Matt Zbrog
Open-source intelligence (OSINT) is the collection and analysis of data gathered from public sources. OSINT dates back to the 20th century and was once purely the domain of the military and intelligence communities, but today’s internet-connected and data-driven world has brought it into a wide array of investigations and firmly placed it in the mainstream.
As people’s lives have moved more online, investigations have gone increasingly online, too. Social media accounts can provide a snapshot of someone’s life, and often those snapshots can include critical clues. At its core, OSINT can be as simple as a Google search. But today’s OSINT operators know much more sophisticated, as well as much more elegant, methods of investigation.
OSINT is no longer a niche aspect of an investigation; many times it’s now the core. But new opportunities come with new challenges, and leveraging OSINT in an investigation requires a specific set of skills, as well as a firm understanding of the discipline’s strengths and weaknesses.
To learn more about the role of OSINT in modern investigations, read on.
Mason Wilder, CFE, is a research manager for the Association of Certified Fraud Examiners (ACFE). In this role, he manages the creation and updating of ACFE materials for continuing professional education, works on research initiatives such as the “Report to the Nations” and benchmarking reports, conducts trainings, writes for all ACFE publications, and responds to member and media requests.
“OSINT is critical to investigations today,” Wilder says. “I always recommend utilizing OSINT early and often in any kind of engagement, because there’s a wealth of information available through public sources that can benefit any and every type of investigation.”
One of the largest shifts for OSINT over the last decade has been driven by changes in social media. Wilder notes that few of those changes have made an OSINT investigator’s job easier. As popular social media sites change their policies and functionalities, particularly as they relate to privacy, OSINT investigators have had to adapt.
Graph searching, which refers to a type of URL manipulation, previously allowed savvy operators to view photos and status updates of users on Facebook without being connected to those users directly; changes to the platform’s underlying architecture have since closed that loophole.
Twitter once geocoded every tweet automatically, providing the crucial dimension of location to a person’s activity; geocoding is now an opt-in-only feature. Third-party OSINT tools have struggled to keep up, and investigators have had to rely more on the native search functions of social media platforms.
“A more recent trend is a shift away from the big four or five social media platforms, and towards a fragmentation of people’s social media usage,” Wilder says. “That includes an increased adoption of secure messaging tools that are borderline social media—WhatsApp, Discord, Telegram—but not social media platforms in the way most of society thinks. In the last five years, we’ve seen more variation, and more platforms that are difficult to utilize in terms of OSINT.”
OSINT isn’t just the collection of publicly available information, but the analysis of it, too. Online, the difference between a clue and a red herring, or between fact and lie, is blurry. Some social media sites, like X, are only now starting to vet the truthfulness of what certain users post; others, like LinkedIn, have no requirements for data entered by a user into their profile.
“You can get a lot of information with OSINT, but there’s no guarantee that it’s accurate, comprehensive, or legitimate,” Wilder says. “You have to verify it.”
The world is teeming with data. Every OSINT investigation is faced with the problem of plenty. Filtering information out can be as important as bringing new information in, but a few tips and tools can make that process more efficient and effective. Wilder points to the power of Boolean searching, which leverages search operators such as quotation marks, parentheses, colons, and AND/OR descriptors to refine and filter search engine results.
“Going step by step and combining different search operators can be really useful,” Wilder says. “In just a couple of minutes, and with only a few searches, you can zero in from 50 million results to a couple thousand about exactly what you’re looking for.”
In some areas of OSINT, particularly those related to blockchain transactions, investigators do need third-party tools. While the majority of blockchains are transparent, with all transactions publicly available, the sheer number and complexity of those transactions make them difficult to read manually. If a suspect deliberately tries to cover their tracks, primitive interfaces like Etherscan will not be enough.
“Once cryptocurrency transactions reach a certain threshold of complexity and volume, it’s going to be incredibly tedious and convoluted to access with basic OSINT,” Wilder says. “Software solutions like Chainalysis, Elliptic, or TRM Labs can simplify the process and streamline things for you.”
Even outside cryptocurrency, many open-source resources exist to provide low-cost or no-cost help to OSINT investigators. One such resource is WhatsMyName, which allows someone to plug in a username and have it scan several hundred sites to find similar uses of that username. The app will then populate a list of hits that can be accessed in a single click. It’s an enormous timesaver, Wilder notes, and an example of a product built by and for the OSINT community.
“There’s a vibrant community of OSINT researchers constantly working on new tools and techniques and sharing that information,” Wilder says. “There’s constant innovation.”
As life becomes more digitized, OSINT will only become more instrumental in investigations. The rise of digital assets and the continued fragmentation of presence across different media platforms will continue to present OSINT investigators with complex challenges, as will AI-generated content. Verifying whether text, images, and videos are genuine or fake will be very important. But the increasingly mainstream status of OSINT can help, and simple tools like reverse image searching should be a staple of any investigator’s practice.
“People will often reuse pictures from other contexts to claim that some situation is either happening or happened, when a simple reverse image search shows you that picture is actually from several years earlier, in a totally different situation,” Wilder says. “Where it will be interesting to see if OSINT meets the need is in identifying AI-generated media: images, video, audio. There are a few tools similar to reverse image searching that can look for manipulation, but it’s still relatively early.”
AI-generated media will continue to be a significant trend. But the use of ChatGPT and other large language models (LLMs) in OSINT investigations remains suspect. The data that most LLMs are trained on is not fully up to date, and the results they provide can be inaccurate, sometimes including what programmers call hallucinations. OSINT investigators will then spend more time verifying ChatGPT results than they would seeking out information through more traditional means, such as Boolean searching on a typical search engine.
“I’d caution people interested in OSINT against trying to outsource your searches to ChatGPT and other AI-powered chat platforms,” Wilder says. “In their current form, the information they put out is not at all reliable.”
The future may be uncertain, but OSINT’s place in it is not. As more data is shared online, more investigations will start and end online. OSINT investigators will continue to adapt to the widening technological landscape. This is a rapidly evolving field, but it’s also one that’s open to newcomers, and the learning curve isn’t as steep as it might appear.
“In OSINT, a very minimal amount of training can have a significant impact,” Wilder says. “There’s no barrier for entry. You just need time on your hands and interest in the subject. That’s really all it takes.”
Matt Zbrog is a writer and researcher from Southern California. Since 2018, he’s written extensively about the increasing digitization of investigations, the growing importance of forensic science, and emerging areas of investigative practice like open source intelligence (OSINT) and blockchain forensics. His writing and research are focused on learning from those who know the subject best, including leaders and subject matter specialists from the Association of Certified Fraud Examiners (ACFE) and the American Academy of Forensic Science (AAFS). As part of the Big Employers in Forensics series, Matt has conducted detailed interviews with forensic experts at the ATF, DEA, FBI, and NCIS.