Crafting Effective OSINT Prompts for Law Enforcement and Online Investigations

Soon we will host a webinar updating our use cases for AI and OSINT. In thinking about this, it may be useful to give some example prompts. In the digital age, having a repository of refined prompts for AI tools like ChatGPT 4 (paid), Bing Copilot, Google Gemini, and You.com (free) can streamline your efforts and enhance your investigations. Collecting a few examples that have produced great results can get you started even on unrelated cases. Here are some expertly crafted prompts and tips to boost your OSINT activities.

1. Corporate or People Research

When researching companies, AI excels. It can be a little trickier to research people, but it can be done. The following prompts worked well.

PROMPT: Act as an Open-Source Intelligence (OSINT) Specialist. I want you to gather information from publicly available sources for me. Your answers should be concise and specific to the information requested. Do not include personal opinions or speculation. Find information about the current CEO of Plessas Experts Network, including locations of events, colleagues, and any future events.

I got the idea for the above from an interesting Reddit thread on the topic, and it worked best in ChatGPT and Copilot.

PROMPT: Who are the primary customers for Plessas Experts Network?

This query analyzed the company descriptions and provided the types of customers that were likely. Each AI gave a slightly different output, but all were generalities. This prompt could be given further details to try to identify specific customers or entities.

PROMPT: Please find connections between Kirby Plessas and Kyle Elliott based on their online presence and interactions, and list them.

I got the idea for this query from DorkSearch. ChatGPT 4 and You.com (ChatGPT 3.5) did best.

PROMPT: Who owns Pastebin.com

This prompt could be used for companies, mobile apps, etc. Addresses can be queried, and although specific owners were not identified, other pertinent information was, and in most cases, included suggestions on where the owner information can be found.

PROMPT: Create a smart research strategy for investigating a company in Ukraine

While this query was useful in all AIs, Gemini excelled at this task and gave direct links to suggested resources.

PROMPT: Identify 5 experts in the field of cellphone analysis that have worked with law enforcement in the past

Interestingly, each of the AI tools did well with this but gave different experts, so try them all with queries like this one.

2. Craft Advanced Queries for Search Engines

If you're looking to find specific online mentions, consider being very specific about what you want and ask AI to create a Google or Bing “dork” or advanced query. These queries use search language that limits the searches to specific parameters, such as keywords included in titles or results from a specific domain.

PROMPT: Create a Google dork that will help me find posts mentioning Bill Smith but only in conjunction with Las Vegas, NV, Miami, FL, or Phoenix, AZ. They must also have to do with cryptocurrency or the dark web, have the name in the title, and come from government websites.

The above query works wonderfully, but be aware that not every search engine can handle multiple advanced operators like Google can. If the return is too complicated, use it in Google, but then simplify for other search engines.

3. Demographics and Trends

Consider looking for insights into particular demographics and trends.

PROMPT: Generate a detailed profile of the average meth user in Salt Lake City, Utah, including demographic, psychographic, and behavioral traits

The above query was inspired by an article on SocialPilot.

PROMPT: Generate a list of trending topics on Reddit for likely drug users

While queries involving drugs may be a very important topic for some investigators, the AI tools were somewhat cagey with the answers, and ChatGPT 4 refused to provide any answers. The AI tools are building in protections against misuse and are likely trying not to help a user obtain illegal drugs, but you may have to ask follow-on questions or reword in some cases.

PROMPT: What are 20 slang words that homeless people in Arizona use?

All of the AI tools returned slang results, but Copilot was the only one that really understood the regional aspect of the question.

PROMPT: Examine the rates of homelessness and the crime rates in Lexington, Kentucky. Are there any patterns over time? Are any regions of the city more susceptible to either homelessness or crime? Provide deep analysis and citations.
PROMPT: Generate a thorough set of addresses and locations within Tucson, AZ where homeless people gather. Include descriptions of activity, such as tents or panhandling locations. Give intersections of street addresses when possible. Explain why each location is included. Estimate the number of homeless people in each location at any given time.

These two examples show more detailed instructions. If your instructions are long and very specific, you will get more specific answers, so don’t be afraid to outline your parameters. Another suggestion would be to ask follow-up questions to get down to the answers you need - but be sure to include the follow-ons when saving to your examples list so you have some guidance next time you run across a similar need. By the way, Gemini absolutely excelled at the second question.

4. Investigative Research

PROMPT: What are some gang names used in Tucson, AZ. Exclude large national gangs.
PROMPT: What street gangs are operating in Tucson, AZ. Exclude large national gangs.

These questions returned some great answers, specifically in Copilot, but be aware of AI hallucinations (incorrect data made up by the AI). Also, be aware that the data may not be complete. Consider this a jumping-off point for further queries or search engine keywords.

5. Technical Tutorials

PROMPT: Write a simple step-by-step tutorial on how to install and use ExifTool

Replace ExifTool with whatever tool or website you want to learn. Gemini was very helpful in identifying prerequisite software in this case.

PROMPT: Write a chrome extension that will highlight all email addresses in a webpage

Have the AI create custom software, browser extensions, or Python scripts for your own use. Depending on how technical you want to get, you can create tools for yourself, your team, or the OSINT community.

6. Uploaded Images

Images can be uploaded into the AI tools. Copilot and Gemini allow this for free, while ChatGPT 4 and You.com offer this as a premium service. Here are some sample prompts for images.

PROMPT: Analyze this image, identify all text available, translate into English, and provide the locations that are possible according to the street signs
PROMPT: Analyze this image for possible location indicators
PROMPT: Analyze this image and tell me if it is AI generated or not

In the case of the last result, I was able to feed the tool an AI generated image that it could not identify. As before, be wary of the results and double check anything that could be seen as factual.

7. Data Manipulation and Analysis

Excel and other files can be uploaded into ChatGPT 4 or pasted into the other AI tools for manipulation and analysis. This can be a huge time saver.

PROMPT: Extract all email addresses from this data. Exclude duplicates.
PROMPT: Extract all phone numbers from this data. Put into a common format.
PROMPT: Clean up this data and return only names and web addresses. No bullets or numbered lists.

Great for getting data ready to input into other tools (Like Custom Search Engines! See my blog post.)

PROMPT: Analyze this data and tell me what this is about and any locations if possible
PROMPT: Analyze and explain this data

Great for mysterious messages, lists of seemingly unrelated content, or computer code.

PROMPT: Identify and analyze patterns in this data
PROMPT: Identify the names that show up on this list more than once

Useful for comparing friends lists, and specifically to find hidden friends lists or the infamous Finstas.

For more insights and prompt ideas, explore these resources:

- OSINT Combine

- ChatGPT for OSINT Investigations on Medium

- DorkSearch's Blog on OSINT

- 103 OSINT ChatGPT Prompt Ideas

- AI Prompt Examples by Formidable Forms

These prompts and resources are just a starting point. As you progress in your OSINT endeavors, adapt and refine these prompts to fit your specific needs and circumstances. Stay informed, stay agile, and leverage AI to enhance your investigative capabilities.

Kirby Plessas
Quick CSEs - a guide to making CSEs efficient for temporary usages (with AI)

Google Custom Search Engines (CSEs) are an under-utilized resource. They can be made quickly and robustly and shared with the whole team. And they don’t have to be permanent (or semi-permanent) tools. With the help of AI, they are easy enough to make even for one-time uses.

Let’s first talk about making CSEs quickly but without AI. My go-to for this is to use Instant Data Scraper for Chrome. Any page that has a list of links I would like in my CSE is easily converted into a spreadsheet that I can use to copy and paste content into my CSE. Let me show you an example:

Similarweb lists websites and ranks them by popularity

Using Instant Data Scraper, I grabbed the top 45 online marketplaces worldwide.

Once I had the list, I removed the extra columns because I only needed the basic web addresses. From here I chose “Copy all”.

Next, I took it to the Google page to create a CSE. I named it and put a dummy website as a place holder.

I created the search engine, but next I chose to customize.

First, I removed the dummy place holder.

Then, clicking Add, I was able to paste in the contents from Instant Data Scraper. I remembered to remove the top line (column name), and I added a few online marketplaces I knew were good but were not in the list.

The online link for the search engine is in the top panel of that page. I clicked through to do a couple sample searches.

Now that this search engine works, I added it to our Resource page.

Instant Data Scraper puts things in a nice spreadsheet, making copy-paste into a CSE dead simple. But some lists aren’t scrapable in this way, or, if they are, they need some cleaning up to paste into the CSE. Removing bullets, extra characters, descriptions, etc., is required for Google CSE, and the input field is very specific.

This is where AI comes in. Of the popular AI tools available, I find ChatGPT the best at understanding what I want. I can copy a long list of websites with descriptions and bullet points, easily remove duplicates, clean up the text, and make it easily ready to insert into a CSE. For example, I was able to copy the results page from a Google search into ChatGPT and ask it to list URLs for the results only, without bullets, and it was ready to copy and paste into my CSE. I can even ask ChatGPT for a specific list of resources and add them directly into a CSE. Additionally, I could upload a spreadsheet or a graphic into ChatGPT, have it resolve, and then list the URLs for yet another CSE.
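As an added example (not the post's own tooling, and not what ChatGPT does internally), the following Python script performs the same cleanup deterministically: it pulls every web address out of a pasted list full of bullets, numbering and descriptions, reduces each to its bare host, drops duplicates, and emits one CSE pattern per line. The sample list is constructed; the `*.host/*` pattern form is Google's documented "entire domain" syntax, so adjust it if your CSE rejects it.

```python
"""Turn a pasted, messy list of websites into Google CSE source patterns.
Stdlib only; the input below is a constructed sample, not scraped data."""
import re
from urllib.parse import urlparse

# Constructed sample: header row, numbering, bullets, descriptions, duplicates.
RAW_LIST = """Website
1. Amazon – https://www.amazon.com/ (global marketplace)
2. eBay - www.ebay.com – auctions, e.g. collectibles
• https://www.etsy.com/search?q=lamps&ref=pagination  handmade goods
• Etsy (again) - etsy.com/c/home-and-living
- Rakuten (Japan): https://www.rakuten.co.jp/
- AliExpress https://aliexpress.com
- Mercado Libre, see www.mercadolibre.com.mx and mercadolibre.com.ar
"""

# A host is dotted labels ending in a 2+ letter TLD, so "e.g." and "Inc." are
# skipped; an optional scheme, port and path are swallowed so they can be dropped.
URL_RE = re.compile(
    r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?::\d+)?(?:/[^\s)\]>\"']*)?",
    re.IGNORECASE)


def bare_host(token):
    """'https://WWW.Example.com/x?y' -> 'example.com'."""
    if "://" not in token:
        token = "http://" + token  # urlparse needs a scheme to find the host
    host = (urlparse(token).hostname or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def cse_sources(text):
    """Unique bare hosts in first-seen order, ignoring bullets and descriptions."""
    hosts = []
    for match in URL_RE.finditer(text):
        host = bare_host(match.group(0))
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def cse_patterns(hosts):
    """One line per host for the CSE 'Add' box. '*.host/*' means the whole
    domain including subdomains (Google's documented form; change if rejected)."""
    return [f"*.{h}/*" for h in hosts]


if __name__ == "__main__":
    print("\n".join(cse_patterns(cse_sources(RAW_LIST))))
```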

Google allows for 5000 sources across your collection of CSEs. In most cases, my CSEs have between 50 and 100 sources, which means I can have a lot of CSEs, but I still might want to make and delete some for short-term projects quickly. Check out our growing list of public CSEs.

Kirby Plessas
New Facebook ID numbers for pages?

For anyone who has been doing deep searches on Facebook, the ID number of a page is critical information. Recently, I’ve noticed that the employer and education pages IDs were not working in either the advanced search tools like SowSearch or the manual Base64 translation method. I have worked out the change and restored my search capabilities, but I would like to outline how this might be done for anyone should this happen in the future.

First, perform the search as you normally would. My example will be looking for students named Brian who are attending or have attended Georgetown University. Note that I am choosing an easy-to-access example because restoring the capability requires this to be easily searchable in Facebook - meaning that it will definitely show up as a suggestion in the Facebook filters.

First, using the source code method of getting the ID number for the chosen Facebook page, I will search within the code for container_id and paste that after facebook.com/ in my browser to test that it is indeed the ID number I require. In this case, the ID number for the Georgetown University page on Facebook is 100064869785068. Using SowSearch, I select people in the dropdown menu and add this ID number into the “school” filter, remembering to click “add filter” and scrolling up if needed to double-check the filter has been added. Then I use the search term “Brian” and choose the center choice to open the URL in a new window.

SowSearch.info

This is where things go wrong. No results. Surely, there is someone named Brian on Facebook who has attended Georgetown University.

Zero results

Notice on the sidebar of Facebook that there are no filters added. This is the issue. So I manually added Georgetown University in the education search filter, and there are numerous Brians! So, are we stuck using only Facebook's suggestions for that field?

The Brians have been anonymized.

No. Let’s examine the differences in the web URLs for each result.

Our search with no results is https://www.facebook.com/search/people/?q=Brian&epa=FILTERS&filters=eyJzY2hvb2wiOiJ7XCJuYW1lXCI6XCJ1c2Vyc19zY2hvb2xcIixcImFyZ3NcIjpcIjEwMDA2NDg2OTc4NTA2OFwifSJ9

And the search with results is https://www.facebook.com/search/people?q=Brian&filters=eyJzY2hvb2w6MCI6IntcIm5hbWVcIjpcInVzZXJzX3NjaG9vbFwiLFwiYXJnc1wiOlwiODgyNTMzMTI0NVwifSJ9

Comparing just the filters:

eyJzY2hvb2wiOiJ7XCJuYW1lXCI6XCJ1c2Vyc19zY2hvb2xcIixcImFyZ3NcIjpcIjEwMDA2NDg2OTc4NTA2OFwifSJ9

eyJzY2hvb2w6MCI6IntcIm5hbWVcIjpcInVzZXJzX3NjaG9vbFwiLFwiYXJnc1wiOlwiODgyNTMzMTI0NVwifSJ9

They are clearly not the same. But we know both are Base64, so let’s decode using Base64Decode.org.

Our decoded original filter looks like this:

{"school":"{\"name\":\"users_school\",\"args\":\"100064869785068\"}"}

And the decoded working filter looks like this:

{"school:0":"{\"name\":\"users_school\",\"args\":\"8825331245\"}"}

The only difference appears to be the ID number. But what ID number is that? Testing it by using it after facebook.com brings us to… Georgetown University. Try it: https://www.facebook.com/8825331245

Both ID numbers go to the university's Facebook page. Why?

Going back to the source code for the page, searching for 8825331245 should help us identify how to get these secondary IDs.

Searching within the code, I determined that there were 14 times that the new ID showed up in the source code. Looking at the code before the ID number, there are a selection of possible search terms to use in the future, but they must be tested first to make sure they are in use across a number of pages. After testing a variety of business and fan pages across Facebook, I discovered that associated_page_id worked well (and is descriptive). Once I started using that ID number in both SowSearch and via the manual search method, I regained full search capability for those pages.
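The decode, compare and rebuild steps above, as an added Python example that is not from the post: it decodes both filter strings quoted in this post, shows that only the key and the `args` ID differ, and rebuilds a `filters=` value from an associated_page_id so the URL can be assembled without a web decoder. Whether Facebook still honours the `school:0` key is up to Facebook; the code only reproduces the format shown here and never contacts the site.

```python
"""Decode, compare and rebuild the Base64 `filters=` value of a Facebook
people-search URL. Stdlib only; the two filter strings are the ones from
this post, and nothing here talks to Facebook."""
import base64
import json
from urllib.parse import urlencode

# Filter that returned nothing (container_id) and the working one (associated_page_id).
FILTER_NO_RESULTS = "eyJzY2hvb2wiOiJ7XCJuYW1lXCI6XCJ1c2Vyc19zY2hvb2xcIixcImFyZ3NcIjpcIjEwMDA2NDg2OTc4NTA2OFwifSJ9"
FILTER_WORKING = "eyJzY2hvb2w6MCI6IntcIm5hbWVcIjpcInVzZXJzX3NjaG9vbFwiLFwiYXJnc1wiOlwiODgyNTMzMTI0NVwifSJ9"


def decode_filter(b64):
    """`filters=` value -> {filter_key: {"name": ..., "args": ...}}.
    The outer JSON stores the inner filter as an escaped JSON *string*,
    so it has to be parsed twice."""
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))  # restore stripped padding
    outer = json.loads(raw)
    return {key: json.loads(inner) for key, inner in outer.items()}


def diff_filters(a_b64, b_b64):
    """Human-readable list of what differs between two filter values."""
    a, b = decode_filter(a_b64), decode_filter(b_b64)
    diffs = []
    if set(a) != set(b):
        diffs.append(f"filter key: {sorted(a)} vs {sorted(b)}")
    for (_, va), (_, vb) in zip(a.items(), b.items()):
        for field in sorted(set(va) | set(vb)):
            if va.get(field) != vb.get(field):
                diffs.append(f"{field}: {va.get(field)} vs {vb.get(field)}")
    return diffs


def build_filter(page_id, name="users_school", key="school:0"):
    """Rebuild a `filters=` value in the working shape seen in this post.
    `page_id` is the associated_page_id, not the container_id."""
    inner = json.dumps({"name": name, "args": str(page_id)}, separators=(",", ":"))
    outer = json.dumps({key: inner}, separators=(",", ":"))
    return base64.b64encode(outer.encode()).decode()


def people_search_url(query, page_id, **filter_kwargs):
    """Assemble the search URL the manual method pastes into the browser."""
    params = {"q": query, "filters": build_filter(page_id, **filter_kwargs)}
    return "https://www.facebook.com/search/people?" + urlencode(params)


if __name__ == "__main__":
    for line in diff_filters(FILTER_NO_RESULTS, FILTER_WORKING):
        print(line)
    print(people_search_url("Brian", "8825331245"))
```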

This has been updated on my Facebook Matrix page. Additionally, if you are having problems with a shifted source code search (in both Facebook and Instagram), watch this video for the solution.

Kirby Plessas
AI is coming for your vote!

Hey - Kirby here. I love AI, but I am just dreading this election cycle. Please watch and share this video that I have created to increase AI-literacy. It’s going to be bad!

Kirby Plessas
Tracking the Ad Trackers for OSINT OPSEC and Investigations

by Sarah Womer

Collecting entities tracking domain visitations can be helpful for OPSEC and OSINT investigations. 

On January 14, 2023, I authored a LinkedIn blog post on “Domain Ads and Ad Analytics as an Information Resource for OSINT Investigations FouAnalytics PageXray for Domain Profiling a Propaganda Outlet.”

At the time, I noted:

“Typically, people will often look at Ad Analytics when visiting a domain for marketing, OPSEC risks, and privacy concerns. However, ad tracking, fingerprint canvassing, and other collection activities that can be viewed are also a resource of information for investigative collection. Just as metadata may be crucial to an OSINT investigation, so may Ad Analytics. Ad Analytics may be used for fraud investigations, Bot Detection, identifying authentication vulnerabilities between login and domain, foreign connections, domain relationships to other domains, domain profiling, and has other uses.” 

Ad Trackers on a domain can be used beyond marketing for user visitation surveillance. Visitors can be tracked after they leave the domain and targeted as a part of an attack. Checking who is tracking visitors on a domain is counter-surveillance and OPSEC. 

It is important to stress that the website owner or maintainer may not even be aware of the extent of the tracking, as many trackers are placed from a package of ads that are purchased through a third-party broker. Likewise, the service, such as a webpage builder or host, may have a built-in network of trackers. Easy website builders, for example, like GoDaddy, Wix, and Squarespace, may come with trackers. Site owners are able to check which third-party services are tracking on their domain but oftentimes don't. The reason for this flaw is simple: the identification and importance of that type of threat has been understated for years.

On May 11, 2023, Jonathan Pidgen at Media Analytics Global noted:

“Ad fraud is everyone’s problem, and there are very few exceptions. The majority of global brands have the same issues, so don't feel alone. You can't be blamed for something you never knew about. Let's learn together and grow together! The root of the problem is the "black box" legacy verification vendors. Their ineptitude has allowed "ad fraud" to flourish and become the "norm." The trade associations (ANA, IAB, TAG, etc.) have rubber-stamped the global epidemic of ad fraud by parroting the 1% IVT reported by legacy verification vendors.”

It is everyone's problem, as this type of fraud does not just impact marketing and branding; it impacts the consumers, customers, and visitors to a domain. In addition, tracking is sometimes a part of something larger or different than advertising. For example, what happens when a government uses browser fingerprinting and tracking as a third-party tracker on a domain? A government oftentimes has a larger budget and can buy ad-tracking technology just like a company, a charity, or anyone else. In addition, some government sites have ad tracking from third parties, which also may present security concerns.

For OSINT communities, most practitioners know that tracking is a threat to privacy and that it can compromise collection requirements. Many OSINT practitioners suggest ad blockers, malware removers, VPNs, privacy-enhanced search engines, and other options. However, unless a domain is visited with no-touch research techniques (including air gapping as an option) or a Virtual Machine with a VPN, there is still much wiggle room for error, especially when some third-party trackers that download to a computer are designed to evade blockers or may be hidden in creative ways.

Following are some compromise examples and suggestions on how to gauge tracking on a domain for OPSEC and investigations.

Scenario: Not Common But Occurs, Organizational Tracking

Much of the tracking present on the following domain is not ad tracking but organizational tracking. Tools used in the following example include FouAnalytics PageXray, DomainTools WHOIS, and Webbkoll by Dataskydd.

National Bugle Neo NAZI Tracking

FouAnalytics PageXRay is used first, as I have found it to be the most comprehensive out of any of the tools for showing ad tracking and malvertising on a domain. It also provides an excellent first stop for OPSEC before visiting a URL and oftentimes provides pivotal information for an investigation.

Below is a description of the tool from Dr. Augustine Fou:

“The PageXray tool is a headless Chrome browser which loads a webpage and allows the javascript to run. A headless browser is a normal browser but one that does not have a screen. These are developer tools used to automate tasks like testing a webpage to make sure it loads correctly. With a headless browser, we go beyond the static code that is visible on the page when a user clicks "views source." We record all the network calls made by the javascript and preserve the "chains" of "what called what." Then we plot these in a tree graph that shows the cascade of what calls what to reveal the shocking number of ads and trackers and other things loaded into a webpage, often without the users' knowledge.”

As of August 7, 2023, FouAnalytics PageXray showed that visitors to the National Bugle had tracking as depicted in the following graph.

A cursory look from FouAnalytics PageXRay shows this domain had tracking from the United States and Russia. It did not show any browser fingerprinting or supercookies. Of interest is that there are two instances of ad server requests from a Daily Stormer domain out of Russia. The Daily Stormer is not an ad company or ad tracker, it is another extremist Neo NAZI domain that has been banned from multiple other locations. In this instance, confirming the location of the tracker is fairly clear as there is no intermediary tracker between the National Bugle and the Daily Stormer. 

To double-check the Daily Stormer’s Russia location, there are options. In this instance, a basic WHOIS lookup was conducted with DomainTools. The WHOIS reconfirmed a possible Russia connection to the tracking domain of the Daily Stormer that can be further investigated. A simple search engine query of the domain name “dailystormer.in” and Russia returned a 2017 Vox article by Aja Romano, “Neo-Nazi site Daily Stormer resurfaces with Russian domain following Google and GoDaddy bans”, which stated that the domain resurfaced in Russia during the 2017 timeframe.

For OPSEC, if tracking from a Russia-based Neo NAZI extremist organization is of concern, then enhanced security should be incorporated into visiting the site and into any collection plans. Possible risk mitigation measures include no-touch research with the Internet Archive Wayback Machine, among other measures. If all that is needed is a preview of what is on a particular URL for OPSEC and a screenshot, then FouAnalytics PageXray provides that with a URL query of the domain.

In addition, FouAnalytics PageXRay provides a preview of all of the external links hot-linked on a page with their position on a page. This provides further security as the information is provided without touching the domain. The domain is touching Fou Analytics PageXRay. Below are examples of hotlinks that were available for preview with a hover versus a domain click on the FouAnalytics query that provided enhanced OPSEC and possible pivot points for an investigation.

Hovering over “Contact Us” showed that the listed Point of Contact for the National Bugle is Zio Watch. This is a possible pivot point for a domain or organization investigation.

Hovering Over “Join the Conversation” provided a lead for a social media venue for the organization on ChantNGo.

Hovering Over “Donate” requested fundraising donations through cryptocurrency.

In addition to showing where external links are on a page, FouAnalytics PageXray also provides a compiled list of external hotlinks on a URL that can be useful for OPSEC and investigations. Below is an excerpt from the compiled external links of the National Bugle domain URL as of August 6, 2023, via FouAnalytics PageXray, including several social media locations on VKontakte (VK), a Russian social media platform. If the domain or organization were under investigation, this information may be useful.

FouAnalytics PageXray also provides a list of the internal links on a page and a list of ad-serving domains.

For the National Bugle domain, Internal Links provided further insights into fundraising through cryptocurrency. The Adserving Domains showed ads were served through WordPress.

There are also several other options available on FouAnalytics PageXray that may be of use. A user can cross-compare the graph with the HTTP Archive (HAR) JSON and the Detailed JSON, which are offered for download. Additional insights on the tracking are also offered in the JSON. A download of the domain graph is also offered as SVG.

This is not a complete overview of Fou Analytics Page XRay as that would be an entire user manual, and Dr. Augustine Fou has authored multiple articles about this resource that are available on his LinkedIn page.  This example simply introduced how to use Fou Analytics PageXray for checking a domain OPSEC, privacy, and investigative leads. 

To further check OPSEC as it relates to the domain and to find further investigative leads, I am now going to pivot to Webbkoll by Dataskydd (Webbkoll).

Webbkoll describes itself as a tool that “monitors privacy-enhancing features on websites, and helps you find out who is letting you exercise control over your privacy.” This resource is useful to domain maintainers and visitors for OPSEC and investigations.

The following Webbkoll query results for the National Bugle provide additional OPSEC and investigative insights, broken into sections: front-end summary, Content Security Policy, Reporting, HTTP Headers, Cookies, Third Party Requests, IP Address, and Raw Headers.

The front-end summary on this resource shows that the domain may have some vulnerabilities as it relates to privacy. It also shows that there were 18 requests to unique hosts, which further confirms findings on Fou Analytics PageXray that also depicted 18 “other requests.” It also has conveniently provided the IP for pivoting to IP investigations.

Next, this resource provided insights into a possible vulnerability with the Content Security Policy. Webbkoll provides a full explanation of why this may be a vulnerability, including: “Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement to distribution of malware.”

In other words, from an OPSEC perspective, this site may not be safe to click on.

The next part of the Webbkoll query showed the CSP, Certificate Transparency, and Network Logging, explaining why they are important.

After that, Webbkoll provides OPSEC insights on the HTTP Headers of the National Bugle and why they may be a problem. Webbkoll notes “The referrer header is a privacy nightmare as it allows websites and services to track you across the web and learn about your browsing habits (and thus possibly private, sensitive information), particularly when combined with cookies.”

This resource then showed that no cookies are present, which is a good thing, but the HTTP headers issue is still of concern, and there were 18 other tracking-related requests.

Webbkoll’s Third-Party Requests data confirmed the data that FouAnalytics PageXray provided and added the IP addresses of those 18 requests and whether they were secure or insecure.
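As an added example that is not part of Sarah's post or of either tool, the following Python reads a HAR capture like the one PageXray offers for download and reproduces the Webbkoll checks by hand: third-party hosts with their server IPs, plain-http (insecure) requests, and a missing Content-Security-Policy or weak Referrer-Policy on the first-party document. The HAR excerpt, its hosts and its IPs are constructed; the set of Referrer-Policy values treated as strict is my choice.

```python
"""Triage a HAR capture the way the OPSEC check above is done by hand:
third-party hosts, insecure (http://) requests, and weak security headers
on the first-party document. Stdlib only."""
import json
from collections import defaultdict
from urllib.parse import urlparse

# Constructed HAR excerpt: hypothetical .test hosts and RFC 5737 test addresses,
# trimmed to the fields this triage reads.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"url": "https://example-news.test/"},
     "response": {"status": 200, "headers": [
         {"name": "Server", "value": "nginx/1.18.0"},
         {"name": "Referrer-Policy", "value": "no-referrer-when-downgrade"}]},
     "serverIPAddress": "203.0.113.10"},
    {"request": {"url": "https://example-news.test/wp-content/theme.css"},
     "response": {"status": 200, "headers": []},
     "serverIPAddress": "203.0.113.10"},
    {"request": {"url": "https://stats.tracker-one.test/collect?id=1"},
     "response": {"status": 200, "headers": []},
     "serverIPAddress": "198.51.100.7"},
    {"request": {"url": "http://ads.tracker-two.test/pixel.gif"},
     "response": {"status": 200, "headers": []},
     "serverIPAddress": "198.51.100.9"},
    {"request": {"url": "https://stats.tracker-one.test/js/t.js"},
     "response": {"status": 200, "headers": []},
     "serverIPAddress": "198.51.100.7"},
]}})

# Referrer-Policy values treated here as privacy-preserving (my chosen set).
STRICT_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                   "strict-origin-when-cross-origin"}


def entries(har_text):
    return json.loads(har_text)["log"]["entries"]


def first_party_host(har_text):
    """The first HAR entry is the document the browser was sent to."""
    return urlparse(entries(har_text)[0]["request"]["url"]).hostname


def third_party_requests(har_text):
    """Map each third-party host to the URLs and server IPs it was called with."""
    fp = first_party_host(har_text)
    seen = defaultdict(lambda: {"urls": [], "ips": set()})
    for e in entries(har_text):
        url = e["request"]["url"]
        host = urlparse(url).hostname or ""
        if host == fp or host.endswith("." + fp):
            continue  # first party or one of its own subdomains
        seen[host]["urls"].append(url)
        if e.get("serverIPAddress"):
            seen[host]["ips"].add(e["serverIPAddress"])
    return dict(seen)


def insecure_requests(har_text):
    """Plain-http requests: readable and modifiable on the path (Webbkoll's 'insecure')."""
    return [e["request"]["url"] for e in entries(har_text)
            if urlparse(e["request"]["url"]).scheme == "http"]


def header_findings(har_text):
    """Checks on the first-party document's response headers."""
    headers = {h["name"].lower(): h["value"]
               for h in entries(har_text)[0]["response"]["headers"]}
    findings = []
    if "content-security-policy" not in headers:
        findings.append("no Content-Security-Policy: XSS/injection risk")
    rp = headers.get("referrer-policy", "<unset>")
    if rp not in STRICT_REFERRER:
        findings.append(f"Referrer-Policy '{rp}' leaks the visited URL to third parties")
    if "server" in headers:
        findings.append(f"Server header discloses software: {headers['server']}")
    return findings


def report(har_text):
    """Summary in the shape of the manual check above, as a dict for reuse."""
    tp = third_party_requests(har_text)
    return {"first_party": first_party_host(har_text),
            "third_party_hosts": {h: len(v["urls"]) for h, v in tp.items()},
            "third_party_ips": {h: sorted(v["ips"]) for h, v in tp.items()},
            "insecure": insecure_requests(har_text),
            "header_findings": header_findings(har_text)}


if __name__ == "__main__":
    print(json.dumps(report(SAMPLE_HAR), indent=2))
```

Point `report()` at the text of a real HAR download to get the same summary for a live capture.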

In addition, a user can attain additional information from each URL. 

This may be overkill for an OPSEC check, but it can definitely be of use for a domain and organizational investigation and offers additional pivot points.

Webbkoll also offers further IP information and Raw Header data, including software of the server that may be of investigative use.

The FouAnalytics PageXray query, DomainTools WHOIS, and Webbkoll may be enough for an OPSEC assessment prior to visiting the domain. In most instances, a visit to FouAnalytics PageXray is enough in and of itself if the concern is a tracking check.

For pivoting in OSINT investigations, multiple leads were provided in this example that could be pivoted to additional resources such as urlscan.io, Joe Sandbox (to check for malware), BuiltWith, a backlinks checker like Ahrefs, ViewDNS.info, Shodan, and many others.

Contact Sarah Womer on LinkedIn.

To learn more techniques and how to apply these to your investigations, take Sarah’s full day class “Tracking the Trackers" on February 20 or On Demand.

Kirby Plessas
On Sharing Information on Social Media

By Sarah Womer, Senior Analyst, Plessas Experts Network Inc.  

Prior to sharing OSINT products, research techniques, or related information, it is important to gauge whether the information should be shared in the first place. 

Sarah Womer

Traditionally, although OSINT is created from publicly available sources, the end product is often proprietary and, in some instances, classified based on the collection requirement, tradecraft, and methodologies used. Today, OSINT products are still often proprietary, confidential, and classified. Government Intelligence, Law Enforcement, Business Intelligence, and Private Investigators all create OSINT that may not be for public consumption. In addition, the definition of what is public differs between nation-states, agencies, organizations, and individuals. 

The OSINT Landscape has also radically changed with the open sharing of tradecraft, tactics, techniques, and tools since the early and mid-2000s with the changing digital ecosystem. OSINT practitioners now often collaboratively share inadvertently and directly. Oddly, even OSINT practitioners that may be at odds on a nation-state level through their governments may share tradecraft techniques through Social Media platforms simply by making a social media post on a topic. Investigative journalists have also increasingly become engaged in the OSINT field, as have non-profits, NGOs, and hobbyists. There are still government OSINT practitioners from a variety of governments that most likely lurk and passively collect versus post and engage. Many OSINT practitioners also engage collaboratively outside of work, but their work production remains proprietary.  I also sometimes wonder how many, if any, OSINT hobbyists or non-transparent OSINT social media accounts are government sock HUMINT puppets, as it is a plausible scenario. In addition, social media accounts pretending to be OSINT are engaged in influence activities versus OSINT creation, Fake OSINT. There is also confusion by non-OSINT practitioners on what OSINT is. I have seen many posts where a non-OSINT practitioner will refer to a Google Query as I “OSINTed” it versus I queried it. Researching something, as OSINT practitioners know, is not OSINT; it is a part of the process of creating OSINT.  

Regardless, in some instances not just OSINT products but also OSINT tactics, techniques, procedures (TTPs), tools, tradecraft, and research should not be shared in an informal setting on social media; consideration should be given to how data is shared and what the data is.

In the age of Social Media, where so many things can and are taken out of context, it is critically important to think about what is shared. Depending on the platform, there may be no paralinguistics to gauge, no tone, no physical tells, and sometimes just text. There is much room for miscommunication as one party may interpret the text differently than another. 

There is an opposite extreme - sharing nothing on Social Media. I have been there and practiced the art of passive collection before 2019, in which collection only occurred for research on social media with little to no sharing (because you are always at risk of a response). I did a test a decade ago to see what people would share with an overt sock puppet and found that many people are comfortable sharing information with a non-threatening persona, such as a dog. It was insightful as it showed what others would share, but I was still comfortably unnoticeable online. After the study, I then used that dog for animal rescue activities and made some wonderful friends. Today, there are thousands of dogs, cats, capybaras, and other “fake-identity” social media accounts. Some sock puppet social media accounts even have over a million followers and chat with influencer billionaires and politicians online, which amplifies their narratives.    

However, the art of not sharing in today’s digital environment as an OSINT practitioner may not be advisable for some, as many professional connections are now made on social media. Even though the number of followers should not impact the credibility and reliability of an OSINT practitioner, I suspect that it may. In some instances, the number of followers does reflect the expertise of the person, but in other instances, it does not. For example, there have been some fake OSINT accounts with high numbers of followers engaged in influence activities on social media, resulting in the far-reaching spread of misinformation.

The hide-at-your-desk OSINT analyst in today's environment may be ignored simply for not speaking up, which equates to the concept of “if a tree falls in the forest but no one heard it, does it actually exist?” Unless, of course, that analyst is employed at an organization that celebrates a greater level of secrecy and social media silence. Ironically, this can also backfire as someone may then question why there is an absence of social media posts for that person. 

Multiple OSINT practitioners share on social media through the use of a fake persona or a sock puppet, which then raises the question of whether it is cyber HUMINT or OSINT. If a research account engages with audiences, it is no longer simply an OSINT account, which brings up the ongoing debate of where OSINT stops and HUMINT begins. Sometimes, this sock puppet use makes sense, and other times, it also raises the question of motivation. For example, is that OSINT sock puppet from an adversarial state hiding because of fear of that government, or is that social media account a government entity?

I remember my first feeling of exposure on social media in 2008. I shared a draft report on the potential of Terrorist Use of Twitter that was disseminated via official email to a group of people who had access to “For Official Use Only” material, who then shared it with larger groups of people within the same community. Someone then shared that report outside of the community, and it was sent to the Federation of American Scientists (FAS), Wired, CNN, BBC, and a multitude of other channels. It was also shared on early social media, and pundits commented both for and against the draft report. Regardless, I was mortified and did not engage in social media. Fortunately, my client at the time got to have a wonderful interview with Defense News and received positive feedback for the product. I later got a letter of commendation from a really cool organization. At that time, OSINT analysts were not expected to publicly share collaboration, tools, means, and methodologies online. We generally had small OSINT cluster communities of interest where we shared with each other, and there was an emphasis on not sharing on social media.

I have gone back and forth on the limitations of sharing information. Recently, I was reminded that thoughtful consideration should occur before sharing information, and there is still something to be said about the art of not sharing. It does not mean analysts should hide behind a desk, although that is less threatening for some. I have come up with some suggested tips that collaborative community members can consider prior to sharing. 

Please note that a social media post is not in itself an OSINT product, but the OSINT collaborative community on social media does share fact-checking, research techniques, resources, data, and other information that can be used for OSINT. OSINT communities will also sometimes share a product, but the full product is generally not the post itself. For example, Bellingcat shares some outstanding products on social media by hotlinking.

Tips

  • If the shared data does not represent your company or organization and if it is a personal social media account, make sure to always state on the account that it does not represent anyone other than yourself. Generally, a disclaimer in the social media profile should work. 

  • If an observation is made on a resource such as an article before sharing, keep in mind that the article is typically not a stand-alone product and usually comes from a larger resource. Always check that resource and cite it.

  • If you comment or make an observation on an article, gauge how that hosting resource or other sources may react to it. For example, Elon Musk has sued the Center for Countering Digital Hate (CCDH) for presenting research and data. In this instance, the CCDH gauged the risk of presenting the research and decided that sharing was worth the risk.

  • Consider the social media platform that you are on and the sharing limitations. Twitter, now X, as a platform, has a limited character set. If the context for the share can’t be added to a single post, don’t share it, or clearly mark and indicate that it is part of an organized thread. 

  • Separately, if someone shares with you on X or another platform, check prior posts and whether they relate to the recent post. 

  • LinkedIn generally ties directly to a person's place of employment, and personal opinions should be sparingly shared or shared with greater caution. Information that is shared should be supportive of professional goals and interests. 

  • Each platform has a different culture and structure that impacts what and how a user should share. 

  • If sharing information from a tool, don’t share the tool’s query response without citing it. If the tool may be unknown to the audience, explain how the tool works and why it is of interest. A tag to the tool may not suffice, as that can just be interpreted as a highlighted address. 

  • Reference what intelligence gaps may exist when presenting data from a tool. It does not matter how good the tool is; even the best tool leaves room for error, as humans create tools and humans make errors.

  • If additional tools are used for information verification, then go back to the first point on whether the findings should be shared in the first place. Is the verified information important? What will the readers gain or interpret from it? How could it be misconstrued? 

  • If the information to be shared is a vulnerability that could help protect others but possibly reflect negatively on a source, consider contacting the source directly versus posting it on social media. Sometimes, this may also backfire as the source of the vulnerability may not react positively. For example, in 2021, the Government of Missouri threatened to sue a journalist for sharing an open public vulnerability with a site. 

  • In addition, if a vulnerability is noted but not fixed, highlighting it on social media can lead others to possibly exploit it. The vulnerability may still be exploited by someone at some time, even if not highlighted, as vulnerabilities often are exploited if left unfixed. However, instead of sharing the vulnerability on social media, contact the source of the vulnerability first to give the source a chance to fix it. If the source does not want to fix the vulnerability, then it may not be your problem. There is an exception to this concept, which is when a vulnerability is noted that could harm others, and the source won’t or can’t fix it. Then consideration should be given to whether there is another venue, not public, that the information can be provided to and that may fix the problem. A personal judgment also needs to be made on the degree of harm. For example, if a domain had a vulnerability that could allow a visitor’s operating system to receive a cryptojacker, a personal judgment would be made on whether to publicly share the observed vulnerability if it remains unfixed.

  • There are instances where a vulnerability can’t or won’t be fixed. This exception is actually not unique and has been observed by multiple members of the OSINT, INFOSEC, and hacking communities. I and other analysts often have examples of this, but we responsibly choose not to share our 2020, 2021, 2022, etc., epiphanies on social media if doing so could lead to adversarial exploitation. The important action is that the analyst contacted the appropriate venue to try and fix it.

  • If the observed vulnerability relates to national security, law enforcement, or military activities on social media, then the appropriate government channel should be contacted. For example, on August 26, 2021, I, and most certainly other analysts, noted that there were live updates on Twitter from a user who was providing incremental, consistent updates from claimed contact with ISIS-K, including passing a Taliban checkpoint, up to their attack on the Kabul airport, with the last Tweet stating that it was too late to stop the attack. Reporting that type of information is a responsibility, even if you think it may have been reported, as you can’t assume it was. However, if the issue is reported in the news, such as by BBC or CNN, then a judgment can be made that it does not have to be reported, as the mainstream media are already covering it. For the observation on August 26, 2021, it was not reported in the news, and eventually, the account that claimed to be in contact with ISIS-K was taken down.

  • Provide the context for why the information is shared. Data without shared context can be and is often misinterpreted. 

  • One thing that many people forget in today’s media environment is what Marshall McLuhan said in 1964: “The Medium is the Massage” (sic), by which is meant “the medium is the message.” Is the medium that you are sharing the information on the best place to share? In many instances, a good old-fashioned phone call or email may be better than a public share. Even if someone intends to be helpful, this can be seen as non-helpful by others who may interpret a social media post based on their cognitive biases or worldview.

Find Sarah on LinkedIn.

Kirby Plessas
OSINT Lovers’ Gift Guide

It is the holiday season and I thought I would give you my guide to the ultimate gifts for the OSINT analyst/investigator in your life. While I am posting this pre-Christmas, this list works for any holiday, even birthdays. Trust me, your OSINT fiend will love these any time.

OSINT gifts should most likely come in the form of software to use in investigations, however I added a couple hardware options as well. In no particular order:

Yubikey - from $25 Your analyst is going to highly value 2-factor authentication methods and Yubikey is the top of the security heap for this. Get this one and if they don’t already have one, it is a guaranteed win. You might go up a few notches in the perceived intelligence ratings as well.

1Password - from $2.99/mo Speaking of security, password security is no joke. A password manager is a critical tool for someone with a number of accounts to manage. There are a number of managers out there, some free, like KeePass, and other low-cost options like Dashlane and LastPass. The preferences are subjective, but I find 1Password might be the most popular among the security-conscious OSINT analysts.

Maltego - from $999/year This one has a hefty price tag and the OSINT analyst will probably want to purchase additional “transforms” available from a number of sources, but it is a killer tool, capable of making a complex case easy to explain. It can trace bitcoin, website registrations or social network contact lists like a dream. It’s a very capable but relatively inexpensive (compared to the others in this class, like Analyst’s Notebook, below) link analysis tool that has weathered over a decade on the favorites list for many an OSINT investigator.

BuiltWith Advanced - $99/year Get unlimited domain lookups with BuiltWith for a low price. This is a fraction of the total BuiltWith tool, but the most critical piece for OSINT analysts and investigators. For this low price, unlimited lookups can get you details like software used in building a website, including past builds, IP addresses and analytics accounts, as well as ties to other websites using those IPs and accounts. It covers a good chunk (but definitely not all, and not as far back into digital history) of what the DomainTools account does at a fraction of the price.

Norton VPN - $39.99/year There has to be a VPN on this list, and Norton is my go-to for two solid reasons. First, the price. They seem to always have a sale ($39.99 when I last checked), but even their regular price of $79.99/year is around the price of many of the competitors’ sale prices. The second reason is that Norton has been a trusted name in computer security for decades, and you are only as private and secure as your VPN.

DomainTools Personal Membership - $995/year The personal membership for DomainTools has a limited number of searches per category per month, but can be invaluable for OSINT research. DomainTools has a unique data set of internet history going back into the 1990s that exists nowhere else. This is an invaluable tool for a researcher who is working with a number of online websites.

Hunch.ly - $129.99/year This relatively low-cost tool can help a researcher keep track of the investigation as well as provide reports. Why worry about archiving evidence when Hunchly will do it for you automatically as you navigate the internet? Every page is screenshotted and the HTML recorded and searchable, so that no shred of evidence is misplaced. A fantastic value.

Manual to Online Public Records - $44.99 Everything is online, right? Maybe. But some of the online details are not as accessible without the proper guidance, and the author, OSINT subject matter expert, and librarian, Cynthia Hetherington, guides us through public record databases like no one else can. Her books are used as textbooks. Check out her other book, The Guide to Online Due Diligence Investigations.

Extreme Privacy - $41.84 This is the only privacy book on the list, but it’s a doozy. Author Michael Bazzell knows privacy like no other and shows what extremes you can go to to be private in America today. Every OSINT researcher knows the value of privacy. Check out his other unique book, Open Source Intelligence Techniques, used as a textbook in some universities.

ArcGIS - from $100/year If your OSINT friend loves maps and geography, grab a membership to the top-of-the-line geographic analysis tool. The online version for individuals is surprisingly inexpensive and sure to give a big Wow! factor to your gift.

Analyst’s Notebook - from $9610 While it is definitely not cheap, this analyst tool is at the top of many an analyst’s wish list. Capable of link analysis, concurrent timelines, geographic analysis and more, this tool is heavily used in corporate and government analysis organizations and has been for years. Considered top of its class, this tool also does not require any expensive add-ons to fully function, but it may require some serious training for use.

Shodan - from $59/month Known as the search engine for the “internet of things”, if it connects online, Shodan can help you find it. Shodan is a unique search engine with some crazy capabilities and your OSINT fiend will love being able to identify how many Amazon Echoes you own and whether you have online security cameras or doorbells.

Babel Street or Fivecast - I have no idea $$ If you have a lot of money you don’t know what to do with, your OSINT fiend would love a license to something premium, like Babel Street or Fivecast Onyx. This type of software will allow the researcher to geofence locations or monitor complex concepts, get analytics and more. You know it won’t be cheap and you have to contact their sales team to even get a ballpark price, but if you are looking for a killer gift that will blow someone away, this will do it.

VMware - from $119.20 I had to add a virtual machine to the list, and VMware is the top of the heap here. This tool lets you run multiple virtual machines in a jiffy and helps protect the main machine from malware. But don’t get confused by VMware’s fancy lingo. Apparently plain English is not a strong suit: you are looking through their long list of products for the Workspace Desktop Hypervisors, and choose the Fusion version for Macs or the Workstation Pro and Player versions for Windows and Linux.

Sophos Home - $35.99/year covering 10 machines Why pay for antivirus in the time of capable free antivirus software? Control, plain and simple. If you have multiple devices (and your OSINT friend probably does), Sophos Home will give you a control point to manage the antivirus accounts on each machine. This means you can tell when one gets infected with malware and you can make sure each gets their software updates. Not only is this great for a user with multiple machines, this is perfect for keeping all the laptops in a family safe.

And of course

We highly recommend you give a subscription to our OSINT News database of curated tools and methodologies along with our premium high value newsletter - $65/year

Or, if you want to splurge, get our Comprehensive Training Bundle, including the OSINT News subscriptions, webinars and the latest full OSINT BASICs Training seminar (50+ hours of OSINTy goodness) for $2499

I wish you all the best in your investigations and happy holidays,

Kirby (and the crew: Kyle, Sarah and Heidi)

Kirby Plessas
Dealing with cancelations and shutdowns due to the pandemic

We at Plessas Experts Network (PEN) are sincerely hoping that this coronavirus pandemic is both short-lived and not as deadly as it would seem, but we are preparing for the worst. We realize that events are (rightly) being cancelled around the globe. But while these events are cancelled, we know that criminals are not cancelling their plans. If anything, there are opportunities for crimes created by the level of uncertainty in this time.

What are we doing to prepare? Well, most of our staff work at home when not out at events, so we are continuing that work. The team is taking care of themselves and their immediate families by following what the CDC and local jurisdictions recommend, including washing hands often and disinfecting when applicable.

For coursework, PEN has moved much of our content online into our Academy and has started a series of methodology webinars to help fill the training gaps. The webinars can be accessed directly from the Academy webpage or soon via our calendar of events.

We will continue to book direct custom classes available through our Academy until in-person hands-on classes become available again.

As a small business, we understand the pressures these cancellations put on the businesses and staff. We are also available to help others who do not yet have the capability to host virtual courses with hosting and/or technical help in setting up a similar academy. The only way we will get through this is to do it together.

Kirby Plessas
Alec Miller reviews Buscador for OSINT

In his third and final project for his internship, Alec took a look at Buscador and explored the tools available. Alec, a sophomore CS student at the University of Arizona, provided screenshots and links as he discovered the capabilities of the tool. Here are his thoughts.

In my opinion, Buscador is a super useful tool for OSINT. The virtual machine comes fully loaded with many valuable, diverse investigative tools ranging from analysis of a target’s Twitter feed to searches based on a license plate. Overall, Buscador is an amazing tool, easy to understand, and capable of conducting deep, targeted searches.

To read his full report, click here.

Kirby Plessas