The art of open source intelligence


Open Source Intelligence (OSINT) is the art of mining public information, websites, and social media for secrets and insights through the use of open-source tools and publicly available resources. A hacker's treasure trove.

I sit here dual-booted on my MacBook with Linux, listening to Blood Rave by Thunderwolf while hunting a threat actor across the dark web to the clear net. I’m wired in, enraptured by the dopamine coursing through my brain while enthralled by the thrill of the hunt.

My target’s failed OPSEC, or “operational security,” has provided me with the leverage I need to unmask their real identity. They used a unique screen name on a dark web forum that I was able to link to an account on the web, or “clear web,” as we call it, by using a reverse image search.

This helps me to uncover where this image has been used before on the internet. Moreover, the dark web account had a unique AI-generated display picture, the same one featured on an Instagram account belonging to my indiscreet target. There were other revealing tells on the Instagram account that helped me confirm that this account was owned by the same person.

Furthermore, I found their Facebook account using this same method. Any Facebook user can affirm just how much information users willingly divulge on the platform, which is why it can be a goldmine. This is how I discovered their name and birthdate. But not much else was useful. Nevertheless, I slowly begin to stitch together a portrait of my quarry.

With the target’s name and details from their social media profiles, I have enough information to begin running search queries in the public records database I have a subscription with. But there’s a catch. Not every public database returns the same information. This happens quite often. That’s why I use a handful of record databases to compare, analyze, and build a factual resume on my target.

As an independent cybersecurity researcher, I have always kept public records databases foremost in my cyber weapons arsenal. Arguably, I spend more time using these databases for OSINT than anything else. I have used these databases for years for fraud screening and background checks, as well as unmasking scammers and bad actors.

But I haven’t only used these open-source resources to identify and track bad actors. I’ve used them to find the surrogate mother I had as a child, as well as to reconnect with high school friends I had lost touch with for decades.

This is for you. If you’ve ever needed to track down a lost loved one, an old high school sweetheart, or even try to identify who owns a phone number, then this is definitely right up your alley.

Doxxing and legality

In the shadowy realm of digital recklessness, there should always be the question of legality, namely regarding the act of doxxing or posting a person’s information online with the intent to cause harm. Simply put, although doxxing is seemingly an element of the internet subculture, it could land you in prison.

Effective September 1st, 2023, a new provision, Section 42.074 of the Texas Penal Code, categorizes a form of doxxing as a criminal offense, officially labeled "Unlawful Disclosure of Residence Address or Telephone Number." According to this statute, an individual engages in doxxing when they intentionally publish the residence address or telephone number of another person on a publicly accessible website, with the aim of inflicting harm or generating a threat of harm upon that individual or a member of their family or household.

Thus, the legality of it hangs on certain conditions, such as if it becomes instrumental in facilitating other illegal acts such as harassment, stalking, intimidation, identity theft, or even incitement to violence. In many cases where individuals find themselves behind bars, doxxing often fits snugly within a broader tapestry of criminal misdeeds woven together by a web of multiple offenses.

For example, it is a Class B misdemeanor in the State of Texas that comes with a six-month vacation of concrete, razor wire, and an orange jumpsuit, followed by a $2000 fine for those who dare to expose someone's secrets by plastering their personal information on the web, all in the name of sowing the seeds of mayhem or unleashing threats upon them or their family. This offense can get bumped up into a Class A misdemeanor when it involves physical harm.

The consequences are more severe when it involves leaking someone’s social security number. In Texas, Section 32.51 of the Penal Code bans acquiring, transferring, or possessing someone's personal information, like social security numbers, without consent and with harmful intent. Section 33.07 criminalizes sending electronic messages, even on social media, to harass, annoy, or embarrass others. Sharing a link to access someone's personal info without consent is harassment.

On February 23rd, Texas Attorney General Greg Abbott declared that revealing social security numbers in public docs violates both State and Federal privacy laws, leading to criminal penalties of jail and fines.

Public records databases

A public record database is like a big digital library filled with documents and information that's accessible to the public. These records typically contain information about individuals, businesses, and various government activities. Public record databases are maintained by government agencies, courts, and other public entities.

Oftentimes, certain public records services do not have access to the same information. Therefore, it’s important to use multiple resources in order to fact-check the information.

Some databases return no results. Others return some, and still others a goldmine.

Here’s a list of some of the common types of public records found in public record databases:

  • Birth and death records
  • Marriage and divorce records
  • Property records (deeds, titles, property assessments)
  • Criminal records
  • Court records (civil and criminal)
  • Business records (business registrations, licenses, financial filings)
  • Voter registration records
  • Government meeting minutes and agendas
  • Environmental records

Reversing phone numbers is also something that the everyday person should know, especially since cold calling and unsolicited text message scamming are an increasing epidemic. This basic but useful skill is therefore a great addition to anyone's cyber arsenal.

Another great way to access vital records is to use Ancestry.com, which can help researchers piece together a subject’s family history. I use this to confirm a subject’s date of birth and cities they’ve lived in. Moreover, these records often contain photographs, which are extremely useful in determining and confirming the appearance of the subject.

Power tools and case management

One of the most important elements when doing OSINT research is organization and management. Before I began using case management, I would simply organize my screenshots and text files and upload them to Megaupload, which makes it easy to share files and collaborate with others, such as a team. This is a private alternative to Google Drive.

Files and folders are encrypted on your device with unique, random keys and then sent to our servers. These keys are secured with your recovery key, using asymmetric cryptography for user key exchange.

The only issue with this manual approach is that, well, it can be tedious and time-consuming. That is why I personally use Maltego and Vortimo, the latter of which is a web page organizer and information management tool.

Maltego is a powerful commercial data mining tool capable of delving into troves of open-source data to unearth valuable insights. It can weave intricate graphs into a comprehensible matrix, revealing connections and patterns between data points such as people, usernames, social media accounts, and public records of all types.

For example, in the Community Edition of Maltego, you can install any number of free modules and connect your API to a vast number of information services to maximize the scope of your investigation or research.

This means you can enumerate social media accounts, create a dossier, and generate a matrix containing data points on your subject based on your search query. Additionally, you can map relationships between your subject and people they know, such as associates, all within an organized interface, and share the data with others for collaboration. Since it is a graphical user interface, it helps eliminate unnecessary information clutter.

The sheer volume of open-source OSINT tools and online resources available is so vast that covering them would take a book, if not a series of articles. The important thing to note is that, like anything, OSINT can be abused if done for a malicious purpose. Therefore, always remember to be on the right side of the law and never use OSINT to leverage an opponent.