OSINT in the Intelligence Era E-Book

First edition July 2023

ISBN 9788896069547

©2023 THEMIS S.R.L.

via Veturia, 44 – 00181 Roma [email protected] THEMIS CRIME

All rights reserved

Reproduction, translation, adaptation, even partial or in extracts, for any use and by any means, including photocopying, microfilm, electronic storage, etc., are strictly prohibited without the prior written authorization of Themis s.r.l. Every abuse will be prosecuted to the full extent of the law.

Preface

The world of intelligence gathering has undergone a massive transformation in the last few decades. With the advent of technology, it has become increasingly easier to access information that was once thought to be elusive. Open-source Intelligence (OSINT) is one such method that has gained immense popularity over the years. While OSINT may seem simple on the surface, it requires a multidisciplinary approach. Firstly, experts in data analysis are needed to sift through the vast amounts of information and identify patterns and trends. Secondly, linguists and cultural experts can provide insights into the nuances of language and behavior displayed online. Thirdly, cybersecurity specialists can ensure the integrity of the data being analyzed. By combining these different areas of expertise, a more comprehensive understanding of OSINT can be achieved. This is crucial for law enforcement agencies, intelligence services, and other organisations that rely on accurate and timely intelligence to make informed decisions. Failure to adopt a multidisciplinary approach to OSINT can result in the oversight or misinterpretation of vital information, potentially leading to dire consequences. Additionally, in order to be successful in the field of OSINT, possessing a diverse range of expertise from various disciplines is equally important. This is because OSINT requires knowledge and skills from various fields, such as computer science, information technology, data analysis, social sciences, and more. A good understanding of how the internet works and how to link data is needed, as well as the comprehension of the psychology of human behavior, which is helpful in analyzing and interpreting open-source data effectively. Finally, having knowledge of legal and ethical considerations related to OSINT is crucial for ensuring that all activities are conducted within legal bounds. Therefore, it is crucial for undergraduate students to develop skills in OSINT. Regardless of the degree they are pursuing: OSINT provides the ability to gather and analyze information from publicly available sources and valuable insights into global events and trends, which can inform decision-making processes in various fields. This book, as a result of many years of international courses and trainings worldwide held by the author aims to provide readers with a methodological approach to OSINT and practical recommendations to use it effectively for intelligence gathering. Whether you are a law enforcement officer, a private investigator, or just someone looking for to learn more about intelligence gathering, this book aims to provide the needed background to rigorously approach OSINT.

Who Is This Book For?

This introductory book on OSINT (Open-source Intelligence) is designed for anyone who wishes to explore the vast world of intelligence gathering and investigation through publicly available information. Whether you are a professional in the fields of cybersecurity, law enforcement, journalism, or private investigation, this book will equip you with essential knowledge and techniques to leverage open-sources effectively.

If you are a beginner with no prior experience in OSINT, fear not! This book provides a solid foundation, guiding you through the fundamental concepts, tools, and methodologies of OSINT. It assumes no prior technical expertise, making it accessible to individuals from various backgrounds.

Are you a digital enthusiast curious about the hidden world of online information? This book will unravel the secrets behind searching, analyzing, and verifying information from social media platforms, websites, forums, and other digital sources. Discover how to harness the power of search engines, social network analysis, and data visualization to extract actionable intelligence.

Furthermore, if you are a concerned individual aiming to protect your online privacy and enhance your digital security, this book offers valuable insights. Learn to safeguard your personal information, identify potential threats, and adopt best practices to navigate the digital landscape safely.

Regardless of your motive for diving into the realm of OSINT, this book serves as your comprehensive guide. By the end, you will possess the skills necessary to conduct effective investigations, uncover hidden connections, and make informed decisions based on the intelligence gathered.

Embark on this enlightening journey and unlock the potential of open-source intelligence with this introductory book, suitable for professionals, enthusiasts, and individuals seeking to enhance their understanding of the ever-evolving information landscape.

To my family and my parents

Contents

Preface

I Introduction

1. Intelligence

1.1 The concept of Intelligence

1.1.1 Levels of Intelligence

1.2 A brief historical evolution of Intelligence

1.3 The Intelligence Cycle

1.4 Warfight domains in military context

1.5 The 5th Dimension: The Cyberspace

1.6 Network Centric Warfare

1.7 The 6th Dimension: Cognitive Warfare

2. Types of intelligence

2.1 National Security Intelligence

2.2 Criminal Intelligence

2.2.1 Functions of criminal intelligence

2.2.2 The Europol EMPACT policy cycle

2.3 Intelligence collection disciplines

2.4 OSINT as a cross Intelligence discipline

2.4.1 OSINT value in the intelligence era

2.5 OSINT support for Cyber threat intelligence

2.6 Ethics and Law in OSINT activities

2.6.1 The privacy respectful OSINT

3. Limitations of Intelligence

3.1 Limitations of intelligence

3.2 Cognitive biases in Intelligence and OSINT

3.3 Data Quality

3.3.1 News bias

3.4 The primary OSINT evil: fake news

3.4.1 The OSINT latter evil: deepfake

3.5 Artificial Intelligence

3.6 AI impact for online investigations and intelligence

3.7 NLP, transformers and ChatGPT support to OSINT

4. The basics of IP networking for OSINT

4.1 Introduction

4.2 Preliminary background

4.3 Network protocols

4.4 The OSI blueprint and Internet

4.5 The Internet

4.6 The TCP/IP protocol suite

4.7 The IP protocol

4.8 The TCP protocol

4.9 The DNS

4.10 Hypertexts and World Wide Web

4.11 The Email service

4.11.1 The SMTP protocol

4.11.2 The POP3/IMAP protocol

5. The must have: machine preparation and text extraction

5.1 OSINT machine preparation

5.2 Virtual machines

5.3 OSINT prebuilt virtual machines

5.4 Using GitHub repositories

5.5 Anonymize yourself

5.6 Regular expressions

5.7 Regex quick reference

5.8 Some OSINT Regexes examples

5.8.1 Extracting mobile phone numbers

5.8.2 Extracting email addresses and URLs

5.8.3 Extracting bitcoin wallets

5.8.4 Entity extraction from tweets

5.8.5 Standardizing extraction groups in text

Bibliography

Index

List of Domains

List of Figures

1.1 The Intelligence cycle

1.2 Search graph starting from search engine

1.3 Warfight domains

1.4 Network-Centric Warfare Domains

2.1 Routine Activity Theory schematization

2.2 EMPACT policy cycle

2.3 The Overlapping Nature of Intelligence Disciplines

2.4 OSINT cycle, as in [36]

2.5 Offensive and Defensive OSINT

2.6 Threat intelligence levels

3.1 Confirmation Bias

3.2 Dunning-Kruger effect

3.3 Data quality 4x4 system (Europol Information management handbook)

3.4 News bias by Adfontesmedia

3.5 Common expressions of social media information

3.6 The fake news cycle carried out by Russia during the war against Ukraine

3.7 Mapping OSINT news on EyesOnRussia.org

3.8 Some of the ways that AI can fit into the intelligence cycle

3.9 Language transformers evolution

3.10 ChatGPT snapshot developing python software

4.1 Analog and Digital communications

4.2 Circuit vs Packet switching

4.3 Network protocol by human metaphor

4.4 Seven-layer architecture of ISO OSI

4.5 OSI communication

4.6 Internet communication

4.7 Comparison of TCP/IP and ISO OSI network models

4.8 TCP IP stack

4.9 IP packet

4.10 IP addresses classes

4.11 TCP packet

4.12 3-way handshake

4.13 DNS domain hierarchy

4.14 DNS domain name example

4.15 HTTP interaction in case of user sending username and password (POST method)

4.16 HTTP request header (GET method)

4.17 HTTP response header

4.18 Number of sent and received e-mails 2017-2025

4.19 How email works

5.1 VirtualBox Linux CSI Desktop

5.2 Visual regex to extract mobile phones number

5.3 Visual regex to extract email

5.4 Visual regex to extract URLs

5.5 Visual regex to extract Bitcoin addresses

5.6 Visual regex to extract Twitter author

5.7 Visual regex to extract tweet mention

5.8 Visual regex to extract hashtag

5.9 Visual regex to extract URL from a tweet

List of Tables

2.1 Intelligence disciplines

2.2 Media usage in an internet minute as of April 2022

2.3 Example of difference between data, information and intelligence

2.4 Example of difference between OSD, OSIF and OSINT

4.1 Port numbers and related services

4.2 DNS records

5.1 Regular Expression Quick Guide

“Real education is about getting people involved in thinking for themselves and that is a tricky business to know how to do well, but clearly it requires that whatever it is you’re looking at has to somehow catch people’s interest and make them want to think, and make them want to pursue and explore.”

Noam Chomsky, Understanding Power: The Indispensable Chomsky

1. Intelligence

In wartime, truth is so precious that she should always be attended by a bodyguard of lies.Winston Churchill

1.1 The concept of Intelligence

Intelligence has played a critical role for mankind since the earliest humans began to think and process information. In fact, the information and the derived intelligence directly influence the daily decisions of individuals, businesses, industry, the military, and the government.

In particular, intelligence is a crucial component of the modern military, law enforcement and business because it refers to potential enemies, their intentions, capabilities, and vulnerabilities. For example, military intelligence helps commanders make informed decisions and enables them to plan and execute successful operations.

Conversely, in the context of business, intelligence refers to the gathering and analysis of information about a company’s internal and external environment. The goal of business intelligence is to provide decision-makers with actionable insights that can inform strategic planning, resources allocation, and operational decisions. Many nations have risen and fallen on the power of intelligence and the decisions that have resulted from it. Thus, the ability to know, anticipate, and plan is very powerful.

In fact, decision-makers should be able to anticipate what will happen next, and how different courses of action are likely to play out over time. They should be able to think creatively about potential solutions, and weigh the costs and benefits of each option. Finally, they should be able to communicate their decisions clearly and persuasively, both to their subordinates and to external stakeholders.

Improving decision-making skills is a complex process that requires ongoing training and development. But by focusing on situational awareness, anticipation, creativity, and communication, decision-makers can become more effective leaders who are better equipped to navigate the challenges of an ever-changing world.

In particular, decision-makers typically have the expectation that intelligence will offer them a comprehensive understanding of both quantitative and qualitative factors, providing valuable insights into abstract and intangible aspects. When this happens, intelligence can describe existing situations and identify or confirm capabilities that will shape future conditions.

As a consequence, intelligence is itself a dynamic concept that does not have just one definition or application. As mentioned above, the ultimate purpose of the intelligence product is simple: provide an edge to the decision-maker.

No single definition of intelligence is accepted by all. The term itself is used in a variety of ways, which makes it difficult to come up with a single definition. Moreover, complicating the problem, different agencies have particular missions and operate under different rules.

Definitions carefully formulated by intelligence experts do exist, but all seem deficient in one aspect or another; the concept remains as sprawling and thorny as a briar patch. Each expert tends to view the term through the spectacles of his specialty.

In particular, some definitions consider intelligence solely a product., others recognize that intelligence is also a process, even lacking fundamental aspects, as, e.g. counterintelligence, which is like that entailed in explaining an automobile in terms of its motor without reference to its bumpers or brakes.

For example, the focus of the Central Intelligence Agency (CIA) is international. It has an entirely different set of guidelines than a domestic law enforcement organisation, such as the Federal Bureau of Investigation (FBI). Hence, both define intelligence some-what differently.

In fact, CIA defines1 the intelligence as

Intelligence is the collecting and processing of that information about foreign countries and their agents which is needed by a government for its foreign policy and for national security, the conduct of non-attributable activities abroad to facilitate the implementation of foreign policy, and the protection of both process and product, as well as persons and organisations concerned with these, against unauthorized disclosure.

while FBI defines2

Simply defined, intelligence is information that has been analyzed and refined so that it is useful to policymakers in making decisions—specifically, decisions about potential threats to our national security.

Apart from the definitions provided by NIST3, for the scope of this book, we adopt the generalization of the definition of Intelligence formulated by the U.S. Director of the National Intelligence (DNI):

Intelligence is information gathered within or outside the country that involves threats to the nation, its people, property, or interests; development, proliferation, or use of weapons of mass destruction; and any other matter bearing on the national or homeland security. Intelligence can provide insights not available elsewhere that warn of potential threats and opportunities, assess probable outcomes of proposed policy options, provide leadership profiles on foreign officials, and inform official travelers of counterintelligence and security threats.

It is the product resulting from the intelligence cycle, a process whereby raw information is acquired, converted into actionable information, and disseminated to the appropriate consumers. Generating reliable and accurate intelligence data are a fundamental requirement; for this reason, the Intelligence cycle, detailed in section 1.3, is a dynamic and sophisticated process through which information is processed in an accurate and usable way, in order to provide secure sources and to make good national decisions. The aim is to develop information into finished intelligence for consumers, including policymakers, law enforcement executives, investigators, and patrol officers. These consumers use this finished intelligence for decision-making and action. Typical intelligence activities are commonly referred to as “covert actions” and represent fundamental component of national power and decision-making in national security, defense and foreign policy (Pringle and Ransom, 2021) [28].

In order to further clarify when a secret information is accessed/disclosed or, simply, it is discovered, a clear distinction between espionage and intelligence is needed, because they are related concepts, but they are not the same thing.

Espionage refers to the practice of gathering information, often secretly, from a foreign government or organisation with the intent of obtaining strategic, political, or military advantages. It is often associated with covert operations, including the use of spies and other forms of espionage.

On the other hand, intelligence refers to the collection, analysis, and dissemination of information to support decision-making and other activities related to national security, foreign policy, and law enforcement. Intelligence gathering can include not only traditional espionage activities but also more overt methods, such as satellite imagery, intercepted communications, and open source research Champagne, 2006) [5].

Every State, in order to ensure the protection of its citizens, has multiple intelligence agencies, due to several factors, including the complexity of national security threats, the need for specialized expertise, and the historical development of intelligence agencies.

National security threats are often complex and multifaceted, requiring different intelligence capabilities and expertise. As detailed in the following sections, one agency may specialize in human intelligence (HUMINT), while another may focus on signals intelligence (SIGINT) or geospatial intelligence (GEOINT). Each agency brings a unique perspective and expertise to the intelligence landscape, which can help to provide a more comprehensive understanding of national security threats.

In addition, the historical development of intelligence agencies may also contribute to the need for multiple agencies in the same country. Some intelligence agencies may have been established to address specific threats or historical events, and have developed unique capabilities and expertise that are difficult to replicate in other agencies.

Nevertheless, the presence of numerous intelligence agencies can give rise to concerns regarding the coordination and exchange of information, which are vital for the success of intelligence operations. Divergent priorities and interests among these agencies can lead to the creation of information silos and hinder the sharing of crucial intelligence data.

States may bring together intelligence functions of different government services to ensure security around them and forming the so-called intelligence communities (IC), which are networks of government agencies and organisations that are responsible for gathering, analyzing, and disseminating intelligence information to support national security and foreign policy objectives. These communities exist in many countries around the world and are typically led by a central intelligence agency or organisation) [1].

In the United States, the Intelligence Community (IC) is comprised of 18 separate agencies and organisations, including the Central Intelligence Agency (CIA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI). These agencies work together to gather and analyze intelligence information and share it with policymakers and decision-makers to support national security objectives.

The European Union (EU) does not have a single intelligence agency or community, as national intelligence agencies in EU member states are responsible for collecting and analyzing intelligence information related to national security and foreign policy objectives. However, there are several institutions and mechanisms in place at the EU level that support intelligence cooperation and information sharing among member states.

Intelligence sharing among EU member states can be traced back to at least the 1970s, although it was done in a less formal or standardized way (Walsh, 2006; Cross, 2020) [29], [7]. In the late 90s, after the Bosnian War, intelligence sharing in Europe became more institutionalized, and then increased significantly after the major terrorist attacks in New York (9/11), Madrid (2004), and London (2005). This resulted in the launch of the EU’s centralized intelligence centre, now known as IntCen (Todd, 2009) [27], which serves as a hub for intelligence analysis and information sharing among EU member states.

One of these institutions is the European External Action Service (EEAS), which is responsible for implementing the EU’s foreign and security policy, which includes EU INTCen.

The EU also has several specialized agencies that support intelligence-related activities, including- the European Union Agency for Law Enforcement Cooperation (EUROPOL) and the European Defence Agency (EDA). These agencies work closely with national intelligence agencies to coordinate activities related to counterterrorism, cybersecurity, and defense.

In addition, the EU has established several mechanisms to promote intelligence cooperation and information sharing among member states (Champagne, 2006) [5], including the Joint Situation Centre (SitCen), which is responsible for monitoring global events and providing strategic intelligence analysis to EU decision-makers (Pindják, 2014) [23]. .

Despite the lack of transparency, it is clear that there exists a fundamental dilemma in the realm of EU intelligence. Member states are very hesitant to share intelligence because it has traditionally been a core part of national sovereignty. Simultaneously, their comparable security concerns, particularly the borderless nature of the Schengen area, the reinforcement of the Common Foreign and Security Policy (CFSP), and emerging security challenges in the region, have fostered a robust inclination among them to engage in intelligence sharing.

1.1.1 Levels of Intelligence

Intelligence plays a crucial role in aiding decision-making across various levels and for diverse consumers. Consequently, decision-makers require diverse types of intelligence that rely on distinct sources of information, collection methods, and analytical approaches.

Additionally, different types of intelligence may require various sources of information, such as open-source intelligence or human intelligence.

Ultimately, the need for different types of intelligence reflects the complexity of decision-making and the importance of having accurate and relevant information to support those decisions: being able to effectively gather and analyze different types of intelligence is fundamental to gain better positions to make informed decisions and achieve strategic goals. For the above-mentioned reasons, intelligence types can be layered and conducted on three different levels:

– the broadest, which is the strategic one (also known as national) entails broad topics, such as economic projections, and often looks out into the future. For example, the DNI has produced a series of studies concerning whether Iran intends to produce nuclear weapons, which represents a severe issue concerning the highest levels of the chain-of-command, possibly driving decisions of whether to carry out a military strike. Thanks to strategic intelligence it is possible to determine where, when, and in what strength the adversary will stage and conduct his strategic unified operations. In particular, it includes identifying potential threats, assessing foreign capabilities and intentions, and evaluating trends and developments that could impact national security. Examples of strategic intelligence activities might include analyzing global economic trends, monitoring political developments in foreign countries, or assessing the military capabilities of potential adversaries. Strategic level intelligence results, intrinsically, require much more lead time than tactical ones;

– Tactical intelligence focuses on the collection, analysis, and dissemination of information that supports short-term decision-making and operational planning. This level of intelligence is used to inform the actions of military units or law enforcement agencies at the operational level. Tactical intelligence includes the identification of immediate threats, enemy strengths and weaknesses, and the assessment of local terrain and infrastructure. Therefore, tactical intelligence results are designed for near-term use, usually by on-the-ground personnel. For example, an army unit on patrol would be interested in whether the enemy is over the next hill; likewise, drug agents may want to know the background of the suspected drug dealers they are about to meet. Such intelligence has a great deal of immediacy. As a result, the process by which it is converted from information to intelligence is often short-cut.

– The operational intelligence, as the term suggests, focuses on assessing the effectiveness of operations, maintaining situational awareness of the military disposition, capabilities and intentions of adversaries. In particular, intelligence at the operational level refers to the collection, analysis, and dissemination of information that supports the planning and execution of specific military or law enforcement operations. Operational level intelligence is used to inform decision-making and actions at the tactical level, and to ensure that strategic objectives are being met.

Examples of operational level intelligence activities might include identifying enemy troop movements and positions, assessing the terrain and infrastructure of an area of operations, or determining the capabilities of an adversary’s weapons systems. This information is used to develop plans for specific military operations, such as raids, ambushes, or patrols, or to support law enforcement activities, such as investigations or tactical operations.

Operational level intelligence is often collected by specialized units, such as military intelligence or law enforcement intelligence units. These units are trained to collect and analyze information from a variety of sources, including human intelligence (HUMINT), signals intelligence (SIGINT), imagery intelligence (IMINT), and open-source intelligence (OSINT), better detailed in chapter 2.

All the aforementioned intelligence levels have to constantly cope with a hidden enemy, represented by the wrong, misleading information that can severely impact on the intelligence product. Sometimes this enemy is really invisible and undetectable, because of a precise counterpart strategy on information poisoning, leading to its information superiority by driving the enemy towards wrong decisions.

This is a subtle information battle, whose winner is the player with the most qualitative information, providing the information superiority defined4 as

the operational advantage derived from the ability to collect, process, and disseminate an uninterrupted flow of information while exploiting or denying an adversary’s ability to do the same.

Hence, detecting and preventing espionage, sabotage, and other intelligence activities that are carried out against an organisation or nation becomes crucially important. In fact, the consequences of failing to detect or prevent these activities can be severe, including loss of sensitive information, damage to infrastructure, and even loss of life.

In order to cope with this information poisoning threat, a further and separate intelligence service should be set up, whose efforts should typically involve a range of activities, including monitoring and analysis of intelligence activities, conducting investigations, and taking action to disrupt or neutralize hostile activities, mainly using a variety of tools, such as electronic surveillance, undercover operations, and cybersecurity measures: The Counterintelligence.

In fact, the counterintelligence, according to NIST definition5, refers to

information gathered and activities conducted to protect against espionage, other intelligence activities, sabotage, or assassinations conducted by or on behalf of foreign governments or elements thereof, foreign organisations, or foreign persons, or international terrorist activities.

Hence, counterintelligence involves the identification, prevention, and neutralization of foreign intelligence activities that could harm national security. This includes activities such as espionage, sabotage, and terrorism.

The defensive measures used to achieve this goal are mainly investigations and surveillance checks, while the offensive counter-espionage measures used on particular occasions include penetration operations and especially the manipulation of other organisations.

The evolving landscape of intelligence necessitates counterintelligence to fulfill various functions, which may involve distinct processes. However, there is no doubt about their significance as an integral component of national security strategy. (Pringle and Ransom, 2021) [28].

As can be seen, intelligence action is not unique; rather, it is a set of joint functions that range from helping commanders in integrating, synchronizing, and directing joint operations to acting with command and control, fire, movement and maneuver, protection, and support.

1.2 A brief historical evolution of Intelligence

We can assume that the fundamental purpose of intelligence analysis has not changed over the centuries, although in former times the task would have been conducted instinctively and would certainly not have been conceptualized as a distinct set of disciplines. From historical records, however, we can see how the analytic task began to require specialized training as types of intelligence sources multiplied with advances in technology, most recently the digital revolution.

We envisage their development in ancient Greece, where the oracles covered the role of consultants in situations of enemy attacks and for the launching of military campaigns, and in the Sub-Saharan African tribes; as for ancient Greeks, the spy networks were particularly important in the bureaucratic systems of the Romans, Byzantium, Persian and Chinese, through the infiltration of spies to assess the strengths of other civilizations.

In the Middle Ages, the Church exploited its network of spies to identify heretics, political dissidents and practitioners during the Inquisition in Italy, France, and Spain, but has lost its central role during the Renaissance, where the use of espionage became a tool of emerging states and played a key role in the explorations mainly to support military campaigns against new peoples. It was Niccolò Machiavelli who praised the use of intelligence services in his book The Art of War, in which he advises rulers who are at risk of being spied to utilize counsels to confer with, underlining the essential role that intelligence tasks started to play in the governance sector. Furthermore, the author stressed the importance of influencing and deceiving messages rather than employing force, because using influence and driving the consensus of large masses rather than physical violence could be deemed far more efficient in terms of power.

In the late Renaissance, the two outstanding historical examples of evolution of the intelligence models come from England in the reign of Queen Elizabeth I and from France under King Louis XIII.