Resources for OSINT professionals
If you are new to OSINT, and are interested in becoming an OSINT professional, here are some links to resources that have been helpful to new people in the past.
The Techncyber blog has a good introduction to OSINT.
SANS, the cyber security training company, has a number of free tutorials on OSINT. You need to be registered to access some of the material, but the quality is quite good.
Sector35, an OSINT specialist from the Netherlands, offers a weekly OSINT magazine that is filled with news about OSINT tools, sites and cases. On his site, he offers a search function, so you can search older newsletters for things like a specific service. Much recommended for any OSINT researcher.
Toddington, a Canadian OSINT organization that specializes in OSINT training and investigations, is offering an email newsletter that is published irregularly.
The Herd Locker offers a newsletter with a twist: the site uses an algorithm to find the most useful OSINT tweets of the last 7 days, and shows them in a list:
The algorithm reads every tweet and filters out links to stuff it has seen before: ignoring retweets, duplicate posts, shortened URLs pointing to the same content and so on. It notes who shared things first and keeps score by how many times it sees the link again.
Open Source Intelligence Techniques by Michael Bazzell is considered by many the OSINT bible. It’s a massive, book, with hundreds of pages, and it contains a variety of useful resources on many aspects of OSINT. The book focuses not only on finding and preserving online evidence, but the writer (an ex-FBI investigator) also puts heavy emphasis on operational security and digital privacy.
NOWHERE TO HIDE: Open Source Intelligence Gathering by Daniel Farber Huang is fairly recent, and shows the FBI’s investigative and OSINT techniques used to pursue the hundreds of thousands of leads the FBI received from the general public after the Capitol riots. NOWHERE TO HIDE is filled with real world case studies, specific resources and practical “how to” guides to equip both beginner and seasoned OSINT investigators with the right tools for their OSINT toolboxes.
A Tradecraft Primer: Structured Analytic Techniques for Improving Intelligence Analysis (PDF) by the United States government provides a good summary of analysis techniques that are tools in the OSINT analysts' toolbox. The book explains techniques like “what if?” analysis, Red Team analysis, contrarian techniques, and others. The book also provides examples of the techniques.
Extreme Privacy by Michael Bazzell focuses on keeping people hidden instead of finding people. The book provides explicit details of every action that is needed to make someone completely disappear, and includes document templates and a chronological order of steps to take. The book is a great guide for people in the reputation management industry: It shows not only where the risks are, but also what to do about privacy leaks after the information has gotten out already.
The Privacy, Security, and OSINT Show
Michael Bazzell is an ex FBI investigator who specializes is OSINT. On his weekly podcast, he covers a all kinds of subjects that are related to OSINT and privacy. Michael also helps people “disappear” digitally, and often covers techniques and tactics on his podcast. Be sure to check out the podcast notes as well. The podcast is available via Apple, Spotify and Soundcloud.
The OSINT Curious Project tries to keep people curious about exploring web services or trying out new techniques to access important OSINT data. The group creates Open Source Intelligence news, blogs, instructional videos, and podcasts. The podcast is available via Apple, Spotify and Anchor FM.
The OSINT Bunker is a defence and security based podcast aimed at expanding people’s knowledge of the geopolitical landscape. The podcast is created by authors of the UK Defense Journal, and often delves into current geopolitical and military affairs from an OSINT perspective.
Check out this enormous list of OSINT resources by OSINT professional Ivan30394639. This list is labeled, and is continuously updated.
Need more links to resources? This is a great collection of global OSINT resources by former OSINT investigator IntelScott.
The OSINT Dojo offer links to OSINT resources, including links to OSINT CTFs (Capture the Flag) and quizzes.
Jack Baylor has also created an interesting collection of free OSINT resources, books, VMs, etc. If you want to know how to build your own OSINT lab, or what books to read, be sure to check it out.
OSINT isn’t about the tools you use, but still, every OSINT professional has software that they find more useful than others. Here is some OSINT software to get you started:
Maltego is OSINT software that makes it easy to access many different sources at once, and find links between individual pieces of information. It provides the user with a library of “transforms”: essentially scripted actions for discovery of data from open sources. For example: you can ran a transform on an email address, to see if it has ever been used to register a domain name. Maltego will then output the linked domain names.
A well-known plugin for Maltego, “Social Links”, offers the same capability for social media: you can search for social media presence, and pivot from the result, like email addresses. The beauty of Maltego is that it allows you to visualize that information in a graph format, so you can perform link analysis and data mining actions on the collected data. The software is excellent if you want to find connections between people, companies, domains and other publicly accessible information on the internet.
One of the reasons Maltego is quite popular, is because it has a free, community version next to the paid version. Maltego runs in Java, so it works with Windows, Mac and Linux platforms.
SpiderFoot is an OSINT reconnaissance tool that automatically queries over 100 public data sources to gather intelligence on IP addresses, domain names, e-mail addresses, names and much more. The software itself is free, and open source.
Spiderfoot also offers a paid service, called Spiderfoot HX. Spiderfoot HX is the premium, subscription-based version of SpiderFoot that offers additional performance enhancements, more data sources and data visualization capabilities.
Shodan is highly praised by most cyber investigators. The sites describes itself as “the world’s first search engine for Internet-connected devices”, and they do that job very well. The services scans the global internet for internet-connected devices, and allows researchers to search for specific devices, operating systems or software versions. Researchers have used Shodan to find internet connected devices like camera’s, printers, IoT devices, traffic lights, nuclear power plants, and more.
Shodan is often used by penetration tester and hackers, to find out which internet-facing systems are running outdated software. The site offers both free and paid access.
Hunchly is a web capture tool that does the job, and it does it well: it was designed specifically to create evidence trails for online investigations. The tool quietly runs in a web browser and automatically collects, documents, and annotates every website that is visited during an investigation. Investigators can tag and categorize content, quickly create reports, and run local searches on the material they have collected (online and offline).
Hunchly is spyware, but also offers a free trial.
There’s also a free Hunchly Mobile for mobile devices, which collects evidence from mobile devices. The mobile version is not the same as the standard Hunchly, and is more geared towards evidence collection from victims, witnesses and investigators.
Paliscope is an all-in-one tool for online investigations, that allows users to keep an overview of complicated investigations. Users can save webpages, documents, pictures, or specific bits of information. The software offers screen recording and has a built-in browser. Users can install additional functions through plugins, like Camera Forensics and Darknet Voyager. Paliscope keeps an audit trail that verifies when and where information has been found, which comes in handy if legal issues are at play.
Recon-NG is a commandline-tool that is popular with OSINT specialists that are tech-capable. The tool is a full-featured reconnaissance framework designed with the goal of providing a powerful environment to conduct open source web-based reconnaissance quickly and thoroughly. To get the most optimal results, many modules that the Recon-NG offers, need and API key to query a data source. API keys (Application Programming Interface keys) are often free or low cost.
Recon-NG is quite versatile: The tool includes a “marketplace”, that offers many content-specific modules that can be enabled by the user. Recon-NG allows a user to store results in a number of built-in databases. The names of the databases indicate the kind of information they contain:
For more OSINT tools, please have a look at the OSINT Framework, a site maintained by Justin Nordine. The site offers a wide selection of tools, broken down by area of interest.
Looking for full-time OSINT jobs?
The Dutch organization Aware Online offers a list of OSINT vacancies in the Netherlands, mostly in Dutch.
The US website ClearanceJobs often has OSINT vacancies as well. Bear in mind that most need a security clearance.