Deep Dive - Rae L. Baker - E-Book

Deep Dive E-Book

Rae L. Baker

Description

Learn to gather and analyze publicly available data for your intelligence needs.

In Deep Dive: Exploring the Real-world Value of Open Source Intelligence, veteran open-source intelligence analyst Rae Baker explains how to use publicly available data to advance your investigative OSINT skills and how your adversaries are most likely to use publicly accessible data against you. The author delivers an authoritative introduction to the tradecraft utilized by open-source intelligence gathering specialists while offering real-life cases that highlight and underline the data collection and analysis processes and strategies you can implement immediately while hunting for open-source info. In addition to a wide breadth of essential OSINT subjects, you'll also find detailed discussions on ethics, traditional OSINT topics like subject intelligence, organizational intelligence, image analysis, and more niche topics like maritime and IOT.

The book includes:

* Practical tips for new and intermediate analysts looking for concrete intelligence-gathering strategies
* Methods for data analysis and collection relevant to today's dynamic intelligence environment
* Tools for protecting your own data and information against bad actors and potential adversaries

An essential resource for new intelligence analysts, Deep Dive: Exploring the Real-world Value of Open Source Intelligence is also a must-read for early-career and intermediate analysts, as well as intelligence teams seeking to improve the skills of their newest team members.

Page count: 714

Publication year: 2023




Table of Contents

Cover

Title Page

Foreword

Preface

Who is this book for?

What can you learn?

Areas of Focus

Why learn OSINT skills?

Introduction

How I got started in OSINT

Part I: Foundational OSINT

Chapter 1: Open Source Intelligence

1.1 What Is OSINT?

1.2 A Brief History of OSINT

1.3 Critical Thinking

1.4 Mental Health

1.5 Personal Bias

1.6 Ethics

Notes

Chapter 2: The Intelligence Cycle

2.1 What Is the Intelligence Cycle?

2.2 Planning and Requirements Phase

2.3 Collection Phase

2.4 Documentation Methods

2.5 Processing and Evaluation Phase

2.6 Analysis and Production Phase

2.7 Reporting

2.8 Dissemination and Consumption Phases

Notes

Chapter 3: The Adversarial Mindset

3.1 Getting to Know the Adversary

3.2 Passive vs. Active Recon

Notes

Chapter 4: Operational Security

4.1 What Is OPSEC?

4.2 Steps for OPSEC

4.3 OPSEC Technology

4.4 Research Accounts

4.5 Congratulations!

Notes

Part II: OSINT Touchpoints

Chapter 5: Subject Intelligence

5.1 Overview

5.2 Names

5.3 Subject Usernames

5.4 Subject Emails

5.5 Subject Phone Numbers

5.6 Public Records and Personal Disclosures

Chapter 6: Social Media Analysis

6.1 Social Media

6.2 Continuous Community Monitoring

6.3 Image and Video Analysis

6.4 Verification

6.5 Putting It All Together

Notes

Chapter 7: Business and Organizational Intelligence

7.1 Overview

7.2 Corporate Organizations

7.3 Methods for Analyzing Organizations

7.4 Recognizing Organizational Crime

7.5 Sanctions, Blacklists, and Designations

7.6 501(c)(3) Nonprofits

7.7 Domain Registration and IP Analysis

Notes

Chapter 8: Transportation Intelligence

8.1 Overview

8.2 Vessels

8.3 Railways

8.4 Aircraft

8.5 Automobiles

Notes

Chapter 9: Critical Infrastructure and Industrial Intelligence

9.1 Overview of Critical Infrastructure and Industrial Intelligence

9.2 Methods for the Analysis of Critical Infrastructure, OT, and IoT Systems

9.3 Wireless

9.4 Methods for Analyzing Wireless Networks

Notes

Chapter 10: Financial Intelligence

10.1 Overview

10.2 Financial Crime and Organized Crime, Together Forever <3

10.3 Methods for Analysis

Notes

Chapter 11: Cryptocurrency

11.1 Overview of Cryptocurrency

11.2 The Dark Web

11.3 Methods for Cryptocurrency Analysis

Notes

Chapter 12: Non‐fungible Tokens

12.1 Overview of Non‐fungible Tokens

12.2 Methods for Analyzing NFTs

Notes

Chapter 13: What's Next?

13.1 Thank You for Diving In with Me

Index

Copyright

Dedication

About the Author

About the Technical Editor

Acknowledgments

End User License Agreement

List of Illustrations

Chapter 1

Figure 1.1: OSINT history

Chapter 2

Figure 2.1: Intelligence cycle

Figure 2.2: Pivot chart example

Figure 2.3: NATO Admiralty Code

Figure 2.4: Maltego CE link analysis chart

Chapter 3

Figure 3.1: House1

Figure 3.2: House2

Figure 3.3: House3

Figure 3.4: House

Chapter 4

Figure 4.1: Persona Non Grata

Figure 4.2: Security Card

Figure 4.3: Attack Tree

Figure 4.4: OPSEC Steps

Figure 4.5: APT Conti image of chat showing discussion of leaked credentials...

Figure 4.6: VPN

Figure 4.7: Tor

Figure 4.8: Freenet

Figure 4.9: I2P

Figure 4.10: AI artifacts

Figure 4.11: AI artifacts

Figure 4.12: AI artifacts

Chapter 5

Figure 5.1: Accountanalysis.app on Jon Stewart's Twitter account

Figure 5.2: Accountanalysis.app

Figure 5.3: Accountanalysis.app on Stephen Colbert’s Twitter account

Figure 5.4: Accountanalysis.app

Figure 5.5: Benjamin Strick’s photo of an East Algeria natural gas camp

Figure 5.6: Example of a typical Arabic naming order

Figure 5.7: Examples of The Laqab in Arabic

Figure 5.8: Examples of The Nisba in Arabic

Figure 5.9: Pivot chart stemming from a username search selector

Figure 5.10: Google search for username wondersmith_rae

Figure 5.11: WhatsMyName.app

Figure 5.12: Pivot chart stemming from an email address

Figure 5.13: Username zewensec searched within Sherlock

Figure 5.14: Pivot chart stemming from a Gmail or Google ID

Figure 5.15: WHOIS record for kasescenarios.com

Figure 5.16: Pivot chart stemming from a domain

Figure 5.17: Emailrep.io showing information it returns on a query

Figure 5.18: HaveIBeenPwned search

Figure 5.19: HaveIBeenPwned showing specific breach details

Figure 5.20: Intelligence X search

Figure 5.21: Pivot chart stemming from a breach data search

Figure 5.22: Pivot chart stemming from a phone number

Figure 5.23: Process used to analyze phone numbers

Figure 5.24: Pivot chart stemming from a public document search

Figure 5.25: UJS Portal

Figure 5.26: Nifty 50's found in corporations.pa.gov

Figure 5.27: Nifty 50's documents found in corporations.pa.gov

Figure 5.28: Voter Registration Laws at ncsl.org

Figure 5.29: Voter Information Lookup Website

Figure 5.30: Municipal Records Search Example

Figure 5.31: Google.com

Figure 5.32: Pivot chart stemming from a company executive using public docu...

Chapter 6

Figure 6.1: Pivot chart showing how to begin with a subject's Facebook page...

Figure 6.2: Pivot chart stemming from a subject’s name into social media

Figure 6.3: Pivot chart showing how information identified the subject in th...

Figure 6.4: Example of Association Matrix

Figure 6.5: Chart visualizing the data from the association matrix

Figure 6.6: Fake scenario 1

Figure 6.7: Fake scenario 2

Figure 6.8: Fake scenario 3

Figure 6.9: Fake scenario (continued)

Figure 6.10: Metadata included in the post

Figure 6.11: Twitter, Inc. / https://twitter.com/ByKellyCohen / last accesse...

Figure 6.12: Pivot chart illustrating pivots starting from a telegram channe...

Figure 6.13: Telegram / https://t.me/lemonfortea / last accessed 15, Februau...

Figure 6.14: TGStat

Figure 6.15: OSINT Combine's Reddit Post Analyzer

Figure 6.16: Reditr

Figure 6.17: 4chan

Figure 6.18: UAB photo showing how main media sources connect to the three s...

Figure 6.19: Wayback Machine

Figure 6.20: Imagery Analysis Example 1

Figure 6.21: Imagery Analysis Example 2

Figure 6.22: Imagery Analysis Example 3

Figure 6.23: Imagery Analysis Example 4

Figure 6.24: Australia's trace‐an‐object website

Figure 6.25: https://twitter.com/bayer_julia/status/1513612215143837700?s=20

Figure 6.26: Krzysztof K / www.tripadvisor.com/LocationPhotoDirectLink-g1878...

Figure 6.27: Bing visual search

Figure 6.28: Google Maps

Figure 6.29: Google Street View

Figure 6.30: Google Street View

Figure 6.31: www.facebook.com/search/top/?q=Staan%20op!%20Registreer%20en%20...

Figure 6.32: Google

Figure 6.33: Google Maps

Figure 6.34: Google Maps

Figure 6.35: Google Maps

Figure 6.36: CIR analysis of Chernobyl’s exclusion zone

Figure 6.37: www.info-res.org/post/digging-in-danger-how-russian-forces-buil...

Figure 6.38: www.info-res.org/post/digging-in-danger-how-russian-forces-buil...

Figure 6.39: www.info-res.org/post/digging-in-danger-how-russian-forces-buil...

Figure 6.40: www.info-res.org/post/digging-in-danger-how-russian-forces-buil...

Figure 6.41: Illustration showing the range of mis/dis/mal

Figure 6.42: Reuters/Hannah Mckay

Figure 6.43: Twitter, Inc. / https://twitter.com/SoCalTrumpMAGA / last access...

Figure 6.44: Bot account analyzed with Twitonomy shows 243 tweets per day av...

Figure 6.45: Node

Figure 6.46: Edge

Figure 6.47: Weight

Figure 6.48: Edge

Figure 6.49: Edge

Figure 6.50: Edge

Figure 6.51: Gephi model on the spread of the debunked Plandemic video

Figure 6.52: Bellingcat

Figure 6.53: Original photo of Bill and Hillary Clinton

Figure 6.54: Twitter, Inc. / https://twitter.com/NavyFlyBoyUSA/status/126325...

Figure 6.55: Account suspended https://twitter.com/JohnKStahlUSA / last acce...

Figure 6.56: Bing image search on photograph of man

Figure 6.57: Ballotpedia, ballotpedia.org/John_Stahl

Figure 6.58: www.pennlive.com/daily-buzz/2020/05/trump-shares-tweest-calling...

Figure 6.59: Footage from a video game

Figure 6.60: Forensically image showing ELA before

Figure 6.61: Error level analysis

Figure 6.62: Image from the website Forensically showing image manipulations...

Figure 6.63: Pivot chart for puppy scam case showing social media connection...

Figure 6.64: Pivot chart for puppy scam case showing Twitter accounts connec...

Figure 6.65: Full pivot chart for puppy scam case

Chapter 7

Figure 7.1: Pivot chart stemming from a corporate entity

Figure 7.2: Example of organizational structure using the McDonalds Corporat...

Figure 7.3: The Intelligence cycle

Figure 7.4: Screenshot of OpenCorporates.com

Figure 7.5: EDGAR

Figure 7.6: Tesla Twitter account

Figure 7.7: Tesla Twitter account

Figure 7.8: Tesla Twitter account

Figure 7.9: Good Jobs First

Figure 7.10: Viewing contracts

Figure 7.11: Viewing contracts

Figure 7.12: Viewing contracts

Figure 7.13: USASpending.gov

Figure 7.14: Viewing contracts

Figure 7.15: CDC

Figure 7.16: Contract opportunity

Figure 7.17: Contract opportunity

Figure 7.18: Contract opportunity

Figure 7.19: Contract opportunity

Figure 7.20: Example of power mapping

Figure 7.21: Contract opportunity

Figure 7.22: LittleSis

Figure 7.23: LittleSis screenshot

Figure 7.24: LittleSis Power maps

Figure 7.25: LittleSis Power maps

Figure 7.26: Westbridgfordwire.com

Figure 7.27: County council page

Figure 7.28: PDF documents

Figure 7.29: Nottinghamshire screenshots

Figure 7.30: National enterprise credit information publicity system

Figure 7.31: National enterprise credit information publicity system

Figure 7.32: Pro Publica Inc. / https://projects.propublica.org/nonprofits/o...

Figure 7.33: IRS tax exempt organization search

Figure 7.34: Federal audit clearinghouse

Figure 7.35: Federal audit clearinghouse

Figure 7.36: Example statement

Figure 7.37: Charity Navigator

Figure 7.38: URLs

Figure 7.39: Robots.txt file for tesla.com

Figure 7.40: FOCA

Figure 7.41: Whoxy

Figure 7.42: Nslookup.io showing Oscar Mayer's site information

Figure 7.43: www.apnic.net/about-apnic/organization/history-of-apnic/history...

Figure 7.44: Search in https://seach.arin.net

Chapter 8

Figure 8.1: Video still from AP story

Figure 8.2: Comparison between SAR and Satellite imagery

Figure 8.3: EO browser in the Singapore strait, a ship‐to‐ship transfer. The...

Figure 8.4: How the AIS on a vessel transmits signals

Figure 8.5: How ADS‐B transmits signals

Figure 8.6: How Mode‐S transmits signals

Figure 8.7: Showing a “dark” vessel path

Figure 8.8: Example of a spoofed signal path

Figure 8.9: Example of a spoofed signal path

Figure 8.10: How an attacker can spoof AIS signals

Figure 8.11: How an attacker can meacon a signal

Figure 8.12: Parts of a vessel

Figure 8.13: Verifying a ship‐to‐ship transfer using EO browser

Figure 8.14: Vessels positioned outside of Al Basrah Oil Terminal

Figure 8.15: Satellite view of vessels positioned outside of Al Basrah Oil T...

Figure 8.16: Verifying a ship‐to‐ship transfer using EO browser

Figure 8.17: Replenishment at sea

Figure 8.18: Vessel pulling a NASA barge

Figure 8.19: Example berthing report

Figure 8.20: Webcam video from the Port of Rotterdam Amazonehaven West

Figure 8.21: Typical vessel industrial control systems

Figure 8.22: Screenshot of Shodan showing sailor 900 devices

Figure 8.23: Screenshot of Subtel forum cable map

Figure 8.24: Examples of rail branding

Figure 8.25: Rail company logos

Figure 8.26: QuizTime

Figure 8.27: Siemens and Comeng trains

Figure 8.28: Stations on Live rail map

Figure 8.29: Exact spot photo was taken

Figure 8.30: Identification marker on front of train

Figure 8.31: Identification marker on side of train car

Figure 8.32: Open railway map

Figure 8.33: Geops

Figure 8.34: Traveltime

Figure 8.35: SCADA and ICS on trains

Figure 8.36: Trackside technology

Figure 8.37: Shodan screenshot showing track technology

Figure 8.38: Parts of a jet

Figure 8.39: Aircraft Registration Number, Photo by Daniel Eledut on Unsplas...

Figure 8.40: Photo by Stephanie Klepacki on Unsplash

Figure 8.41: Photo by Lukas Souza on Unsplash

Figure 8.42: Photo by Daniel Eledut on Unsplash

Figure 8.43: Photo by Todd Macdonald on Unsplash

Figure 8.44: Fixed Wing positions

Figure 8.45: Variable geometry

Figure 8.46: Rotary wing

Figure 8.47: Wing tapers

Figure 8.48: Wing shapes

Figure 8.49: Canards

Figure 8.50: Wing slants

Figure 8.51: Jet engines

Figure 8.52: Propeller driven

Figure 8.53: Fuselage shape

Figure 8.54: Canopy shape

Figure 8.55: Number of tail fins

Figure 8.56: Fin shapes

Figure 8.57: Tail flat design

Figure 8.58: Tail flat location

Figure 8.59: Photo by Kevin Hackert on Unsplash

Figure 8.60: Photo by Gerhard Crous on Unsplash

Figure 8.61: Photo by Jatin Singh on Unsplash

Figure 8.62: Drone survival guide

Figure 8.63: DJI Mavic 2 Quadcopter

Figure 8.64: MQ1 Predator

Figure 8.65: Sentinel

Figure 8.66: Boeing 747 cockpit

Figure 8.67: Turkish Airlines engine

Figure 8.68: ANA‐Boeing 747‐8 Dreamliner

Figure 8.69: Airportia

Figure 8.70: LADD

Figure 8.71: NOTAMs

Figure 8.72: NOTAMs for Military

Figure 8.73: safetofly

Figure 8.74: Air base

Figure 8.75: Airfield

Figure 8.76: Airstrip Google Earth 17.55731,‐90.82303

Figure 8.77: The intelligence cycle

Figure 8.78: Guangzhou Shadi Airbase

Figure 8.79: Wellspan Helicopter

Figure 8.80: U.S. License plate examples

Figure 8.81: European License plate examples

Figure 8.82: VIN breakdown

Figure 8.83: Copyright Jürgen Henn – 11foot8.com

Figure 8.84: Technology within an automobile

Figure 8.85: Telematics searched in Censys.io

Figure 8.86: Trimble Telematics in Censys.io

Chapter 9

Figure 9.1: ICS Cyber Kill Chain

Figure 9.2: Pivot chart of critical infrastructure

Figure 9.3: The Intelligence cycle

Figure 9.4: The funneling approach for narrowing information

Figure 9.5: Spreadsheet list

Figure 9.6: Save as a text file

Figure 9.7: import the file

Figure 9.8: Preview file

Figure 9.9: Select columns

Figure 9.10: Specify field type

Figure 9.11: Apply template

Figure 9.12: Select icon

Figure 9.13: Make your file visible

Figure 9.14: Save your place

Figure 9.15: EIA Maps

Figure 9.16: EIA Map

Figure 9.17: Norsk Petroleum map

Figure 9.18: JERA company map

Figure 9.19: World oil map

Figure 9.20: WANO world map

Figure 9.21: Defense Industrial Base Map

Figure 9.22: Pivot chart showing a critical infrastructure company of intere...

Figure 9.23: TikTok

Figure 9.24: TikTok

Figure 9.25: Kamerka Lite

Figure 9.26: Kamerka Lite

Figure 9.27: Kamerka Full

Figure 9.28: Kamerka full

Figure 9.29: MAC address

Figure 9.30: MAC lookup

Figure 9.31: MAC lookup

Figure 9.32: Pivot chart showing pivots while analyzing a wireless network

Figure 9.33: Funnel technique

Figure 9.34: WiGLE

Figure 9.35: WiGLE screenshot of a search query result

Figure 9.36: macaddress.io

Figure 9.37: NIST database

Figure 9.38: Wireless pings

Figure 9.39: Using Instant Data Scraper

Figure 9.40: Plotted wireless pings

Figure 9.41: OpenCellID

Figure 9.42: Cellmapper

Figure 9.43: Pivot chart focused on wireless and cellular activity stemming ...

Chapter 10

Figure 10.1: Bankfind

Figure 10.2: Press chart for the Kinahan Organized Crime Group (KOCG)

Figure 10.3: Red Notice database

Figure 10.4: Pivot chart showing financial analysis from a username

Figure 10.5: Online BIC search

Figure 10.6: VAT search

Figure 10.7: BIN list

Figure 10.8: List of Banks

Figure 10.9: World Risk Map

Figure 10.10: List of Circulating Currencies Wiki

Figure 10.11: Silk Road

Figure 10.12: Global organized crime index

Chapter 11

Figure 11.1: Centralized and decentralized networks

Figure 11.2: How blockchain works

Figure 11.3: Cointelgraph.com step‐by‐step crypto mining process

Figure 11.4: FX image from Always Sunny in Philadelphia

Figure 11.5: Blender.io cryptocurrency mixing process

Figure 11.6: Helix addresses

Figure 11.7: CipherTrace example of Tian Yinyin's accounts

Figure 11.8: Parts of the Web

Figure 11.9: Hydra marketplace

Figure 11.10: Funnel method

Figure 11.11: Pivot chart showing a cryptocurrency analysis beginning with a...

Figure 11.12: Funnel method

Figure 11.13: Pivot chart of cryptocurrency analysis beginning with a wallet...

Figure 11.14: Tracing a “bad” wallet in Etherscan.io

Figure 11.15: North Korea SDN list

Figure 11.16: Transfer of wrapped ethereum

Figure 11.17: Tracking wallet balance over time

Figure 11.18: Narrowing wallet in on anomalous days

Figure 11.19: Funnel method

Figure 11.20: Pivot chart example of cryptocurrency analysis beginning with ...

Chapter 12

Figure 12.1: Ronin Explorer wallet address transactions

Figure 12.2: NFT details

Figure 12.3: User BenColefax on opensea.io

Figure 12.4: Wallet details based on wallet ID search in etherscan.io

Figure 12.5: Other wallet addresses on other chains

Figure 12.6: Wallet number found on Rarible.com

Figure 12.7: Wallet number found on Rarible.com

Figure 12.8: Wallet number found on Rarible.com

Figure 12.9: Reverse image searching an NFT

Figure 12.10: NFT finder

Figure 12.11: NFT finder

Figure 12.12: Ethereum name service


Deep Dive

Exploring the Real‐world Value of Open Source Intelligence

Rae Baker


Foreword

In a small town in Germany, an 18‐year‐old woman left her family, most of her possessions, and all she had known and struck out in search of a better life. She made her way to Hamburg, Germany, where she boarded the ocean liner S.S. Manhattan on January 17, 1939. The 705‐foot‐long steam ship carried 1,300 passengers and was headed for the United States. The ship's manifest captured the woman's name, age, profession, and abilities to read and write, and on January 26, 1939, she arrived at Ellis Island, New York.

Using the data easily discovered on the Internet, it is simple to follow the woman's journey through life as she married, raised children and grandchildren, and finally, after 98 years, passed away. That was my grandmother whose epic journey from Germany to the United States was recorded in official government and commercial sources that were digitized and put onto the Internet. These online records from 1939 to present day captured snapshots of her life and my family's past. This is just some of the power and depth of open‐source intelligence (OSINT).

As you read Deep Dive: Exploring the Real‐world Value of Open Source Intelligence, you will be learning and honing skills that will become incredibly helpful in your work and, most likely, your personal life. Rae Baker infuses every chapter with stories, examples, and practical applications to help you make mental connections between tools and when to use them.

For some in the OSINT world, genealogical data is core to their work. For others, the transportation data I mentioned may be important. Others of us in OSINT may focus on businesses, social media, and Dark Web resources. This book touches all those topics and much more. The OSINT field is rapidly growing as employers and the public begin to understand what many of us have known for a while: being able to locate, collect, and properly analyze online data are core skills in today's workplaces. This is why you will find this book useful: it presents you with real‐world skills and experiences in an easy‐to‐consume format.

I am honored to have been chosen to write this foreword and hope that you enjoy learning from Rae.

— Micah Hoffman, Founder, My OSINT Training

Preface

Who is this book for?

This book was developed to be a resource for Analysts in varying stages from entry level to advanced. The content is meant to not only appeal to those seeking to gain a basic understanding of Open Source Intelligence (OSINT) but those wishing to hone their current tradecraft through real‐world examples and insight from the leading experts in OSINT.

My background is born from my experiences in visual arts, true crime, and cybersecurity, but I have intentionally written “Deep Dive” to be as inclusive as possible and to incorporate perspectives not only from the Intelligence Community (IC), Law Enforcement (LE), and Cybersecurity but alternative fields and organizations that may utilize OSINT capabilities. There is intrinsic value in viewing obstacles through a different lens, and my hope is that by the end of this book everyone will come away with fresh knowledge, ideas, and perspectives for developing their tradecraft.

What can you learn?

Reading this book should leave you with a basic understanding of the history of OSINT, how it is practiced at present, and predictions for the future. We will learn how to apply the phases of the Intelligence Cycle and how to use critical thinking and pivoting to enhance our analysis capability. Focusing extensively on the benefits of thinking like the adversary, we learn how employing an adversarial mindset when approaching OSINT analysis can make us better Analysts.

Prior to learning tradecraft, we must first learn how to protect ourselves through basic Operational Security tactics and techniques for developing effective and safe research accounts.

Areas of Focus

Part I: Foundational OSINT

This section provides entry‐level foundational OSINT skills through the learning phases of the Intelligence Cycle, how to apply critical thinking skills, Operational Security best practices, writing and disseminating reports, pivoting, mental health considerations, and learning to think like the Adversary.

Part II: OSINT Touchpoints

After building a solid bedrock of core OSINT skills in Part I, we will hone our tradecraft through advanced skills in the following areas of research:

Chapter 5: Subject Intelligence

Chapter 6: Social Media Analysis

Chapter 7: Business and Organizational Intelligence

Chapter 8: Transportation Intelligence

Chapter 9: Critical Infrastructure and Industrial Intelligence

Chapter 10: Financial Intelligence

Chapter 11: Cryptocurrency

Chapter 12: Non‐fungible Tokens

Each chapter in this part will first introduce the research area, followed by outlining the fundamental concepts and expert tradecraft techniques, sprinkled with relevant case studies and stories that begin to pull the concepts together through real‐world examples.

Subject Intelligence

Learn the methods that OSINT Analysts use to study, track, and identify humans online using their actions enriched through publicly available data and how to locate and pivot through unique subject identifiers. Then we will find out how, when, and why we should utilize public indexes.

Social Media Analysis

We will walk through various methods for how to identify selectors, collect data points, and pivot through social media data. Learn about misinformation and disinformation identification and analysis and how to verify that information is true or valid.

Business and Organizational Intelligence

Take a dive into the inner workings of entities big, small, and non‐profit. Learn how to effectively identify an entity's structure, affiliations, contracts, and lawsuits. Combining organizational data with Subject Intelligence, we will learn to utilize social media along with targeted browser searching to locate information leaks.

Transportation Intelligence

Transportation is the crux of society and the data gathered from investigating railways, planes, ships, cars, buses, and subways can be used to enrich many other areas of OSINT Analysis. We will walk through how to make Transportation Intelligence valuable and relevant in our investigations by tracking shipments, movements, and passengers. We will find out what illicit activity takes place in the ocean and ways to identify and analyze these cases using geolocation and pattern tracking. Finally, we will see how easy it is to integrate Transportation Intelligence with the other forms of Intelligence within this book.

Critical Infrastructure and Industrial Intelligence

In this chapter we will look at the public data vulnerabilities within critical industrial systems such as the power grid, water treatment plants, manufacturing, boilers, pipelines, etc. Then we determine what data can be gleaned from Industrial Control Systems (ICS) like Supervisory Control and Data Acquisition (SCADA) and Distributed Control Systems (DCS), and work toward solutions by investigating what infrastructure is open to the Internet using Shodan and network enumeration techniques. We discover methods for locating IoT devices that are broadcasting to the Internet, including sensors, gadgets, appliances, and cameras, and we learn about the challenges with critical IoT devices and how to identify reportable vulnerabilities. Touching on some Signals Intelligence (SIGINT), we will learn to investigate wireless, Bluetooth, MiFi, and LoRaWAN networks and the related public disclosures.

Financial Intelligence

This chapter will provide an overview of financial open source data and the organizations tasked with preventing financial crime. We will cover methods for analyzing and understanding transactions, fraudulent or illegal activity, transnational crime, and other data aligned with other public disclosures.

Cryptocurrency

This chapter introduces the basic concept of cryptocurrency and details how the various forms of cryptocurrency work. Then, we will walk through the ways that cryptocurrency can be used, both good and bad, and how we can use wallet and account information for finding the true owner of the accounts.

Non‐fungible Tokens

Here we learn what non‐fungible tokens are, how they are used, and how we as analysts can use them to gain a deeper understanding of the sellers and buyers.

Why learn OSINT skills?

OSINT is a great practical skill set that translates effectively across many career paths making each Analyst an asset. Many of the skills we use as Analysts also make us very resourceful in our day‐to‐day lives, in fact, we might already be using OSINT and not even know! Many people routinely research their new babysitters, house cleaners, or dates online using all publicly available resources. Volunteer organizations use OSINT techniques to prevent child exploitation or for researching a domestic violence victim's online footprint to develop safety plans. Businesses use OSINT Analysts to keep their organization and employees safe, and governments use OSINT for National Security. OSINT is not only an increasingly attractive career choice but it can also be extremely exciting.

Introduction

How I got started in OSINT

I wish I could say I had been bitten by the OSINT bug at an early age, but the truth is I had no idea what OSINT was until 2019. Unbeknownst to me, the knowledge, passion, and curiosity required in order to excel in this field were being instilled and cultivated within me through seemingly unrelated experiences throughout my life.

Having an Electrical Engineer for a father meant as a child I was constantly fiddling around with electronic toys like multimeters, resistors, capacitors, LEDs, and, of course, computers. We purchased our first computer, a Commodore 64, back in the late 80s when programs were stored on 16k cartridges and 5¼‐inch floppy disks were the norm. I fondly remember learning how to boot up games in DOS to play Zork II and later, on our 1990s Gateway computer, unsuccessfully trying to code a ball to bounce across the screen. The interest and willingness to learn was there but the mathematical and coding competence was certainly not.

Due to a personal lack of confidence in my technology skills and the frequency with which I skipped High School, I ended up gravitating strongly towards art. Drawing and writing always came very naturally to me and with very little effort I achieved an Associate Degree in Visual Communications and worked in various roles as a Senior Graphic designer for nearly 15 years. Creating artwork day in and day out for years was becoming increasingly banal, and I was desperately seeking a new challenge. Between us, I always felt like I chose to become an artist because I was scared to fail in a technology field.

Going back to college was not an easy decision to make at 36 years old. At this point in my life, I was comfortable in my job as a Senior Designer and I had a 2‐year‐old son with another on the way, but I needed more income, more security, and more of a mental challenge. I promptly enrolled in Pennsylvania State University World Campus to learn Networking and Security and Risk Analysis, becoming the President of the Technology Club in the process. While acting as President, I focused on bringing industry leaders in (virtually) to talk about their position in the field and give advice to students. This endeavor led to many talks with important leaders in the field of Information Security and was a great networking opportunity for me. Leveraging these connections, a few club members were graciously invited to attend the Layer 8 Social Engineering & OSINT Conference in Rhode Island, where I would first learn what OSINT is.

It is at this point that I find it necessary to stray a bit outside the topic at hand to discuss… murder. Don't worry, I haven't killed anyone despite crime being a fundamental part of my story. You see, outside of school, work, and familial obligations, I have a bit of a dark hobby: I am an enormous True Crime fan. I listen to all the best true crime podcasts, have watched nearly every documentary in existence (I keep a spreadsheet), and even have a tattoo from Damien Echols of the West Memphis Three. I am unquestionably obsessed with true crime, but why? Like anyone else I am pulled into the drama of a good story, but beyond that I am deeply vested in the investigation and analysis of cases. I long to be an insider privy to the who, why, and how behind the scenes. I revel in the minutiae of following each juicy breadcrumb deep into the rabbit hole. This, my friends, is why I find OSINT so appealing. For me, OSINT isn't just a job, it is a magnificent nexus between true crime investigation, visualization, and information security, an apex of all my personal life experiences that have tailored my skillset to this very position, a field of expertise I had never once heard of before this moment in 2019 at the Layer 8 Conference.

Following the conference, I was determined to focus all my efforts into OSINT and build a brand for myself; I have a marketing background after all, so I should use it! Beginning with my first shaky OSINT presentation at BSides Harrisburg, I battled my ever‐present fear of public speaking to deliver my thoughts around OSINT. I have since presented at a slew of conferences including DEFCON, Shmoocon, The SANS OSINT Summit, and my Layer 8 to name a few. In a single whirlwind year, I grew from a Graphic Design Manager to holding a position as Executive Board member of The OSINT Curious Project and working side by side with the top names in the OSINT community. Most importantly, I was hired into an OSINT position at Deloitte, one of the top four consulting firms in the country, onto one of the most incredibly talented teams, whom I learn from every day.

Everyone dreams about working in a career doing something they are passionate about and for me, OSINT is that thing. I look forward to being able to share with you what I have learned and ignite the same spark for OSINT that I found.

Part I: Foundational OSINT

CHAPTER 1: Open Source Intelligence

1.1 What Is OSINT?

Open‐source intelligence (OSINT) is the production of intelligence through the collection and enrichment of publicly available information. When we talk about publicly available information, this means any data that is available for public access without the use of a secret clearance or intrusion into a system; however, it may also include data behind a paywall such as a newspaper subscription. This data may be gathered from the Internet, social media, mainstream media, publications and subscriptions, audio, imagery, videos, and geospatial/satellite information to name a few.

It is important to note that OSINT is a purely passive method of intelligence collection: we may view information such as a person's credentials in a breach database, but we never use those credentials to log in to or access anything. Using credentials or actively scanning or intruding into a system is active reconnaissance, which should be left to ethical hackers and penetration testers who hold written legal authorization, or to law enforcement with prior authorization and approved operational plans. Ultimately, we strive to collect information while making as little “noise” as possible to prevent detection.

OSINT may sound like a career path for only those with a military or intelligence background, but the field consists of a wide variety of experience and education levels. Many well‐established analysts originate from different fields; I held a 15‐year career as a graphic design manager within a marketing team before pivoting toward investigations, developing blogs, and attending conferences related to OSINT. One of the most exciting parts of OSINT is that the field is broad and there is a myriad of specializations. Because OSINT is a relatively new field for many business and intelligence environments to include within their security structure, there are many opportunities to nurture your interests in a niche topic like I have in the field of maritime intelligence.

Many job descriptions and fields incorporate OSINT skills including the following:

Journalism

Intelligence (CIA, NSA, FBI, etc.)

Government

Armed forces

Business

Genealogy

Education (training)

Private investigation

Security assessments

Additionally, several qualities would be advantageous for any OSINT analyst to possess. If I were to choose a single trait for every analyst to possess, it would unequivocally be curiosity. Technical, written, and critical thinking skills can all be taught, but if the analyst doesn't have the curiosity to dig deeper and to know more, they will struggle as an OSINT analyst. Curiosity is a driver for investigation and ultimately intelligence gathering. The following chart outlines several essential qualities of a great OSINT analyst. If none of these qualities sounds fitting, that does not necessarily mean you don't belong in OSINT. We don't need to be born natural investigators to become one; however, in that case it may require further training to learn those skills.

Qualities and Skills of a Great OSINT Analyst

Curious

Analytical

Active listening

Communication

Detail‐oriented

Creative

Technical interest

Methodical

Structured

Self‐motivated

Written/oral skills

Critical thinker

Organized

Tenacious

Individuals interested in a career in OSINT might feel it isn't a possibility for them because they lack the technical skills needed to excel. It can be quite daunting from the outside watching top‐tier OSINT analysts work. The good news is, because OSINT is a mindset, we don't need to get hung up on our proficiency (or lack thereof) with OSINT tools. Being methodical, detail‐oriented, and curious will help us find new and innovative ways to look at challenges.

For example, in the following chart, we have two analysts, both tasked with finding an active email address associated with a subject.

Analyst 1 goes to the browser to search the subject's name in the format “firstname lastname.” In the results she finds a blog called “Subject's Gamer Blog” and notices at the bottom of the page there is an email, [email protected]. Taking this email over to the web‐based email verification tool emailrep.io, she can verify the last date it was used or when it was created.

Analyst 2 takes a different approach, beginning with a LinkedIn search to find the company where the subject works. Once she knows the company, Analyst 2 quickly finds the domain name company.com. Analyst 2 then switches to her Linux machine and runs a tool that cross‐checks the domain against all email addresses found in breaches. After the tool runs for a minute, Analyst 2 sees [email protected], which matches the name of the subject. Just like the previous analyst, she verifies the last active date of the email in emailrep.io.

ANALYST 1

Step 1: Searches in a browser for the subject's name.

Step 2: Finds a blog related to the subject.

Step 3: The subject's email is listed at the bottom of the blog.

Step 4: Verifies the email is active with emailrep.io.

ANALYST 2

Step 1: Uses LinkedIn to determine the subject's employer.

Step 2: Locates the domain name for the employer: company.com.

Step 3: Runs the domain through a Python tool in Linux to find all breached emails for company.com.

Step 4: Sees the subject's name as [email protected].

Step 5: Verifies the email is active with emailrep.io.

Both analysts were able to find active emails with the subject's name as the original selector. Analyst 1 kept it simple, while Analyst 2 decided to use an advanced tool she was familiar with. Did one analyst do a better job at completing the task? No, they both completed the task and provided an active email in their report; the path they took to get there is irrelevant. The purpose of this exercise is to illustrate that each method accomplished the goal and that approaching a challenge using overly technical methods is not always the best option. Analyst 2 took an additional step to complete the goal, and depending on the criticality of the initial ask, that time may be valuable. On the other hand, Analyst 1 lucked out finding an email with very little digging and could have spent the saved time finding a further lead.
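The filtering step Analyst 2 ran can be reproduced offline. The Python below is an added example, not a tool from the book or from either analyst: it takes the raw text a breach-lookup tool would return, keeps only addresses at one domain, generates the common local-part conventions for a first and last name, and ranks the matches by how much of the name each one contains. The domain company.com, the name Jane Doe and the sample records are all constructed for illustration; a real run would feed it a tool's output and would still verify the surviving candidates in a service such as emailrep.io, which this example deliberately does not call.

```python
"""Added example (not from the book): rank breach-corpus addresses for a subject.

Given the raw text a breach-lookup tool returns for a domain, keep only the
addresses at that domain and score each local part against the naming
conventions a first/last name would produce.
"""
import re

# Constructed sample standing in for a breach-lookup tool's output.
# These are not real records; the domain and names are assumptions.
SAMPLE_BREACH_RECORDS = """
jane.doe@company.com
jdoe@company.com
john.smith@company.com
marketing@company.com
jane.doe@othercorp.example
doej@company.com
JANE_DOE@Company.com
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Confidence tiers: does the local part contain the full first and last
# name, only the last name (plus an initial), or just one token?
TIER_ORDER = {"high": 0, "medium": 1, "low": 2}


def name_patterns(first, last):
    """Common corporate local-part conventions for a given name."""
    f, l = first.lower(), last.lower()
    fi, li = f[0], l[0]
    return {
        f"{f}.{l}", f"{f}{l}", f"{f}_{l}", f"{f}-{l}",      # full first + last
        f"{l}.{f}", f"{l}{f}", f"{l}_{f}",                  # last + full first
        f"{fi}{l}", f"{fi}.{l}", f"{l}{fi}", f"{l}.{fi}",   # initial + last
        f"{f}{li}", f"{f}.{li}",                            # first + initial
        f, l,                                               # single token
    }


def confidence(local, first, last):
    """Tier a matched local part by how much of the name it contains."""
    f, l = first.lower(), last.lower()
    if f in local and l in local:
        return "high"
    if l in local:
        return "medium"
    return "low"


def extract_emails(text):
    """Lower-cased, de-duplicated addresses found anywhere in the text."""
    return {m.lower() for m in EMAIL_RE.findall(text)}


def candidates_for_subject(text, domain, first, last):
    """Return [(email, confidence)] for addresses at `domain` whose local
    part matches a naming pattern for the subject, best candidates first."""
    domain = domain.lower()
    patterns = name_patterns(first, last)
    hits = []
    for email in extract_emails(text):
        local, _, dom = email.rpartition("@")
        if dom == domain and local in patterns:
            hits.append((email, confidence(local, first, last)))
    # Rank: higher confidence, then longer local part (more of the name
    # present), then alphabetically for a stable order.
    hits.sort(key=lambda h: (TIER_ORDER[h[1]], -len(h[0].split("@")[0]), h[0]))
    return hits


if __name__ == "__main__":
    for email, tier in candidates_for_subject(
            SAMPLE_BREACH_RECORDS, "company.com", "Jane", "Doe"):
        print(f"{tier:6} {email}")
```

Addresses at other domains are dropped even when the name matches exactly, which is the point of Analyst 2's approach: the employer's domain is the selector that ties a breached address to this subject rather than to a namesake elsewhere. The confidence tier is a reminder that an initial-plus-surname match such as jdoe is a lead to verify, not a finding.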

1.2 A Brief History of OSINT

In this section, I'll go over a brief history of OSINT (see Figure 1.1).

The Past

OSINT has been used in various forms by the U.S. intelligence community (IC) for more than 80 years. In 1941, President Roosevelt established the Foreign Broadcast Monitoring Service (FBMS). During World War II, the FBMS's primary task was recording, transcribing, and translating shortwave propaganda broadcasts for military reporting. After the attack on Pearl Harbor in December 1941, the FBMS grew in importance and was renamed the Foreign Broadcast Intelligence Service (FBIS). After World War II, Harry S. Truman created the Central Intelligence Group; the FBIS was moved within it and renamed the Foreign Broadcast Information Service.

Up until the 1990s the FBIS was primarily used for monitoring and translating foreign news sources and analyzing propaganda. It provided critical information to the military during the Cuban Missile Crisis and all throughout the Cold War including the initial reporting on the Soviet removal of missiles from Cuba.

FBIS operated 20 worldwide bureaus to allow it to physically collect material for exploitation. Eighty percent of the information used to monitor the collapse of the Soviet Union was attributed to open sources.1 In 1997, facing budget cuts and a lack of funding, the FBIS neared dissolution but was saved by a public outcry led by the Federation of American Scientists, who described the FBIS as the “biggest bang for the buck in the American intelligence community.”

For decades the discipline then saw no major changes; even the terrorist attacks of September 11, 2001, did not shift it, and the real change came with the social media boom of the mid‐2000s. The FBIS collected what was at the time considered OSINT, but this open‐source data was not collected or used the way we collect and use it today.

The 2000s' iteration of OSINT looks vastly different than the OSINT we saw in 1941. This new version of OSINT was born from the breakneck growth and development of Internet usage, referred to as Web 2.0. This substantial shift from static web pages to user‐generated content like social media completely transformed the practice of OSINT collection.

Figure 1.1: OSINT history

In 2005, the director of national intelligence (DNI) created the Open Source Center (OSC), which was entrusted with ensuring that open‐source collection was effectively used and shared across the IC by providing training, developing tools, and testing new technologies. At this time, open source was seen by many as a less structured and decentralized collection discipline; it was believed the IC was not fully aware of its potential and had no clear means of sharing the information effectively. Additionally, the IC grappled with understanding sources and methods, evaluating the credibility of information, and protecting information that can directly reveal a person's identity, also known as personally identifiable information (PII).

Despite the IC's obstacles with OSINT, the 2009 Iranian Green Revolution (dubbed the Twitter Revolution) opposing the contested election of incumbent President Mahmoud Ahmadinejad clearly illustrated the importance of social media's inclusion in OSINT methodology. Despite the Iranian regime's forced media blackouts throughout the violent protests, the world was able to develop a full picture of the uprising through user‐generated content on social media platforms.

“Individuals are making information available in ways that never existed before, including online expressions of personal sentiment, photographs of local places and happenings, and publicized social and professional networks.”2

The Present

As mobile phone and social media use continues to flourish, we have been afforded new and unique ways to harvest open‐source data. The rise of platforms such as Instagram, TikTok, and Snapchat inspires users to upload copious amounts of data, to our benefit. Maps and satellite imagery have grown exponentially more accurate and accessible, giving the public imagery at resolutions once available only through classified systems. An emphasis on security and privacy has led to the mainstream adoption of encrypted communication methods like Signal, WhatsApp, and Telegram, making it harder to obtain OSINT data from those channels. These data obstacles have created a need for purpose‐built tools, which are often offered to the community by way of open‐source repositories such as GitHub. OSINT communities are flourishing on social media, providing free training in the form of blog posts, videos, podcasts, and live streams, and there are also several legitimate paid OSINT trainings and certifications available. Not‐for‐profit organizations are using crowdsourcing to pool analysis and tackle problems such as human rights issues and locating missing people.

With the Web 2.0 boom, the field of OSINT has expanded to cover more than just the traditional intelligence community. The lines between intelligence disciplines are blurring as analysts develop skills that cross over into other collection methods. Traditionally, intelligence recognizes five main disciplines: HUMINT, SIGINT, IMINT, MASINT, and OSINT. In recent years, as technological capabilities increase, we are seeing the techniques of the various INTs used within the community begin to blend.

The Five INTs3:

HUMINT is the collection of information from human sources.

SIGINT consists of the electronic transmissions that can be collected by ships, planes, ground sites, or satellites.

IMINT or image intelligence includes geospatial intelligence (GEOINT).

MASINT includes the advanced processing and use of data gathered from overhead and airborne IMINT and SIGINT collection systems.

OSINT is a broad array of information and sources that are generally available, including information obtained from the media (newspapers, radio, television, etc.), professional and academic records (papers, conferences, professional associations, etc.), and public data (government reports, demographics, hearings, speeches, social media etc.).

Due to the advancements in satellite technology, analysts now have access to open‐source satellite imagery at a resolution previously unseen by civilians. Supported by this newly available imagery, analysts can integrate image intelligence (IMINT), geolocation, and geospatial intelligence (GEOINT) tradecraft into their daily work. An example of this can be seen in organizations such as Bellingcat and the Centre for Information Resilience (CIR) where the analysts routinely identify people and places using imagery analysis techniques to illuminate human rights violations and war crimes.

Human intelligence (HUMINT) is another area where the lines of professional information gathering have grown hazy. Data brokers have made personal information cheap and easily accessible to the public, and social media usage has skyrocketed, allowing the tracking of individuals across the Internet. Skip tracers and private investigators, known for tracking down people who are hard to find, previously relied on locating an individual through face‐to‐face interviews with friends and family. Now, a person can be located just by hunting down posts, comments, likes, and check‐ins online. The same private investigator could also use technology to track the individual's Bluetooth or Wi‐Fi transmissions using signals intelligence (SIGINT) techniques enhanced by volunteer databases of unclassified wireless data collected from around the world.

Analysts today have access to a considerable supply of unclassified data repositories, the likes of which we have never seen. Because so much data is now available, we suddenly have to tackle the monstrous task of parsing through it all. Luckily, analysts have begun developing and collaborating on free open‐source tools for the OSINT community that assist with making sense of the mountains of new data. These parsing tools must be developed at the same rapid rate as the Internet and social media platform algorithms change, which has produced an innovative subgenre of OSINT analysts who are also developers.

It is incredible to think that there are individuals living today who have never known a life without the Internet, nor will they know the true pain of trying to connect to a dial‐up connection. Right now, children are being born with a digital footprint, and some are even being signed up for email accounts while still in utero! The full impact of the “social media generation” remains to be seen, and because new forms of media seemingly pop up overnight, OSINT tradecraft continues to evolve to meet it; seemingly for us the Golden Age of OSINT still lies ahead.

The Future

In the coming years, there will be a shift from the present Web 2.0 to what is being called the Semantic Web or Web 3.0. The Semantic Web is meant to make Internet data machine readable by defining and structuring it so that computers can interpret data more accurately.4 Big Data, AI, NLP, and ML are just beginning to be applied to OSINT collection, analysis, and reporting. This new technology, combined with the power of Web 3.0, will be crucial for enriching the phases of the intelligence life cycle.5 The following are a few ways in which the life cycle may be enhanced and accelerated by these changes:

Planning and Requirements:

Planning and developing requirements at the stakeholder level will be better informed and targeted through sophisticated artificial intelligence (AI) and machine learning (ML) using cues aggregated from previous reporting.

Collection:

As Big Data continues to grow, collection will be further automated and streamlined through AI. ML and natural language processing (NLP) will be used to target collection sources more accurately, and ultimately analysts will be able to find and sort more data in less time.

Processing and Evaluation:

Facial and pattern recognition will become more mainstream and help analysts identify suspects faster. NLP will review, measure, and interpret collected data for misinformation and disinformation in order to vet sources.

Analysis and Production:

Automated tools will provide more accurate analysis of collected information through correlation and clustering. AI may be used to develop detailed graphs of associations enriched with personal and corporate data.

Dissemination and Consumption:

AI will automate and tailor near real‐time alerts and reports for stakeholders and analysts so they can rapidly take the necessary actions. Increasing the speed in which intelligence is consumed will lead to faster response times.

As Big Data grows even bigger and data analytics and mining technology improve, one burgeoning research field to keep an eye on is sentiment analysis, or opinion mining. An overwhelming number of citizens across the globe use social media to discuss their opinions and feelings, and this collection of tone or sentiment can be analyzed using NLP, text analysis, and computational linguistics. Using these tools to analyze a sample of people, including how they speak, write, and use emojis and hashtags, it is possible to estimate the overall feeling of a population on a particular subject. We see this technology being used presently to analyze government elections and events such as citizen protests. In the case of the 2016 U.S. election, a study was performed to determine whether there was a political divide between urban and rural areas or between service and manufacturing zones.6 Using the Twitter application programming interface (API), which allows a program to communicate with an application, researchers collected tweets and placed each one geographically using the geotag carried in the tweet's metadata. The results of this study determined that sentiment grouped by location did reflect the opinion of people on the ground and that this process may have tremendous benefits for predicting overall public opinion. In the future, the use of predictive analysis will become more prevalent within everyday OSINT analysis.
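The pipeline the study describes, score each post, place it by its geotag, then aggregate by area type, is small enough to show end to end. The Python below is an added example, not code from the book or from the cited study: it uses a constructed word-and-emoji lexicon with simple negation handling, a constructed set of posts shaped like the text-plus-coordinates fields the passage mentions, and an assumed bounding box that marks one area as urban with everything else counted as rural. Real work would swap the toy lexicon for a trained model and the box for a proper geographic lookup; the aggregation step is the same.

```python
"""Added example (not from the cited study): lexicon sentiment of geotagged
posts, aggregated by whether the geotag falls in an urban or rural area."""
import re
from collections import defaultdict

# Constructed records shaped like the fields the text mentions: post text
# plus a [longitude, latitude] geotag. These are not real tweets.
SAMPLE_POSTS = [
    {"text": "Great turnout at the rally today, proud of this town 🙂 #vote",
     "coordinates": [-78.40, 40.52]},
    {"text": "Not good. Prices are broken and people are angry 😡",
     "coordinates": [-77.90, 40.80]},
    {"text": "Love this city, hope the turnout is good tonight",
     "coordinates": [-75.16, 39.95]},
    {"text": "Worst commute ever and now the polls are closed 😢",
     "coordinates": [-75.10, 40.00]},
    {"text": "Traffic was bad but the debate watch party was great",
     "coordinates": [-75.20, 39.90]},
    {"text": "No opinion, just here for the food", "coordinates": None},
]

# Toy lexicon (constructed); production work uses a trained model or a
# published lexicon, but the aggregation below does not change.
LEXICON = {"great": 2, "proud": 2, "love": 2, "hope": 1, "good": 1,
           "bad": -1, "broken": -1, "angry": -2, "fear": -2, "worst": -3,
           "🙂": 1, "😡": -2, "😢": -1}
NEGATIONS = {"not", "no", "never"}

# Assumed bounding boxes ((lon_min, lat_min), (lon_max, lat_max)) labelled
# urban; anything geotagged outside them counts as rural.
URBAN_BOXES = [((-75.30, 39.85), (-74.95, 40.15))]

# Words, or single non-word symbols (emoji, '#', punctuation) as tokens.
TOKEN_RE = re.compile(r"[a-z']+|[^\w\s]")


def tokenize(text):
    return TOKEN_RE.findall(text.lower())


def score(text):
    """Sum lexicon weights; a negation word flips the next token scored."""
    total, negate = 0, False
    for tok in tokenize(text):
        if tok in NEGATIONS:
            negate = True
            continue
        if tok in LEXICON:
            total += -LEXICON[tok] if negate else LEXICON[tok]
        negate = False
    return total


def classify(coordinates):
    """'urban' inside an assumed box, 'rural' otherwise, 'unknown' if untagged."""
    if coordinates is None:
        return "unknown"
    lon, lat = coordinates
    for (lon_min, lat_min), (lon_max, lat_max) in URBAN_BOXES:
        if lon_min <= lon <= lon_max and lat_min <= lat <= lat_max:
            return "urban"
    return "rural"


def aggregate(posts):
    """Per area type: number of posts and mean sentiment (None if no posts)."""
    buckets = defaultdict(list)
    for post in posts:
        buckets[classify(post["coordinates"])].append(score(post["text"]))
    return {area: {"count": len(vals),
                   "mean": (sum(vals) / len(vals)) if vals else None}
            for area, vals in buckets.items()}


if __name__ == "__main__":
    for area, stats in sorted(aggregate(SAMPLE_POSTS).items()):
        print(f"{area:8} n={stats['count']} mean={stats['mean']}")
```

Two details matter more than the lexicon itself. Untagged posts are kept in their own bucket rather than silently dropped, because only a minority of posts carry a geotag and the analyst needs to know how thin the located sample is. And the emoji are scored as tokens in their own right, since on short posts they often carry more of the sentiment than the words do.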

The 2016 election also illustrated how Internet content can sway user sentiment and public perception, and therefore more tools will need to be developed to combat the increasing assault of online propaganda, mis/disinformation, and deep fakes. This type of predictive analytics will be one facet used by the intelligence community and law enforcement for detecting and preventing crime.7 The Tom Cruise movie Minority Report perfectly captured a future where crimes can be detected and prosecuted before they happen. In 2002, when this movie debuted, the concept of “pre‐crimes” was unheard of, but now in 2022 we can see the beginnings of this type of predictive analysis being used widely in law enforcement and criminal justice. While opinions differ on whether this technology actually reduces bias or whether it reinforces inequality and discrimination, it is no doubt here to stay and is being augmented by facial recognition and object detection technologies.8

As detective and predictive analytics increase in popularity, people will become more adept at thwarting them. In 2019, during the Hong Kong protests over a controversial bill allowing extradition from Hong Kong to mainland China, protesters circumvented identification by using laser pointers, masks, and spray paint to defeat cameras running facial recognition software. According to reports, protesters had reason to be concerned, as Hong Kong police were repeatedly accused of forcing citizens to use their face to unlock their phones and reveal their identities.9 This battle between government and citizens over what overrides a citizen's right to privacy and the protection of PII will continue to be a hot topic in the future, leading to new laws and training.

For the intelligence community and law enforcement, the future holds deeper and more practical OSINT training that will allow analysts to implement OSINT skills more effectively. Cases of the future will be enhanced through more robust OSINT databases and citizen collaboration.10 While this type of crowdsourcing investigation can gather many leads, it is not without its challenges. Untrained citizens can and often do release the personal information of innocent people, ruin evidence, and even recklessly engage with suspects. As citizen investigations grow in popularity, the OSINT community will need to develop a more productive way to ingest, analyze, and visualize crowdsourced data. As OSINT concepts become more mainstream through movies, documentaries, and podcasts, we must be prepared to preach investigation ethics and passive‐only collection to untrained citizens to maintain ethical standards.

Mark Twain famously referred to the industrial growth period in late 19th century America as the Gilded Age for being “an era of serious social problems masked in thin gold gilding.”11 This is not unlike the oncoming Gilded Age of OSINT that brims with technological advancements and growth underpinned by the tragedy of war, protests, loss of personal privacy, and civil unrest. Much of what drives the current advancements in OSINT technology is deeply rooted in politics and government. As analysts we have a duty to utilize all this exciting new technology to perform ethical investigations without the insertion of bias or politics. Unfortunately, with all this new technology have come many ethical “gray areas” we must address to remain ethical analysts.

One area where the lines of ethics may become muddied is in the online crowdsourcing of investigations. Crowdsourcing is a relatively new method of analyst collaboration used as a way to tackle large and complex cases like cold cases and high‐stakes, real‐time events. Using team collaboration platforms and forums such as Discord, Slack, Teams, and Reddit, volunteers can participate in live ongoing investigations. Although this technique has proven useful for legitimate organizations such as The Centre for Information Resilience and Trace Labs, I would highly caution analysts from engaging in unvetted investigations.

Unofficial cases found in online forums often have no vetting process for members, and very little can be known about the backgrounds, ethics, and motives of the participants. From an ethical perspective, there are concerns that working on unofficial cases with untrained investigators has the potential to cause harm to the analyst as well as the friends and family of the victim or even the accuser. A perfect example of how crowdsourcing intelligence can have serious repercussions is the terrorist attack at the 2013 Boston Marathon.

On April 15, two explosions rocked the annual marathon in Boston, Massachusetts. Three people were killed in the blasts, and 264 were injured, including both participants and spectators near the finish line.12 Soon, the FBI released a statement that they had located pieces of nylon, fragments of ball bearings, and nails at the scene, indicating a possible pressure cooker device was used in the bombing.13 Over the next few days while the FBI worked tirelessly to locate the suspects in the bombing, the Internet began their own investigation.

The popular forum site Reddit hosts several news “subreddits” that began to unofficially crowdsource investigations into potential bombing suspects. A user in one of the subreddits suggested that a depressed man who had been reported missing since March 16 bore a resemblance to the suspect. Based on nothing more than the way the missing man, Sunil Tripathi, looked, the user unfairly decided that the attack might be “religiously motivated.” The post gained traction, and soon Sunil and his family were being harassed, and ultimately their personal information was released by these Internet sleuths.

Four days after the bombing, on April 19, the real suspects, Dzhokhar Tsarnaev and Tamerlan Tsarnaev, were located by authorities. After a police manhunt, Tamerlan was shot and killed, and Dzhokhar was critically injured but captured and, on April 22, charged with conspiring to use a weapon of mass destruction. After the arrest of Dzhokhar Tsarnaev, Reddit administrators issued an apology to Sunil's family for the misidentification and harassment of Sunil and his family.14 Subsequently, on April 23, Sunil's body was found in a river; the autopsy revealed he had died by suicide.

1.3 Critical Thinking

Becoming a valuable OSINT analyst requires honing—said in my best Liam Neeson voice—“a particular set of skills.” Critical thinking, or “the analysis of available facts, evidence, observations, and arguments to form a judgment15,” is arguably the most important skill in our arsenal. Without the ability to think critically about the data we discover, we would be unable to make intelligent connections between data points or even to evaluate its legitimacy. Many journalists working in information verification on social media have become the front line in deciphering reality from fiction.