What is OSINT? (part 3): The rules of the trade

RoddyT3ch
30 min read, Sep 2, 2023


Art illustration by me (RoddyT3ch)

This is the final article in the short OSINT trilogy

So let’s recap: you’ve tried basic OSINT techniques and learned how to protect your privacy on social media, you’ve tried your hand at a few OSINT challenges online, and hopefully enjoyed it. Now, you want to dive deeper and become an OSINT investigator to solve real-world cases. Congratulations!

Before bidding you farewell as you embark on all kinds of adventures, however, we still need to discuss three incredibly important “techniques” that any good OSINT practitioner must possess: a strong sense of ethics, an efficient methodology, and a secure work environment. One of the reasons why Open Source Intelligence is so interesting and attractive is because of the amount of information one can so easily find on almost anything and anyone. But how do you handle all that information? What do you choose to do with it? This is where the line is drawn between OSINT investigators and malicious actors. And crossing that line can be easier than you might think…

Besides, even if you vow to practice OSINT for good and stay on the right side of the law, you may find yourself investigating bad — sometimes, really bad — people, who are not to be messed with. Either as a volunteer or a professional, it’s crucial that you learn how to avoid compromising the investigation and more importantly, your safety.

Table of contents:

Ethics, or Code of Conduct

  • Thou shall not hack: The difference between OSINT and hacking
  • Thou shall not stalk: When OSINT should not be used
  • Thou shall not wear a cape: Setting healthy boundaries
  • Thou shall not pursue infinite knowledge: Selecting relevant information
  • Thou shall not leave your belongings unattended: Handling private data responsibly

Methodology:

Before the investigation:

  • Prepare yourself: Defining scope and resources, applying good OPSEC, legal considerations
  • Protect yourself: Setting up a secure environment (Virtual machine, VPN, browser, sock puppet accounts on social media)

During the investigation:

  • Stay alert: Practicing good OPSEC on the field
  • Use an OSINT framework
  • Manage information properly: Note-taking and data management, Maltego
  • Think outside the box
  • Avoid rabbit holes and cognitive bias

After the investigation:

  • Write your report
  • Take your data offline
  • Clean your environment
  • Conclusion
  • Other resources

Ready? Let’s go!

©gifs.com

This article is a bit like Mr. Miyagi’s teachings: complex, philosophical, and not really about karate.

Code of conduct: With great power…

For our final collaborative article on OSINT, allow us to quote directly from the never-ending source of knowledge that is the Marvel Universe and Peter Parker’s Uncle Ben, and tell you that “with great power, comes great responsibility” — we know the quote actually dates back to Antiquity, but let us believe.

©Tenor.com

Uncle Ben said it first.

When you use tools and techniques to gather OSINT, you must be careful not to overstep legal boundaries and reflect on the possible consequences of your findings for everybody. Whether you’re fact-checking a piece of information, working on a background check or a missing person’s case, you will encounter sensitive data that could potentially have a negative impact on the life of your target, but also their relatives, friends or employees. So before delving into methodology and work environment, let’s start by reviewing ethical aspects that need to be taken into account whenever you’re conducting a real OSINT investigation.

Thou shall not hack

Remember, OSINT stands for “Open Source Intelligence”, which means that anything that is not already publicly available is not OSINT. The notion of public availability can sometimes be tricky: for example, you can find documents on the internet that are labeled as “Confidential”, either due to an accidental release on the owner’s part or because the platform which hosted the documents was hacked and its contents leaked on the web. So, is that document still open-source intelligence or not? Should we take the owner’s intent into account here?

Similarly, what about Human Intelligence (HUMINT) and the social engineering techniques we outlined in our first article? If you trick someone into revealing something to you, isn’t that a form of hacking? After all, some people refer to social engineering as “people hacking”, so should we consider data collected this way as open intelligence or not?

The truth is that there are many opinions on what “open” or “public” means when it comes to OSINT, and you will hear different takes from different practitioners. To make things even more complex, the legal framework surrounding digital privacy, and what is considered public or not, is very different from one country to another. What is certain, however, is that any technique that requires you to “hack” a platform or device is definitely not OSINT. Installing spyware on your target’s computer or paying someone to hack their social media account is not only illegal in most countries but also not what OPEN source intelligence gathering is about!

Thou shall not stalk

In the same vein, using OSINT techniques to get revenge on your cheating ex or stalk your obnoxious colleague is obviously not okay — and again, not legal. While it can be tempting, acting on your “dark urges” will most likely get you in hot water. Many countries have anti-harassment laws and recognize emotional distress as a legitimate claim nowadays, so even stupid “pranks” could mean trouble. Only malicious actors use OSINT tools and techniques to help them commit crimes — as we have seen in the story of Rafael. So we implore you: don’t go to the dark side, stay with us and use OSINT for good.

Thou shall not wear a cape

Conversely, don’t overstep your role as an OSINT practitioner and go all vigilante. Whether as a volunteer or a professional, your job is to gather information and provide intelligence so that actions on objectives can be enhanced, started, or completed.

For example, this means refraining from directly engaging with your target as much as possible and not serving justice yourself. Don’t harass, doxx or otherwise punish people, even if you’ve found authentic evidence of possible criminal behavior. Depending on the circumstances of your investigation, you may want to pass that data to the police and let them handle it, have it vetted and published in the news, or find another way to alert proper parties so action can be started.

If you are helping on a missing person’s case, don’t contact their relatives or friends, even if you believe you’ve found some significant element. Simply give it to the proper authorities, and focus on doing what you’re here to do.

But despite what I just said, it’s important to note that in quite a few authoritarian countries around the world, legitimate journalism or OSINT work can be treated the same way as illegal activity or vigilantism. Exposing corrupt politicians, using OSINT to speak out against injustice, and similar activities can all land you in jail or put you in danger.

Thou shall not pursue infinite knowledge

Over the course of an OSINT investigation, you will likely collect large amounts of data on people. This can raise many ethical concerns. To illustrate, let’s imagine for a moment that you’re trying to uncover whether a member of the government has been corrupted by a shady company to give them an unfair advantage on state-sponsored business deals and contracts. Your investigation leads you to establish that this person has indeed received gifts from the company, in the form of luxury trips which they took not with their spouse and children, but with an Instagram model. You now have your answer, but you also know that this person is unfaithful. What should you do with that?

In a blog post aptly titled “Yes we can… but should we?” directed towards journalists and fact-checkers, OSINT essentials proposed three criteria to assess whether a piece of information should be used:

NEED: How essential is the information to the task of verification? Could the information be acquired in another, less ethically questionable way?

VALUE: How important is the information that will come as a result?

CONSEQUENCES: What is the potential fallout of acquiring the information in this way?

Coming back to our example, we can say that while knowing that this member of the government was offered luxury trips by the company is definitely a valuable piece of information, the question of whether they took those trips with their spouse or lover is secondary to the matter (value). Revealing it could even backfire as it could distract the public’s attention from the real issue and focus the debate on this person’s behavior towards their family, who will be publicly exposed (consequences). So unless mentioning the Instagram model is absolutely necessary to proving what happened (need), it’s best to omit this information altogether from our report and not look further into that person’s private life.

When investigating someone, destroying their reputation and family life may sometimes seem like a just reward, particularly if the person is involved in activities which you find truly abhorrent. But try to think about the possible collateral damage to their relatives, and remember what we said about wearing a cape: there’s only one Batman, and it’s not you.

©Tenor.com

Thou shall not leave your belongings unattended

What is valid for airports also stands for OSINT. Information is a currency, and sensitive data can be really attractive to malicious actors. While you gather intelligence on someone, it’s your responsibility to make sure that this data is protected — as if it were your own. This means storing it securely, limiting the device’s exposure to cyber threats, and generally applying proper cyber hygiene. It also means erasing it or taking it offline once it has become redundant or useless (i.e. past cases); even with the best defenses in place, nobody is “unhackable”, so it’s better to try to limit the potential damage as much as possible.

The topic of data handling is often overlooked when discussing OSINT, but it’s a crucial part of your activity as an OSINT researcher. After all, just like a doctor or an event planner, you are collecting personal data; as such, you should operate in compliance with the privacy and data handling laws and regulations of your country.

This can be very cumbersome to put in place, as Ludo Block demonstrates in his article on OSINT and GDPR, which will be helpful to European practitioners — and others, as it raises many interesting points to consider, wherever you’re based. But even though it may not be as fun as creating a sock puppet account on Instagram, securing your data comes with the package of being an OSINT practitioner.

Really, it’s just like Uncle Ben said: “with great power comes great responsibility.”

Methodology: By failing to prepare…

Conducting an OSINT investigation is a bit like going for a hike in the middle of the wilderness: it’s a cool adventure, but you have to be well-prepared. Without proper preparation and equipment, you run the risk of getting lost, or even getting harmed because you ate something you shouldn’t have or slipped down the mountain — not to mention possible encounters with bears.

©imgflip.com

A great quote from another Uncle Ben.

So to help you on your OSINT journey, we’ve gathered some best practices, resources and tips for each step of your investigation: before, during and after. As you progress in your OSINT practice, you may refine them and find your own tools of choice or make them. But the following should at least help you get started.

BEFORE THE INVESTIGATION:

Prepare yourself!

As we said, preparation is key, so before even researching your target, start by asking yourself the following questions:

What do I want to find?

Stating the purpose of your investigation is an important first step. While it may sound obvious to you now, losing sight of your goal is easy once you start digging, gathering data and branching out in other possible directions. Granted, some investigations will be pretty straightforward (GEOINT or IMINT come to mind), but others can drag you down the rabbit hole and make you lose precious time if you’re not clear on what you’re searching for.

Who, or what is my target?

Before you even start Googling the name of your target or looking up a website on “whois”, think of who or what your target is, and the impact your research could have.

Your “target” could be an applicant to a job offer, or it could be a company owned by a crime syndicate. You could be looking for a missing person, or trying to uncover the owner of a human trafficking forum on the dark web. You could be working for the due diligence department at a financial institution, or fact-checking pictures of a conflict.

All targets in these scenarios pose different threat levels to your environment — aka, your computer, network and everything that’s on it — and to you. OSINT and threat researchers can be targeted by malicious actors, who don’t take too kindly to people working to dismantle their illicit business. So while being discovered lurking on LinkedIn profiles for background checks is not too bad (but should still be avoided), you can’t risk having your real identity uncovered by criminals or a state-sponsored threat actor. Similarly, while you may use your company inbox to send your findings on a prospective financial partner, you will need a more secure channel to communicate sensitive information about corrupt government activities.

This is where the notion of OPSEC comes in. OPSEC stands for Operational Security, and it’s a military term you hear a lot in the OSINT/cybersecurity community. As Nico Dekens, aka Dutch_OsintGuy, explains “the goal of good OPSEC is to deny an adversary information that could compromise the secrecy and/or the operational security of a mission.” It’s about evaluating the risks and threats posed by your target, and taking appropriate measures to avoid being detected. We’ll come back to it later, but for now, keep in mind that different investigations will require different levels of protection and defense, and that it’s best to think about them sooner than later.

What resources am I going to use?

Once you’ve established the purpose of your investigation and have assessed the potential level of threat posed by your target, you can start thinking about what resources and tools you will need. Are you going to use GEOINT techniques or SOCMINT? Will you be visiting the Clear web, or go to the Dark web?

Planning your resources ahead is particularly important if your target is a person. Referring to the OPSEC notions we just discussed, you have to decide whether you’ll use passive or offensive methods — or a blend of both — for your data collection.

Passive methods are typically low-risk, as you avoid direct contact with your target by looking up third party sources and historical records. A good example of a passive data collection tool would be the Wayback Machine.

Offensive methods imply direct contact with the target, or real-time collection, and pose more risks of being discovered. For example, a SOCMINT investigation can put you into contact with your target, as social networks are designed to bring people together through their algorithm, and not always very efficient at hiding your private information. You could become exposed simply by looking at your target profile regularly, which is why having good sock puppet accounts is crucial — learn how to craft them below!

But the most obvious example of offensive intelligence gathering is HUMINT or social engineering. In our first article, we gave you an example of HUMINT as a possible OSINT tool because A. it’s cool and B. it can be necessary to your investigation — if you’re conducting a pentest, for example. But from an OPSEC perspective, social engineering is the riskiest tool of the trade, especially if you’re up against a criminal actor.

©giphy.com

Yeah, Right

Think about it: not only do you have to be superbly good at fooling this person, you also have to make sure that you’re not leaving behind any kind of technical footprint that could lead back to you. And that can get really complicated, as your target could have access to more technical resources than the average person. So without external support, it’s best to lay low and leave social engineering and HUMINT to the professionals — or train to become one!

What legal aspects do I need to pay attention to?

Last but not least, you’ll want to make sure your investigation will not put you in trouble. Make sure the tools you plan to use are not illegal in your/your target’s country, and exercise particular caution when investigating criminal activities: you may be trying to retrieve the name and IP addresses of criminals to take down their network for example, but your activity could get the attention of law enforcement and make you look like one of the bad guys!

So if you’re working freelance, or operating on behalf of someone else, make sure to back it up with a contract specifying the scope, tools and rules of engagement of your investigation.

Protect yourself:

@Good Mythical Morning

Now that you’ve reflected on what you’re going to do and how, it’s time we get to the nitty-gritty of how to protect yourself and your environment. Whether you’re investigating a government or a criminal organization, if you don’t know how to protect your privacy and hide your identity online, you can be tracked down and identified by anyone paying attention.

Virtual Machine:

A virtual machine (VM) is a virtual environment that works like a computer within a computer. It runs on an isolated partition of its host computer with its own CPU power, memory, operating system (such as Windows, Linux, macOS), and other resources. This isolation helps protect you during your investigation.

Depending on who/what your target is, your level of exposure to malicious files and actors will vary. Your host system could catch a nasty case of ransomware, and that will be it for the data stored there. Now you can imagine what would happen if you were working for a large organization and your host machine was part of the network. It would be bad. It’s for this reason that many seasoned OSINT investigators never use their main host machines when conducting an investigation, especially one that poses serious risks.

We personally recommend using VirtualBox. There are other vendors out there on the market, but VirtualBox is a favorite as it is free and easy to use. Here is a beginner tutorial that will get you up to speed on how to properly use VirtualBox. Plus, here’s a tutorial for setting up a VM specifically geared towards OSINT investigations: TraceLabs VM.

©imgflip.com

Don’t try this at home.

VPN/Proxy:

A virtual private network (VPN) is an Internet security service that allows users to access the Internet as though they were connected to a private network. It encrypts your Internet communications and provides a strong degree of anonymity: it hides your true IP address from the sites you visit and replaces it with the VPN’s, which helps you conduct your OSINT investigation without being traced back to your own connection.

Note: VPNs are not foolproof. Free VPNs often log your data and sell it to third parties. And even popular paid ones can sometimes be shady… So remember to read reviews online on VPN vendors, ask around the cybersecurity/OSINT community if needed, and choose VPN companies based in jurisdictions with strong user data privacy laws.

Browsers:

As explained by Sven Taylor at Restoreprivacy.com, “unless properly configured, most browsers contain lots of private information that can be exploited — or simply collected — by various third parties:

  • Browsing history: all the websites you visit
  • Login credentials: usernames and passwords
  • Cookies and trackers: these are placed on your browser by some of the sites you visit
  • Autofill information: names, addresses, phone numbers, etc.

Even using “private” or “incognito” mode while browsing will not protect you. Your IP address will remain exposed and various third parties will still track all of your online activities.”

That being said, there are some secure browsers out there. Look around and you’ll find countless recommendations on the Internet. Just like with VPNs, it pays to look for reviews (from multiple sources) and hear what the community has to say, to make sure the privacy offered by the browser is real and not just a marketing ploy.

The Tor browser:

Whenever online privacy is discussed, Tor is a name you’ll come across frequently.

The Tor browser is configured to avoid tracking and browser fingerprinting. It runs by default on the Tor network, which is made up of free volunteer relays all over the world. By routing traffic through those different “nodes”, it effectively hides your true IP address and protects your identity and privacy, as you can see in this video.

Here is a two-part YouTube series by The Hated One on how to use and set up Tor:

(Check out his other videos for more online privacy tutorials.)

Before you decide to use it, however, keep in mind that the Tor project is not without a few drawbacks:

  • Traffic can be slow, as it has to jump through so many hoops;
  • Some sites will recognize traffic incoming from Tor network and block it by default. This is the case of a majority of social networks;
  • The default version of the browser may cause malfunctions on some sites, due to script blocking;
  • Some exit nodes of the Tor network could be compromised and exploited;
  • Due to the project being partially financed by the US government, some consider it to be fundamentally compromised when it comes to privacy.

If you’d rather not use the Tor network, you can use a VPN and run the Tor browser with the network disabled. If your VPN is truly secure and does not collect information, this can be a pretty secure solution.

Sock puppet accounts:

Once your machine and connection are secured, you need to protect your identity when conducting SOCMINT investigations. That’s when sock puppets come into play. As per Wikipedia: “A sock puppet is an alternative online identity used for purposes of deception. The term, a reference to the manipulation of a simple hand puppet made from a sock, originally referred to a false identity assumed by a member of an internet community who spoke to, or about, themselves while pretending to be another person.”

These fake social media accounts are used by hats of every color in cyberspace. You can find hackers, scammers, bots, and other cyber criminals on the dark side, while journalists, penetration testers, and OSINT investigators are on the other. Like any decent tool, it can be used for both good and evil. But wait, you ask, isn’t creating a fake account against most social networks’ Terms of Service (TOS)?

True, but every decent OSINT practitioner will tell you this:

Never Use Your Personal Account To Do An Investigation!!!

As we’ve seen when discussing OPSEC, your investigation should be planned in a way that does not compromise your own safety. By using a real account, you run the risk of being identified and doxed, harassed, and in the absolute worst-case scenario, targeted for lethal retaliation. Depending on your target, bad OPSEC on social networks can also pose threats to the company you work for, and even your family.

And even if your target is unable to find out who’s hiding behind your not-so-clever Reddit nickname, the social network’s own databases containing your private email and/or phone number will be leaked at some point. It’s Murphy’s law.

So it’s best for all of it to be fake to begin with; the risk is simply too high.

Emails:

Creating an email is the basis for setting up your undercover investigation account, as it will be used for signing up. Any email provider will work. Here are a few:

Burner Phones & Numbers:

Having a burner phone/number is extremely useful and may be required to create accounts on certain websites. The reason some sites require numbers is because they’re trying to prevent fake accounts from being created and will send an SMS validation message upon registering.

There are plenty of free temporary SMS services out there on the internet which you can use. Sometimes, however, it is useful to have a reliable number you can re-use across platforms to create different accounts for your persona.

In some countries, you do not need to present your ID or Passport to buy a SIM card or burner phone. If you are in one of these countries, it’s best to use cash only and let the phone sit for as long as you can before activating it with a sock puppet email.

Sometimes, SIM cards can be purchased on Amazon. Keep an eye out for deals and trial offers. Phone emulators can also work as an alternative.

VoIP Phone:

You can also try generating a Voice over IP (VoIP) account with an online vendor. This will be useful to add another layer of separation, as many online services need a “real” phone number tied to your account. This is really useful if you don’t have access to a burner phone.

Prepaid Credit Cards and Gift Cards:

In some cases, you may need to use a credit/debit card for purchases, account setups, and account verifications. If you are in a country or area that allows you to purchase these types of cards (VISA/Mastercard), use good OPSEC to minimize links back to you, such as paying with cash. You can also use a privacy.com masked credit card if prepaid cards are not an option.

Creating your Persona:

Creating a good sock puppet account takes time, effort, and creativity. There are however a few resources you can use to help speed up the process and spit out a “real person” with a lot of random attributes and content.

Just remember that all information generated is fake. You can change the data to fit your narrative. Generally, you’ll want your account to be as bland and average as possible, but of course different investigations will require different things.

Image generators:

Generating consistent images can be a challenge. You want to create a “realistic” person with history and consistency, but you can’t use your real photos because that would defeat the purpose of the sock puppet account. To avoid this, check out the resources below: all of these AI tools will generate unique faces that are realistic enough to fool anybody who is not inspecting them too deeply.

Aging the Account:

Like any fine wine, the account needs to be “aged”. This means creating content and history. Don’t forget that many social media sites have TOS that specifically prohibit fake or investigation accounts, as we’ve seen. Facebook, Twitter and most other social media sites are actively looking for these types of accounts, even if they are used for law enforcement purposes, and banning them en masse.

So make sure to craft a credible persona: give them a family, hobbies, sad news, passions, travels, and heartbreaks. Become the persona and generate some activity. Like posts, make comments, share things, and follow groups.

Try adding content and history following the personality of the fake character. This includes finding banners with image searches, memes, pictures from the location your persona is from.

Consider also the timing of your posts: if your persona is located in Australia and has a regular day job but all their social network activity happens between 2 am and 7 am in their time zone, that’s a bit suspicious. The same goes for your grammar, style of writing, and the linguistic register you will use, which have to be consistent with the identity of your persona — for a crash course on sociolinguistics, head here.

Over time, keep logging into the account and add content to build history. The more authentic your account will look, the less suspicious it will seem to both your target and the social network itself.

And lastly, remember to log out after each session. This is very important and ties into good OPSEC. Not logging out can generate tracking from social networks and potentially leak unwanted information across the different personas and platforms you use if you’re not careful.

DURING THE INVESTIGATION

Stay alert and practice good OPSEC

Even if you’ve set up the most secure work environment and crafted the most authentic fake online persona, you’ll still need to be careful. Keeping your private and work selves completely separated is more difficult than it looks, especially if you have to use offensive methods of data gathering. Expect observation at all times, behave like your persona would, and strive to stay under the radar.

Practicing good OPSEC is particularly important during the time of your investigation. An excellent guide to the principles of OPSEC for OSINT practitioners is the Berkeley Protocol, originally developed for international criminal and human rights investigations by the Human Rights Center at the UC Berkeley School of Law and the Office of the UN High Commissioner on Human Rights. It establishes minimum standards for OSINT practice, which aim to protect the investigator’s safety.

To sum it up:

  • Avoid disclosing identifiable elements, and make your activity non-attributable;
  • Expect to be monitored and analysed by third parties; be consistent with your virtual identity and behave so as not to reveal your investigative objective;
  • Be aware that over-exploitation of a single online source, such as a specific site, may increase the risk of third-party monitoring and analysis;
  • Avoid predictable patterns of behaviour, such as repetitive search patterns on identifiable devices; this can reveal your objective to the target;
  • Keep your professional work separate from personal online activities. If possible, personal equipment should not be used for professional investigations and vice versa (note: a well-configured VM can be a workaround if you don’t have a lot of resources). In this time and age of constant internet use, this is easier said than done, especially if OSINT is part of your day job!
  • If you conduct multiple investigations, keep different start and end times for each activity, maintain data in separate locations, and use different virtual identities;
  • Use technical systems or environments that are designed to be minimally affected by potential malicious software or other disruptive influence.

Because it’s impossible to be in a state of hypervigilance 24/7, remember to take breaks and practice self-care, particularly if you’re investigating criminal activities or conflicts and are exposed to traumatic content. Think of it as part of your OPSEC model: by taking care of yourself, you are becoming more resilient and less likely to make errors due to distraction or fatigue.

Use the OSINT framework

Gathering information from a vast range of sources is a time-consuming job, but there are many ways of making intelligence gathering simpler. While you may have heard of tools like Shodan, the full range of OSINT resources is too vast to mention, and growing every day. Fortunately, security researchers and OSINT practitioners themselves have begun to document what’s available.

A great place to start is the OSINT Framework, put together by Justin Nordine. The framework provides links to a large collection of resources for a huge variety of tasks. From finding email addresses to searching social media or the dark web, the list goes on and on.

Of course, you are not limited to this framework. There are plenty of other frameworks/resources out there, and OSINT researchers regularly post about new techniques. So if you feel stuck in your investigation, don’t hesitate to look around and reach out to the community, as someone somewhere can surely help you.

©osintframework.com

Manage information properly:

Note-taking:

During an investigation, you will encounter a wealth of information, which will be easy to forget if you’re not keeping notes, especially if your investigation spans days or even months. An effective note-taking method can greatly improve your retention of the constant stream of new information you will encounter. Before we dive a bit deeper into this topic, here is a list of note-taking applications that we recommend:

And when you are taking notes during the course of your investigation, be sure to keep track of where you found each piece of information. Additionally, provide a short description of that piece of information with any relevant points.

Here is a quick example:

Source(https://www.youtube.com/watch?v=Uj1ykZWtPYI): The User “Rick992” or “Rick Adams” commented under this video stating that he is going to a Star Wars convention in Santa Monica, California. Additionally stating that he is going with a good friend of his, who is also a Star Wars Fan.

Now of course everyone has their own style of note-taking, so it doesn’t have to be formatted this way. But if you are working in a team, you and your teammates should agree on how notes should be taken, for the sake of staying organized. Keep in mind that all your findings must be reproducible, so that they can be fact-checked by a third party once you post or publish your research.

Additionally, you’ll want to title your notes and divide them into sections. This will allow you to go back to your notes easily, and make connections during your reporting phase. And it also allows others to effectively read them if needed, without asking too many questions during the process.

As you investigate, leave room in your notes for any question that your research raises. This will serve as a reminder of anything you want to follow up on or research later in your investigation.

Finally, keep in mind that those notes and findings will eventually have to be compiled into a report. Some note-taking tools will let you export tables and graphs directly, which can save you a lot of time. In any case, finding a system to organize your data properly cannot be stressed enough. So get to know your tools before you begin the investigation, it can really pay off when you have to write that report!
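As an added example (not part of the original article), here is a small Python parser for the "Source(url): description" note format shown above, extended with two assumed conventions of my own: a "## " line titles a section, and a "Q: " line records an open question under the preceding finding. It rejects any finding that has no source, so that everything in the rendered report can be reproduced by a third party.

```python
import re
from dataclasses import dataclass, field

# Matches the note format used on the page: "Source(<url>): <description>"
NOTE_RE = re.compile(r"^Source\((?P<src>[^)]+)\):\s*(?P<desc>.+)$")
@dataclass
class Note:
    section: str
    source: str
    description: str
    questions: list = field(default_factory=list)  # follow-ups raised by this finding
def parse_notes(text):
    # '## ' opens a section, 'Source(...)' records a finding, 'Q: ' attaches a question
    notes, section, current = [], "Untitled", None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("## "):
            section, current = line[3:].strip(), None
        elif line.startswith("Q: "):
            if current is None:
                raise ValueError(f"question without a preceding finding: {line!r}")
            current.questions.append(line[3:].strip())
        else:
            m = NOTE_RE.match(line)
            if m is None:  # an unsourced claim cannot be fact-checked later: reject it
                raise ValueError(f"finding has no source: {line!r}")
            current = Note(section, m["src"], m["desc"].strip())
            notes.append(current)
    return notes

def render_report(notes):
    # Markdown: findings grouped by section with their sources, then open questions
    lines = []
    for section in dict.fromkeys(n.section for n in notes):
        lines.append(f"## {section}")
        for i, n in enumerate([x for x in notes if x.section == section], 1):
            lines.append(f"{i}. {n.description} [source: {n.source}]")
    questions = [q for n in notes for q in n.questions]
    if questions:
        lines.append("## Open questions")
        lines.extend(f"- {q}" for q in questions)
    return "\n".join(lines)

# Constructed sample notebook, built from the page's own example note
SAMPLE_NOTEBOOK = """## Target: Rick992
Source(https://www.youtube.com/watch?v=Uj1ykZWtPYI): User "Rick992" says he is going to a Star Wars convention in Santa Monica, California, with a friend.
Q: Which friend? Check whether anyone replied to the comment.
"""
```

Running `print(render_report(parse_notes(SAMPLE_NOTEBOOK)))` gives a report section ready to paste into the write-up, with the open question listed at the end as a reminder to follow up.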

Data management and organization: Maltego

From its FAQ: “Maltego is a comprehensive tool for graphical link analyses that offers real-time data mining and information gathering, as well as the representation of this information on a node-based graph, making patterns and multiple order connections between said information easily identifiable.”

The advantage of a tool like Maltego is that it provides a great way of visualizing complex or voluminous data, which can help you stay on top of it all and see patterns or links you would have missed otherwise. Once the investigation is complete, it’s also a cool way of showing your findings to the readers of your report.

An example of data visualization with Maltego. ©Maltego.com

Here are some of the links and data that Maltego can process:

  • People
  • Groups of people (social networks)
  • Companies
  • Organizations
  • Web sites
  • Internet infrastructure such as:
    ○ Domains
    ○ DNS names
    ○ Netblocks
    ○ IP addresses
  • Phrases
  • Affiliations
  • Documents and files

Depending on your status, there are different pricing plans and products. The Maltego Community version, intended for non-commercial use, is free. If you need help with set-up, check out their Maltego Essential videos for tutorials and tips.

Avoid rabbit holes and cognitive bias:

As you gain new information and pivot from one source to the next, you may at some point find yourself unsure how to proceed. Should you dig deeper into someone’s Instagram account or use Google dorks to find what you’re looking for? Could the answer be in one of their friends’ posts? How long should you dig before deciding that this source is not useful to your investigation?

In order to stay focused, try to go back to the objective(s) you defined at the beginning. What question(s) are you aiming to answer? Are they still relevant, or have they evolved due to new information you obtained? If that’s the case, you may want to redefine your objectives. What matters is that you always have some goal to come back to. This should serve as your compass while you navigate the continuous flow of incoming data.

She went on Instagram and was never seen again. ©Tenor.com

Similarly, don’t rely on instinct alone when deciding what to do next. If you’re sure that your target’s best friend is the key to finding the information you need, ask yourself why. Is it because of concrete facts pointing towards them? Or because you get a general feeling that it has to be them, due to their look, gender, race, personality, or the type of hats they wear? Does your hunch actually match any concrete fact, or is it just that, a hunch?

Before following your gut feeling, take time to examine the evidence you’ve gathered and what cognitive or confirmation bias could be at play. This will not only save you time, it will help you build a good quality, fact-based investigation.

AFTER THE INVESTIGATION

Write your report:

If you’re conducting OSINT investigations on behalf of a company, to assist law enforcement or a non-profit organization, you’ll have to write a full report of what you’ve found and how you’ve found it. Even if you are doing a CTF or OSINT challenge, you may want to do a write-up or a short report, to showcase your investigative skills.

The contents of your report will depend on what type of investigation you did and the audience of the report. But here are some general considerations to keep in mind:

  • Start by stating the question you investigated, and the methods you used: not everyone who’ll read the report will be familiar with the objective(s) of your investigation;
  • Make it straight to the point: if you got lost chasing a false lead, there is no need to mention it, unless it is somehow important or gives context;
  • However, don’t omit steps, including minor ones: all the evidence must be reproducible by your reader(s), so make sure you’re not taking shortcuts;
  • Think in terms of NEED-VALUE-CONSEQUENCES: if possible, avoid mentioning elements that are irrelevant to the investigation; when including screen captures, make sure that irrelevant content (other people’s pictures, usernames, comments, email addresses, etc.) is anonymized or blurred as needed;
  • Insert pictures of your findings: this will make the report more concrete, and easier to read;
  • Find a balanced style of writing: your report should be both compelling to read and straightforward, without personal considerations, bias or embellishment;
  • Get someone from your organization or a colleague to proofread it, if you can.

Note that it’s always a good idea to provide a summary of your findings at the beginning of your report — an Executive Summary, so to speak — so that people have a general idea of what they’re going to read. You can then present your objective, methods used, steps and findings in detail.

Take your data offline:

Once your investigation is done and you’ve published or sent your results as intended, take time to process all the data you’ve collected adequately. As we said earlier, no one is “unhackable”, so it’s your responsibility to make sure the data you collect doesn’t end up leaked somewhere on the internet.

There are two ways to go about this. One would be to delete your data in its entirety, which may be a solution if you work for an organization that has made a copy of it and stored it securely; in that scenario, the data is still accessible, but it doesn’t need to be in your possession or on your devices.

If you conduct your own investigations, however, it may be useful to keep the data somewhere, in case you ever need it again in the future. Let’s say you’ve researched a specific group of people or a company, for example; would it make sense to burn everything and do it all over again a couple of months to a year later? Of course not.

However, leaving all that data on your device(s) is a significant risk and bad practice, should you get hacked, a drive fail, or you spill a cup of coffee. To avoid this, make (physical) backups of all your data and files — you should start doing this during the investigation, just in case. You can use an external storage drive, burn it to a CD/DVD, whatever works best for you. Just don’t put it on the cloud or in Apple’s Time Machine, as the aim is to take that data offline.

How you choose to organize your physical backup collection is up to you ©Pinterest.com

Once you’re done, make sure to fully erase your data on all your connected devices, including cloud services if you use them. You don’t have to go all NIST-compliant on it, but at least make it harder for bad actors to retrieve it should they ever gain access.

Clean your environment:

Cleaning your environment is an essential step in keeping yourself secure. During your investigation, you may have encountered many shady websites hosting all sorts of malware that ordinary web surfers typically never run into. Merely visiting some of these websites, without downloading any files, is at times enough to get you unknowingly infected.

So one step to clean your environment is to destroy that virtual machine you are (hopefully) using and spin up a new one, and/or reimage the burner computer you are using. These two simple steps will make quick work of any hidden malware that may have sneaked in during your investigation.

Note: You don’t necessarily have to clean your environment after every investigation. If you are investigating a grandma cheating at the bingo tournament, you probably don’t need to go full-on James Bond super spy. But if your investigation frequently takes you to the dark web or to other shady sites on the clearnet, then you should consider the two steps presented above.

Conclusion: There is no real ending…

The first two articles of our trilogy were intended as a starting point for people interested in OSINT and digital privacy. Knowing how easy it is to gather open-source intelligence on practically everyone and everything is important, because it’s often the first step taken by bad actors. We hope that our articles have helped you become more privacy-aware and resilient in case you become the victim of an attack.

Open-source intelligence gathering, however, should not be demonized as it can be used for good, and with incredible results. With this last article, we hope to have demonstrated that with the right mindset, framework and preparation, OSINT researchers can help people, and support justice and democracy worldwide. Just like “hacking” is not a bad word, intelligence gathering can be done for noble goals — or just for fun!

And the good news is: most OSINT tools and techniques can be learned online for free. So whether you’re looking for challenges or eager to join an organization and use OSINT for good, we’ve listed a few resources below for you. If you come across others, don’t hesitate to post them in the comments! The OSINT community is very supportive and collaborative, and we’re always happy to learn from each other.

We wish you a lot of fun in your future investigations and until then…

See you soon, detective!

Sources:

Extras

OSINT resources:

CTF and OSINT challenges

OSINT for good

List of people/organisations to follow

Discords:


RoddyT3ch

Cybersecurity Professional and OSINT & Tech Enthusiast