News You can USE!

OSINT Intelligence Briefing – December 22, 2025

Strategy & Governance

Core OSINT Philosophy and Methodology

Overview: Open-Source Intelligence is fundamentally defined by its analytical output, requiring analysts to prioritize actionable insights over indiscriminate gathering.

  • OSINT is defined as an outcome, not merely data collection or tool acquisition, emphasizing a focus on end results.
  • The discipline is still maturing and lacks standardized practices; the frameworks used in digital forensics are suggested as the model for it to grow toward.
  • Investigators must build redundancy into their workflows to mitigate the risk of outages in native search capabilities or reliance on single platforms.

Security Notes/Recommendations

  • LLM Interaction OPSEC: Prompts used in Large Language Models (LLMs) such as ChatGPT can be legally obtained by law enforcement (e.g., DHS ordered OpenAI to share user data in the first known warrant for chat prompts).

    • Analysts should use sock puppet accounts specifically for LLM-based OSINT investigations to maintain operational security.
  • Data Risk Awareness: Analysts must acknowledge the dark side of OSINT; publicly available data, tactics, and tools can be utilized for malicious purposes like swatting, stalking, and arson.
  • Repository Migration: Because GitHub has deleted certain repositories related to the dark web, hacking, and OSINT, investigators should proactively back up the tools they depend on (e.g., mirror them to GitLab or keep local clones).

Collection Modalities Deep Dive

Advanced Search Engine Techniques (Dorking)

Overview: Search dorking uses specialized operators to target specific data, increasing search precision beyond standard keyword queries.

  • The technique helps uncover hard-to-locate public data, such as content from misconfigured servers or open directories.
  • Leveraging Alternative Engines: Utilize Bing and Yahoo alongside Google, as they use different indexing logic, have fewer restrictions on certain dorks, and offer stronger regional/non-English content coverage.
  • Example Dorking Syntax: Combine operators like site: and filetype: for highly targeted results.

    site:.gov filetype:pdf "keyword phrase"

  • Search Localization: A browser extension exists to modify the locale and language of Google Search results to match the area of interest during investigations.
  • China OSINT Tip: Monitor the news and social media feeds of infrastructure companies based in China that conduct overseas business.
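As an added illustration (not code from the original briefing), the Python below composes a dork from its operator pieces and fans the same query out to Google, Bing and Yahoo, which is the redundancy point made above, with optional localisation of the Google and Bing results. The engine endpoints and parameter names (q for Google and Bing, p for Yahoo; hl/gl on Google and setlang/cc on Bing) are assumptions about the current search URLs and should be checked before use; every query shown is constructed for the example.

```python
from urllib.parse import urlencode

# Assumed search endpoints and the name of their query parameter.
ENGINES = {
    "google": ("https://www.google.com/search", "q"),
    "bing": ("https://www.bing.com/search", "q"),
    "yahoo": ("https://search.yahoo.com/search", "p"),
}
# Assumed localisation parameters: (UI language, country) per engine.
LOCALE_PARAMS = {"google": ("hl", "gl"), "bing": ("setlang", "cc")}


def _group(operator, values):
    """site:a.gov OR site:b.gov, parenthesised when more than one value is given."""
    terms = [f"{operator}:{v}" for v in values]
    return terms[0] if len(terms) == 1 else "(" + " OR ".join(terms) + ")"


def _quote(term):
    """Quote a term only when it contains whitespace."""
    return f'"{term}"' if " " in term else term


def build_dork(sites=(), filetypes=(), phrases=(), titles=(), exclude=()):
    """Compose a query from operators all three engines understand."""
    parts = []
    if sites:
        parts.append(_group("site", sites))
    if filetypes:
        parts.append(_group("filetype", filetypes))
    parts += [f"intitle:{_quote(t)}" for t in titles]
    parts += [f'"{p}"' for p in phrases]           # exact phrases are always quoted
    parts += [f"-{_quote(x)}" for x in exclude]    # noise to drop, e.g. -site:linkedin.com
    return " ".join(parts)


def search_urls(dork, lang=None, country=None):
    """URL-encode one dork for each engine so a single query fans out to all three."""
    urls = {}
    for engine, (base, param) in ENGINES.items():
        params = {param: dork}
        if engine in LOCALE_PARAMS:
            lang_key, country_key = LOCALE_PARAMS[engine]
            if lang:
                params[lang_key] = lang
            if country:
                params[country_key] = country
        urls[engine] = f"{base}?{urlencode(params)}"
    return urls


if __name__ == "__main__":
    # Constructed examples: the page's .gov dork, and an open-directory sweep of one domain.
    print(build_dork(sites=[".gov"], filetypes=["pdf"], phrases=["keyword phrase"]))
    sweep = build_dork(sites=["example.test", "www.example.test"],
                       filetypes=["pdf", "xlsx"], titles=["index of"])
    for engine, url in search_urls(sweep, lang="de", country="DE").items():
        print(engine, url)
```

Running the same query through all three engines also makes the difference in their index coverage visible, which is why the Bing and Yahoo results are worth keeping rather than treating Google as the only source.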

Image and Video Investigation Tools

  • ShadeMap: Web application used to analyze shadows in an image to chronolocate a photo (determining time/date when the photo was taken).
  • GeoVLM: A GitHub tool that uses Gemini’s API (requires key) to assist in geolocation by performing bulk checking of photo catalogs to narrow down potential locations.
  • Deepface UI: A user interface version of the DeepFace CLI tool/library, used for facial recognition and investigating images at scale.
  • YouTube Video Finder: Aggregates multiple sources for checking video archives online, useful for accessing metadata and information from taken-down YouTube content.
  • Reverse Image Search Strengths:

    • Yandex: Excellent at recognizing faces, matching landmarks, and particularly effective for Eastern Europe and Russia.
    • PimEyes: Advanced public facial recognition, capable of high match accuracy even on low-resolution images.
    • Lenso.ai: AI-powered facial recognition that handles altered, edited, or angled photos and can provide alerts for new matches.
    • TinEye: Excels at finding older duplicates and detecting image edits (cropped, flipped, or filtered versions).

Email and Identity Tools/Techniques

  • Email Lookups:

    • Email Lookup (Discovery): Starts with a name/company/domain to discover an email address.
    • Reverse Email Lookup: Starts with an email address to find the owner, linked accounts, and breach hits.
  • Email Validation Methods:

    • Mail Exchange (MX) Lookup: Confirms via DNS that the domain exists and is set up to receive mail; it says nothing about whether a particular mailbox exists.
    • SMTP/TCP Handshake: Connects to the MX host and issues MAIL FROM/RCPT TO to see whether the server accepts the mailbox. Catch-all domains accept every address, temporary 4xx replies are inconclusive, and automated probing can trigger abuse filters or blocklisting.
  • doxcord: A GitHub tool that scans Discord servers to extract social media links, specifically looking for UTM parameters that can reveal a user’s device type.
  • Username Variation Generation: When investigating usernames, generate variants based on predictable heuristics (e.g., birth year digits, location, job title, significant numbers).

    • Plausible variants include delimiter swaps (e.g., changing dots to underscores), numeric tweaks, leetspeak substitutions, and platform-specific suffixes (e.g., _ig or _x).
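The SMTP handshake check from the email validation list above, as an added example in Python (not code from the briefing or from any tool it names). It assumes the domain's MX host has already been resolved (with dig MX or dnspython's dns.resolver.resolve(domain, "MX")), probes a random local part first so a catch-all domain is recognised before its "accepted" reply is mistaken for a hit, and treats 4xx as inconclusive rather than as "no such user". The server transcripts, host names and sender address are constructed so the code can be exercised offline.

```python
import secrets
import socket


class SmtpProbe:
    """Minimal SMTP client: banner, EHLO, MAIL FROM, RCPT TO, QUIT. Never sends DATA."""

    def __init__(self, sock):
        self.sock, self.buf = sock, b""

    def _reply(self):
        """Read one reply, including multi-line ones ("250-..." continues, "250 ..." ends)."""
        lines = []
        while True:
            while b"\r\n" not in self.buf:
                chunk = self.sock.recv(4096)
                if not chunk:
                    raise ConnectionError("server closed connection")
                self.buf += chunk
            line, self.buf = self.buf.split(b"\r\n", 1)
            text = line.decode("ascii", "replace")
            lines.append(text)
            if len(text) < 4 or text[3] != "-":
                return int(text[:3]), "\n".join(lines)

    def _cmd(self, line):
        self.sock.sendall(line.encode("ascii") + b"\r\n")
        return self._reply()

    def probe(self, sender, rcpt, helo="probe.invalid"):
        """accepted / rejected / deferred / blocked for one recipient.
        4xx on RCPT is inconclusive: greylisting or rate limiting, not "no such user"."""
        if self._reply()[0] != 220 or self._cmd(f"EHLO {helo}")[0] != 250:
            return "blocked"
        if self._cmd(f"MAIL FROM:<{sender}>")[0] != 250:
            return "blocked"
        code = self._cmd(f"RCPT TO:<{rcpt}>")[0]
        try:
            self._cmd("QUIT")                  # always close politely to limit abuse flags
        except (ConnectionError, ValueError):
            pass
        if code in (250, 251):
            return "accepted"
        if 500 <= code < 600:
            return "rejected"
        return "deferred" if 400 <= code < 500 else "blocked"


def mailbox_status(connect, address, sender="probe@sender.invalid"):
    """connect() returns a fresh socket to the domain's MX host. A random local part
    is probed first: if the server accepts that too it is a catch-all, and an
    'accepted' for the real address would prove nothing."""
    domain = address.rsplit("@", 1)[1]
    if SmtpProbe(connect()).probe(sender, f"{secrets.token_hex(6)}@{domain}") == "accepted":
        return "catch-all"
    return SmtpProbe(connect()).probe(sender, address)


def connect_to_mx(mx_host, port=25, timeout=10):
    """Connector for live use (needs network); mx_host comes from the MX lookup."""
    return lambda: socket.create_connection((mx_host, port), timeout=timeout)


class ScriptedSocket:
    """Constructed stand-in for a socket: canned server replies for the offline demo."""

    def __init__(self, replies):
        self.replies, self.sent = list(replies), []

    def sendall(self, data):
        self.sent.append(data)

    def recv(self, _n):
        return self.replies.pop(0) if self.replies else b""


def scripted_connect(*transcripts):
    """One canned transcript per connection, consumed in order."""
    it = iter(transcripts)
    return lambda: ScriptedSocket(next(it))


# Constructed transcripts for a fictional MX host.
HANDSHAKE = [b"220 mx.example.test ESMTP\r\n",
             b"250-mx.example.test\r\n250 PIPELINING\r\n",   # multi-line EHLO reply
             b"250 2.1.0 Ok\r\n"]
ACCEPT = HANDSHAKE + [b"250 2.1.5 Ok\r\n", b"221 2.0.0 Bye\r\n"]
REJECT = HANDSHAKE + [b"550 5.1.1 User unknown\r\n", b"221 2.0.0 Bye\r\n"]
GREYLIST = HANDSHAKE + [b"450 4.7.1 Try again later\r\n", b"221 2.0.0 Bye\r\n"]
BLOCKED = [b"554 5.7.1 Service unavailable; client host blocked\r\n"]

if __name__ == "__main__":
    for scripts in ((REJECT, ACCEPT), (ACCEPT, ACCEPT), (REJECT, REJECT), (REJECT, GREYLIST)):
        print(mailbox_status(scripted_connect(*scripts), "alice@example.test"))
```

For live use, pass connect_to_mx(host) as the connector, keep the volume low and spaced out, and expect some providers to answer 250 for everything or to drop the session after one RCPT; the classification is evidence to weigh, not proof.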
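The username heuristics above, as an added example in Python (not from the briefing): it applies delimiter swaps, numeric tweaks including a handle's own trailing number, leetspeak substitutions and platform suffixes, then turns each variant into profile URLs to check. The leet table, the delimiter set and the profile URL templates are assumptions chosen for illustration; confirm each platform's URL format before relying on it.

```python
import re
from itertools import combinations

LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"}   # assumed substitution table
DELIMITERS = ("", ".", "_", "-")
PLATFORM_SUFFIXES = ("_ig", "_x")                         # the suffixes named on the page
# Assumed profile URL templates for illustration; verify against each platform.
PROFILE_URLS = {
    "github": "https://github.com/{u}",
    "x": "https://x.com/{u}",
    "instagram": "https://www.instagram.com/{u}/",
}


def _numeric_tweaks(numbers):
    """1990 -> 1990, 1989, 1991, 90; 7 -> 7, 6, 8."""
    out = set()
    for n in numbers:
        s = str(n)
        out.add(s)
        if s.isdigit():
            out.update({str(int(s) - 1), str(int(s) + 1)})
            if len(s) == 4:
                out.add(s[2:])                          # birth year -> two-digit year
    return out


def _leetspeak(word, max_subs):
    """Every way of substituting up to max_subs letters using LEET."""
    positions = [i for i, ch in enumerate(word) if ch in LEET]
    out = set()
    for k in range(1, max_subs + 1):
        for combo in combinations(positions, k):
            chars = list(word)
            for i in combo:
                chars[i] = LEET[chars[i]]
            out.add("".join(chars))
    return out


def username_variants(handle, numbers=(), keywords=(), max_leet=1):
    """Deterministic, de-duplicated variants of a known handle.
    numbers: birth years, significant numbers; keywords: city, job title, etc."""
    handle = handle.lower()
    m = re.fullmatch(r"(.*?\D)(\d+)", handle)           # 'jdoe1990' -> reuse its own number
    stem, own_number = (m.group(1), m.group(2)) if m else (handle, None)
    tokens = [t for t in re.split(r"[._-]+", stem) if t]
    bases = {d.join(tokens) for d in DELIMITERS}        # delimiter swaps
    nums = _numeric_tweaks(list(numbers) + ([own_number] if own_number else []))
    out = {handle} | bases
    for b in bases:
        out.update(b + n for n in nums)                 # numeric tweaks
        out.update(b + "_" + n for n in nums)
        out.update(b + k.lower() for k in keywords)     # location / job title
        out.update(b + s for s in PLATFORM_SUFFIXES)    # platform-specific suffixes
        out.update(_leetspeak(b, max_leet))             # leetspeak substitutions
    return sorted(out)


def candidate_profiles(handle, **kwargs):
    """Pivot: one (platform, URL) pair per variant, ready for manual or scripted checks."""
    return [(platform, template.format(u=v))
            for v in username_variants(handle, **kwargs)
            for platform, template in PROFILE_URLS.items()]


if __name__ == "__main__":
    # Constructed input: a handle plus a suspected birth year and city.
    for v in username_variants("john.doe", numbers=[1990], keywords=["NYC"]):
        print(v)
    print(len(candidate_profiles("jdoe1990")), "profile URLs to check")
```

The list grows multiplicatively with every extra number or keyword, so keep the hints to ones with real support in the case file and record which variant each confirmed account came from, as the pivoting rules below require.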

Data Processing and Infrastructure Tools

  • Artemis Auditor: A desktop application for analyzing large volumes of unstructured data (Office documents, PDFs, TXT, email mailboxes) to create a private, searchable, offline knowledge base.

    • Features include AI-powered entity extraction (names, organizations, emails) and link visualization similar to i2 Analyst’s Notebook.
  • JSON Crack: Web application designed to help visualize complex JSON dumps in a more readable format, improving efficiency when handling large datasets.
  • Validin: A DNS intelligence platform that provides a community edition for analysts performing domain reversal.
  • Waybien: A specialized search engine for locating online group activity across platforms including Telegram, Facebook, Discord, and WhatsApp groups.

Verification & Integrity Report

Image and Media Verification

Overview: Effective image analysis requires maximizing tool capability and validating hidden temporal details.

  • Image Optimization Techniques: To improve reverse image search results, analysts should:

    • Remove busy backgrounds from images.
    • Test the full version of the image before cropping to isolate specific details (e.g., a logo or a watch).
    • Use AI image restoration tools to reconstruct blurry or obscured pictures.
  • Chronolocation Practice: The application WhenTaken provides a method to test and improve both geolocation and chronolocation skills by having users guess the location and year a photo was taken.
  • LLM Geolocation Fidelity: Testing of 24 LLMs for geolocation capabilities has been updated, providing current data on performance benchmarks.
  • Misinformation Monitoring: A detailed guide is available for monitoring conflict zones online, covering identification of military hardware, country flags, group insignias, and drones.

Applied Intelligence Briefing

Operational Case Studies

Overview: Recent investigations demonstrate the critical role of structured analysis and attention to small details for identity resolution and threat validation.

  • Room Double Identification: Analysis of presidential photographs, demonstrated in a case study regarding Vladimir Putin, shows how tiny details in photo backgrounds can expose the use of “room doubles” (replicating rooms for security) to disguise a subject’s true location.
  • Transnational Crime Fingerprinting (Kinahan Cartel): An investigation successfully mapped the digital footprint of a cartel associate by analyzing activity logs from fitness tracking app Strava and posts on Instagram.
  • Financial Identity Resolution (Binance): Looking up a phone number or email address on the Binance platform can yield additional identity information, including the user’s display name and connected PayPal ID.
  • Fraudulent Job Posting Detection: Analysts confirmed a job posting scam by sequentially:

    • Checking the company domain with a site: dork.
    • Using reverse image search to confirm the recruiter’s profile photo was stolen from a stock photo website.
    • Searching LinkedIn with dorks to compare alleged employee profiles against the suspicious job posting.

Pivoting and Timeline Construction

Overview: Pivoting is the process of chaining leads from one data point to the next (e.g., username → email → location) to build a complete profile.

  • Key Pivoting Rules:

    • Collect contact clues and follow all linked accounts for verification.
    • Extract and check metadata from any images found.
    • Perform manual searches combining the target handle with potential locations or keywords using site:dorks.
    • Document every step, screenshot results, and note all URLs and username variants.
  • Google Maps Timeline: A specific method exists for finding the exact date and time a Google Maps review was posted, allowing analysts to construct a precise timeline of presence at a location.

Security Notes/Recommendations

  • Threat Market Monitoring: Reports indicate a new underground OSINT marketplace where threat actors trade in sensitive assets, including data breaches, illegal TLO lookups, stolen IntelX keys, and custom OSINT modules.
  • Breach Data Access Caution: When searching breach data and leaks, analysts should use aggregated lookup services that manage compliance for them rather than handling raw leak dumps, so the work stays within regulations such as GDPR and CCPA.

The OSINT Frontier & Dev

Emerging AI Trends and Capabilities

Overview: The role of AI in OSINT is rapidly expanding, necessitating new validation methods and the integration of machine learning across the intelligence cycle.

  • 2026 Trends Forecasted: Key trends expected for the next year include advancements in AI-generated content validation, proliferation of agentic AI, and the rise of synthetic influence campaigns.
  • Strategic Importance of Data Quality: Open source intelligence is viewed as a national asset, requiring efforts to train LLMs on high-quality, hard-to-find data.
  • AI-Powered Aggregation: The tool Noimosiny uses generative AI for email/username lookup and face matching, allowing analysts to paste various structured inputs into a single interface for sorting.

Tools and Resources for Development

  • Anna’s Archive: A large, searchable, free, and crowdsourced archive of books, papers, and magazines that is suitable for training LLMs.
  • Offline Source Awareness: The most valuable intelligence may sometimes originate from offline sources, such as obscure books, underscoring the need for broad research.
  • DocuFinderJS: A tool designed to scan target domains to locate publicly accessible documents like PDFs or spreadsheets, which can expose sensitive data.
  • Council Meeting Transcript Search: This application makes static data easier to find by allowing searches of auto-generated transcripts of Council meetings across the UK and Ireland.