Open Source Intelligence - OSINT - has become an oft-used phrase in recent years, cropping up in everything from state intelligence reports to corporate marketing meetings. This is largely due to the egalitarian nature of OSINT as a tool. With the correct knowledge, OSINT opens up the world of intelligence to practically anybody, with all the benefits that it brings. OSINT can now provide information on virtually anything one could wish for- tracking ships and planes, geolocating any spot on the planet to within metres, creating enormous, pliable databases on consumer behaviour, and so on; the list is extensive. Once the domain of mass media, the rise of the internet has allowed OSINT to expand beyond radio, television, and print news, and into a new age of information. In this guise, it also becomes a valuable reconnaissance aspect of cyber security. Huge amounts of information on potential cyber targets can be gleaned from open sources, leading to a much higher likelihood of a successful cyber attack.
However, with the increase in the use and efficacy of OSINT comes a decrease in ease of access. A few examples are the dark web, big data, and algorithmic approaches, which have rendered various aspects of OSINT incomprehensible or intimidating to the layman. The fact is that without specialised OSINT analysts, many firms and departments use OSINT on an ad hoc basis, and the increasingly technical nature of OSINT means that it runs the risk of losing its primary attraction – its open nature. An OSINT framework is therefore needed, or at least a toolkit of sorts, in order to maximise the potential of OSINT in the internet age. Many organisations have developed such a toolkit for their own purposes, but it is possible for even the most casual of OSINT investigators to learn how to use a variety of third party tools and techniques, with hugely beneficial results. We refer to a collection of OSINT methods such as this as an ‘OSINT framework’.
An OSINT framework documents collection methods into an easy to use format, with tools and websites listed in a logical order, allowing an OSINT investigator to follow a step by step process to achieve their goals. There are a few existing examples of OSINT frameworks. I-Intelligence’s ‘Tools and Resources Handbook’ is a good start, as it provides an exhaustive list of OSINT tools for any possible scenario. The downside is that it can be hard to navigate effectively, considering its list format and sheer number of tools listed. An easier to use framework is called literally ‘The OSINT Framework’. It provides a more user friendly interface in a tree format, allowing practitioners to click through to their desired outcome. The downside is that it is not particularly extensive or in-depth, providing many commonly used sites but less dedicated tools and plugins with which to manipulate openly available source code and data. It is also worth bearing in mind that many people-finding tools provided in frameworks are country-specific, often based in the U.S, making it harder to conduct land and registry searches in other jurisdictions. When using OSINT frameworks, or providing them to employees during training, it is also worth noting what your particular framework will be used for. OSINT is a wide field, with many applications. For instance, a cyber security firm concerned with OSINT penetration testing may wish to use tools such as those listed here. State security actors using OSINT may wish to use resources such as satellite imagery and cargo manifests, as another example – many examples of which can be found on Bellingcat’s toolkit. As such, developing a tailored OSINT framework is the easiest way to make the best use of OSINTs potential. This is also relatively straightforward for non-practitioners. By simply browsing existing frameworks – such as those mentioned above – and cherry picking tools for your requirements, the basics of an effective framework are established. It is important to then format these tools in an easy to use, signposted format, so that those without OSINT experience find it as easy to use as just searching for someone on Facebook.
Here are a few basic, useful tools to add to your OSINT framework (UK-based).
Companies House – this is the easiest way to acquire information about a person or company. Companies house provides information and accounts for firms registered in the UK, as well as information on their senior staff, such as addresses, birthdates and contact details.
Land Registry – provides information on property sales, prices and landowners.
Births, Deaths and Marriages – provides information on births, deaths and marriages in the UK, also providing maiden names and parents names.
Fotoforensics – help analysing doctored imagery
Metapicz – reverse image searches
Webcams.travel – live webcam feeds from across the world
Wikimapia – user annotated global maps
Finally, a point on safety. The saying remains true that if you don’t have to pay for something, then you’re the product being sold. For many open sources provided by large corporations or governments, information is either free due to subsidisation, or available for a fee. However, many third-party tools and websites are free. Unless truly altruistic, these tend to make their money via advertising, which uses user recognition and cookies to store, use and sell information on web traffic. Therefore, an effective OSINT framework should also provide advice on online safety. Basic precautions, such as the use of VPNs or Virtual Machines, can ensure a reasonable level of anonymity for the practitioner using the framework. Other negative indicators of a tool can include the requirement for unnecessary details during user registration, the need for unknown additional software, or an antiviral/malware response. Positive signs to look for are cyber security accreditation, the protection of user data, freely available source code and no requirement to register.
With all the above in mind, a safe, comprehensive and easy to use OSINT framework can turn anybody into an OSINT practitioner overnight. Keep looking out for new tools on existing frameworks and lists – OSINT is a constantly innovating field, and not all tools and websites stay relevant.