What is OSINT?

OSINT (Open Source Intelligence) is the process of collecting information from publicly available sources and subsequently analyzing it. The latter plays a crucial role in obtaining results because it’s essential not only to gather information but also to process it correctly, analyze it, and draw conclusions.

In this article, I would like to emphasize the sequential process of OSINT. This is important because comprehensive data collection should include several stages, specific objectives, and ways to achieve them. Today, we will explore one of the possible approaches to OSINT and what to use in the initial stages to conduct effective searches in open sources and analyze the gathered information.

How to Structurally Approach Open Source Data Searches?

This is not an exhaustive list, but I see the process roughly in the following sequence. If you don’t need to complete all the steps for a specific task, you can skip some.

Stage 1: Task Formulation

At this stage, you need to have a clear understanding of what you ultimately need to obtain. It could be, for example, the usernames used by the target or a comprehensive search for all available information about a person on the internet.

Stage 2: Planning

This is a crucial stage. Here, you need to determine all possible directions and sources that will be used for the search. Typically, there are three main categories:

  1. Personal Sources (social networks, blogs, websites, usernames, etc.).
  2. Government Sources (registries, databases, courts, taxes, border databases, diploma databases, invalid passport databases, etc.).
  3. External Sources (friends, acquaintances, media, employers, recommendations, etc.).

It’s essential to visualize this process. You need to create a roadmap for each target, but here is a general outline:

OSINT Map: A MindMap for Your Investigations - WebBreacher.com

Source: https://webbreacher.com/2018/07/12/osint-map/

Stage 3: Data Collection

This stage is perhaps the most labor-intensive, but it is mainly accomplished with the help of software and online services. It’s highly beneficial when you have some preliminary information to start with. For example, knowing that someone uses their first teacher’s surname as a password. Suppose, hypothetically, you find this teacher in your target’s VKontakte (a Russian social network) friends list. This significantly narrows down where you should look first.

However, sometimes you may lack such information, and you need to search for absolutely everything. It’s usually a good idea to start with the person’s name, surname, and username. From there, you can expand your search to find a phone number and friend list, establish connections on social media, and explore forums. However, practice shows that almost all search results are based on three things: a phone number, email, and username.

Key Directions for Information Retrieval:

  1. Social Networks (VK, Facebook, Twitter, Instagram): You can extract photos, usernames, geolocation data, friends, contacts, city, connections with other users, interests, groups, and more from average user profiles.

  2. Search Engines: By using different operators, you can gather a significant amount of information. However, this requires the use of advanced user operators, which we will discuss in detail in practical cases.

  3. Forums: Forums can reveal interesting topics of discussion, interests, connections with other users, and political leanings.

  4. Judicial Websites: You can check if the person has been involved in any legal proceedings based on their name and place of registration.

  5. Specialized Websites: For instance, search engines like Shodan and Censys can be useful if you have the target’s IP address.

  6. Diploma Databases.

  7. Bailiff Databases.

  8. Invalid Passport Databases.

This is not an exhaustive list, and what you search for depends on your specific goals. Sometimes, a person may not have a presence on social networks, and all their interactions take place solely on forums, while in other cases, it may be the opposite.

Stage 4: Results Analysis

All the information you find should be well-documented. It’s better to add notes to your roadmap. For instance, if you see something interesting during the information-gathering stage, make a visual mark. This way, during the analysis stage, you can thoroughly examine and conclude it.

If you find files during the information-gathering process, extract their metadata. You can use programs like FOCA, for example. You can also export data from social networks and work with it. In practical cases, we will discuss how to obtain essential and interesting data using graphs and visual tools.

It’s essential to save conversations, public messages, or posts for later analysis. This is crucial because by reading these messages, you can roughly understand the psychological profile of your target, and then you can work with it and use it for attack planning.

By the end of this stage, you should have a clear understanding of who your target is interacting with, what they do, who they like on social networks, who they communicate with, where they hang out, and what their geolocation is on social media. Essentially, you should have information about everything, down to the smallest details.

Stage 5: Drawing Conclusions and Preparing Results

At this stage, you have what’s known as a “persona map.” You know the basic information, preferences, interests, social circles, sphere of influence, social media activity, and other online resources. As a result of this work, you can gain insights into who the person is, how much they earn, and what assets they have. Depending on this information, you can plan your approach.

For example, if someone is interested in fishing, you can come up with an interesting story and offer them a free fishing trip, a fantastic book, or a club membership. You can create a well-prepared fake website, send a high-quality email, and ask the target to register on the site to claim their free trip. This way, you can potentially discover what kind of passwords the target uses. You can also check if they have the same password policy across multiple websites.

It’s essential to revisit your roadmap, as it allows you to understand what information you have in general and where the person spends most of their time. If they are active on social media and frequently post photos from art exhibitions or the same bar, for example, you may have opportunities to encounter them there. You can even offer them something special on behalf of that establishment via email, potentially meeting them in a specific place at a specific time. This all depends on your creativity.

Visualization

In handling large volumes of data, working with visualization is crucial. It helps you stay organized and extract more information. Therefore, I’ll show you a few services that facilitate this function:

  1. Wisemapping: It provides a convenient set of icons, note-taking capabilities, formatting options, hierarchical structuring, and the ability to share maps for collaborative work. However, one drawback is that you can guess URLs to access other maps.

  2. Mindmeister: This tool offers a combination of free and paid features. It includes standard features like icons, images, notes, and links. Collaboration is possible as well. It’s a decent service with intermediate functionality.

  3. Mindomo: While it offers paid features, you can use the free version. It provides more extensive options for formatting and organizing elements. You can also use ready-made templates for creating maps. There are example maps available via the provided link.

  4. Maltego: You’ve probably heard that this is a powerful OSINT tool for automating searches. It comes pre-installed in Kali Linux, and the free version is sufficient for most tasks. However, it can also be used to establish connections and visually represent information manually. You can add various entities like people, usernames, servers, ports, images, and more using Maltego’s nodes. However, this topic deserves its article rather than just a paragraph.
    Introduction to Maltego Standard Transforms : Maltego Support

Conclusion

The main idea of this article is to approach OSINT as a well-planned process. When you plan, gather, and analyze the necessary information systematically, you can focus your efforts and avoid wasting time on irrelevant things. In the upcoming articles, we will take specific tasks and delve into each stage, exploring what can be done and how to use tools for a more precise and understandable analysis.

So, be patient, plan, set your goals, and we will gradually work through them. Good luck, and stay tuned for more articles!

OSINT Framework