So You Want to Do that OSINT Thing – Four Easy Steps
Know Your Goals and Scope
Know Where to Look
Know How to Search
Know What to Do With What You Find
For about 30 years, I’ve been doing something called OSINT, even though I did not know for most of that time, it was called OSINT. And now that I know it, I want to share my wisdom. In a recent post, I teased out some general OSINT thoughts; then I gave some examples of how to approach sources. I realized I should step back and just explain the whole shebang. Everything you need to do OSINT is listed below. Just memorize these four steps, and you, too, can be an OSINT practitioner.
Step One – Know Your Goals and Scope
Research goals and research scope are intertwined and related, but they're not necessarily the same thing. Scope can impact goals and goals can impact scope. Successful OSINT starts with understanding what you are trying to achieve, understanding your capabilities and limits, and understanding the technology and data availability constraints you may face. Do this well, and everything else flows.
Research goals tend to come in two flavors. There are specific requests/goals. A recent case focused on trying to determine whether someone was affiliated with a company. Another recent case had me trying to identify the owners of a company. All the searches in these cases led to one answer, which can often be: we don’t know. The other flavor of research tends to be called “background” or “due diligence”, or sometimes these days, “reputational due diligence.” It is less trying to learn something, and more looking across a lot of things and developing a picture, a sense of who someone is, or what is out there on someone. Remember this, though, background can mean many things. In many cases, it is a “desktop” (online) review of public records and open-source databases, but it can also mean, “tell me everywhere she goes and who she meets.” It can mean reference checks. It can be a criminal history.
See where scope matters? If research goals come in a few flavors, like Culvers, research scopes are akin to Baskin Robbins [ed., do people even know what Baskin Robbins is these days?]. Many things affect scope: how much time you have to finish, how much discretion, how well you need to document findings, and where your subject resides. Be clear upfront about these things to succeed later.
Step Two – Know Where to Look
I’m nothing else, I am a basher of OSINT lists. Although it’s not really the lists of OSINT sources I detest. As I said before, “what’s the value of huge, undifferentiated lists of OSINT resources if people don’t know how to use the tools.” Skilled OSINT practitioners know where to look. We know the places to look for background, and we know where to look to answer specific questions.
Knowing where to look requires a general sense of where to go and a honed ability to get it right. What I mean is, that you will know that you have to get litigation records, but where are the records, which website gets you the “best” records? If you forgot about what is best, go back to here. In a lot of cases, no matter how much you fumble and stumble to get there, there’s only one right answer, e.g., only one Cook County Recorder’s website. Occasionally there are multiple answers, each partially right, as in searching for litigation records in New York. With “people” records, there’s a lot of data out there that may or may not be “right”. To do OSINT is to know these websites, to have a nicely tuned set of bookmarks.
It is not just the obvious things, like criminal histories and newspapers, that OSINTers have and know. It’s checking other kinds of records, other sources. For instance, I use Violation Tracker to do a good scrub of federal regulatory actions. As I mentioned on LinkedIn the other day, I also use a few libraries on Lexis that draw from more obscure sources but produce key findings on their infrequent hits.
Step Three – Know How to Search
If I’m not bashing your OSINT list, I’m sneering at your Google hack. Believe me, it comes from the same dark place in my heart. I know you have good points. You absolutely need to know how to search. But just knowing how to search is not the be-all, end-all of OSINT. You need to know how to search because if you don’t do certain things right, you will flat out miss what you're looking for. More often, good search techniques will save you time and make your research much easier.
It is perhaps to basic to add this, but since this post covers everything, the most important element in searching is that spelling matters. And that names come in many versions. There is Kate and Cate and Allen and Alan and Alain; Bryan and Brian. Also, on last names or surnames, pay attention to spelling. Not every Smith is Smyth. Names can be listed in articles with middle initials, middle names, as full names, and nicknames. If you search on “Bill Clinton” you may not find the article on William Jefferson Clinton. You will need search techniques to handle all this.
Know also that every name is common and some names, especially from certain places, are very common. You need search techniques to manage the common name problem.
A lot of search techniques and strategies come down to personal preference and how you like to do things, which is maybe also why I bristle at focusing on search hacks. The way I like to group my searches, or the publications I focus on, may be different than yours. The basic theory of search is to have a manageable set of items to go through without missing or ignoring something important. You cannot look at everything, but you have to look at everything you need. Right?
Step Four – Know What to Do with What You Find
If I’m busy denigrating link lists and Google hacks, it’s because those things don’t matter without Step One, the goals and scoping, and especially this, Step Four, what you do with your search results.
Too much focus is often put on lists of links and Google hacks because the presumption in a lot of OSINT literature is that you have to work extra hard to find something. The truth is, in nearly every case, you have too much rather than too little. What you need to do as an ace OSINTer is find meaning in all the materials you have. See what’s vital. Find connections. Understand deeper meanings. As they say, turn information into intelligence.
The extra truth is that your task is even less about revealing hidden meanings, and a whole lot more about just putting it together. Sort it. Fill in categories. Extract key dates. How you make sense of your OSINT is how you package the OSINT. It is turning stacks of papers (virtual papers these days), into memorandums and schedules. They are paying you to read and summarize.
There you go. 30 years of OSINT practice reduced to four steps. Let me know what’s holding you back.