It was interesting recently when I read the Sector035 WiO newsletter and saw two blogs, by Aaron Roberts (@AaronCTI) and Micah Hoffman (@webbreacher) respectively, both talking about methodology. My first thought was that great minds think alike, or maybe it was the other, rather unflattering, one; whichever it was, they had both beaten me to the post (no pun intended).
authentic8.com/blog/10-steps-osint-mastery
aaroncti.com/my-osint-blueprint-methodology-and-tools-part-one/
I have been in and out of writing a similar blog myself for some time, and now I feel like the second person to walk on the moon. I can always remember that the first person was Neil Armstrong (unless you believe the conspiracy theory that it was the person who put the camera there). I had to dig deep to remember who the second person was, and double check on Wikipedia that it was Buzz Aldrin. As it stands, I am the 3rd person, whoever that happened to be. But thinking more positively, this can be the trilogy finale.
The letter T just happens to be one of my favourite letters, so I will talk about your OSINT task, toolbox, tactics, tradecraft, techniques, tools and being tenacious. I won't get as technical as Micah did in explaining the OSI model, something I am familiar with, which is why I found the extra 3 layers concept interesting.
I agree with both the methodologies Aaron and Micah spoke about, and I have my own methodologies. The important thing to remember is that it is not necessarily whose methodology you follow; the important thing is to have a methodology. We all think differently, and as a result our brains work differently, so our methodologies will be different.
You can set numerous OSINT practitioners the same task and they will all get to the same result, but each of them may have had their own methodology behind how they got there. We are all different, think differently and work problems out differently; that is the key to a methodology. Throw in some experience and you are good to go.
Both Aaron and Micah talk about laws and policy constraints that may affect your OSINT collection methodology, and it is definitely something you need to be aware of, especially when I talk about Donald Trump later. (I know, what does Donald Trump have to do with OSINT? Read on.)
I share some of the same thoughts as Aaron. Aaron talks about passive OSINT, and whilst the definition of passive may be subjective, I too believe in only carrying out an exploratory investigation on a subject. There appears to be a rush by some practitioners to create accounts. Why? There are plenty of ways we can research a subject without touching their digital footprint and contaminating it with our own. From an OPSEC perspective it is far better to hide in the shadows. And let's not forget it can be an exhausting experience setting up some accounts, especially on those platforms owned by Zuck.
The first part of any OSINT deployment is the task: what it is you are being asked to do, and what the aims and objectives of the task are. How many times have I heard, "Can you just do some quick research on…"? Yeah, sure I can, but I don't. I always ask questions: "Tell me what it is you want exactly!" "What do you want to achieve?"
Nico Dekens (@dutch_osintguy) often talks about the difference between information and intelligence. Without clear aims and objectives, can you ever hope to disseminate intelligence? Without clear aims and objectives, how can you know what you are looking for? What is important? You may think something is important, yet when you show it to your client they may disagree. You may reject something as not being important, yet had you shown it to your client, they may have deemed it to be important. One of my favourite fictional characters, Jack Reacher, has a saying, "Details matter," and I couldn't agree more.
Ritu Gill (@OSINTtechniques) wrote a blog on the difference between information and intelligence in 2023.
https://www.sans.org/blog/what-is-open-source-intelligence/
That then brings us to potentially our first point of failure, and we haven't even started to collect any information. Without clear aims and objectives, we will undoubtedly take a dragnet approach to our research: let's grab everything we can, in the hope we grab something useful, and we will review it later.
The reality, and my experience, is that it does not all get reviewed, because too much information has been harvested, and it remains information, never becoming intelligence. What have we missed? We can't see the wood for the trees, as the idiom goes.
Whilst I am on the subject of analysis, let's quickly cover this point of the intelligence cycle. Analysis can sometimes sound complicated. To some extent this is true, and it depends on the type of analysis being done; some analysis can be technically complicated and require a completely different skill set. Let's choose a different word: let's review what it is we have found. What does the information we have collected mean when compared to the aims and objectives we were set? Can we pivot from it? Can we further enrich it? I am constantly reviewing what I have collected, what level of importance I will give each piece of information, and where it fits into the bigger picture and the aims and objectives set.
Experience has taught me that I can build my final report as I go, by simply prioritising the important information I have collected in line with the aims and objectives I have been set. For sure, by the time I get to my final report I may jettison some of it, as I have adapted along the way. That is the way my brain works. Another OSINT practitioner may be lucky enough to have a photographic memory and be able to review everything at the end and remember where everything fits in.
Rolling seamlessly into reports: I always include in my reports the aims and objectives I was set. This way I stay on point and the client is reminded of what they asked me to do. Remember your audience; don't get too geeky or technical, as your client may not understand. Be precise, and don't include masses of information which all means the same thing. Depending on the OSINT deployment, I like to explain how I found the information I did, as this helps with understanding threat and risk. Don't just dump a screenshot from a username tool into a report; dig deeper and verify that the accounts belong to your subject of interest. The untrained may mistakenly believe all the accounts belong to the subject.
There is a caveat: it's important to remember that you need to be able to adapt and respond, as time-critical deployments may dictate that you don't have as much time as you would like. With experience, however, you can adapt your methodology quickly because you know it inside out.
I am in total agreement with Aaron: before you go looking down the OSINT rabbit hole, look at what you have first, review it, re-review it, and understand what it is you have. How can you exploit and pivot off what you already possess? Don't forget to have your OSINT toolbox ready for the job ahead. Both Aaron and Micah talk about using other people's resources. You can use my GitHub repos, or the many start.me pages that are available to the OSINT community.
https://github.com/cqcore
Micah talks about filling your knowledge gaps. There are hundreds of places where you may find information about your subject, and you may not always be familiar with every platform you visit. Get to understand the similarities between different platforms: a lot of social media platforms operate a similar model of likes, re-posts, comments, tags etc. They may be called different things, but the premise is the same. Dark web forums have similar ways of operating and rendering.
Have a quick think about how important the underscore (_) can be in social media when looking for users or groups. So even if you are unfamiliar with a certain platform, you can still work your way round it and understand it. Look at WhatsApp: once just a simple messaging app, it is now becoming a clone of Telegram. I don't use WhatsApp, but because I know my way round Telegram, it wouldn't take me long to work out WhatsApp.
I would be surprised if there is one OSINT practitioner who knows everything about OSINT and the endless tools, techniques, tradecraft and tactics. There are experts in each different field of OSINT. I have no hesitation in admitting that I am stronger in some areas of OSINT than others. I do not do much in the way of website OSINT, so if I need to refresh my knowledge by re-reading blogs, listening to a podcast, or asking, then I will.
A couple of points I have spoken about before in other blogs are having an investigative mindset and being aware of confirmation bias; the latter very much fits into the importance of verifying and validating any information you find. With the rise in fake news and the ability of AI to replicate real people, verifying and validating what you have found has never been as important.
How we interpret what we find is as important as finding it in the first place. Unless you are a subject matter expert or recognised legally as an expert, your interpretation may not stand the test of time.
Case in point: I have been watching the Trump trials in the US, with the numerous attempts by the Defense to have evidence omitted or, in the latest case, to have a mistrial called. Don't put yourself in a situation where bias has crept in; even though you may have interpreted something positively to please a client or to suit your case, it may come back to haunt you. Be honest in your interpretation. Don't make it fit when clearly it doesn't to an objective third person.
So how do I go about exploring a subject? For the purpose of this blog, we have a username and an email address. I will start you off on my path.
I always like to have a look at the following. These are places where people like to aggregate their social media footprint.
If you know the username, simply tag it onto the end of the URL:
https://keybase.io/USERNAME-HERE
https://gravatar.com/USERNAME-HERE
https://linktr.ee/USERNAME-HERE
I have chosen 3 different accounts from the OSINT community. (Normally I obfuscate the profiles, so I have asked their permission to show them in full.)
There is plenty of information and plenty of links to explore. If you are more technically minded or work in LE, there are also some golden nuggets.
Now it may be that your subject does not have a footprint on any of these sites. How many of you will think in the negative: "I haven't found anything"? Stop! What could that tell you about your subject? Does it perhaps suggest that your subject is OPSEC aware and likes to obfuscate their social media presence? Save that thought; it may prove useful to you, and it may mean you change your methodology. See what else you find, or don't, as the case may be.
I accept that nefarious subjects on Telegram may not use social media aggregation websites, but think of the effort versus the possible reward: it would take you about 60 seconds to tag a username onto the end of those URLs. What of your subject before they became nefarious and OPSEC aware? Have they left a previous digital footprint for you to pick up on? OPSEC is a full-time business and a pain to keep on top of, so look for the mistakes.
I am interested in social engineering; Micah mentions it too. My interest in social engineering is borne out of the need to understand what the information I find is telling me about a subject, will it help inform me where I need to look next. Do they give snippets of leads away in what and how they post. Don’t misunderstand my interest in social engineering, I am still exploring passively, I have no interest in interacting with a subject or even creating accounts at this stage either.
Over on my GitHub I have a repo dedicated to Username & Email OSINT:
https://github.com/cqcore/Email-Username-OSINT
There are numerous resources available that will enable you to obtain free information. Yes, some are paid for, but they will give you a certain amount of information for free; take the freebies and build a picture. You may have to create a burner account, but the point is that you are able to access free information on a subject without touching their digital life. Some will give you the same information, but you may also harvest different information.
There are numerous username search tools available, and they all do very similar things. Don't rely on just one, though. Some are slightly different and return slightly different results. Use more than one to fully exploit this OSINT technique. Understand false positives, and verify and validate your findings.
Tradecraft can also form part of your methodology. From the articles I have read, non-OSINTers very rarely click the second page of returned search results (this is why I find auto-scroll useful). The question is: how many of you play around with the username?
This comes back to the psychology of social engineering. We like to have an identity, so we want to carry that identity with us wherever we go. But others may also want or use that identity, so we compromise and adapt to keep as close to our identity as we can. An identity is also good for your reputation, especially in forums or in the commercial world.
Do you change an E to a 3? Do you change an O to a 0? Do you use Cyrillic letters? The possibilities are endless. A good OSINTer always clicks the second page of results, though.
Don't forget email addresses too. Some email providers are not case sensitive and allow a dot (.) to be used in the address, yet every variant points back to the same email account. I wrote a blog on this a few years ago, if you want to read it.
Using uppercase characters and dots is a simple obfuscation method for your subject to use. It is not the best OPSEC practice, but it is easy to do, with no need to create burner accounts or use an alias service. Again, remember that a diligent and tenacious OSINTer always clicks the second page of search results.
This is not an exhaustive example of my methodology; I would need to write a book, and Aaron has covered what I would have continued with. I wanted to share some of my thought processes. Take what works for you and leave what doesn't, but enjoy your OSINT.
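The handle and email tricks above (leet digits, Cyrillic look-alikes, dots and capitals) can be undone mechanically so that variants found by different tools are recognised as one identity, which also helps when verifying that results really belong to the subject and when checking whether someone is impersonating your own handle. This is an added example, not code from the original post; the dot-insensitive provider list, the substitution tables and all sample values are assumptions constructed for illustration.

```python
"""Added example: collapse obfuscated usernames and email addresses to a
comparison key. Substitution tables and provider list are constructed
assumptions for this example, not an exhaustive reference."""
import unicodedata

# Providers assumed to ignore dots in the local part (Gmail is the best
# known); lower-casing is applied to every address.
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}

# Leet-style digit swaps the post mentions (E->3, O->0) plus common ones.
LEET = str.maketrans({"3": "e", "0": "o", "1": "l", "4": "a",
                      "5": "s", "7": "t", "$": "s"})

# Cyrillic letters that render like Latin ones (constructed subset).
HOMOGLYPHS = str.maketrans({"а": "a", "е": "e", "о": "o", "р": "p",
                            "с": "c", "х": "x", "у": "y", "к": "k", "і": "i"})


def canonical_email(addr: str) -> str:
    """Lower-case the address and, for dot-insensitive providers, drop dots
    in the local part, so J.Smith@Gmail.com and jsmith@gmail.com compare equal."""
    local, _, domain = addr.strip().lower().rpartition("@")
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.replace(".", "")
    return f"{local}@{domain}"


def normalize_handle(handle: str) -> str:
    """Reduce a username to a key: fold case, map Cyrillic look-alikes to
    Latin, undo leet digits, and strip the separators platforms allow."""
    h = unicodedata.normalize("NFKC", handle).lower()
    h = h.translate(HOMOGLYPHS).translate(LEET)
    return "".join(ch for ch in h if ch not in "_-.")


def match_handles(subject: str, candidates: list[str]) -> list[str]:
    """Return the candidates whose key equals the subject's key."""
    key = normalize_handle(subject)
    return [c for c in candidates if normalize_handle(c) == key]


if __name__ == "__main__":
    # Constructed sample results, as a username tool might return them.
    found = ["J4ck.R3acher", "jаck-reacher", "jackreacher99", "jack_reacher"]
    print(match_handles("jack_reacher", found))
    print(canonical_email("J.Smith@Gmail.com") == canonical_email("jsmith@gmail.com"))
```

The second entry in the sample list uses a Cyrillic а, which is why a plain string comparison would miss it.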