK for conducting intelligence analysis. So, every keyword has got a percentage next

to it, almost certain, highly likely, um, etc. And it allows us as the analysts to read

the output of an LLM and decide how much weight it's giving to that particular statement.

By providing stacked prompts, we're telling it to to do certain things uh in in a certain way. So I want you to

conduct this type of collection and then conduct this type of analysis and then conduct this type of output. By stacking

those prompts, you're going to get a much better refined product at the end of it for use within else uh you know

other products. Another way to reduce hallucinations as low as reasonably practicable is to

demand citations and provide direct quotes from any source material that it identifies. Always always check the

citations and always check the quotes. Uh it can still hallucinate but again it does reduce the risk that that will

happen. Do not lie and do not guess. Be really explicit. Um, people quite often say

thank you to an to an LLM when it provides an answer, but you can also be quite direct when it comes to the

prompt. Make it clear. You cannot lie. You cannot guess. And this is where I'd say you can infer. And if you do infer

or make a deduction, use the probability yard stick to back up your reasoning and provide your reasoning. I want to see as

the analyst how the LLM has come up with the answer. So looking at um a couple of quick case

studies. So within uh black dot solutions we use something called Federas automate. This

allows the analyst to do a very minimal input. Um that could be something as simple in this case as Iran and a very

simple prompt create a risk profile uh on Iran and the Middle East. Behind that prompt, the uh the black dot

solutions have created uh a playbook, a workbench that that kind of goes away and collects information in a certain

way. It will go off and collect an executive summary and it will then conduct analysis in this case in the

pestal framework political, economic, social, technological, environmental and legal, a recognized framework used by

intelligence analysts around the world. But the analyst, the user of the platform doesn't need to know any of

that. All they need to do is put in a very basic prompt and it will go off and collect that information. The key thing

here is that means it's a low bar to entry. Any analyst can go off and do this uh using a very simple uh simple

prompt. It reduces the cognitive load. Analysts especially open source intelligence

analysts are subject to such a large cognitive load when they're doing their investigations. anything we can do as a

platform to reduce that means that that focusing on the analysis not the collection and this means we can be

really responsive to the geopolitical climate. I spun this uh this playbook up within a couple of days of the Iran

conflict and already we're producing detailed reporting entity extraction and relationship mapping across uh across

the entire g geopolitical climate of Iran. So, where does AI fit in?

AI fits in within complex investigations. If you're having to do a lot of investigation work and your um a

large part of that is scoping that initial steps, you know, is this something that should be in my

investigation or not? AI can help analysis. Uh AI can help with the analysis of that and kind of conduct

that triage for you at the very beginning of an investigation. any kind of enhanced due diligence. We

can do consistent and repeatable EDDD reports that allow you to focus on the analysis of it rather than with that

collection. It allows that human oversight uh and insight at the end of the process to to look through and make

sure that the the enhanced due diligence report is accurate. any kind of screening and monitoring

whether we're looking out to external data without losing key investigative time again allows the analyst to focus

on the analysis not the collection and any investigation that requires efficiency scalability and accuracy AI

can come in and enable the analysis of the analyst to speed up their investigative process which allows them

again to focus on the analysis and I'll keep saying that it's quite quite So what is the future of open source

intelligence? I honestly believe that artificial intelligence is not um replacing uh the

process. It it it's redefining open source intelligence by revealing processes that can be sped up through

the use of artificial intelligence. I think we are going to see an increased recognition of open source intelligence

alongside traditional intelligence disciplines. We will hopefully see the continued use

of human analysts in the center of investigations and artificial intelligence tools

expanding across open source intelligence allowing organizations to fully achieve um open source

intelligence's full potential. Still we are using manual processes for uh verification of uh geo intelligence

and again that's something I think AI will will speed up this year and allow us to focus on but the output of that

not not the process itself. That is everything from me. Um that's my my LinkedIn. I'm not sure why the book a

meeting QR code hasn't loaded up but but there we go. Uh and we've got the email address uh at the bottom there. So, feel

free to take a screenshot, take a photo. Um, I'm not sure how we do questions, but if you've got any questions, um,

feel free. Okay. So, one of the questions that uh we've had in is uh how do we prevent

sensitive data from not being used by the LLM for future training? Is it possible? Yes. Yes, it is. So within

black dot solutions, our LLM is purely static in terms of what it's interacting with uh within the within the platform.

So no data is being sent back anywhere. So LLMs can be hosted within um segregated parts of AWS infrastructure

for example. Um so it's no longer it's no longer out there in the wild. So it's not it's not collecting data in the same

way that um your your normal user going on to chat GBT and putting in a search query that information is stored

uh stored by by OpenAI. So uh so yes yes it's definitely possible. Um it's better when you've got

it hosted in your own infrastructure. Um, ultimately I go back to the the standard phrase that if you're not

paying for it, then you're the product. So, generally with these LLMs, if you're paying for it, if you've got some kind

of organizational, you know, business um uh membership of that that particular platform, it allows you to to to be

confident that your information isn't being sent off for for further training. Uh hi Chris uh you can see the Q&A in

the comment section like just click on the comments button and there you will see all the Q&As.

>> Okay. So, another question is. Oh, I need to might be lacking.

Sorry, I'm just trying to get the comments up. Cool. Okay. So, um

uh do we just need humans for accountability since AI can predict tonality and truthfulness?

Um really interesting question. Yes, we definitely need humans for accountability in terms of um tonality

and truthfulness. I've seen a lot of platforms talk about sentiment analysis and a lot of

platforms talk about narrative analysis. LLMs are fantastic at doing narrative analysis.

LLMs are not so great at doing sentiment analysis. And I'm very hesitant when I hear a platform talk about sentiment

analysis because LLMs may be good at picking up tonality,

but sometimes they fail at looking at satire. So, um, you you definitely still need the human

in the loop for for that company. Uh okay. Uh Sabiri, please tell me more about your company services. Yeah, so

Blackot Solutions uh provides access to a piece of software called Veraris. Uh Videras is a social media uh sorry a

social network analysis uh centric platform. So we look at entities, companies, organizations, social media

channels uh and pull actionable insights from there. Um, feel free to drop an email uh and we can sort out a demo.

Uh, oh, Deepseek. Yeah, Mr. Anonymous 5107. Um, Deepseek is I I I left Deepseek off

the the list. Um mostly because uh within the UK especially in UK intelligence

Deepseek is just not um a a suitable platform to to use the uh if you go into deepseek and ask it for TM and square

for example you will get a very interesting answer um compared to other platforms

uh and it and it's subject to a similar kind of bias process as Grock. So, um, I'm very loathed to use an LLM that that

has inherent biases built built into it. Uh, narrative frame.

Yeah. Uh, so Drew Rex, um, interesting question about narrative framing, um, narrative framing of conflicts evolving

since the rise of LLMs. So, not not necessarily with regards to the LLMs, although we've seen, you know, the

ability to push out uh AI created um news articles um has massively increased, I think, over the past couple

of years. Uh there have been some stats that have been cited that have been wrong in terms of how much content is is

AI generated at the moment. One of the things I did notice um particularly during the Iran conflict, the early days

of the Iran conflict was the amount of um AI generated Instagram accounts that were pushing

pro-Iranian material um uh predominantly around um Iran's

military uh prowess. And I think that's um that's really interesting thing that's that's happened. We've also seen

as well uh all of the Lego videos that have come out of Iran um for focusing on the United States. Uh all AI generated

obviously um and that's just an interesting an interesting way of using AI during a conflict um

targeting the reputation of of the United States. Um any other questions?

Cool. Uh, I'll just give it another couple of minutes. Uh, Dj, that's all right.

Okay. So, thank you Chris. Uh that was really a very informative talk on how AI is being like how AI is

implementing by option industry and how like we can use AI in our workshop. So, thank you again for joining us and

giving us your valuable time. Uh thanks again. Uh we will see you sometime in future.

>> Thank you very much. Have a good So time for our next session. So now I

would like to introduce our next speakers and shank. Both are a highly respected

ocean and cyber security researcher. Together they will take us into the world of maritime ocean exploring AIS.

So let us welcome Shager and Suang on the stage. Hi everyone. Hello.

So we just start with the very basic things like a few years ago if somebody wanted

to track a ship in the middle of a ocean, right? So they would need access to a very high-profile things like the

government systems, military sensors or even expensive satellite imagery. But today a researcher with a laptop and a

internet connection and with the right methodology which we are going to discuss can do something remarkably

similar. The maritime oent has transformed the ocean from one of the least visible environment on the earth

to the rich source of intelligence. So in the next time we are going to take a deep dive into how ships communicate,

what they unintentionally expose and how we as investigators can use that information to uncover activity be

beyond oceans and that is where our talks comes into play beyond AIS a practitioners verification chain for

maritime. But as we say with great powers come great responsibility. We would like to give some disclaimers

first. So the disclaimer one is that the content discussed on this platform is

meant for educational purpose only. So the misuse of any information herein shall be the sole liability of the

abuser. Disclaimer two is that this talk bears no authorization from speaker's employment. Having said that we would

just go further. >> Uh thank you Shoubam. So like before we start now just understand and take a

step back to look at like how things started. Well, initially it was we are just cyber security enthusiast guy. We

didn't know much about the OSEN. Well, one day we decided to form a CTF team and we started to play competition. At

that time we were playing the online CTF Devcon competition about the maritime uh OSEN and it started to you know the

challenges started to peak our interest. It started to peak our curiosity and something that sprinkled in our mind

that you know something strange is happening and that's where we started to looking more deep and deep into it and

that after that one thing lead to the another and with this curiosity we ended up with a maritime OENT. Now before we

move forward let's clear the agenda first. Now in this talk we're going to deep dive into the parts of how maritime

works. How we are going to track the ships using the EIS as well as we are going to look into the satellite based

EIS. We moving forward to the VSAD CCDV cams and looking into the different resources. The thing is that we need to

make sure that this is not just about the tools. We are going to look into the technique itself because the technique

is what make an ocean practitioner, analyst or a researcher different but we are have to focus on the techniques what

different techniques we can use. So in that way we are moving forward leading to that a short introduction of who I

am. So my name is Saga Diwari. I'm working as an independent cyber security and ocean researcher for the past five

to six year. I'm an enthusiast guy. I'm working with independently with lots of firms including the threat coast,

Maligo, Vicarius and dozens of other firms and with them I have published over 250 articles on cyber security

threat intelligence as well as on the OEN together with Shubam Kumar upon this uh research and training team F society

double O and together we have honored to share the stage of around 30 plus international conferences including the

science open summit activity PH talks and various other over to you Shban. Um so I'm Shbank Kumar and currently I'm

a senior security analyst and uh just like Saga I'm an OSEN enthusiast here just like all of you and moreover a

cyber security evangelist. So together with Saga we have presented a lot of research ranging from science to PH

talks and uh we really love this field and with that we will love to go further and that is the table of contents in

order to make you understand like how we are going to delve deeper. So we will start with the first things that is what

is OSENT we'll try to understand the importance of it and then we will del into the level three that we define as a

basic that is AIS because if we are going from beyond the part we need to understand what it is and then we will

go into the SAT AIS and the human layers and case studies and VSAT and with that we will end the part of the conclusion.

So having said that we'll move forward and that's is the very basic and that is the ops. So even before you start any

investigations you need to you know harden your own machines and yourself too and that is where the first part

comes in that is the sock puppet accounts. So soft puppet accounts are very important because they intend to uh

help you create an identity, help you to protect yourself. How you can do that? You can create your own similar as they

say that fake social media accounts your burner email identities or you can also utilize alternate profiles or forums for

create an alternate identity of yourself. What you can use? You can use uh platforms such as temp main or you

can generate your fake identities by fake identity generators that is where you can also utilize since now AI images

farther that possible you can create GAN images for your localized uh accounts and you can utilize during your own

investigations because they are very much necessary for your open-source intelligence that is there or threat

intelligence or undercover uh or even undercover journalism that you are going to proceed. Then we'll move forward with

a further part of it and that is the basic the VMs the OS that are very much designed to help you during your own

investigations. One of them that we like other than uh TS OS is HUNX. So Hunx is also a privacy focused operating system

which is made to help you improve your anonymity. So as you are gathering further and dwelling deep down into your

own investigations whether it be tracking vessels whether it be trying to uncover any operations out there you

need these oss because they have built-in securities whether it be proxy chains in themselves right so that is

where we widely use during our own investigations so how it is is that its uh it prevents basically your IP

leakages which are there it has a very good compartmentalization. That is a part and it also helps you to

protect unwanted application mistakes which you are continuously opening because as they say whenever you are

delving deep dive into an internet you are leaving footprints that is how you can reduce a bit of them and they are

very much useful for your high risk investigations. Moving further,

we will have something that we uh traditionally utilize a lot and that is a remote browser isolations. They are a

very good ones because there you can access the resources from your web browser which basically runs on your

remote server or even a cloud container that is totally segregated or isolated from your own machine that is out there.

How it is? because these are just uh remotely isolated uh parts. So it is a safe visual information that you can

pull from different web pages and also you can sanitize your own environment during that process. So it helps you to

uh uh be protected from malicious website or even the tracking uh parts of the cookies even themselves or even the

fishing page or malicious scripts that are continuously running tracking you. And having said that once we have

gathered and cleared all our bases from these objects ranging from your sockent to your OS and to your browser

isolations we can move further now and that is the part of maritime oent. So OSENT is what? OSENT is the ability

and more of a art that we would say that enables you to collect, analyze and disseminate the information that is

publicly available to you. These informations can range from your newspaper clips to even the parts of

your social media profiles. So uh taking everything into account it helps you to form a bit of a information part there.

Now when we are dealing with maritime domains whether it be shipping fishing or even the deep research vessels or the

nots which are generally proposed by different governments that is where maritime posting comes into play because

you can now use all these techniques in order to mar uh in order to monitor it. So how does it do? It ranges from your

AIS which we have defined and we will be defining further to the satellite imagery that you have observed to the RF

or the RF or the signal intelligence that we do have and moreover the global records from which we can uh get the

realtime operational picture of the world ocean. Now the further the part where is important.

So as we said and you know much more further that ocean covers basically 70% of our planet right it's vast it's

remote however if you do understand that most of the global logistics flow through your ocean itself that is almost

90% of it and some of these news that you can see here whether it be the rightmost corner of it right whether it

be the homos summary for mariners. This is a very recent

event that happened and is continuously affecting us because it is thus uh it is affecting the global economics

altogether and ranging from not just that to the cyber uh cyber operations that are continuously taking place in

other than that part is a product tanker hijack of Yemen. So there are multiple piracy operations that are continuously

going in which uh drives to through various government organization where different ships and vessels are

continuously hijacked and they also cause a lot of loss in the global chain operations and that is where maritime

motion gives you a very good power in order to understand what is happening where it is happening and how you can

track it. So you can contribute to a much more operationalized safety of our oceans and to our nation itself. And

moving forward now we will take a deep dive into the key importance and for that we have S.

Um yeah so like Shbam has already discussed the key case studies that are being happening the global conflict that

are continuously running show us that that is the need of an R to look into the maritime ocean in a great

perspective and here we'll be discussing the few key importance factors the first as Shubam has already mentioned that 70%

of the entire trade is happening through the seaw routes only which is include the crude oil the logistics the

transportations the cargo and in different formats so it is help it is very much important to track and

identify any kind of illegal illicit activities or maybe the piracy operations that might be happening and

to continuously perform the surveillance to in the international or the territorial waters. So every country,

every nation has their own international water regulations and they need to make sure that the boundaries are in

particular checks, all the kind of activities, all the kind of vessels movement should be in a particular order

to have the particular kind of you know swift trade movement again any sort of uh maybe the destru disruption of the

movement like we have seen because of the conflicts it's always happened that some of the some of the other states is

getting blocked and the global trade might get affected apart from the war scenarios. One of the key factors for

the maritime oent is the environmental protection as there are lots of oil spillage cases or maybe illegal fishing

that is might be happening. illegal fishing in lots of perspective. We are going to cover in subsequent slides that

might be happening and that is also helpful in when we are talking through the perspective of the maritime ocean.

And for the last is the search and the rescue operations that is happening because maritime ocean give you the real

time feed. These time feeds helps you to understand that because you know in a search and rescue operations timing is a

is a very critical moment and every second counts in that matter. So having data in the emergency sections which is

flow through the navex codes like you know these are being the broadcasting codes. So search and description can be

performed in a very quick and quick manner. Moving forward we have like before we you know delve into the

working we'll just cover some basic terminologies that we are going to hear in the subsequent slides. And as you can

see that ships has because ships are like the giant ICS floating because they have lots of internet connectivity, lots

of radio bands connectivity because they they want to be like working it's like a computer computer that is working in

floating a 300 uh gross tonage ship. So starting with we have the very first and the most pivotal is that is the AIS or

the automatic identification system. So basically these are the transponders that are being regulated to transpond

and broadcast certain messages that includes the ship name, the number, the identities, the gross tonnage of the

ship from where it was traveling from where it is going as well as in some cases the recent port calls. We're going

to discuss AIS further on moving forward. The next is the VSAT or as we call the a very small aperture

terminals. So basically these are like the regular satellite dish that we have on our homes and house structures and it

is important for these vessels to connect to the re internet. So all the marine ferals are there they can use and

connect to the internet for that visa terminals are very important. We're going to understand how it is important

from the perspective of maritime investigation. Now coming forward to the third part that is the IMO or the

international maritime organization. So IMO is a unique specific number that starts with the three digit of IM O and

followed by the seven-digit number like 1 2 3 4 5 6 7. So the entire number would be IMO 1 2 3 4 5 6 7 M. This

number is unique and related to a particular vessel. It means that once this number has been assigned to a

particular ship, it's going to remain for them till till the end life cycle of the vessel. Moving forward, we have the

another identity number that is called the MMSI or maritime mobile service identity. It's a nine-digit number and

the first three digit like for example the nine digit would be 1 2 9 and the first three digit 1 2 3 represent the

MID value or maritime identification digit value. Well, this value do change if a vessel decides to flow under a

different flag and under a different organization maybe for a certain time period is being flowing for the country

A and for after certain time period it's flowing for country B it might value is going to be changed. So the very first

and pivotal difference between the IMO and MMSAI number is that where IMO number is meant to be constant for the

entire life cycle, MMSAI number can be changed if a vessel flows under different organization name, country as

and follow on. The call signs are used to understand and identify the ships as a radio operator. So every call sign

helps to identify like a telephonic uh identification for the uh ships to broadcast the messages. So if they have

a inter ship to ship communication or ship to show communication they can identify each other. The hull number is

like a identifying number that is presented on or painted on the hull of the ship and it is used to identify a

particular vessel specifically if you're talking about the military or the government ID vessels. It is used to

identify because every vessel operated by the world governments do have a hole number. So it's easy

identific identify that level. Moving forward we have and let's take a deep dive into the what is AIS. So basically

AIS works on the VHF maritime frequencies under the NMEA0183 sentence structures and it uses the time division

multiple access protocol. The operating frequencies of AIS is 161.975 MHz and 162.025 MHz. The message are being

broadcasted upon 2 to 30 seconds depending on the vessel's pay status. And when the message has been

broadcasted they have the IMO number of the vessel they have the MMSA number of the vessel they have the call send as we

have seen as well as the recent port call. So it is there being broadcasting in any receiver which is has the AIS

based decoder can decode those messages while these number are being broadcast in the open frequency. So one within

just an amateur radio kit can decode and learn this messages. Now we're going to look at some of the commercial AIS

aggregation platforms. So um if you have been familiar with the marine vessel vessel finder these are quite famous

one. So every uh platform that uses the AIS as a backend technology do have its own strengths and do have its own

limitations. So how these structures work is that these are the global centralized structure which is used by

the third party business application. So every receiver around the world receive these AI signals on 165.975 MHz or

162.025 and 025 MHz decode these message and vine API sent sent to a centralized hub where we can see the ships in the

different formats. So the vessel finder marine message traffic or marine traffic all the ships as we can see in the

different color codes that uh tells the DV flag of the ship like are they tankers are they cargo ships are they

private ships or maybe passenger ships maybe government operated. So every uh color decoding tells us what kind of

ships are we looking at. But one of the biggest problem is that with the business model of the AIS ship

is that they are behind the business model like you know you have to pay a subscription fees to get the access of

all the data and that's where the open source platform like EIS hub comes into the picture. Now the biggest problem is

that certain data that could could be important for the investigation purposes or important for the research purposes

might be hidden behind these pay walls. So for that the AIS hub like platform is quite useful because AIS hub gives you

the direct access of the receiver that is receiving this data in in a way when a receiver is receiving this data and is

being decoded in the real time you get the data. So you are accessing directly the receiver antenna kit. So AIS hub is

quite useful because you know you can see from which direction the ships are coming in the entire statistics of the

data how much packets are coming in what those those packets include. So even if some kind of information is being

fabricated as uh described in the commercially aggregate platform you can check this verified this data through

the AIS because as an OSEN practitioner it is always important to look through the different sources of the data not

just believe on one source of the data and where this a service could be quite useful moving forward looking at like

decoding these signals using your own SDR equipment. So you can just have a simple RTL SDR with a web antenna and

the particular decoders in the set. You can use the SDR platforms like you can use radio or you can have VK SDR or

maybe open web RX or KV SDR as uh as required and you can tune it to the AIS frequencies of 16.975 MHz or 162.025 025

MHz and then you can start decoding these signals. In this time you are receiving those signals on your own and

then decoding it and we can see the IMO number, MMSI number or the call sign and includingly you also have the latitude

and longitude that the geographical coordinates and you know in what position the ships are coming from. Now

the biggest problem is this because we are receiving from the land. This is basically the terrestrial AI signal that

we are receiving. It has its own restriction that we cannot listen to the lots of signal that is ranging from a

very long distance. So like 20 to 40 nautical miles that's the basic limitation that we going to listen to

it. Another kind of problem or constraint that do happens is the atm atmospheric interference because the

signal quality might decrease when the signal is being flowing through a very long distances as well as what has

happened is that data dduplication also happens on the receiver resources. So it needs to be happen that it needs to be

dduplicated before it is being sent and analyzed for the research purposes. Now that's where we are talking about

the terrestrial AIS coverage limitation. So as we can see in the image that the ships has a has a big gap. So if the gap

is like 50 or 100 nautical miles because the limitation for this uh this AIS terrestial signals are like 20 to 40

nautical miles. So distance before that the problem is that you cannot might hear the right data or maybe you might

not even know that there is something else in the ocean in that particular area above 100 nautical miles that's

where the limitations comes in and for that the satellite based EI signals do happen so like in the remote polar

region when there is a limited infrastructures because it all depend upon the individual receivers that are

being placed around the globe that is listening to this particular frequency and then then decoding the data and

providing to maybe the centralized here marine traffic vessel finder or maybe the EIS or even if it's you get into

that those places and put your engine and set up the SDR setup to receive those signals then you can might listen

to those signals but apart from that listening through then open source part of the terrestrial AI signal it's not

possible and that's where the satellite AIS comes into the picture the satellite AIS basically generally use the lower

earth orbit satellites to collect AIS transmission so it's a collection of multiple satellites that do happen

because maximum the VHF happens in the line of sight communication the terrestrial areas but instead of that

satellite just receive those signals and broadcast it and these are satellites are being orbiting around 400 to 800

kilometers above the earth and for thousands of nautical miles they can spread the data around it. So how it is

being useful is that it uh the substantial fees that is being covered by the platforms this is one of the

problem because you cannot might you might not found satellite a data on the commercial aggregator platform. So that

is one of the biggest challenges that the investigator faces. Now let's understand that how the satellite AI

basically works. So let's say that these ships are being sending the AI signal to the satellite that is that is just

receiving. It might hold the data. It might just rebroadcast this data to the satellite station that is on the ground.

It might be thousands of nautical miles away. On the this satellite station get the data. It tells to the ground station

and then it distributed to the broadcasting near to the ship and ship or ship to shore communication. So these

ships that are being so far away in the vast oceans they might know that where the ship is particular position is and

instead of depending upon the terrestrial areas data they are being depending upon the satellite based

system. So that is about like how the AIS work. Now let's move forward to the vis.

Now uh now we have started with uh the basic hunting right that we have reached a point where AIS is no longer helping

us as Saga said that AIS does have its own limitation. So as investigators we do need another source of information

and that is where VSAT comes into play. Now VAST stands for very small aperture terminal and it acts as a ship's

internet connection while it is at at sea. Now think about this for a moment because all of the ships that we do have

they also they will require internet access whether uh it be for the crew connectivity that is out there or giving

an update to the headquarters themselves about their own locations or whether it be downloading important logs. So even

when the AIS goes into silent these communications needs to continue and that is where it creates a a opportunity

for us to utilize something known as VSAT. Now a VAST is basically a terminal communication that utilizes the helps of

satellites and where the satellite basically relays this information or the traffic back to the ground station when

they are connected to the internet. So most of the uh maritime providers that we do have basically utilize two types

of frequencies whether it be the KU band or the KA band communications and each provider basically deploys a slightly

different equipments altogether but from this intelligence perspective we need to understand that we need to

care about the fingerprints that they are creating. So what does it do? It helps to provide you the voice over

phones back to the shore navigation that we do have or the remote monitoring of the u ship's engine that and the various

systems that are linked to it. So as Saga said that ships are more like a giant floating IC in themselves and that

is where the part is. Now we'll move further where we will try to understand the key

technical points that we do have. First of all for um VAST itself we need a geostationary satellite that needs to be

connected right they needs to transmit the data that we do have there needs to be a stabilized antenna that we do have.

So the VSADs are basically like slight antenna dishes that you have in your homes and these are basically rotatable

and uh since they are rotatable they are particularly aligned with the satellite they are linked to continuously and

since they're utilizing the frequencies of KUK or even the C bands that we do have because different vendors will have

different part so it provides a reliable communication out there whether it be from the 12 to 18 GHz or 25 to 40 GHz

altogether. Now there is a part of the latency too because the signal travels a lot of these distances up to the

satellites. So it does create a bit of a latency whether it be from ranging from 500 to 700 milliseconds as other than

that we have something as called as implemented into is BU or LNV. Both of these what you can think about is that

they amplify the signals out there itself because if you are getting the low signals or there are lot of noises

they basically cancel out each other amplifies your signal all together and that is where the communication be far

more reliable than you can expect into the vast remote ocean even where the AIS is not working at that having moving

forward with that part we will utilize something called as for the VSAT communications that we do have. Now what

the strategies you can utilize these are basically the dashboard that you can see in front of you. One it says of a

Cobbahham one. So, Kobaham is one of these V vendors for these VSAT communications that are deployed on the

vessels or the ships that we do have and it provides different kinds of information ranging from your location

to your positions to the frequency being utilized to even the speeds that we do have and it provides different other

functionality depending on the level of the access that you do have. Now since all of these uh vat we are much more

interested in the fingerprinting of it. Uh so that is where we are going to utilize different techniques. So we are

going to understand about the banner analysis that we do have or even the port scanning. So different platforms

ranging from shenan to census they basically systematically catalog all of these dashboards into themselves and

there you can utilize your techniques such as banner grabbing in themselves because all of these dashboards the VAT

one for example the kobahham one will have something as cobraham and the version written into it whether it be uh

the 600 or 900 different series of Having goes further.

Yeah. So going further you can see there is a part of the ocean that you can utilize and see. Now once you have