wiki.fftac.org

Enhancing 2Ia For Civil Libertarians - Source Excerpt 04 - Combating Tactical Network Interception: IMSI Catchers


Summary

This source excerpt begins near Combating Tactical Network Interception: IMSI Catchers and preserves the surrounding evidence from 2IA.org/agent-file-handoff/Archive/2026-05-17-civil-liberties-overhaul/Improvement/Enhancing 2IA for Civil Libertarians.md.

**Source path:** 2IA.org/agent-file-handoff/Archive/2026-05-17-civil-liberties-overhaul/Improvement/Enhancing 2IA for Civil Libertarians.md

To automate and scale the detection of these asymmetric threats across the 2IA network, analysts must heavily leverage the Mobile Verification Toolkit (MVT).26 MVT is an open-source, Python-based modular tool released alongside the Pegasus Project.26 Installed via standard package managers (pip3 install mvt or uv tool install mvt), it decrypts encrypted iOS backups and parses system databases against known public Indicators of Compromise (IOCs) formatted in STIX2, generating exhaustive JSON logs of forensic traces.26 However, 2IA must acknowledge the limitations of public IOCs; relying solely on open-source indicators can provide a false sense of security against novel zero-day exploits. Therefore, 2IA must establish deep intelligence-sharing networks with specialized civil society groups and the Access Now Digital Security Helpline to acquire non-public threat intelligence telemetry.26
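As an added illustration of the matching step described above (this is not MVT's own code): a minimal Python routine that pulls simple STIX2 indicator patterns out of a constructed bundle and checks constructed backup records against them. The bundle contents, the record field names and the placeholder domain and process values are all assumptions; only single-comparison patterns of the form `[object:field = 'value']` are handled.

```python
import re
from urllib.parse import urlparse

# Constructed STIX2 bundle with placeholder values; these are not real indicators.
STIX_BUNDLE = {"type": "bundle", "objects": [
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000001",
     "pattern": "[domain-name:value = 'placeholder-c2.example']"},
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
     "pattern": "[process:name = 'placeholderd']"},
]}

# Constructed forensic records in the shape a backup parser might emit (fields assumed).
RECORDS = [
    {"source": "safari_history", "url": "https://cdn.placeholder-c2.example/x"},
    {"source": "safari_history", "url": "https://news.example/article"},
    {"source": "processes", "name": "placeholderd"},
    {"source": "processes", "name": "launchd"},
]

# Only simple single-comparison STIX patterns are supported here.
PATTERN_RE = re.compile(r"^\[(?P<obj>[\w-]+):(?P<field>[\w.]+)\s*=\s*'(?P<val>[^']*)'\]$")

def load_indicators(bundle):
    """Extract (object_type, field, value) triples; non-indicator objects and
    unsupported compound patterns are skipped rather than mis-parsed."""
    iocs = []
    for obj in bundle["objects"]:
        if obj.get("type") != "indicator":
            continue
        m = PATTERN_RE.match(obj["pattern"])
        if m:
            iocs.append((m["obj"], m["field"], m["val"].lower()))
    return iocs

def domain_matches(host, ioc_domain):
    """True when host equals the IOC domain or is a subdomain of it."""
    return host == ioc_domain or host.endswith("." + ioc_domain)

def scan(records, iocs):
    """Return (record, ioc) pairs for every record that hits an indicator."""
    hits = []
    for rec in records:
        for obj, field, val in iocs:
            if obj == "domain-name" and field == "value" and "url" in rec:
                host = (urlparse(rec["url"]).hostname or "").lower()
                if domain_matches(host, val):
                    hits.append((rec, (obj, field, val)))
            elif obj == "process" and field == "name" and rec.get("name", "").lower() == val:
                hits.append((rec, (obj, field, val)))
    return hits
```

The subdomain check matters in practice: an indicator for a parent domain should hit traffic to its CDN host, but not a lookalike that merely ends with the same letters.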

### **Combating Tactical Network Interception: IMSI Catchers**

While advanced spyware attacks the endpoint software, state actors concurrently target the localized telecommunications grid using Cell-Site Simulators (CSS), colloquially known as Stingrays or IMSI catchers.27 These portable surveillance arrays masquerade as legitimate mobile carrier towers, transmitting signals that force all cellular devices within a specific geographic radius to connect to the rogue equipment.28 Once a connection handshake is initiated, the CSS logs the International Mobile Subscriber Identity (IMSI) and IMEI hardware numbers of targets and countless innocent bystanders, pinpointing physical locations with devastating accuracy and occasionally intercepting unencrypted control data or call metadata.28

To monitor, map, and aggressively defend against the deployment of IMSI catchers—particularly critical when 2IA journalists meet with sensitive sources or monitor political protests—2IA operatives must deploy open-source detection tools such as Rayhunter.29 Developed by the EFF, Rayhunter disrupts the traditional paradigm of CSS detection, which historically required expensive software-defined radio (SDR) rigs or rooted Android phones vulnerable to exploitation.29 Instead, Rayhunter is engineered to operate natively on modern 4G networks using inexpensive, off-the-shelf Orbic mobile hotspots (widely available for under $20).29

The technical ingenuity of the Rayhunter deployment lies in its real-time, non-intrusive analysis of the signaling control traffic exchanged between the mobile hotspot and the cellular base station.29 The software strictly monitors baseband protocol behaviors without intercepting the user's underlying web traffic.29 The system algorithmically flags suspicious network anomalies indicative of an active CSS deployment. These events include a base station abruptly attempting to downgrade the cellular connection to an insecure, legacy 2G network (a common tactic employed by older Stingrays to bypass modern cellular encryption protocols) or a base station repeatedly requesting the device's unique IMSI number under irregular network conditions.29

Operating via a highly accessible visual interface on the Orbic device, Rayhunter displays a green (or blue) line during normal operations.29 If an anomaly is detected, the line turns red, simultaneously logging the event into an industry-standard PCAP file format stored locally on the device.29 2IA security personnel can subsequently download these PCAP logs via a local web interface for deep packet inspection, allowing them to map the operational deployment of state surveillance gear and immediately advise targets to power down their mobile endpoints to preserve operational security.29
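An added example, not Rayhunter's own code, showing how the two heuristics described above (a forced redirect to a legacy 2G network, and repeated IMSI identity requests) can be expressed as detection logic over a constructed signalling event log, with the green/red status derived from the result. The event kinds and field names are assumptions rather than Rayhunter's real schema, and a single IMSI request on first attach is treated as normal, which is why a threshold is used.

```python
from collections import deque

# Constructed event log; field names are assumed, not Rayhunter's real schema.
# Each event: (seconds since capture start, kind, detail)
EVENTS = [
    (0.0, "attach_accept", {"rat": "LTE"}),
    (12.0, "identity_request", {"id_type": "IMSI"}),
    (13.5, "identity_request", {"id_type": "IMSI"}),
    (14.0, "identity_request", {"id_type": "IMSI"}),
    (30.0, "rrc_release", {"redirect_rat": "GERAN"}),   # GERAN is the 2G/GSM radio access network
    (31.0, "attach_accept", {"rat": "LTE"}),
]
BENIGN_EVENTS = [
    (0.0, "attach_accept", {"rat": "LTE"}),
    (5.0, "identity_request", {"id_type": "GUTI"}),    # temporary identity, not the IMSI
    (60.0, "rrc_release", {"redirect_rat": None}),
]

LEGACY_RATS = {"GERAN", "GSM", "2G"}

def analyze(events, imsi_threshold=2, window_s=60.0):
    """Return a list of (timestamp, reason) alerts.
    - any release/redirect towards a legacy 2G RAT is an immediate alert;
    - more than imsi_threshold IMSI identity requests within window_s seconds is an alert."""
    alerts = []
    recent_imsi = deque()              # timestamps of IMSI requests inside the sliding window
    for ts, kind, detail in events:
        if kind == "rrc_release" and detail.get("redirect_rat") in LEGACY_RATS:
            alerts.append((ts, f"downgrade to {detail['redirect_rat']}"))
        elif kind == "identity_request" and detail.get("id_type") == "IMSI":
            recent_imsi.append(ts)
            while recent_imsi and ts - recent_imsi[0] > window_s:
                recent_imsi.popleft()
            if len(recent_imsi) > imsi_threshold:
                alerts.append((ts, f"{len(recent_imsi)} IMSI requests in {window_s:.0f}s"))
    return alerts

def status_colour(events):
    """Mirror the device line: green during normal operation, red once an anomaly is seen."""
    return "red" if analyze(events) else "green"
```

Thresholds and window sizes need tuning against benign captures from the networks actually used, since roaming and initial attach can legitimately trigger an IMSI request.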

## **The 2IA OSINT Verification Engine: Transforming Data into Intelligence**

An intelligence apparatus is only as valuable as the veracity, depth, and actionability of the information it curates and publishes. In an era saturated with sophisticated disinformation campaigns, digitally manipulated media, and immense volumes of fragmented public records, rigorous Open Source Intelligence (OSINT) verification is paramount.30 The challenge for 2IA analysts is no longer data scarcity, but overwhelming information overload.30 Manually analyzing data scattered across the surface web, deep web databases, dark web forums, and disparate corporate registries introduces critical operational delays, degraded intelligence quality, and analytical blind spots that allow threat actors to exfiltrate assets before exposure.30 2IA must establish a formalized, heavily automated OSINT verification engine.

### **Advanced Geolocation and Image Forensics**

Verifying the physical authenticity and context of visual media provided by anonymous whistleblowers requires a disciplined, multi-layered forensic workflow.32 2IA investigators must initiate the process by examining the digital provenance of the file through automated reverse image search engines to isolate the earliest index of the media on the internet.31 Subsequently, metadata extraction via ExifTool is employed to uncover hidden coordinates or creation timestamps, while acknowledging that sophisticated adversaries may intentionally spoof EXIF data.32 To detect subtle digital manipulation or composite imagery, analysts must employ Error Level Analysis (ELA) using platforms like FotoForensics. ELA computationally highlights discrepancies in image compression rates, pinpointing localized areas of a photograph that suggest post-processing alterations or inserted elements.32

Geolocation—the precise mathematical and visual deduction of where an image or video was captured—has evolved into a highly specialized discipline pioneered by organizations like Bellingcat.34 Beyond merely matching background topographical landmarks, coastlines, or highway configurations to satellite imagery, 2IA analysts must master chronolocation to determine the exact time an event occurred based on environmental data.31

A prime example of this advanced methodology is the deployment of Shadow Finder logic.35 By calculating the sun's azimuth (its compass bearing along the horizon, measured clockwise from north), analysts can correlate shadow lengths, object heights, and angles with specific geographic coordinates and times.35 The underlying mathematical relationship governing this analysis relies on tracking the continuous change in the azimuth over a specific duration. In complex scenarios where the precise height of the object casting the shadow is unknown, 2IA analysts can still deduce the location if they possess two images of the same area with known capture times.35 By calculating the difference in the shadow angles between the two timestamps, analysts can leverage the fact that the rate of change in the sun's azimuth varies uniquely across different latitudes and longitudes globally. This calculated delta drastically narrows the potential geographic locations of the footage, allowing investigators to pinpoint human rights abuses or troop movements with stunning precision.35
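An added worked example, not Shadow Finder's own code, of the two-timestamp method above: a simplified solar-position model predicts the change in shadow direction for every cell of a latitude/longitude grid and keeps the cells whose prediction matches the change measured from the two images. The date, capture times and "true" location are constructed, and the solar model is a NOAA-style approximation accurate to about a degree, so the matching tolerance is set accordingly.

```python
from datetime import datetime, timezone
from math import sin, cos, tan, asin, atan2, radians, degrees

def solar_position(lat, lon, when):
    """Solar (azimuth, elevation) in degrees for a UTC datetime; azimuth clockwise from north."""
    n = when.timetuple().tm_yday
    hours = when.hour + when.minute / 60 + when.second / 3600
    b = radians(360 / 365 * (n - 81))
    eot = 9.87 * sin(2 * b) - 7.53 * cos(b) - 1.5 * sin(b)   # equation of time, minutes
    decl = asin(sin(radians(23.44)) * sin(b))                # solar declination
    h = radians(15 * (hours + lon / 15 + eot / 60 - 12))     # hour angle from local solar time
    phi = radians(lat)
    elev = asin(sin(phi) * sin(decl) + cos(phi) * cos(decl) * cos(h))
    az = atan2(sin(h), cos(h) * sin(phi) - tan(decl) * cos(phi))
    return (degrees(az) + 180) % 360, degrees(elev)

def angle_delta(a, b):
    """Signed difference b - a, normalised to (-180, 180]."""
    return (b - a + 180) % 360 - 180

def shadow_azimuth_delta(lat, lon, t1, t2):
    """Predicted change in shadow direction between t1 and t2. A shadow points opposite
    the sun, so its change equals the sun's azimuth change; None if the sun is down."""
    az1, el1 = solar_position(lat, lon, t1)
    az2, el2 = solar_position(lat, lon, t2)
    if el1 <= 0 or el2 <= 0:
        return None
    return angle_delta(az1, az2)

def candidate_locations(t1, t2, observed_delta, tol=1.0, step=2):
    """Grid points whose predicted shadow change matches the measured one within tol degrees."""
    hits = []
    for lat in range(-60, 61, step):
        for lon in range(-180, 180, step):
            d = shadow_azimuth_delta(lat, lon, t1, t2)
            if d is not None and abs(angle_delta(d, observed_delta)) <= tol:
                hits.append((lat, lon))
    return hits

# Constructed scenario: two frames two hours apart. The "true" location is used only to
# synthesise the measured shadow change an analyst would read off the images.
T1 = datetime(2024, 6, 21, 14, 0, tzinfo=timezone.utc)
T2 = datetime(2024, 6, 21, 16, 0, tzinfo=timezone.utc)
TRUE_LAT, TRUE_LON = 40, -74

def demo():
    """Return (measured shadow change in degrees, candidate (lat, lon) grid points)."""
    observed = shadow_azimuth_delta(TRUE_LAT, TRUE_LON, T1, T2)
    return observed, candidate_locations(T1, T2, observed)
```

Because the azimuth rate of change is similar along parts of some latitude bands, the result is a candidate set to intersect with landmarks and other clues, not a single point.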

### **Corporate Accountability and Database Mining**

To effectively trace transnational corruption, organized crime syndicates, and illicit financial flows traversing offshore tax havens, 2IA must interface with massive, structured intelligence databases. The primary vector for this research is Aleph, the preeminent investigative data platform hosted by the Organized Crime and Corruption Reporting Project (OCCRP).36 Aleph consolidates over 400 million documents and distinct entities pulled from more than 200 datasets, including global corporate registries, court filings, and historically significant leaks such as the Panama Papers and Cyprus Confidential.12

By cross-referencing Aleph's powerful network visualization tools with APIs from OpenCorporates—a global database providing the incorporation dates, registered physical addresses, and comprehensive board member lists of corporate entities—2IA investigators can seamlessly unravel complex webs of shell companies domiciled in opaque jurisdictions.37 To augment this, 2IA must utilize specialized regional databases such as CompanyInfo.ge (which tracks Georgian corporate leadership changes since 2010) or the Barbados Supreme Court public records portal to map localized legal and financial anomalies.40