Open-source intelligence (OSINT) investigations utilize publicly available sources to collect information as part of an inquiry. As an investigative technique, OSINT leverages the vast amount of data accessible online and through public records to uncover facts and make connections.
With the right tools and techniques, you can conduct comprehensive OSINT investigations ethically and legally. This guide will provide an in-depth look at all aspects of carrying out OSINT investigations.
Overview of OSINT Investigations
An OSINT investigation typically starts with a specific research objective in mind. This could be gathering background details on an individual, learning more about a company’s operations, tracking down cybercriminals, or digging up records related to a court case.
The types of public sources leveraged include:
- Social media sites
- News articles and public records
- Corporate records and job sites
- Satellite imagery
- Domain name registration data
Research objectives can range from the very broad to being highly targeted. An investigation focused on a single person may aim to compile details like:
- Full legal name and aliases
- Age and date of birth
- Current and past addresses
- Criminal history or court records
- Assets and finances
- Education and employment history
- Contact information
- Photos
- Social media profiles and posts
- Connections to other people and organizations
On top of gathering facts, OSINT enables you to uncover relationships between people, organizations, assets, online accounts, and communication channels. Making these connections is crucial for revealing larger patterns and schemes.
Conducting Ethical and Legal OSINT Investigations
Whenever you’re gathering intelligence on specific individuals, ethics and legality need to be top priorities.
You should adhere to the following principles:
- Only access publicly available information that does not require hacking, cracking passwords, or exploiting security holes
- Avoid making direct contact with investigation targets without their consent
- Be transparent in your research aims and methods when possible
- Do not misrepresent yourself or engage in social engineering tactics
- Respect privacy boundaries and sensitive information that could harm individuals
- Follow relevant cybercrime and data protection laws in your jurisdiction
In particular, be very cautious of not crossing legal lines when investigating people for personal reasons rather than professional inquiries with clear necessity and boundaries.
Document your OSINT process thoroughly in case you ever need to demonstrate the legality and ethics. Having detailed notes also helps with organizing evidence and avoiding getting overwhelmed by the data.
Core OSINT Investigation Skills
Mastering a few essential skills will enable you to pursue a wide variety of OSINT investigations effectively:
Advanced Search Techniques
Beyond basic Google searching, you need an arsenal of advanced tactics for public record lookups, social media profiling, geospatial analysis, and all types of targeted data mining. Useful approaches include:
- Crafting search strings with advanced Boolean, proximity, and wildcard operators
- Filtering by filetype, usage rights, and other parameters
- Leveraging site-specific syntax for internal tools like
intitle:
andinurl:
on Google - Using advanced date filters to surface historical information
Link Analysis
Analyzing the connections between data points plays a crucial role in revealing networks and schemes. Tactics like :
- Tracing an email address or username across platforms to associate accounts with individuals
- Reviewing who an account follows or friends to identify associates
- Evaluating metadata from posts and photos to extract geographic locations and devices used
Data Analysis and Organization
As the investigation progresses, the amount of information accumulated can quickly become overwhelming. You’ll need to:
- Record findings in organized notes or case files
- Create visual diagrams to map connections between people, assets, online activity, etc.
- Export social media data, domain lookups, and other records for further analysis
Verifying Information Authenticity
False positives and misleading data is a constant threat when piecing together information from myriad sources. Get in the habit of:
- Corroborating facts using multiple trustworthy sources
- Looking out for fake social media accounts or imposters
- Inspecting metadata to confirm timestamps and locations
With practice, verifying authenticity becomes second nature. Never take anything at initial face value.
Staying Anonymous and Secure
You don’t want your target catching wind of an investigation prematurely or, worse, figuring out your identity. Steps like using a VPN, anonymous browsing modes, and disposable devices will ensure anonymity and security.
For investigations related to cybercrime, additional precautions are necessary when engaging with hacking forums, malware samples, and other sketchy sources. Having an isolated virtual machine and burner devices is crucial for protection.
Go-To OSINT Investigation Tools
While the fundamental analysis skills make the investigator, software tools greatly assist productivity and effectiveness.
Data Mining Tools
For searching and scraping massive data sets, integrate tools like:
- Maltego – conduct link analysis and gather relationship graphs between data points
- FOCA – harvest metadata, identify documents, and map connections in a domain
- SpiderFoot – automate the search and correlation of OSINT data sets
Analysis Tools
DIG deeper and organize findings with tools like:
- AnalytixLabs – machine learning assisted analysis of charts, stats, and visualizations
- Timesketch – collaborate and piece together investigation timelines
- I2 Analyst Notebook – visualize patterns, links, time-frames, and hierarchies with a customizable workspace
Anonymity Tools
Browse and communicate covertly with tools like:
- Tor browser – access the Dark Web and encrypt traffic
- Tails OS – operate anonymously from bootable USB drives
- Signal – encrypt messages, calls, video chats
The list goes on with hundreds of available OSINT tools on GitHub to leverage. Find solutions that fit your skill level and specific investigation needs.
Key OSINT Techniques and Tactics
Now that you have strong fundamentals and tools, let’s explore proven techniques to execute productive investigations:
Identifying and Profiling Individuals
Uncovering accurate information on a person forms the backbone of many inquiries. Methods include:
- Check domain registrars like WHOIS for names and emails associated with web properties
- Comb court record aggregators like SearchSystems for legal disputes and bankruptcies
- Lookup Voter Registration records for age, political affiliation, addresses, and relatives
- Use email address validation services like VerifyEmail to find associated social media accounts
- Leverage facial recognition to match profile pictures across platforms for additional personal details
Company Reconnaissance
Enterprises make abundant information publicly accessible either intentionally for marketing and recruitment purposes or unintentionally through employees’ online activities. Useful company reconnaissance tactics:
- Harvest names, departments, positions, and contacts from corporate sites to build out organizational structures
- Use LinkedIn to flesh out details on leadership hierarchies and employee skills/expertise
- Look up corporate record filings for directors, revenue, expenditures, taxes owed, and other financials
- Monitor job listings to identify new positions, technologies, and business initiatives
- Review Glassdoor for employee sentiments, salaries, and workplace culture details
Geolocation Tracking
Pinpointing the physical location of people, devices, and assets has profound utility for OSINT objectives:
- Look up IP addresses in registries like IP2Location or GeoIP to uncover internet service provider, country, city, longitude and latitude details
- Analyze EXIF data in images routinely posted online from cell phones or other GPS-enabled devices
- Access real estate listing aggregators like Realtor for house characteristics, price histories and neighborhood demographics
- Utilize satellite imagery platforms like Google Earth Pro and NearMap to spot buildings, vehicles, and terrain
Mobile and Cyber Tracking
Mobile devices provide a espionage jackpot for OSINT investigators with access to:
- Install monitoring tools on devices owned to record communications, sites visited, files stored, and location history
- SIM card forensics via carriers to access call logs, contacts added, text messages, voicemails, and internet usage logs
- Jailbreak devices no longer used to scour file systems and intercept messages queued for delivery
- Deploy fake network towers for man-in-the-middle attacks to intercept traffic and insert tracking tools
- Purchase smartphone hacking tools and exploits from vendors if warranted
However, caution is necessary as many of these techniques tread into illegal cybercrime territory depending on use cases and jurisdictions.
This covers the most vital OSINT investigative approaches. Weaving together combinations of tactics creatively is where mastery sets in.
Real-World OSINT Investigations
To appreciate the full spectrum of what’s possible, let’s explore some real-world examples spanning personal inquiries to criminal investigations:
Background Checks
- A cautious homeowner looked up their new neighbors moving in nearby and found past stalking protective orders against the husband by an ex-girlfriend. This discovery led to heightened alertness.
- A woman met a charming date online but felt something seemed a bit off in his stories. An OSINT probe uncovered his real full name, his marriage to another woman, and a recent arrest for financial fraud under an alias.
- Prospective in-laws suspicious of their daughter’s new fiancé were able to confirm some of their gut reservations about him being selfish and exploitative in past relationships. This investigation saved their daughter from years of misery.
Corporate Due Diligence
- While evaluating a startup for venture capital backing, OSINT inquiries revealed the founding team members had filed for multiple business bankruptcies in their past.
- Competitive intelligence researchers commissioned by a telecom uncovered adjacent market opportunities by comprehensively mapping the initiatives and partnerships of prominent rival companies.
- Auditors preparing for a major retailer’s quarterly reporting analyzed executive trades and investments for conflicts of interest needing disclosure.
Criminal Investigations
- The FBI tracked down the specific laptop a child predator used for exploitation imagery by analyzing electrical outlet shapes and furniture seen in photos he distributed on dark web forums. Subpoenas for residences with matching outlets ultimately identified and rescued the abused minor.
- Canadian law enforcement busted a drug smuggling operation by collaborating with shipping manifests to pinpoint suspicious cargo containers lacking import/export documentation for the goods claimed to be transported.
- Police in the UK arrested a stalker terrorizing his victim partly based on evidence from an anonymous blog detailing incidents and contact attempts he made violating a restraining order.
These case examples showcase OSINT’s incredible range and impact across various walk of life.
The only limits are your investigative creativity, resourcefulness, and ethics. With so much scattered data publicly accessible, immense possibility exists if you diligently work to connected the dots.
Expanding OSINT Skillsets
So far we have covered core approaches for conducting ethical OSINT inquiries. However, countless advanced tactics and niche data sources exist to explore as you grow your capabilities.
Advanced Social Engineering
Social engineering broadly refers to manipulating people into divulging information or performing actions unconsciously. For investigations, goals typically center around information gathering from employees, gaining physical access, or getting targets to download malware.
Common social engineering tactics include:
- Impersonating positions of authority like police officers or senior executives
- Creating convincing phishing emails that lead to credential harvesting or downloads
- Pretending to be prospective customers or vendors to gather intel from associates
- Piggybacking off badges through doors, along hallways, or into secure areas
- Reporting fake emergencies or scenarios that require urgent response bypassing security checks
- Exploiting personal details like kids’ names or spouse employers appearing sympathetic
However, recognize many of these techniques border on illegal. Make judgments aligned with investigator ethics and necessity.
Specialized Data Sources
Mastering niche data sources massively expands OSINT capabilities for specific investigation types:
Competitive Intelligence
- ImportGenius – details on suppliers, shipping activity, and global trade patterns
- Sentieo – AI-driven analysis of finances, executives, and market trends
- SimilarSiteSearch – reveals competitor website changes
Cyber Investigations
- Shodan – search engine for unsecured databases, cams, embedded systems
- Censys – scan websites for vulnerabilities and misconfigurations
- DomainTools – domain name registrations, hosting providers, current/past IP addresses
Global Investigations
- Refinitiv World-Check – profiles on heightened risk individuals and organizations
- IHS Markit Maritime Portal – 80+ data sets on vessel movements and shipping patterns
Take time locating niche tools like these purpose-built for unique OSINT needs.
Cultivating Professional Networks
Among the most valuable sources during OSINT investigations are other experienced specialists able to provide unique insights, access data sets privately, or collaborate on inquiries.
Dedicate effort consistently engaging with professional communities like:
- In-person events via associations like HTCIA and OSMOSIS
- Invite-only forums through Sector546
- Email listservs including MISP Groups and AlienVault Open Threat Exchange
- Social media groups on LinkedIn, Reddit, Telegram, Slack, Mastadon
Form trusted reciprocal relationships facilitating collaboration whenever advantageous.
Consulting Legal Counsel
Despite best efforts adhering to ethical principles and laws, legal gray zones still arise during investigations. Developing working relationships with lawyers and privacy/security consultants ensures trusted guidance nearby.
Experts can provide direction on issues like:
- Navigating data protection statutes of various countries involved
- Acquiring user consent properly across jurisdictions
- Anonymizing collected personal information safely
- Responsible disclosure procedures around discovered enterprise system vulnerabilities
- Avoiding harassment and libel risks when publicly reporting findings
Knowing you have specialized legal back-up offers peace of mind addressing dilemmas judiciously.
Fostering Other Essential Skills
Master OSINT gumshoes excel across many interdisciplinary abilities:
Interpersonal skills – Build rapport with sources to gather insights. Persuade partners to share data.
Writing skills – Produce convincing investigative reports. Create factual documentation protecting from accusations.
Research skills – Continually expand knowledge across technologies, tradecraft, laws.
Critical thinking – Assess evidence objectively. Avoid confirmation bias derailing inquiries.
Creativity – Design novel approaches solving mysteries. Devise unexpected ways uncovering obscured facts.
The most effective investigators nurture a truly cross-functional skillset while also knowing personal limits requiring outside specialists.
Final Thoughts
This comprehensive guide summarizes everything you need to pursue OSINT investigations professionally.
The most vital foundations boil down to:
- Mastering advanced search, link analysis, verification, and organizational skills
- Using the right tools optimally for different data types and analysis needs
- Understanding legal limits and ethical boundaries, especially with personal investigations
- Employee creative footprinting, profiling, corporate, geospatial, and cyber tracking tactics
- Persevering through vast data to uncover obscured connections and activities
While OSINT investigations undoubtedly require effort and skill, they enable accessing profound insights otherwise inaccessible. The public data trails people and organizations leave behind create accountability and transparency.
Use these newly gained OSINT superpowers judiciously to uncover truth, drive progress, and better society. The responsibility rests in your hands now.