My inbox is full of requests to teach Open Source Intelligence (OSINT) techniques, especially from new recruits to W1nterSt0rm, an #OpChildSafety initiative. Having OSINT skills in a data-driven environment is vital and can help you navigate a world that tries to hide and obfuscate the truth.
OSINT fundamentally involves using good investigative skills to analyze publicly available information. It’s that simple. But how you go about an OSINT investigation may not be so simple, as it's easy to get lost in the data.
If you still aren’t sure, let me break it down into something I think we’ve all done before: look up a Facebook user. If you’ve ever come across a suspicious website and started searching the web for reviews or checked if it’s been blacklisted as fraudulent, then you’re already acquainted with some basic OSINT techniques. You used public resources to verify the authenticity of something you questioned.
In this article, I am going to cover the following elements for setting up and running an organized OSINT investigation:
- Organizing the investigation
- Advanced Web searches
- Username and public records
- Breach report databases
- Cross-referencing and fact-checking
FBI OSINT: fun fact?
When the FBI arrested me for hacking 15 years ago, they employed OSINT methods that successfully unraveled my identity. They found my email address. Although I subscribed and accessed it using a VPN, they discovered my CraigsList post containing my résumé.
I had posted my work history with three security companies, the names of my former employers, along with the dates of my employment. For the contact information, I left my email address and a burner phone number.
At first glance, I thought I had carefully sanitized the résumé of any identifying information. I was too focused on hiding my identity to consider that the résumé itself was enough to burn my anonymity.
The FBI called all three security companies, and using the dates I provided, they were able to successfully connect my name with the employment dates. The rest is history. That’s how using an email address associated with my hacking lifestyle and sharing my obfuscated résumé ultimately became my undoing.
Organizing your toolkit
If you don’t organize your tools, you’ll waste your time running around without direction. This will hamper your productivity and maybe even the investigation itself.
I have used Start.me for years because it’s free and easy to personalize as a bookmark management tool. Mine still needs a bit more organizing, as you can see from the example below. Case management apps and services are abundant, but don’t spend money if you don’t need to.
If you’re working with a lot of data and need a free way to manage it, I use Obsidian. Advertised as a project management app, it’s typically used for writing, note-taking, and as a way to organize your thoughts.
However, its ability to create a visualized graphical view of the information you add gives structure to your OSINT investigations, which helps you connect data relationships. What’s more, if you’re working with a team of investigators, your projects can be shared, as well as opened for collaborating with others.
Now that you’re organized, you have the tools to quicken your response time so you don’t get lost in the clutter. Regardless of your needs, you’ll find these tools useful to get the job done. The problem is that most of the tools on the scene are redundant. They do the same things, with only minor differences.
Using advanced search methods
If the information can be found without paying for any services, you should start your OSINT search in the public domain – the web. For example, if you want to search for specific keywords in Google and exclude results that only loosely match your query, wrap the keyword in quotation marks, an advanced search operator that forces an exact match, e.g. “Cybernews”. For those of you familiar with Google Dorks, this is the same thing.
Try searching “Cybernews” “OSINT”, which combines the two phrases and returns every indexed page where Cybernews is mentioned together with the term OSINT. To narrow the search to cybernews.com with the same keyword, site:cybernews.com “OSINT” will do the job.
Another useful search operator example that may give you a bit of nostalgia is "hacktivism" before:2001-06-26 (YYYY-MM-DD). This advanced search operator instructs Google to return results from sites mentioning hacktivism published before June 26th, 2001. To learn more about advanced search operators and how to use them, navigate here.
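To make the three operators above concrete, here is an added example (not from the original article or from Google) that parses a query in that syntax and applies it to a small constructed corpus, so you can see how an exact-phrase match, site: restriction and before: date filter each narrow the result set. The loose matching of unquoted terms is a crude stand-in for a real engine’s fuzzy matching and is an assumption of this example.

```python
import re
from datetime import date

# Constructed sample "search results" standing in for indexed web pages (not real pages).
SAMPLE_PAGES = [
    {"url": "https://cybernews.com/security/osint-guide", "date": date(2023, 5, 1),
     "text": "Cybernews explains OSINT techniques for investigators."},
    {"url": "https://cybernews.com/news/breach", "date": date(2022, 1, 9),
     "text": "Cybernews reports on a data breach."},
    {"url": "https://example.org/blog/hacktivism-history", "date": date(1999, 11, 3),
     "text": "A short history of hacktivism in the nineties."},
    {"url": "https://example.org/blog/hacktivism-today", "date": date(2021, 3, 15),
     "text": "Hacktivism and OSINT: cyber news from today."},
]

TOKEN = re.compile(r'"([^"]+)"|(\S+)')   # a quoted phrase, or one bare token

def parse_query(query):
    """Split a query into exact phrases, bare terms, and site:/before: operators."""
    query = query.replace("\u201c", '"').replace("\u201d", '"')  # accept curly quotes
    phrases, terms, site, before = [], [], None, None
    for quoted, bare in TOKEN.findall(query):
        if quoted:
            phrases.append(quoted.lower())
        elif bare.startswith("site:"):
            site = bare[len("site:"):].lower()
        elif bare.startswith("before:"):
            before = date.fromisoformat(bare[len("before:"):])  # YYYY-MM-DD
        else:
            terms.append(bare.lower())
    return phrases, terms, site, before

def matches(page, phrases, terms, site, before):
    text = page["text"].lower()
    host = re.sub(r"^https?://", "", page["url"]).split("/")[0]
    if site and host != site and not host.endswith("." + site):
        return False                      # site: keeps only that domain and its subdomains
    if before and page["date"] >= before:
        return False                      # before: keeps only pages published earlier
    if not all(p in text for p in phrases):
        return False                      # quoted phrases must appear verbatim
    words = re.findall(r"\w+", text)      # bare terms match loosely: shared 4-char prefix
    return all(any(w.startswith(t[:4]) for w in words) for t in terms)

def search(query, pages=SAMPLE_PAGES):
    """Return the URLs of pages matching the query, in corpus order."""
    return [p["url"] for p in pages if matches(p, *parse_query(query))]
```

Note that the unquoted query cybernews OSINT also returns the "cyber news" page, while the quoted form does not, which is the difference the quotation marks make.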
AI OSINT GPT searches
OSINT tools with integrated AI are still kind of novel, but they are heading in the right direction. Cylect.io is advertised as the “Ultimate AI OSINT Tool,” and has lived up to this billing so far. When researching hacktivist groups, trying to find common links between multiple entities, or even when I just want to learn more about an IP address, it’s been formidable, thorough, and always cites its sources.
I asked the AI to provide me with the contact information for a company I was researching. Its results were factual. There was no direct method for contacting the company. However, it provided links to resources the company had published elsewhere, which contained information on ways to establish contact, which saved me time digging.
Username search and eliminating redundancy
While there are scores of free Linux scripts available on GitHub, most of them are kind of redundant, with minor variations. I prefer Instant Username Search due to its robust search across vast social media networks.
At this stage, fact-checking is everything, because username matches are prone to false positives; you don’t want to put the cart before the horse. An enumerated list of online profiles opens new lines of research, since each profile is a new data point you can glean information from.
Because I’m always on the go, I use free mobile apps like Hackerman: Find Socials and Maigret for deep username searches. Both allow you to save your searches. You can also find the Github repository for Maigret here.
Public records
People always ask me which is better: Intelius or BeenVerified? Here’s the deal. I always need a second opinion to compare my search results with. Accuracy is everything. That is why I use both. The information I uncover from one, I cross-reference with the other. Sometimes, information is missing from one but found in the other. This is because these services don’t rely on the same databases.
BeenVerified and Intelius are both regulatory-compliant and answer user search queries from public sources. This includes public records and social media, as well as information from other data brokers. It excludes confidential information unless that information has been made public through legal means.
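The cross-referencing described here, and the fact-checking of username results above, come down to the same step: comparing what two independent sources say about the same subject and separating corroborated fields from conflicting and single-source ones. The following is an added example (not from the article, and not the API of any real people-search service) over two constructed, fictional records; the normalization rules are assumptions.

```python
import re

# Constructed results from two hypothetical providers (fictional data, not real people).
PROVIDER_A = {"name": "Jane Q. Doe", "phone": "(555) 010-0199",
              "city": "Springfield", "email": "jqd@example.com"}
PROVIDER_B = {"name": "jane doe", "phone": "555-010-0199",
              "city": "Shelbyville", "alias": "jqdoe"}

def normalize(field, value):
    """Canonicalize a value so formatting differences are not reported as conflicts."""
    if field == "phone":
        return re.sub(r"\D", "", value)                 # keep digits only
    if field == "name":
        # lower-case, collapse whitespace, drop single-letter middle initials
        return " ".join(w for w in value.lower().split()
                        if not re.fullmatch(r"\w\.?", w))
    return value.strip().lower()

def cross_reference(a, b):
    """Classify every field as corroborated, conflicting, or single-source.

    corroborated: both sources agree after normalization (value from source A kept)
    conflicting:  both sources have the field but disagree -> (a_value, b_value)
    single_source: only one source has it -> ("A" or "B", value); treat as unverified
    """
    report = {"corroborated": {}, "conflicting": {}, "single_source": {}}
    for field in sorted(set(a) | set(b)):
        if field in a and field in b:
            if normalize(field, a[field]) == normalize(field, b[field]):
                report["corroborated"][field] = a[field]
            else:
                report["conflicting"][field] = (a[field], b[field])
        else:
            source = "A" if field in a else "B"
            report["single_source"][field] = (source, a.get(field, b.get(field)))
    return report
```

Only the corroborated fields should feed the next pivot; conflicting and single-source fields are leads to verify, not facts.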
Breach report databases
Companies are generally required to notify customers of any compromise to their personal data in compliance with US federal and state laws, the General Data Protection Regulation (GDPR) of the European Union, the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), and the Australian Notifiable Data Breaches (NDB) scheme.
This is why breach report databases like Dehashed exist.
Each piece of information it returns can be searched, potentially uncovering additional email accounts, breached passwords, addresses, phone numbers, aliases, and IP addresses contained in the breach. This is an incredible resource for finding and fact-checking, as the cross-referencing possibilities are almost endless.
Lastly, whichever way you choose to dice it, organizing your investigations will help them flow more naturally, with less frustration and more discoveries. Don’t be afraid to purchase subscriptions for better quality results. And never forget: research everything, because the world is sitting on a mountain of secrets.
Trust, but verify.