What is OSINT? Open Source Intelligence Explained

Open source intelligence is information gathered from public records. Social media posts, news articles, government databases, and satellite images all qualify.

The "open" in OSINT refers to where the data comes from, not how it's analyzed. You can derive very sensitive insights from public data. Individuals, organizations, events - all can be researched.

That's the value of OSINT. Anyone can do it.

Where OSINT Comes From

Social media platforms Twitter, LinkedIn, Facebook, Instagram, Reddit, TikTok, YouTube offer a wealth of public data. Profiles, posts, location tags, connections, likes, and comments are available. Public records in the US are extensive, including court filings, property records, business registrations, voter rolls, government contracts, lobbying disclosures.

Domain and network data leave a trail. WHOIS records, DNS history, SSL certificates, IP registrations, and hosting provider information are publicly available. Data breaches leak billions of credentials, which circulate in breach databases and dark web markets, getting indexed by OSINT tools.

News archives document events and statements through published articles, press releases, and broadcast transcripts. Satellite imagery tracks changes, such as construction, military movements, and infrastructure shifts, from providers like Planet Labs, Maxar, and Google Earth.

Academic publications reveal capabilities through patents, scientific papers, and conference presentations. The dark web is a source, comprising forums, markets, and Tor channels.

Who Uses OSINT

Agencies tasked with keeping people safe, such as law enforcement and intelligence, turn to OSINT. They use it to track down fugitives, assess threats, find missing persons, and unravel fraud schemes. Corporate security teams do similar work, including vetting potential executives, vendors, gathering intel on competitors, shielding brands from reputational risk, and sniffing out fake claims.

Penetration testers use OSINT to comb public data during recon to find where an attack surface might be hiding. Private investigators use it for skip tracing, digging into someone's background, and shoring up surveillance operations.

Researchers and academics sift through public data to study patterns, document events, and cross-check claims. Regular people use OSINT too. They research dates, employers, and business partners. They even take a look at their own digital trail.

Core OSINT Techniques

Username and Identity Tracking

Username tracking is about feeding a single username into a tool and getting a list of matching accounts across different platforms.

You plug in a username, and the tool queries multiple sites at once - social networks, forums, services. Instantly, you get a list of associated accounts. OSINT Industries works like this.

The goal is to see where else your target has a presence online. No single platform tells the whole story. You need to connect the dots.

Operators often overlook some accounts. Systematic tracking helps ensure you don't miss key profiles.

Email Investigation

Email addresses can reveal a lot about a person. Services they use, associated usernames, breach history. Sometimes, even phone numbers and locations.

Breach data and service registrations are the sources. They contain this information. It's there for anyone who looks.

Domain and IP Research

Domain and IP research. You start by identifying the owner of a domain. Then you find other domains registered to that person. And you figure out what's actually hosted on an IP address.

Tools like Shodan index the internet's infrastructure, making it searchable. It is like a giant catalog of all the devices connected to the internet.

Domain registrars keep records. DNS history logs show what's been queried. Certificate transparency logs reveal what certificates have been issued. These pieces form the technical footprint of an organization.

The payoff is a clear picture. You see what a target has exposed, what's running on their servers, what domains they own.

It works.

Social Network Analysis

Social network analysis reveals who connects to whom. It uncovers ties through shared work history, co-authored papers, and followers. Maltego helps to visualize these relationships.

Geolocation and Imagery Analysis

Geolocation from imagery works when you have photos, videos, or satellite images that reveal location clues. You look for identifiable buildings and landmarks. The sun's angle and shadow directions help place the scene. Cross-reference with map services to pinpoint the location. That's it.

Archive and Historical Research

Archive and historical research is about seeing what a website used to look like. What got deleted. Changes over time.

The Wayback Machine has billions of old web pages on file. For active cases, tools like Hunchly let you build a private archive.

OSINT vs. Other Intelligence Types

Intelligence gathering comes in various forms, categorized by how the information is collected.

OSINT is one of them, standing for Open-Source Intelligence. This type involves collecting data from publicly available sources, including websites, social media, and forums.

Other types are Human Intelligence, or HUMINT, Signals Intelligence, or SIGINT, and Imagery Intelligence, or IMINT. Each has its own methods and tools. The key difference is access. OSINT is unique in that it taps into information that anyone can see.

| Discipline | Source | Example | |---

|---|---| | OSINT | Open/public | Social media, public records, news | | HUMINT | Human sources | Informants, interviews, undercover operations | | SIGINT | Signals | Communications intercepts | | IMINT | Imagery | Satellite and aerial photography | | CYBINT | Cyber operations | Hacking, intrusion, technical exploitation |

When it comes to gathering intelligence, civilians usually can't tap into SIGINT or CYBINT. Those are locked down tight. HUMINT requires boots on the ground and a network, which most investigators don't have. That leaves OSINT, open-source intelligence. It's often the only option available.

Legal and Ethical Boundaries

OSINT operates within legal and ethical boundaries. Public data doesn't mean no rules apply.

Laws on stalking, harassment, and privacy vary by location, and they can still apply to OSINT activities. Scraping data from platforms usually violates their terms. Collecting and combining public data raises privacy concerns.

Intent matters. Investigating fraud or finding a missing person is different. Using OSINT to harass or stalk is not.

Getting Started

Getting started with OSINT requires a solid foundation. Versatile tools help you cover ground quickly.

OSINT Industries is a good starting point. Plug in an email or username and see what pops up. They offer a free tier to test it out.

Shodan scans exposed internet infrastructure, no login required. Get a quick look at what's out there.

SpiderFoot automates searches across a range of sources, good for recon.

New to OSINT? The TCM Security OSINT course provides a structured intro to OSINT practices, designed for beginners.