OSINT Field Handbook by Taiwo Owolabi
Scope
This manual is meant to serve as a companion document for every Open-Source Intelligence analyst or investigator, red teamer, cybercrime investigator and Search Party CTF program. If you come across this little but rich publication, I want you to take it as the printed version of one of the research projects done in my cyber lab. All techniques and considerations put forth in this manual comply with the Search Party Rules of Engagement (ROE). The techniques are passive in nature, and every effort is made to protect the participants, the subjects of the investigation and the investigation itself while applying maximum OpSec. Curious to know more about OpSec? Don’t worry, we will discuss it later.
This manual focuses on people-centric OSINT investigations. (People-centric OSINT (Open-Source Intelligence) investigations focus on gathering and analysing publicly available information about individuals or groups of people.) So expect discussions of investigation techniques focused on the major social media platforms across the surface web, deep web and dark web, including geolocation, network analysis and web server investigations.
LET’S GET STARTED
What is Open-Source Intelligence?
To me, OSINT is any information that a regular citizen could access without possessing special clearances. For example, in the Federal Republic of Nigeria, personnel who serve in the Nigerian armed forces or law enforcement have access to databases containing information that the average citizen cannot reach. Databases of that type do not fall under OSINT.
What is or is not OSINT will differ based on your country’s or state’s policy.
Based on the definition above, information considered “open source” in a country like the United States or Luxembourg may be protected in Nigeria under the Nigeria Data Protection Regulation (NDPR, Nigeria’s counterpart to the GDPR), so what is OSINT in Nigeria may not be OSINT in other countries.
OSINT is commonly associated with electronic research, but this doesn’t have to be the case. Some pieces of OSINT may only exist as paper records in a courthouse or as microfiche in a public library. Microfiche is a small, flat sheet of film that contains reduced images of printed documents. Public libraries use microfiche to archive newspapers, government records and historical documents.
What background or skills do you need to conduct OSINT?
The two most important characteristics of an OSINT analyst are curiosity and discipline. Apart from these two, having a basic background in or understanding of your subject of investigation will give you more leverage.
For example:
- Every OSINT analyst who focuses on social media intelligence gathering needs a good understanding of how social media platforms work and how the subject of their investigation communicates and interacts with others.
- Being a real estate OSINT analyst requires an understanding of how property buying and selling work in your area, where to find real estate records, and how to access them.
- A networking-device-focused investigation requires an understanding of how network systems work and communicate with each other. You would need to understand things like network protocols, ARP, the OSI model, the TCP/IP model, DHCP, network commands like ping, DNS and how to find WHOIS records.
The bullet points above are just a few of the different domains of investigation you could come across. A real-world investigation could also blend multiple types of OSINT together. What starts out as a network/infrastructure-based investigation could quickly evolve into a people-based OSINT investigation as you go further, trying to understand who is behind a particular block of IP addresses (IPv4 or IPv6) associated with a website or attacker.
The fundamentals of investigation haven’t changed, but as technology evolves, so do investigative patterns. No crime is entirely new. Even popular crypto-related frauds follow the same structure as traditional frauds like MMM, Ponzi schemes and others. The only difference is that the bad guys replaced the traditional payment methods with cryptocurrencies like Monero, Bitcoin and others.
Why Do We Need to Use OSINT?
The amount of information available to the average person today is exponentially higher than what people of previous decades had. Not only are we willingly putting more and more information “out there”, but more and more information is being collected, catalogued and sorted every single day. This explosion of accessible data has opened up the realm of investigation to an audience that would have been shut out of it in years past.
Leveraging Open-Source Intelligence not only allows the average person to participate in an investigation but can also augment and enrich a more “traditional” style of investigation. Law enforcement agencies (LEAs) around the world are now incorporating OSINT into more conventional “police work”. Agencies like the CIA, FBI-IC3, EFCC, Homeland Security and others have taken an interest in having dedicated OSINT analysts or investigators within their digital forensics departments.
Corporate businesses leverage OSINT to protect and monitor their products and reputation. Cybersecurity teams around the world also use OSINT during reconnaissance to unmask the bad actors behind malicious infrastructure or to connect different pieces of network infrastructure back to a central threat actor.
Individuals can use OSINT when buying property, going on a date or selecting a caregiver for a child, pet or parent. The list could go on and on. Here is an interesting thing: almost everyone with a smartphone has been conducting OSINT without even knowing it. People just don’t know what to call it.
Let us look into the ethics of OSINT
The Legal vs. the Illegal: Before going further, I would like to make it clear that I am not an attorney or a legal professional, and I can’t tell anyone about the legality of a potential investigation. This manual assumes you will stay in compliance with all applicable laws within your jurisdiction. In many parts of the world it is not illegal to collect publicly available information. But, as we say in the world of offensive security, “Just because something is not illegal doesn’t mean it’s right to do.”
Just because something isn’t illegal doesn’t mean it’s ethical. In your jurisdiction, it might not be against the law to stalk your ex and their new partner or to dig into your coworkers’ social media to compile dossiers on their political views. But we all know that doesn’t feel right.
A couple of times people have asked me what tool they can buy to spy on their spouse. My answer always remains the same: instead of invading people’s privacy, it is better to have an honest conversation with them. At the end of the day, we all have something to protect, and privacy matters to all of us. I will stop here to save our time, but I hope you get my point. Just because no provision of law stops you from collecting publicly available information doesn’t mean you shouldn’t have your own ethical guidelines.
Below are the common responsibilities of an investigator.
- You are responsible for your investigation results.
- You are responsible for the impact of your investigations.
- You are responsible for the potential blowback and fallout from your investigations.
- You are responsible for how the insights provided by your investigation report are leveraged.
The term “responsible” above is used in the moral sense, not the legal sense. I would like to remind you again that I am not qualified to give anyone legal advice.
Below are the common questions to ask yourself before conducting an investigation:
- Who is this investigation for? (is it for myself, a client, law enforcement, or an organization?)
- What is the objective? (like verifying information, or uncovering fraud?)
- What information do I already have about the target?
- What tools and sources do I need to obtain relevant data?
- Who will use my findings, and where will they be presented? Because you must write two reports for every investigation, one for tech savvy people and the other one for the executives who have no clue about tech.
- How would my investigation impact the subject or others involved?
- Am I satisfied with my answers to these questions before proceeding?
If yes, then you are good to go! If you take your time to reflect on the above points, your work would be more ethical, effective, and well-structured.
Let's Talk About Your Safety (OpSec).
OSINT is so amazing and magical because anyone can do it. As long as you are passionate and have some level of curiosity, you are capable of tracking down all kinds of information related to an individual or a group of people. As the world has gone more digital, the world of Open-Source Intelligence has become more approachable than ever. Realistically, anyone anywhere with a web browser and an internet connection can begin an investigation at any time.
Every skill has its pros and cons, and OSINT is no exception. Here are some of the potential downsides.
- A keyboard and monitor make it easier to separate yourself from the subject of an investigation.
- Closing your laptop or logging off a social media platform can make you feel like you’ve “disconnected” from the actions of your investigation.
- But this cheap sense of security or detachment can still put at risk not only yourself but also the subject of your investigation, or even the investigation itself.
Your Safety
Before going further, i want you to ask yourself the following questions first:
- What happens if someone else finds out what I’m doing?
- What happens if the subject of my investigation finds out about my investigation?
- Am I mentally prepared for the subject matter I might encounter along the way?
- How do you feel about your answers to the questions above?
Safety of Others
Ask yourself the following questions:
- Are my actions potentially jeopardizing someone else’s wellbeing?
- How do you feel about the answers to the questions above?
Safety of the Investigation
Ask yourself the following question:
- Are my actions potentially jeopardizing the integrity of an ongoing criminal investigation?
- How do you feel about the answers to that question?
Importance of Passive Reconnaissance (Intelligence gathering)
The sections above were written to drive home the importance of passive reconnaissance.
Passive reconnaissance protects not only you but other people and the investigation as a whole. What does this look like in the real world?
- No interaction with ANYONE during an investigation. This includes DMs, emails, friend requests and interaction with the social media posts of not only the subject of your investigation but anyone adjacent to it.
- No talking about your investigation outside of safe channels
- Did we mention no interaction? Yeah. Note this down because it's very important.
Planning and Preparation
The first stage of the Intelligence Life Cycle involves planning. Before you start investigating anything at all, you need to do some pre-work. This planning will not only make your investigations more efficient but will also enable you to keep your investigation discreet and focus on the techniques to employ during your analysis.
Define Your Mission
What are you trying to do? Write it down. Some useful prompts for the planning stage:
- What question are you trying to answer?
- What specific information/data are you looking for?
- What connection are you trying to make?
The more detailed and focused you are, the more fruitful your investigation will be. The information you collect is just facts. Intelligence is a collection of facts that support a specified mission or request for information.
Define Success
When do you stop? Digging forever wouldn’t be productive.
You need to ask, “At what point would my investigation be over?”. Ideally, it should be when you are satisfied with the requirements laid out in the planning stage. Knowing when to stop is a skill every investigator needs.
Define “Red Lines”
Similar to but different from “Define Success”, you need to define certain “red lines” that should never be crossed, and certain triggers that will end your investigation prematurely. Examples of these could be:
- Discovering evidence of a serious crime.
- Discovering subject matter you personally find triggering.
- Your “online” investigation spilling out into the “real world”.
- Finding yourself spending too much time thinking about an investigation.
- Logging into your target’s social media account. This is a serious violation of privacy and ethics. Additionally, such accounts may be monitored by government agencies, and in that situation a VPN won’t protect you.
- Conducting an investigation that has an adverse effect on your quality of life or that of those around you.
Operational Security
By the time you realize you need to be better at it, it’s already too late. Operational Security (OpSec) directly supports the safety guidelines discussed previously. It’s also something that must be planned for before beginning an investigation.
Think of OpSec as a spectrum:
The far left of the spectrum represents no effort at all. People at this end of the spectrum don’t care if everyone knows who they are, what they’re doing, what they’re saying, where they live, etc. The far right of the spectrum represents maximum effort. People at this end of the spectrum are employing habits, routines and countermeasures to actively hide from organizations with nation-state level resources.
Every investigation will require you to be somewhere on this OpSec spectrum. Where you need to be on the spectrum will be dictated by your threat model in the context of the investigation you are conducting. Simply put, your threat model is a sketch of the threats you will encounter over the course of an investigation. The “amount” of OpSec you need will be dictated by the threats you define in your model.
Some good prompting questions to define your threat model are:
- Who/What are you hiding from?
- Will the subject(s) of your investigation be actively monitoring for investigations into them?
- What action (if any) will the subject(s) of your investigation take against you if you are discovered?
- What are the consequences of your true identity being revealed?
- What are the consequences of your investigation being discovered?
I designed my approach with “OpSec by default.” My Rules of Engagement for investigations are shaped directly by the answers to the key questions outlined earlier.
In crowdsourced missing persons investigations, the risk to individual investigators is relatively low since most of the work happens on social media platforms. In this context, the goal isn’t to hide your identity from the platform itself but rather to obfuscate your true identity from other users who may be monitoring the investigation.
Sock Puppet Account and Burner Phone.
What is a sock puppet account? According to Wikipedia, a sock puppet is an online identity used for disguised activity by its operator. A burner phone, meanwhile, is a prepaid phone (and number) purchased specifically to be used briefly and then replaced.
“Sock puppet” accounts are mandatory for every social media intelligence investigator. I encourage this practice for safety purposes. In the good old days, creating a sock puppet account was much easier: all you needed was an email or phone number, along with fake identity details generated from certain identity-generator websites.
Nowadays, with new technologies and advanced detection systems, creating a sock puppet account has become increasingly difficult. In fact, successfully setting one up without getting banned is rare. Let me give you some tips on how I get around this challenge. This is where burner phones come in. To create a reliable sock puppet account, follow these steps:
- Get a new phone (preferably one that hasn’t been linked to you).
- Obtain a fresh phone number through apps like Dingtone or TextNow, or better yet, use a new SIM card.
- Use the new SIM card to register your social media sock puppet account, ensuring minimal traceability. Good luck! (I hope Mark, Elon Musk and the likes never get to see this handbook 😆)
Note: This manual is written under the assumption that all platforms being interacted with are large commercial entities like Facebook, Twitter, Instagram, TikTok and the like. If your investigation takes you to infrastructure managed by actors you would prefer to stay concealed from, then consider using a VPN. Creating an account from your residential IP address without a VPN and using a vanilla Chrome browser will appear less suspicious (from the platform’s perspective) than someone coming out of a Tor exit node.
- Don’t put in more effort than you have to. If your sock account doesn’t need an epic origin story, political affiliations and a personality, then don’t worry about it.
- Using other people’s headshots or profile pictures can get you into serious trouble. For instance, in Nigeria this is considered identity theft under the Cybercrime (Prohibition and Prevention) Act, 2015.
- Don’t get too attached to these accounts. They will get burned. And if it happens, move on.
- Don’t mix up your sock accounts with your “real” accounts. Download and set up a virtual machine, or get yourself a burner phone.
Virtual Machines
VMs could fill out their own manual. A few bullet points around them:
Virtual machines offer you a great way to keep your investigation “isolated” from your normal computer usage. If you’re only signing in to sock puppet accounts from within a VM, there is much less risk of your real account and your sock account “cross-pollinating”. Meanwhile, VMware also faces challenges such as escape attacks, where malicious software breaks out of the virtual machine and infects the host system, compromising the physical computer environment.
VMs offer you a great way to stay organized. All the information around your investigation, like notes and screenshots, can be saved within your VM.
VMs can be disposable. When you’re done with an investigation you can easily delete the VM you were using.
Let us review what we have covered so far. If you have taken your time to go through this material, I believe by now you should be able to:
- Understand the various uses of OSINT and its applications.
- Evaluate the ethical and moral implications of your investigation.
- Recognize the importance of passive reconnaissance in gathering intelligence without alerting the target.
- Establish a clearly defined goal or mission to determine when the investigation is complete.
- Set “red lines”: boundaries that, if crossed, would tip off your target and may bring your investigation to an immediate end.
- Identify the platforms where the investigation will take place and create sock puppet accounts accordingly.
- Develop a threat model for the investigation and implement countermeasures to mitigate potential risks.
Now that all that preparation is done, we can begin discussing various techniques you may find beneficial over the course of a people focused OSINT investigation.
Reminder: All techniques discussed are in the context of Trace Labs’ rules of engagement and my personal experience. You will find some legitimate techniques missing from this list. I’ve chosen to expand on the techniques and principles I see other professional analysts use often.
Understanding What You’re Starting With
What information do you have to start with?
This will differ from investigation to investigation but in the context of a people-based investigation you might have: Name, Photo, Physical description, social media profiles, Hobbies, Keyword containing social media post and any other information about target.
The information you begin your investigation with will be the “source of truth” against which you validate everything else you find over the course of your investigation. This validation is critical because, if an incorrect piece of intel ends up in your investigation, it can send you down a completely wrong path. That is why it is so important to ask the necessary questions before conducting your investigation.
Become very familiar with the information you are starting with as this will be the foundation of your entire investigation.
Look at the information in front of you seriously.
- What do you see?
- Go back to your original mission or original question.
- Does anything in front of you answer that question?
Every piece of intelligence you come across online needs to be run through this “decision matrix”. Once you can reliably answer your question, just know that the investigation is over.
Enumeration
Enumeration is defined as “the act or process of counting something or a count made of something”
In the context of my investigations, I take something I already know, like a username, and try to find as many other places as possible where it exists. Username enumeration is a powerful technique in the early stages of an investigation.
If you know a person’s preferred online handle, you will want to enumerate that handle across as many sites as possible. People reuse things all the time, and names are no different.
You can also enumerate their real name. Type it into the search bar of your social media platform and see if you get any hits. For me, each time I want to filter out unwanted information I make use of quotation marks (“ ”) or the minus (-) operator. For example:
- “Obasanjo” (searches for exact matches of the word “Obasanjo”)
- Obasanjo -block (excludes results containing the word “block”)
This technique is called Google Dorking and is common within the OSINT community. Open your browser now and try it; it works like magic.
WARNING!
Enumeration ≠ Validation.
Just because you’ve found a person’s preferred handle on a website does not prove it belongs to them. All you’ve done is prove that their preferred name exists on the social media or website.
Dig into the new page you’ve found and look for other information that ties back to the individual:
- Same pictures as on their other social accounts?
- Same likes/dislikes as your person?
- Same website link and bio listed on this new account?
- Followed or friended by another account belonging to your person?
- Same group of people following and interacting with this new account as you’ve seen across their other accounts?
Here is a fact: If you build your entire investigation on enumeration alone, you’re going to have a very flimsy final product.
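The corroboration step above can be made explicit. The following is an added example, not code from the handbook or from Trace Labs: a small Python scorer that compares a candidate account found by enumeration against the confirmed starting profile (the “source of truth”) and only calls it “validated” when several independent attributes overlap. The attribute names, weights, thresholds and sample profiles are constructed assumptions; a matching handle on its own contributes nothing to the score.

```python
"""
Corroboration scoring for an account found by username enumeration.
Added example, not from the handbook: attribute names, weights, thresholds
and the sample profiles are constructed assumptions for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Profile:
    platform: str
    handle: str
    photo_hashes: set = field(default_factory=set)  # e.g. perceptual hashes of photos
    interests: set = field(default_factory=set)     # likes, hobbies, groups
    bio_links: set = field(default_factory=set)     # URLs listed in the bio
    connections: set = field(default_factory=set)   # handles already tied to the person


# Assumed weights: how much one overlapping item of each kind counts.
WEIGHTS = {
    "photo": 3.0,       # the same image reused across accounts is strong evidence
    "bio_link": 3.0,    # the same personal URL in the bio is strong evidence
    "connection": 1.0,  # each shared friend/follower adds a little
    "interest": 0.5,    # shared likes are weak on their own
}
ATTRIBUTES = (("photo", "photo_hashes"), ("bio_link", "bio_links"),
              ("connection", "connections"), ("interest", "interests"))


def corroborate(source_of_truth, candidate):
    """Compare a candidate account against the confirmed starting profile.
    Returns (score, evidence): evidence lists every overlapping item so the
    analyst can cite it in the report instead of relying on the handle alone."""
    score, evidence = 0.0, []
    for kind, attr in ATTRIBUTES:
        shared = getattr(source_of_truth, attr) & getattr(candidate, attr)
        for item in sorted(shared):
            score += WEIGHTS[kind]
            evidence.append((kind, item))
    return score, evidence


def verdict(score, strong=5.0, weak=2.0):
    """Assumed thresholds: an account with no overlapping attributes stays
    'unvalidated' no matter how well the handle matches."""
    if score >= strong:
        return "validated"
    if score >= weak:
        return "needs more evidence"
    return "unvalidated"


# Constructed sample data (fictional handles, hashes and URLs).
SOURCE = Profile("facebook", "ade.tunde",
                 photo_hashes={"phash:a1f3"}, interests={"chess", "cycling"},
                 bio_links={"https://example.com/ade"},
                 connections={"kemi.o", "segun.b", "tola.x"})
# Same bio link and two shared contacts: corroborated.
CANDIDATE_LINKED = Profile("instagram", "ade_tunde",
                           photo_hashes={"phash:77c0"}, interests={"cycling"},
                           bio_links={"https://example.com/ade"},
                           connections={"kemi.o", "segun.b"})
# Identical handle but nothing else in common: enumeration only.
CANDIDATE_NAME_ONLY = Profile("tiktok", "ade.tunde", interests={"chess"})

if __name__ == "__main__":
    for cand in (CANDIDATE_LINKED, CANDIDATE_NAME_ONLY):
        total, evidence = corroborate(SOURCE, cand)
        print(f"{cand.platform}/{cand.handle}: {total} -> {verdict(total)}")
        for kind, item in evidence:
            print(f"  shared {kind}: {item}")
```

Running the script scores the Instagram account 5.5 (“validated”, with the bio link and two shared contacts listed as evidence) and the TikTok account 0.5 (“unvalidated”) even though its handle is identical to the source, which is exactly the enumeration-versus-validation distinction the warning above makes.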
Pivoting
Pivoting is finding a piece of information that will send you somewhere else (likely another social media account)
Now that you’ve taken the time to find their social media accounts, what other information can you find that will send you somewhere else?
Some pivot points might look like:
- Links to other accounts. For example, on their Facebook page linking to their TikTok.
- Friend or Follower accounts. It’s possible the subject of your investigation will be interacting with their friends under a different name on the same platform.
- Friends and Followers mentioning other accounts in comments.
WARNING!
If you find yourself in a situation like this, don’t pivot immediately. Take some time to absorb what is in front of you. Maybe there is a stronger or better pivot point further down the page. If you begin pivoting immediately you may find yourself going down a rabbit hole where you keep pivoting and forget where you came from and how you got to where you currently are. To avoid this, use Maltego, a powerful OSINT and link analysis tool for mapping relationships between people, organizations, domains, IPs and social media accounts. Click here to see the set-up tutorial.
Go wide before you go deep.
Photos + Videos: Some social media platforms will be more media-driven than others. Ask yourself two things:
- What do I know about the photo/video?
  - When was it taken/made?
  - Who posted it?
  - Who is interacting with it (likes, emojis …)?
  - When was it posted?
  - Does the content of the media sync up with when it was posted? For example, if it’s winter and they’re posting pictures with snow, you may assume that the post was made recently.
- What is the photo telling me?
  - Does the media give clues to someone’s location?
  - Does the media give clues to someone’s state of mind?
  - Does the media give clues to someone’s friends or associates?
  - Does the media give insight into someone’s habits or addictions?
  - Are there any other pivot points or pieces of intelligence in the media? Think license plates, identification, work badges, business cards, etc.
  - Does the media answer your beginning question or accomplish your mission?
Geolocation:
Geolocation mapping is the process of determining and visualizing the real-world location of an object using data from Global Positioning System (GPS), Wi-Fi, cell towers, or metadata. The goal here is to determine the location featured in a piece of media.
While carrying out a GEOINT investigation, questions like:
- Where is it taking place?
- What do you know about the media?
- Who took the photo or created the video?
will make your work easier, and any additional supporting information will make it easier still. This method can serve as a useful pivot point or at least narrow down your geolocation. If your subject lives in Lagos State and frequently posts on social media with a “Victoria Island” location tag, then that would be a good place to start your geolocation. And if you know the poster was on vacation when the picture was posted, go back to their social media, find out where they were on vacation and start your geolocation there.
Questions to ask yourself during a GEOINT investigation:
- When was the media posted or shared?
- Does the timestamp align with other known activities? (Using the techniques mentioned earlier, you may narrow down your search or even find the answer.)
- What information does the media provide? Analyze the image or video metadata and content. The resources to do this will be listed below.
- Are there any notable landmarks? Look for recognizable buildings, signs, or objects in the background. I once narrowed down my target’s location using a hotel logo.
- If outdoors, what does the geography indicate? Mountains, deserts, oceans, and vegetation types can help pinpoint a location.
- If indoors, what architectural details stand out?
  - Light fixtures, power outlets and vehicle plate numbers can hint at a specific country or region.
  - Furniture and decor may suggest a hotel, office, or private home.
If you would like to see a live demonstration of GEOINT, click here to watch the video.
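To make the metadata question above concrete, here is an added example (not part of the handbook) of how GPS coordinates are stored in a photo’s EXIF data and how to read them back: a minimal parser for the TIFF-structured EXIF payload that locates the GPS sub-IFD and converts the degrees/minutes/seconds rationals to decimal coordinates. The sample blob is constructed by build_sample_exif() so the script runs offline; the coordinates it encodes are a made-up point near Victoria Island, Lagos. In a real JPEG the same bytes follow the “Exif\0\0” marker inside the APP1 segment, which is where tools such as exiftool read them from, and checking your own photos this way before posting is the defensive side of the same technique.

```python
"""
Minimal EXIF GPS extractor. Added example, not from the handbook: the EXIF
payload is constructed in build_sample_exif() with made-up coordinates.
Input is the TIFF-structured payload that follows the 'Exif\0\0' marker in a
JPEG APP1 segment (byte order, 0x002A magic, offset of IFD0).
"""
import struct

TAG_GPS_IFD = 0x8825                 # IFD0 entry pointing at the GPS sub-IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004
TYPE_ASCII, TYPE_LONG, TYPE_RATIONAL = 2, 4, 5


def read_ifd(data, offset, end):
    """Return {tag: (type, count, 4 raw value/offset bytes)} for one IFD."""
    (count,) = struct.unpack_from(end + "H", data, offset)
    entries, pos = {}, offset + 2
    for _ in range(count):
        tag, typ, n = struct.unpack_from(end + "HHI", data, pos)
        entries[tag] = (typ, n, data[pos + 8:pos + 12])   # 12-byte entry
        pos += 12
    return entries


def read_rationals(data, end, entry):
    """Follow an entry's offset and read `count` unsigned RATIONAL values."""
    typ, n, raw = entry
    if typ != TYPE_RATIONAL:
        raise ValueError("expected RATIONAL entry")
    (off,) = struct.unpack_from(end + "I", raw)
    values = []
    for i in range(n):
        num, den = struct.unpack_from(end + "II", data, off + 8 * i)
        values.append(num / den if den else 0.0)
    return values


def dms_to_decimal(dms, ref):
    """Degrees/minutes/seconds -> signed decimal degrees (S and W negative)."""
    d, m, s = dms
    value = d + m / 60 + s / 3600
    return -value if ref in ("S", "W") else value


def extract_gps(tiff):
    """Return (lat, lon) rounded to 6 places, or None when no GPS data exists."""
    order = tiff[:2]
    end = "<" if order == b"II" else ">" if order == b"MM" else None
    if end is None:
        raise ValueError("not a TIFF header")
    magic, ifd0_off = struct.unpack_from(end + "HI", tiff, 2)
    if magic != 0x2A:
        raise ValueError("bad TIFF magic")
    ifd0 = read_ifd(tiff, ifd0_off, end)
    if TAG_GPS_IFD not in ifd0:
        return None                                   # photo carries no GPS IFD
    (gps_off,) = struct.unpack_from(end + "I", ifd0[TAG_GPS_IFD][2])
    gps = read_ifd(tiff, gps_off, end)
    if not all(t in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
        return None                                   # GPS IFD present but incomplete
    lat_ref = gps[GPS_LAT_REF][2][:1].decode("ascii")
    lon_ref = gps[GPS_LON_REF][2][:1].decode("ascii")
    lat = dms_to_decimal(read_rationals(tiff, end, gps[GPS_LAT]), lat_ref)
    lon = dms_to_decimal(read_rationals(tiff, end, gps[GPS_LON]), lon_ref)
    return round(lat, 6), round(lon, 6)


def build_sample_exif():
    """Constructed little-endian payload: IFD0 at 8, GPS IFD at 26, rationals
    at 80 (latitude) and 104 (longitude) encoding 6°26'24"N, 3°25'12"E."""
    end = "<"
    header = b"II" + struct.pack(end + "HI", 0x2A, 8)
    ifd0 = (struct.pack(end + "H", 1)
            + struct.pack(end + "HHII", TAG_GPS_IFD, TYPE_LONG, 1, 26)
            + struct.pack(end + "I", 0))              # no next IFD
    gps = struct.pack(end + "H", 4)
    gps += struct.pack(end + "HHI", GPS_LAT_REF, TYPE_ASCII, 2) + b"N\x00\x00\x00"
    gps += struct.pack(end + "HHII", GPS_LAT, TYPE_RATIONAL, 3, 80)
    gps += struct.pack(end + "HHI", GPS_LON_REF, TYPE_ASCII, 2) + b"E\x00\x00\x00"
    gps += struct.pack(end + "HHII", GPS_LON, TYPE_RATIONAL, 3, 104)
    gps += struct.pack(end + "I", 0)
    rationals = b"".join(struct.pack(end + "II", v, 1) for v in (6, 26, 24))
    rationals += b"".join(struct.pack(end + "II", v, 1) for v in (3, 25, 12))
    return header + ifd0 + gps + rationals


def build_exif_without_gps():
    """Constructed payload whose IFD0 is empty, i.e. a photo with no location."""
    return b"II" + struct.pack("<HI", 0x2A, 8) + struct.pack("<HI", 0, 0)


if __name__ == "__main__":
    print("with GPS:", extract_gps(build_sample_exif()))     # (6.44, 3.42)
    print("without :", extract_gps(build_exif_without_gps()))  # None
```

The decimal values come straight from the DMS arithmetic (6 + 26/60 + 24/3600 = 6.44), and the parser returns None rather than guessing when the GPS IFD is absent or missing a required tag, which is the common case for photos that a platform has already stripped.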
The End
I sincerely appreciate you taking the time to go through my little handbook. I would also like to give credit to Trace Labs, as they published the first and original version.
RESOURCES: While this section is not exhaustive, below are links to some useful investigation tools and webinars I have put together.
- OSINT Tool Page
- Crypto/Blockchain Investigation Tool Page
- Sock Puppet Panel Discussion by TraceLab
- Sock Puppet explanation by TraceLab
If you are curious to know more about me, you can read about me here: About Taiwo