Every good investigator or analyst has a toolbox full of useful techniques, sources and methods that they use to ensure thoroughness and optimal accuracy of the information they collect and ultimately disseminate. As recently as ten years ago, these techniques were more traditional and “old-school”. Going to a courthouse to pull a file for review was part of a normal day for an investigator. This was pre-internet OSINT in its rawest form: collecting publicly available information and analyzing it to see where it could lead. While neither the availability of such information nor the techniques for obtaining it were a secret, having the knowledge, skills and ability to locate and collect it is what set the investigator apart from the general public. Before these public records were digitized, and long before the internet was nearly as prevalent in our lives as it is today, this is how OSINT worked. We argue that public records, although separate from what we think of today as true OSINT, were the precursors of a discipline that has merely moved into the digital world. And while there are true public records experts, OSINT is inclusive of these records, with similar techniques and the same keen investigative mindset used in both fields. Today we have access to millions of individual public records at our fingertips; that is, if we know where to look and how to use the data.
Then there is the issue of sharing: people didn’t share nearly as much as they do now, and our online footprints were very limited, usually to an email address, an AIM handle or a forum username! Today our Twitter and Instagram alerts vibrate our cell phones constantly, mostly with people we know, and often don’t, sharing information; data available for collection and analysis. So what is OSINT? OSINT in its most technical form refers to Open Source Intelligence, a military term now more associated with hackers, penetration testers, intelligence analysts and yes, investigators. Even your local PI, probably a retired law enforcement officer of some kind, likely dabbles in OSINT without realizing that is what he or she is doing. OSINT is simply one area of investigation, drawing on an unlimited number of individual tools and conducted in a non-invasive manner: we collect only what is already available, often through advanced techniques not otherwise well known to the general public. Much of this can be done from anywhere by anyone with the knowledge, even though the techniques keep changing as the technology does.
An Investigator’s Definition of OSINT
There is no “one-stop shopping” in OSINT. OSINT is the product of a collection of tools, tricks and techniques, each with a limited use, applied on a case-by-case basis. Most tools will not apply in every situation. Such tools, combined with an investigative and logical mindset, creativity and the tenacity to keep trying, make up an investigator’s OSINT toolbox.
OSINT also comes from and is used by a number of different professional disciplines, the most common being Penetration Testers, Investigators/Intelligence Analysts, Journalists and “Hackers” of all hat colors. Their targets may vary, but ultimately the techniques can be used by any number of professionals from these groups and beyond, and they scale to anything from small local investigations to international terrorism cases. On the most technical end, “Hackers” and Penetration Testers spend a lot of time focusing on networks, cybersecurity vulnerabilities and intrusion points, looking for weaknesses to exploit. Their discipline tips the scales at the most technical end of OSINT, often requiring coding knowledge or at the very least a solid grasp of the Linux operating system and the command line. This is often technically over the heads of a lot of investigators, but given some of these tools (the best of which feature GUIs), Investigators too can utilize some of the more high-tech aspects of the OSINT world. Our endeavor is to become a resource for the OSINT Investigator, the US-based investigator working on cases in the United States: people, places and businesses. We weed through the highly technical jungle of GitHub, the command line and Kali Linux to bring you those tools that can be used by your team every day. While some of the more technical experts like Bellingcat focus on Terrorism and identifying the time of day a Russian tank crossed over the 45th parallel, we will focus exclusively on those things that bring value to everyday investigations, be it local, national, big or small.
So how does your average Professional Investigator use OSINT? Well, let’s keep in mind that while these techniques are used around the world to help capture terrorists, solve international criminal cases, locate missing persons, identify technological weaknesses (by penetration testers) and exploit the same (by hackers), an investigator can take aim with the same resources at a variety of local cases as well. Take for example the need to prove where a person was in a specific time frame, something we do regularly. OSINT tools often allow investigators to gather and then verify evidence that can make or break these types of cases. Geo-location of images, or even just the collection of social media posts, comments and connections
Explaining Social Media Metadata
A quick word about metadata capture versus the authentication of social media. There is no simpler way to say this: just because you can capture the hash value of a social media post does not mean you have identified when an image was taken. An MD5 or SHA hash of a captured post or image proves only that the copy you hold is byte-for-byte identical to what was collected; the time and place of that collection are established by the investigator’s own capture record (the tool’s log of when and from where the capture was made), not by the hash itself. Neither the hash nor the capture record says anything about when the photograph was taken. This is still a valuable tool, with the potential to become more important under the recent amendments to Federal Rule of Evidence 902 (subsections 902(13) and 902(14), effective December 2017) on the self-authentication of records generated by an electronic process and of data copied from a device, storage medium or file and verified by hash value. We say potential because at this moment many state trial courts have yet to adopt an equivalent rule and, more importantly, are often simply unaware of the federal update.

For now, posts and images found on Facebook, Instagram, VSCO, Snapchat and, for argument’s sake, Twitter do not carry metadata about the time, date, device or location of the images on a user’s profile; the platforms strip it on upload, and the post timestamp the platform does show records when the image was uploaded, not when it was taken. There is no way through metadata to prove when such an image was taken. For this we must get more creative – more on this in a moment. To be perfectly clear: if you expect to identify and prove when an image posted to any of the most popular social media platforms was actually taken, you will not find it in the metadata. It is simply impossible.
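An added example, written for this digest rather than taken from any platform, court rule or collection tool, that keeps the two things above apart in working code: the investigator’s capture record (SHA-256 of the saved file plus the collection timestamp) and the camera-written Exif DateTimeOriginal tag inside the JPEG itself. Both JPEGs are constructed inline with a minimal Exif layout so the script runs offline; the second one mimics what you get back from a social platform, a JFIF file with no Exif segment at all. The URL in the record is a hypothetical placeholder.

```python
import hashlib
import struct
from datetime import datetime, timezone
from typing import Optional

EXIF_IFD_POINTER = 0x8769    # IFD0 tag whose value is the offset of the Exif sub-IFD
DATE_TIME_ORIGINAL = 0x9003  # Exif sub-IFD tag: the camera-written capture time (ASCII)


def build_exif_jpeg(date_time_original: str) -> bytes:
    """Construct a minimal JPEG: SOI, one APP1/Exif segment whose IFD0 points to an
    Exif sub-IFD holding DateTimeOriginal, then EOI. Big-endian ("MM") TIFF layout,
    no image data. Constructed sample for this example, not a real photo."""
    value = date_time_original.encode("ascii") + b"\x00"   # "YYYY:MM:DD HH:MM:SS" + NUL
    tiff_header = b"MM" + struct.pack(">HI", 42, 8)         # byte order, magic 42, IFD0 at 8
    ifd_size = 2 + 12 + 4                                  # entry count, one entry, next-IFD link
    exif_ifd_off = 8 + ifd_size                            # offsets are relative to the TIFF header
    value_off = exif_ifd_off + ifd_size
    ifd0 = (struct.pack(">H", 1)
            + struct.pack(">HHII", EXIF_IFD_POINTER, 4, 1, exif_ifd_off) + b"\x00" * 4)
    exif_ifd = (struct.pack(">H", 1)
                + struct.pack(">HHII", DATE_TIME_ORIGINAL, 2, len(value), value_off) + b"\x00" * 4)
    payload = b"Exif\x00\x00" + tiff_header + ifd0 + exif_ifd + value
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    return b"\xff\xd8" + app1 + b"\xff\xd9"


# Constructed samples. STRIPPED_JPEG mimics a platform re-download: JFIF APP0 only, no Exif.
ORIGINAL_JPEG = build_exif_jpeg("2019:06:14 18:22:05")
STRIPPED_JPEG = (b"\xff\xd8\xff\xe0" + struct.pack(">H", 16)
                 + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00" + b"\xff\xd9")


def _date_time_original_from_tiff(tiff: bytes) -> Optional[str]:
    """IFD0 -> ExifIFDPointer -> Exif sub-IFD -> DateTimeOriginal, honouring II/MM byte order."""
    order = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if order is None:
        return None
    magic, ifd0_off = struct.unpack(order + "HI", tiff[2:8])
    if magic != 42:
        return None

    def entries(off: int):
        (n,) = struct.unpack(order + "H", tiff[off:off + 2])
        for i in range(n):
            e = off + 2 + 12 * i
            tag, typ, count = struct.unpack(order + "HHI", tiff[e:e + 8])
            yield tag, typ, count, tiff[e + 8:e + 12]       # 4-byte value-or-offset field

    exif_off = next((struct.unpack(order + "I", v)[0]
                     for t, _, _, v in entries(ifd0_off) if t == EXIF_IFD_POINTER), None)
    if exif_off is None:
        return None
    for tag, typ, count, v in entries(exif_off):
        if tag == DATE_TIME_ORIGINAL and typ == 2:          # type 2 = ASCII
            raw = v[:count] if count <= 4 else tiff[struct.unpack(order + "I", v)[0]:][:count]
            return raw.rstrip(b"\x00").decode("ascii", "replace")
    return None


def exif_date_time_original(jpeg: bytes) -> Optional[str]:
    """Walk the JPEG marker segments up to SOS and return DateTimeOriginal if an APP1/Exif
    segment carries one, else None (the normal result for a photo re-downloaded from a
    social platform, which strips Exif on upload)."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):                          # EOI or SOS: no more metadata segments
            break
        (seg_len,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        body = jpeg[pos + 4:pos + 2 + seg_len]
        if marker == 0xE1 and body.startswith(b"Exif\x00\x00"):
            try:
                return _date_time_original_from_tiff(body[6:])
            except (struct.error, IndexError):
                return None                                 # malformed Exif: treat as absent
        pos += 2 + seg_len
    return None


def capture_record(data: bytes, source_url: str, captured_at: Optional[datetime] = None) -> dict:
    """The investigator's own record. The hash proves the saved bytes are unchanged since
    capture; captured_at_utc is when *we* collected it. Neither is the camera's timestamp."""
    captured_at = captured_at or datetime.now(timezone.utc)
    return {
        "source_url": source_url,
        "captured_at_utc": captured_at.isoformat(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "size_bytes": len(data),
        "exif_date_time_original": exif_date_time_original(data),   # None for platform downloads
    }


def verify_capture(data: bytes, record: dict) -> bool:
    """Re-hash the file now held and compare with the hash recorded at capture time."""
    return hashlib.sha256(data).hexdigest() == record["sha256"]


if __name__ == "__main__":
    for label, blob in (("camera original", ORIGINAL_JPEG), ("platform re-download", STRIPPED_JPEG)):
        rec = capture_record(blob, "https://example.invalid/post/1")   # hypothetical URL
        print(label, rec["sha256"][:16], rec["captured_at_utc"], "EXIF:", rec["exif_date_time_original"])
```

Run it and the camera original reports a DateTimeOriginal while the platform re-download reports none, yet both get a perfectly good hash and capture timestamp. That is the whole point: `verify_capture` will later prove the file you produce in court is the file you collected, and the record proves when you collected it, but the question of when the picture was taken has to be answered by other means.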
Welcome to the OSINT Digest for Investigators
Our monthly digest will include the most applicable techniques and searches that can be put to use immediately by anyone looking to gain an advantage by using advanced OSINT tools and techniques. We endeavor to steer away from the most technical side of OSINT, often reserved for penetration testers and various hackers, which is frequently not applicable to most investigators and would require greater resources than are reliably available to them. We scour the web and keep up with the community of OSINT investigators to ensure we can provide some of the most cutting-edge tools and techniques in our monthly digest; this will include the best articles from the prior month, the most recently developed tools and information about the future of OSINT investigations. The best part? We work hard to ensure that these digests are simple, one-page downloads for easy digestion. If you enjoy this content and would like to be alerted to future digests, please give us a follow on Twitter, Facebook and LinkedIn.