Site icon Privacy, OPSEC, Obfuscation, Infosec, Digital Profiling and The-OSINT-Toolbox.

OSINT Methodology

It was interesting recently when I read Sector035 WiO newsletter and saw two blogs, by Aaron Roberts (@AaronCTI) and Micah Hoffman (@webbreacher) respectively, both talking about methodology. My first thought was, our great minds think alike or maybe it was the other rather unflattering one, whichever it was, they had both beat me to the post (no pun intended).

authentic8.com/blog/10-steps-osint-mastery

aaroncti.com/my-osint-blueprint-methodology-and-tools-part-one/

I have been in and out of writing a similar blog myself for some time, I now feel like I was the second person to walk on the moon. I can always remember the first person was Neil Armstrong, (Unless you believe in the conspiracy theory that it was the person who put the camera there). I must dig deep to remember who the second person was. I had to double check on Wikipedia that it was Buzz Aldrin. As it stands, I am the 3rd person, whoever that happened to be. But thinking more positively, this can be the trilogy finale.

The letter T just happens to be one of my favourite letters, so I will talk about your OSINT task, toolbox, tactics, tradecraft, techniques, tools and being tenacious. I won’t get as technical as Micah got explaining the OSI model, something I am familiar with and as a result I found the extra 3 layers concept interesting.

I agree with both the methodologies Arron and Micah spoke about and I have my own methodologies. The important thing to remember it is not necessarily who’s methodology you follow, the important thing is to have a methodology. We all think differently, and as a result our brains work differently, so our methodologies will be different.

You can set numerous OSINT practitioners the same task, they will all get to the same result, however they may all have had their own methodology behind how they got there. We are all different, think differently and work problems out differently, that is the key to a methodology. Throw in some experience and you are good to go.

Both Aaron & Micah talk about laws and policy constraints, that may affect your OSINT collection methodology and it is definitely something you need to be aware of, especially when I talk about Donald Trump later. (I know, what does Donald Trump have to do with OSINT, read on)

I share some of the same thoughts as Aaron. Aaron talks about passive OSINT, and whilst the definition of passive maybe subjective, I too believe in only carrying an exploratory investigation on a subject. There appears to be rush by some practitioners to create accounts. Why? There are plenty of ways we can research a subject without touching their digital footprint and contaminating it with our digital footprint. From an OPSEC perspective it is far better to hide in the shadows. And let’s not forget it can be an exhausting experience setting up some accounts, especially those platforms owned by Zuck.

The first part of any OSINT deployment is the task, what it is you are being asked to do. What are the aims and objectives of the task. How many times have I heard, “Can you just do some quick research on…” Yeah sure I can, but I don’t. I always ask questions, “Tell me what it is you want exactly!” “What do you want to achieve?”

Nico Dekens (@dutch_osintguy) often talks about the difference between, information and intelligence. Without clear aims and objectives, can you ever hope to disseminate intelligence. Without clear aims and objectives how can you know what you are looking for? What is important? You may think something is important however when you show it to your client they may disagree. You may reject something as not being important, however had you have shown it to your client, they may have deemed it to be important. One of my favorite fictional characters Jack Reacher has a saying, “Details matter,” and I couldn’t agree more.

Ritu Gill (@OSINTtechniques) wrote a blog on the difference between information versus intelligence in 2023.

https://www.sans.org/blog/what-is-open-source-intelligence/

That then brings us to potentially our first point of failure and we haven’t even started to collect any information. Without clear aims and objectives, we will undoubtable have a dragnet approach to our research. Let’s grab everything we can, in the hope we grab something useful and we will review it later.

The reality is, and my experience is, it does not all get reviewed as too much information has been harvested, and it remains as information, never becoming intelligence. What have we missed? We can’t see the wood for the trees as the idiom goes.

Whilst I am on the subject of analysis. Let’s quickly cover this point of the intelligence cycle. Analysis can sometimes sound complicated. To some extend this is true and it depends on the type of analysis that is being done. Some analysis can be technically complicated and require a completely different skill set. Let’s choose a different word, let’s review what it is we have found. What does the information we have collected mean when compared to the aims and objectives we were set. Can we pivot from it? Can we further enrich it? I am constantly reviewing what it is I have collected; what level of importance I will give each piece of information I have collected and where does it fit into the bigger picture and the aims and objectives set.

Experience has taught me, that I can build my final report as I go, by simply prioritising the important information I have collected, in line with the aims and objectives I have been set. For sure by the time I get to my final report, I may jettison some of it, as I adapt as I have gone. That is the way my brain works. Another OSINT practitioner, may be lucky and have a photographic memory and is able to review everything at the end and remember where everything fits in.

Rolling seamless into reports, I always include in my reports, the aims and objectives I was set. This way I stay on point and the client is reminded of what they asked me to do. Remember your audience, don’t get too geeky or technical as your client may not understand. Be precise, don’t include masses of information which all means the same thing. Depending on your OSINT deployment, I like to explain how I found the information I did, as this helps with understanding threat and risk. Don’t just dump a screenshot from a username tool into a report, dig deeper, verify that the accounts belong to your subject of interest. To the untrained they may mistakenly believe all the accounts belong to the subject.

There is a caveat, and it’s important to remember you need to be able to adapt and respond, as time critical deployments may dictate that you don’t have as much time as you would like, however with experience you can adapt your methodology quickly as you know it inside out.

I am in total agreement with Aaron, before you go looking down the OSINT rabbit hole, look at what you have first, review it, re-review it, understand what it is you have. How can you exploit and pivot of what you already possess. Don’t forget to have your OSINT toolbox ready for the job ahead. Both Aaron and Micah talk about using other people’s resources. You can use my GitHub repos, or the many start.me pages that are available to the OSINT community.

https://github.com/cqcore

Micah talks about filling your knowledge gaps. There are hundreds of places where you may find information about your subject and you may not always be familiar with every platform you visit. Get to understand the similarities between different platforms, a lot of social media platforms operate a similar model, of likes, re-posts, comments, tags etc, they maybe called different things, but the premise is the same. Dark web forums have similar ways of operating and rendering.

Have a quick think of how important the underscore (_) can be in social media when looking for users or groups. So even if you are unfamiliar with a certain platform, you can still work your way round it and understand it. Look at WhatsApp, once just a simply messaging app, it is now becoming  a clone of Telegram. I don’t use WhatsApp, but because I know my way round Telegram, it wouldn’t take me long to work out WhatsApp.

I would be surprised if there is one OSINT practitioner who knows everything about OSINT and the endless tools, techniques, tradecraft and tactics. There are experts in each different field of OSINT. I have no hesitation in admitting that I am stronger in some areas of OSINT than others. I do not do much in the way of website OSINT, so if I need to refresh my knowledge by re-reading blogs or listening to a podcast, or asking, then I will.

A couple of points I have spoken about before in other blogs, is having an investigative mindset and being aware of confirmation bias, the latter very much fits into the importance of verifying and validating any information you find. The rise in fake news and the ability of AI to replicate real people, verifying and validating what you have found has never been as important.

How we interpret what we find is as important as finding it in the first place. Unless you are a subject matter expert or recognised legally as an expert, your interpretation may not stand the test of time.
Point in case, I have been watching the Trump trials in the US, the numerous attempts by the Defense to have evidence omitted or in the latest case, attempting to have a mistrial called. Don’t put yourself in a situation where bias has crept in and even though you may have interpreted something positively to please a client or to suit your case, it may come back to haunt you. Be honest in your interpretation. Don’t make it fit when clearly it doesn’t to an objective third person.

So how do I go about exploring a subject. For the purpose of this blog, we have a username, email address. I will start you off on my path.

I always like to have a look at the following. These are places where people like to aggregate their social media footprint.

If you know the username, simply tag it onto the end of the URL: –

https://keybase.io/USERNAME-HERE
https://gravatar.com/USERNAME-HERE
https://linktr.ee/USERNAME-HERE