Open Source Intelligence (OSINT)
Every good investigator or analyst has a toolbox of useful techniques, sources, and methods that they use to ensure thoroughness and optimal accuracy of the information they collect and ultimately disseminate. These tools and techniques have gotten highly technical, but as recently as ten years ago, how we currently deploy “OSINT” was unheard of, and investigators and analysts operated on a more traditional and “old-school” basis. “Back in the day”, going to a courthouse to pull a file for review was part of a normal day for an investigator. This was pre-modern-internet OSINT in its rawest form: collecting publicly available information and ultimately analyzing it to see where it could lead. While the availability of such information and the techniques to obtain it aren’t a secret, having the knowledge, skills and ability to locate and collect this information is what made the investigator different from the general public. Prior to the digitization of these public records, and long before the internet was nearly as prevalent in our lives as it is today, this is how OSINT worked. We argue that public records, although separate from what we think of today as true OSINT, were the precursors to a discipline that has merely moved into the digital world. And while there are true public records experts, OSINT is inclusive of these records, with similar techniques and the same keen investigative mindset used in both fields. Today, we have access to millions of individual public records at our fingertips; that is, if we know where to look and how to use the data.
Looking at the past, it is readily apparent that the key advantage investigators have today is SHARING, and the advent and proliferation of platforms available for doing so. Today, people voluntarily share some of the most intimate details of their lives without a second thought, and the online footprint of the average user is incomparable to what was previously available. Ten years ago, we were lucky to find an email address, AIM or forum username, whereas today a single email address could lead to volumes of data available for analysis. Today our Twitter and Instagram alerts vibrate our cell phones constantly as people we know, and often people we don’t, share information: data available for collection and analysis. The issue today isn’t always finding this data, although the art of OSINT includes this in its scope and dedicates a great deal of effort to automating the search and collection process; it is analysis of this data that is key in obtaining meaningful and actionable intelligence.
So what is OSINT? OSINT in its most technical form refers to Open Source Intelligence, a military term now more associated with hackers, penetration testers, intelligence analysts and yes, investigators. Even your local PI, probably a retired law enforcement officer of some kind, likely dabbles in OSINT even if he or she doesn’t realize it. OSINT is simply one area of investigation, comprised of unlimited individual tools, that is utilized in a non-invasive manner; it is simply finding and collecting what is available, often through advanced techniques not otherwise well known to the general public. Much of this can be done from anywhere by anyone with the knowledge, despite the techniques being fluid due to changes in technology.
Our Definition and Usage of “OSINT”
There is no “one-stop shopping” in OSINT. OSINT is created as a result of a collection of tools and techniques, each with a limited use – on a case-by-case basis. Most tools will not apply in every situation. Such tools, combined with the investigative and logical mindset, creativity and the tenacity to keep trying different angles, create an investigator’s OSINT toolbox.
OSINT also comes from and is used by a number of different professional disciplines, the most common being Penetration Testers, Investigators/Intelligence Analysts, Journalists and “Hackers” of all hat colors. Their targets may vary, but ultimately the techniques and tools can be used by any number of professionals from these groups and beyond, and are scalable to anything from small local investigations to international terrorism cases. On the most technical end, “Hackers” and Penetration Testers spend a lot of time focusing on networks, cybersecurity vulnerabilities and intrusion points, looking for weaknesses to exploit. Their discipline often tips the scales at the most technical end of OSINT, often requiring coding knowledge or at the very least a solid grasp of the Linux operating system and command line computing. This is often technically over the heads of a lot of investigators, but given some of these tools (the best of which feature GUIs), Investigators too can utilize some of the more high-tech aspects of the OSINT world. Our endeavor is to become a resource for the OSINT Investigator. We are speaking to you, the US-based investigator, working on cases in the United States: people, places and businesses. We cull through the highly technical jungle of GitHub, command line and Kali Linux to bring you those tools that can be used by you and your teams every day. While some of the more technical experts like Bellingcat focus on Terrorism and identifying the time of day a Russian tank crossed over the 45th parallel and what the tank driver had for breakfast, we will focus exclusively on those things that bring value to everyday investigations, be it local, national, big or small.
So how does your average Professional Investigator use OSINT? Well, let’s keep in mind that while these techniques are used around the world to help identify and capture terrorists, solve international criminal cases, locate missing persons, identify technological weaknesses by penetration testers and exploit the same by hackers, an investigator can take aim with the same resources on a variety of local cases as well. Take for example the need to prove where a person was in a specific timeframe, something we do regularly. OSINT tools often allow investigators to gather and then verify evidence that can make or break these types of cases. It is these everyday investigative tools that we aim to bring to you on this platform.
Explaining Social Media Metadata
Before we go any further, it is important to have a quick conversation about metadata capture versus the authentication of social media. There is no simpler way of saying this: just because you can capture the hash values of a social media post does not mean you have identified when an image was taken. Please don’t explain to your clients that these two things are one and the same. The MD5 or SHA hash values merely verify when and where an image or post was captured by the person collecting it, namely the investigator. This is a valuable tool, with the potential to be made more important by recent federal court rules (902) regarding the self-authentication of digital evidence. We say potential because at this moment, local circuit and district courts have yet to adopt this rule and, even more importantly, are simply unaware of the position of the federal district courts’ update. For now, posts and images found on Facebook, Instagram, VSCO, SnapChat and, for argument’s sake, Twitter do not contain metadata related to the time, date, device or location of the images found on an individual’s profile. There is no way through metadata to prove when an image was taken. To be perfectly clear, if you expect to identify and prove when an image posted to any of the most popular social media platforms was actually taken, you will not find it in the metadata.
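As an added illustration of the distinction above (not part of the original article), this Python example builds a capture record for a collected file and checks a JPEG for an Exif block. The byte strings are constructed samples rather than real photos, and the URL, capture time and function names are hypothetical.

```python
import hashlib
import struct
from datetime import datetime, timezone

def capture_record(data: bytes, source_url: str, collected_at: datetime) -> dict:
    """Describe the COLLECTION of a file: what was saved, from where, and when."""
    return {
        "source_url": source_url,
        "collected_at_utc": collected_at.astimezone(timezone.utc).isoformat(),
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }

def has_exif(jpeg: bytes) -> bool:
    """Walk the JPEG header segments and report whether an APP1 Exif block exists."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xDA, 0xD9):  # start of scan / end of image: headers are over
            break
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        if marker == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00":
            return True
        pos += 2 + length  # skip the marker bytes plus the length-prefixed payload
    return False

def _segment(marker: int, payload: bytes) -> bytes:
    """Build one JPEG segment: marker, big-endian length, payload."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample bytes, not real photos: same header, with and without Exif.
_JFIF = _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
_EXIF = _segment(0xE1, b"Exif\x00\x00" + b"constructed-camera-metadata")
_TAIL = b"\xff\xda\x00\x02\xff\xd9"
CAMERA_FILE = b"\xff\xd8" + _JFIF + _EXIF + _TAIL   # as it left the device
PLATFORM_FILE = b"\xff\xd8" + _JFIF + _TAIL         # as saved from a profile

if __name__ == "__main__":
    when = datetime(2024, 1, 15, 14, 30, tzinfo=timezone.utc)  # hypothetical capture time
    record = capture_record(PLATFORM_FILE, "https://social.example/p/123", when)
    print(record)
    print("Exif present in collected file:", has_exif(PLATFORM_FILE))
```

The record's timestamp and hashes describe the investigator's collection of the file; nothing in it, and nothing in the Exif-free file, says when the photo was taken.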
Welcome to the OSINT Digest for Investigators
While some of the more technical experts often focus on Terrorism and identifying the time of day a Russian tank crossed over the 45th parallel and what the tank commander had for breakfast, we will focus exclusively on those things that bring value to everyday investigations, be it local, national, big or small. Our monthly digest will include the most applicable techniques and searches that can be put to use immediately by anyone looking to gain an edge by using OSINT tools and techniques. We endeavor to steer away from providing the most technical side of OSINT, often reserved for penetration testers and various hackers, which oftentimes is not applicable to most investigators and would require greater resources and knowledge than are normally available. We scour the web and keep up with the community of OSINT investigators to ensure we can help provide some of the most cutting-edge tools and techniques within our monthly digest, which will include the best articles from the prior month, the most recently developed tools and information about the future of OSINT investigations. The best part? We work hard to ensure that these digests are simple, one-page downloads for easy digestion. If you enjoy this content, and would like to be alerted to future digests, please give us a follow on Twitter, Facebook and LinkedIn.