OSINT techniques: Complete list of expert tactics for investigators

OSINT investigation techniques encompass approaches that you can use to investigate, collect, analyze, and convert open source information into intelligence. OSINT methods are used by investigative professionals and law enforcement around the world. Techniques range from social media intelligence (SOCMINT) to public records, domain infrastructure, open-source multimedia analysis, and more. Below are 100+ categorized OSINT investigation techniques.

OSINT techniques are procedures followed when researching information in public domains for intelligence purposes. These OSINT methods attempt to locate information in open sources, authenticate the validity of the information, correlate findings with other sources and create intelligence from the information, while staying within legal and ethical guidelines.

The 5 main intelligence disciplines represent types of source material that intelligence is collected from and interpreted through. OSINT is one of the five main intelligence disciplines. Intelligence is also acquired through human engagement, signal analysis, visual data, or scientific measurements in the other four areas.

1. HUMINT: Human Intelligence – Intelligence gained by way of interviews or human contacts/sources.
2. SIGINT: Signals Intelligence – Intelligence gathered by communications and electronic signals.
3. IMINT: Imagery Intelligence – Intelligence gained by analyzing imagery.
4. MASINT: Measurement and Signature Intelligence – Scientific and technical information obtained by sensor measurements.
5. OSINT: Open Source Intelligence – Derived from public information (internet, media publications, public government information, etc.).

OSINT differs from other intelligence disciplines in several important ways.

Legality and ethical use

Perhaps the most significant advantage of OSINT tradecraft is that it relies solely on information that is publicly available and/or obtained through legal means. Methods do not consist of hacking, cracking, password attacks, social engineering, or any other means to circumvent computer or physical security to obtain private data.

Because of this, OSINT is often regarded as both ethical and legal.

Non-intrusive collection

The techniques involved with OSINT are passive by nature. Unlike other forms of intelligence gathering, when conducting OSINT you’re only collecting what’s available in the public eye. Then, you process and analyze that information.

This is why OSINT is extremely useful for either assessments or opening stages of an investigation.

Diverse data sources

OSINT is also unique because of its sources. OSINT investigative methods pull from websites, blogs, news sources, public government records, social media, forums, multimedia files, and even the dark web.

With sources this diverse, analysts can obtain a full picture of who or what they are researching.

Analytical focus

Open source intelligence gathering isn’t simply about harvesting data. OSINT researchers spend a lot of time analyzing information they’ve gathered to create intelligence.

Whether you’re doing threat hunting, tracking digital breadcrumbs, or performing sentiment analysis, making sense of the information you collect is how you turn open-source data into actionable OSINT.

Scalability

OSINT research can range from small to massive in scale. You can manually search for information with nothing but a web browser. Or you can write scripts and use powerful tools to process huge volumes of information. You can grab bits of data or pull from multiple datasets to aggregate and correlate.

Timeliness and real-time insights

OSINT can be used to gain timely (and even real-time) intelligence. For example, monitoring social media or live news can provide awareness into what is currently happening on the ground. Uncovering emerging threats or even changes in public opinion.

Real-time awareness can be valuable for crisis management, cybersecurity and more.

Verification and cross-referencing

Unfortunately, open source data can be deceitful or include false information. Verification and cross-referencing of information is therefore an important part of OSINT techniques. OSINT analysts will not take any information they’ve uncovered at face value from just one source.

Instead, they will seek to verify it by gathering it through other means or reach out to independent sources who can validate the information.

By collecting information about the same topic from multiple sources, you can start to verify the intelligence you’re receiving.

Let’s take a look at some of the many tools, techniques, and methods used in OSINT today.

Social media analysis involves gathering information from social media sites. Although widely applied towards cybersecurity, journalism, investigations and threat intel purposes, professional social media analysis services exist for marketing and business competitive intelligence as well.

Below are OSINT investigation techniques related to gleaning intelligence from profiles, posts and activity on social media.

Network mapping and analysis

Network mapping and analysis lays out the relationships between users by tracking how users interact with each other through follows, mentions, replies, and reposts. Network analysis can be used to identify influencers or highly connected groups, as well as recognizing collusion from suspected disinformation spreaders within the same network or community.

Popular network mapping and analysis strategies are:

• Friend/follower analysis – Identify all social connections to and from a target for influence or association mapping.
• Link-analysis graphing – By measuring common likes, reposts, replies, and mentions, we can begin to draw connections and map a network.
• Hashtag/keyword networks – Identify communities and sentiment by following common hashtags or keywords.

Hashtag tracking

Tracking hashtags can allow one to follow trends, emerging discussions and how topics or information propagate.

Online communities can also be identified through analysis of hashtags surrounding a cause or campaign.

Common hashtag tracking techniques used in OSINT include:

• Frequency analysis – Tracking the frequency of a hashtag over a period of time.
• Mapping co-occurrences – Finding what other hashtags are commonly used with the chosen hashtag.
• Geotag and hashtag correlation – Correlating hashtags with location data in order to help pinpoint where a conversation is occurring.
• Identifying hashtag influencers – Identifying who is using a hashtag most.

Profile analysis

Profile analysis is collecting publicly available information about users’ profiles. This includes bios, location, follower/following counts, recent posts, etc. It’s useful for building a profile around someone or a group of people’s behavior and can be used to attribute an online alias to someone real.

Profile analysis includes specific OSINT methods such as:

• Screenname reconnaissance – Finding other accounts a user has that match the same screenname.
• Metadata analysis – Looking at the information public to everyone. Join date, follower/following, bios, times of activity, etc.
• Archived posts – Looking through older posts/timeline.

Social media geolocation techniques

Social media geolocation refers to techniques used to locate where someone or something is by analyzing social media data for clues. This practice can either mean identifying the latitude and longitude coordinates based off geo-location data from social media posts, check-ins, or EXIF data within photo/video documents.

Social media geolocation can also refer to the investigative process of pinpointing a user or social media item’s location through an analysis of their language, imagery of landmarks, weather conditions, or event-specific mentions. This location can then be compared to a map or public knowledge like flight records or event schedules to narrow down the location. Social media geolocation can be useful for investigation purposes, crisis response, or understanding how information spreads regionally.

Examples of social media geolocation OSINT techniques:

• Geo-tagged posts – Location data given by GPS coordinates or social media location tags (photo posts, social media statuses, location check-ins).
• Reverse image searching – Analyzing photos using Google Reverse Image Search or another EXIF viewer.
• Location cross referencing across platforms – Finding matching mentions of locations on different social media platforms.

Keyword monitoring

Social listening platforms search public social media channels for keywords. Useful for catching early mentions of potential threats, your brand, or what people are saying about a live event.

Keyword tracking is done using these OSINT techniques:

• Boolean search – Using search operators (AND, OR, NOT) to refine social media searches for keywords.
• Real-time keyword alerts – Setting alerts to notify you when certain keywords are mentioned.
• Sentiment searches – Running sentiment analysis to return high positive or negative keyword mentions.
• Clustering around topics of interest – Finding related keywords to track the evolution of conversation.

Image analysis

Images shared on social media can be analyzed for clues found in the visual content of faces, logos, landmarks, etc. In addition, metadata can provide important information (EXIF data when available). Reverse image searches can be conducted to determine where else the image has been posted online, or to verify whether an image is legitimate.

Some image analysis OSINT investigation techniques include:

• Reverse image search – Finding where else an image has been posted online (via Google Images, TinEye, etc.). Example: Identifyif.co .
• EXIF data extraction – Reviewing metadata included in an image (if available) which may include camera make and model, GPS location, date/time stamps, etc.
• Visual object recognition – Finding faces, landmarks, logos, or other easily recognizable objects within an image (using AI/ML software).
• Pixel error level analysis (ELA) – Identifying edited or manipulated areas in an image based on compression artifacts.

Temporal analysis

Examining when posts were made may show patterns in the data. This could be the time a user usually posts or the speed at which information spreads. The time posts are made can also identify time zone hints and correlate online events with real world events.

Some examples of time-based analysis techniques used in OSINT:

• Posting timeline – Keeping track of when a user posts. This can identify possible time zones or posting habits. This is a feature available in ShadowDragon® Horizon®.
• Event Correlation – Correlating the timing of posts to large scale events/incidents.

Cross-platform correlation

Activity and content across platforms are correlated together. This is useful in tying together multiple accounts of one user by matching usernames, photos, or writing style.

How to use cross-platform correlation in OSINT:

• Identity stitching (aka identity resolution) – Associating accounts together by matching reused photos, usernames or analyzing writing style.
• Content duplication – Searching for content that has been posted/reposted on other common social media platforms to discover where it originally came from.

Fake account detection

Fake account detection OSINT involves identifying suspect accounts through commonalities found throughout their profile. Fake accounts often have bad grammar/spelling, default usernames/profile pictures, minimal interactions with other users or overposting/reposting. Network patterns and similarities in content can be used to analyze if this is simply spam posting or part of a coordinated attack.

Some methods of fake account detection OSINT can consist of:

• Looking for common profile patterns – Suspicious usernames, typos, profile pictures, times of posts, etc.
• Engagement analysis – Scammers may show little interaction (likes/comments) to their high levels of posting or followers.
• Fake networks – Audit the ratio of followers/following and comb through fake accounts.
• Copy/paste posts – Exact match posts that have been distributed through multiple fake accounts or botnets.

Geolocation Techniques refer to methods used to determine the physical location of something using open-source data. Geolocation can be performed by identifying visual indicators in images and videos, satellite imagery/maps, metadata, and comparing information such as social media posts and public records.

OSINT practitioners use geolocation methods to verify open-source data and gather context. Below are several techniques one can utilize when trying to geolocate data during an OSINT investigation.

Geotagging information

Geotagging data is metadata added to a digital file that points to geographic coordinates or a place name. This can be extracted by analysts to see where a photo was taken or where a social media post was made. Geotagging can allow analysts to gather direct and possibly precise location data.

Below are some geotagging techniques you can use during an OSINT investigation:

• Extract EXIF data – Extract embedded GPS location data from image files using a tool like ExifTool.
• Searching social media – Check geo-tagged social media posts on popular social media networks.
• Perform a reverse image search – Run the picture through a service like Google Images or Yandex in case someone else has posted the image with the location tagged.
• View shared photos on a map – View geotagged photos uploaded to Flickr that have been clustered on a map.

Usage of satellite imagery

Satellite imagery allows analysts to look at an overhead view of a location to confirm locations seen in photos or check for changes to a landscape overtime. Analysts can pull up the location in Google Earth or Sentinel Hub and overlay what they know about a subject to help verify what they are looking at matches terrain, infrastructure, or vegetation in the real world.

Specific satellite imagery techniques used in OSINT include:

• Google Earth/Maps – Terrain, features and infrastructure found in the image compared with satellite imagery.
• Yandex, Bing, or HERE Maps – These mapping platforms may offer imagery from different dates or angles.
• Street View matching – Looking for an exact match using Google Street View or Mapillary.

Location-based services

Location-based services (LBS) are applications that collect and track location information using GPS, Wi-Fi, or cellular data. In OSINT, location-based services can refer to using location information disclosed by users from apps or social media platforms.

Examples of location-related OSINT techniques:

• Mobile application data leaks – Finding apps on a device that leak location data via API or insecure connection.
• History of check-ins – Using social media platforms, Swarm, or Google Maps Timeline (if available) to collect check-in information or visit history.
• Bluetooth proximity data – Collecting proximity information to other nearby devices using an app or service that records proximity information.
• Geolocation APIs – Leveraging a Geolocation API such as Google Maps API or OpenCelliD to approximate device locations.

Wi-Fi SSID mapping

Determining the Wi-Fi network name (SSID) and its associated BSSID (MAC address) can allow for geolocation of that BSSID. Sites such as WiGLE.net aggregate crowd-sourced information which can associate those values to a geographic location.

Some specific Wi-Fi SSID mapping techniques include:

• Searching WiGLE.net – Provide a BSSID or network name to WiGLE.net and see if they have mapped it to a location.
• WarDriving or examining public Wi-Fi logs – Searching public Wireless access point logs or capturing wireless signals legally.
• Correlating image metadata – Searching through SSID and BSSID information embedded in image metadata and cross-correlating with known AP locations.
• SSID name standards – Use the standard of how SSIDs are named to determine an approximate location (e.g., venue names).

Image and video analysis

Image and video analysis encompasses identifying visual markers in images or video. These can include landmarks, street signs, vegetation, building structures, etc., that can help pinpoint where an image/video was taken.

Examples of image and video analysis OSINT techniques:

• Landmarks and natural features – Taking unique features found in pictures.
• Street signs and languages – Analyzing signs/language found in picture/video to narrow down locale.
• Shadows/sun position – Estimating the approximate time and direction from shadows
• Metadata (EXIF data) – Retrieving GPS coordinates/times if they are recorded.
• Weather matching – Comparing weather patterns visible in media to historical weather data.

IP geolocation

IP geolocation services identify where a person accessing the internet is physically located, using their IP address.

Examples of IP geolocation methods utilized in OSINT include:

• Public IP lookup tools – Search for an IP address using services such as IPinfo.io, MaxMind GeoIP, or iplocation.net.
• Comparing timezones – Correlating timestamps can help narrow down locations.
• Checking IP history – Lookup past locations of an IP via SecurityTrails or ViewDNS.
• Tor/VPN detection – Determine if an IP is hidden for legitimacy.

Domain and IP address analysis OSINT techniques are investigative processes used to analyze domain names and Internet Protocol (IP) addresses with tools and resources that are available in the public realm.

These tools can be leveraged to gain insight into various information about websites or online activity such as structure, ownership, history, behavior, and threats.

Using domain and IP address analysis, you can trace digital artifacts back to countries, organizations, or individuals. You can also perform investigations into suspicious domains to determine if they’re legitimate or pose a threat. Here are some domain and IP address analysis techniques you can use for OSINT.

WHOIS lookup

WHOIS searches can be used to discover registration information tied to domains including registrar, registration and expiration dates, as well as contact information if privacy is not protected. WHOIS data can be helpful in associating domains with people, businesses or other organizations as well as identifying commonalities across domains.

There are a few variations of WHOIS lookups used in OSINT:

• WHOIS databases (WhoisXML API, who.is) – Look up domain ownership, registrar, and contact information.
• Reverse WHOIS searches – Find other domains that have the same email addresses, organization name or registrant name associated with them.
• Registrar / registration pattern discovery – Search for other domains using the same infrastructure (same registrar, name servers, etc.).

Reverse IP lookup

When performing reverse IP lookups, you’ll find all the domains pointed to by an IP address. Security researchers use reverse IP lookups to discover other sites affiliated with a given website. This can include sites belonging to the same company. Shared hosting can also be revealed using reverse IP lookups.

Typical uses for reverse IP lookups include:

• Search SecurityTrails or ViewDNS to uncover additional domain names associated with the same IP address.
• Finding common infrastructure by matching groups of sites with shared hosts.
• Finding shared hosting – Expose relationships between websites hosted together.

DNS enumeration

DNS enumeration is the process of using DNS queries to extract information about the domain name configuration and services hosted on a domain.

This can involve:

• Query tools like dig or nslookup – Extract A, MX, TXT, and NS records and SPF, DKIM, and DMARC policies.
• Parsing mail/name server records – Determine use of third-party services or incorrectly configured DNS records.
• Reviewing DNS delegation – Map how control is distributed across infrastructure.

Subdomain enumeration

Subdomain enumeration identifies domains located under a domain.

Listed below are some targeted subdomain enumeration techniques useful for OSINT:

• Search Certificate transparency logs such as crt.sh – Returns subdomains served over SSL.
• Use tools such as Amass or Sublist3r – Crawls websites for subdomains by both passive and active querying.
• DNS brute-force with wordlists – Discover obscure services.

SSL certificate analysis

SSL certificates contain metadata such as issuer, expiry date, valid domain names, etc.

Tactics include:

• Search engines for certificates like Censys or Shodan – Inspect certificate relationships.
• Look for SAN fields – Discover other domains bundled with certificate.
  Expired/reused certificates – Follow infrastructure reuse.

Port scanning

Port scanning is used to identify services running on an IP address.

Common port scanning OSINT methods are:

• Nmap or masscan scans – Identify open ports and the services running on them.
• Shodan can be used for passive scanning – Identify services that have previously been exposed.
• Banner and version analysis – Identifies specific software versions and configuration information.

Domain history tools

Domain History will reveal previous owners and changes made to the configuration.

Here are some domain history tools and tricks:

• DomainTools and SecurityTrails – View historical WHOIS and DNS records.
• Past name server and registrar data – Discover past ownership.
• Map reputation against change – Create a timeline to visualize reputation with infrastructure changes.

IP block analysis

IP block analysis allows analysts to see what larger block of network addresses an IP address falls into.

Some simple approaches to IP block analysis include:

• Looking up ASN with bgp.he.net or similar – Determining who controls the IP range.
• Mapping IPs to ASN – Finding associated IPs.
• Cluster analysis of IPs – Grouping together network infrastructure controlled by the same group of people.

Public records OSINT research is the process of locating, verifying, and connecting official documents and government records that are available to the public by law. These can range from background information on individuals and businesses to real estate, litigation, and financial transactions.

You can leverage public records during an OSINT investigation to help confirm identities, uncover associations and networks, establish links between individuals you’re researching, and uncover patterns such as prior ownership. Below are just a few examples of public records you’ll encounter during OSINT research.

Court records

Court records can give you access to litigation documents. This can range from criminal charges, to civil complaints, judgments, and dockets.

Ways to utilize court records for OSINT:

• Use PACER and local court databases – Search federal and state level cases, rulings, and verdicts.
• Utilize Justia and CourtListener – Search public dockets, party names, and case summaries.
• Review litigation history – Determine if your subjects of interest have a history of lawsuits.

Property records

Property records contain information on real estate ownership, transactions, and assessments.

OSINT resources for property records:

• County assessor/recorder sites – Search deeds, ownership, property taxes.
• Parcel and GIS maps – View property lines, zoning, and building structures.
• Timeline of ownership – Identify past owners of the property.

Vital records (birth, marriage, death records)

Vital records are great sources for biographical information that can help confirm identities and relationships.

OSINT tips for vital records:

• Ancestry and FamilySearch – Search historical records.
• State vital records offices – Request copies. Some states will issue certified copies via online requests.
• Cross-reference with obituaries or announcements – Help confirm identities or relationships.

Corporate filings

Corporate filings detail the formation, organization, and management of companies.

OSINT examples for corporate filings:

• Secretary of State registries – Search businesses for registration information.
• OpenCorporates and EDGAR – Search corporate disclosures and filings.
• Past filings – Look for prior owners or leadership.

Licensing and permits

Licenses and permit information shows if someone or a business is legally allowed to operate.

Here are some examples of license and permit searches you can run to gather data:

• State and local licensing agencies – Look up licenses and permits.
• Professional certification directories – Verify someone’s credentials for certain licensed jobs.
• Business licenses – Locate businesses.

Bankruptcy records

Find out who filed for bankruptcy, who their creditors are, and what assets they declared.

Here are some OSINT methods for researching bankruptcies:

• PACER bankruptcy search – Search U.S. bankruptcy filings.
• Bankruptcy monitors – Keep track of who has gone insolvent.
• Asset searches – Determine what someone owns.

Political donations

Records of political donations can show connections, who is funding what influence, and political bias.

Here are a few tools and techniques:

• FEC.gov and OpenSecrets.org – Look up federal-level contributions.
• FollowTheMoney.org – Investigate state-level contributions.
• Donor pattern analysis – Find patterns of repeat donations.

FOIA requests

FOIA (Freedom of Information Act) allow you to access government documents that have not been released to the public.

FOIA methods you can use as part of OSINT:

• FOIA.gov and individual agency sites – File requests and monitor their progress.
• MuckRock – File requests and search through existing requests.
• Review documents before they’re released – Compare news reports to actual released documents.

Advanced search techniques for OSINT involve methods and strategies you can use when leveraging search engines and other online tools to find relevant information that’s sometimes obscure information from public sources.

When performing open-source intelligence investigations, advanced search operators allow you to refine your results and home in on that specific information you seek rather than simply typing into a search engine. Below are some examples of advanced search operators you can use for OSINT.

Boolean operators

Boolean operators allow you to add or exclude keywords from your searches to help narrow down your results or increase specificity.

Here are some examples of advanced Boolean search operators you can use for OSINT:

• AND, OR, NOT – Includes keywords to widen or limit your results (“CEO” AND “resigned”).
• “ ” – Requires an exact match (“internal audit report”).
• ( ) – Used to group logic together to establish an order of operations (“data breach” OR “security incident”) AND “2023”).

Site-specific searches

Site specific searches allow you to glean information from a particular website or domain.

These techniques include:

• site:domain.com – Search within a specific site. (site:linkedin.com “John Smith”).
• Searching .gov and .edu sites – Access official information (site:.gov “global warming report”).
• Searching social media or forums – Searching for forum posts or comments (site:reddit.com “insider trading”).

File type searches

Filters by file type only show results that are downloadable files such as PDFs or spreadsheets.

Here are some examples:

• filetype:pdf, filetype:xls, etc. – Searches for results that are files of a type. ( filetype:xls “salary sheet”).
• You can use keywords for finding specific information. ( filetype:ppt “project plan”).
• Search for whitepapers by using filetype:pdf (“sensor tuning manual”).

Searching by language

If you know the language used by the records you’re seeking, try searching in that language. You can often find things that don’t show up in English.

Tips for language-specific searches:

• Google language preferences – Select your language before you search Google.
• Keyword translation – Use keywords in the original language.
• Search local newspapers – Find media that publishes in the language you want.

Time-restricted searches

When you limit your search by dates, you only get results with a publication date that falls in the range you specify.

Techniques include:

• Using search engine tools – Limit your results to a particular day, month or year.
• Follow news as it breaks – Watch how stories develop.
• Find newly released information – Limit your search to results published recently.

Cache and archive searches

Deleted or modified information can sometimes be found in cached copies of pages or archives.

Here are some ideas:

• Google cache – View cached copies by appending cache: followed by the url.
• Internet Archive (Wayback Machine) – Search past snapshots of pages.
• Archive.today and others – Take a static snapshot of a page.

Reverse image search

Reverse image searches are used to find where an image came from and where it’s been used elsewhere.

Options include:

• Google Images and TinEye – Paste/upload the image and search for similar images.
• Extract EXIF data – See when and where a photo was taken.
• Forensic analysis – Determine whether an image is a deepfake or real.

Deep web searches

Websites on the deep web can’t be found with normal search engines.

You can search them like this:

• Database searching – Use academic, legal or commercial search portals.
• Finding internal search results – Search the site itself.
• Aggregating search results – Pull together results from multiple hidden sources.

Forum and community OSINT investigation techniques are methods that help you gather and analyze data from online forums, message boards, and internet communities. They utilize open sources to identify patterns, uncover threats, gather sentiments, or collect intelligence on certain topics or groups of interest.

Here are some of the most common OSINT investigation techniques for forum and community monitoring.

Niche forums

Monitoring niche online forums allows one to see potential insider information and identify subculture trends and early signs of conversation around potential topics of interest.

Below are some examples of OSINT techniques specific to targeted forums:

• Searching niche communities – Searching site:stackexchange.com or site:forum.bodybuilding.com.
• Identifying regional or hobby-based forums – Searching site:shroomery.org “microdosing report”, for example.
• Discovering obscure forums through search engines – For example, intitle:”forum” AND “supply chain disruption”.

User behavior analysis

Examining the patterns of posting, frequency, tone, and topics of interest can allow you to develop a behavior profile.

Some techniques for behavioral analysis:

• Posting frequency / timing – Identify outliers (ie someone that posts only late at night)
• Tone/topics of posts – Analyze motive & interest over time.
• Monitoring shifts in behavior – Watch for changes in behavior (ex: aggression, organizing).

Keyword alerts and topic tracking

Keyword alerts allow you to track conversations as they happen.

• Create alerts – Get notified when your keywords are mentioned.
• Track keywords across communities – Monitor your topics for growth or shifts.
• Add keyword layers – Filter your keywords to further refine your topic.

Engagement analysis

Tracking engagement will allow you to see who has an impact on content and who is affected by it.

• Tracking comments, likes, and forwards – Monitor what’s popular.
• Flag viral conversations – Determine what makes a post go viral.
• Identify power users – See who is driving the conversation.

Username tracking

Monitoring usernames across platforms helps you link identities together.

Alias correlation – See when a person is using the same alias.

Username breakdown – Analyze for commonly identifiable information.

Searching leaks – Attach aliases to identities when available.

Thread analysis

Analyzing threads allows you to see how conversations evolve and where key information is divulged.

• Timestamp analysis of posts – Follow the narrative as it happens.
• Identifying opinion leaders – See who is driving the conversation.
• Spotting planted false flags – Identify false/misleading information.

Network mapping

Mapping interactions allows you to see networks of influencers or coordination

• Creating interaction graphs – See the connections.
• Identifying hubs – See who is central.
• Mapping interactions across threads – Find repeated connections.

Temporal analysis

Temporal analysis follows the timing and frequency of posts to identify patterns.

• Tracking frequency – See if there are bursts related to events.
• Cross-platform time alignment – Find synchronized messaging.
• Day-night cycles – Determine where people are likely coming from.

Dark web forums

Keep tabs on dark web forums to gain visibility into criminal activity and adversary behavior.

• Browse via Tor – Search for hidden websites and forums.
• Search dark web search engines – Use specialized tools like Ahmia.
• Monitor chatter – Monitor mentions of tools, techniques, and dumped data.

Community sentiment analysis

Using NLP tools, investigators can evaluate the overall community sentiment.

• Using NLP tools – Flag positive, negative or aggressive language.
• Tracking emotional tone over time – Identify spikes in sentiment during specific time periods.
• Language trends – Identify mobilization or shifts in opinion.

Forum archiving

Archiving keeps transient or deleted posts around for future reference.

• Wayback Machine – View historical content.
• Download static versions – Save HTML or PDF output.
• Automated backup – Archive content for safekeeping.

Cross-platform correlation

This correlates communication across platforms to determine relationships/collaboration.

• Connecting topic discussions across platforms – See how a story moves from platform to platform.
• Correlating memes or key words – Spot replication.
• Finding multi-platform users – Link users across forums.

Automation

Gather mass amounts of data all at once and monitor constantly with automation.

• Running Python scripts – Beautiful Soup or Scrapy.
• Browser automation – Puppeteer or Selenium.
• Schedule repeat crawls – Continuously monitor changes.

Video and audio analysis for OSINT are processes used to analyze visual or audio data that is publicly available to watch or listen to. OSINT video and audio analysis techniques gather information from video and audio feeds then sift through that data.

Processes can consist of computer vision, object recognition, audio matching, speech-to-text, facial recognition, and emotion recognition to find patterns or topics/subjects of interest.

Metadata examination

Extracting metadata off video/audio files can sometimes provide you details about when and where it was recorded, what device and software was used to create it, etc.

• Use ExifTool or MediaInfo – Extract metadata present in headers.
• Cross-reference GPS/timestamps – Correlate time and location data with known events and locations of interest.
• Device identification – Identify common devices across different media samples.

Audio transcription

Transcribing audio will allow you to analyze text data and extract keywords.

• Speech-to-text tools such as Whisper or Google Cloud Speech-to-Text – Automate the transcription process.
• Manually transcribe audio – Manually transcribing confusing audio can help with accuracy.
• Keyword extraction – Look for names, orgs, events.

Video background analysis

Backgrounds can provide location hints and contextual information.

• Frame by frame analysis – Check for landmarks, signs, surroundings.
• Reverse image searching – Confirm locations.
• Cross reference scenes – Similarities between videos.

Voice recognition

Speaker recognition is used to determine who made a recording.

• Voice biometrics – Compare pitch, tone, speaking rhythm.
• Speaker diarization – Determines who is speaking when listening to recordings.
• Compare with known samples.

Object recognition

Object recognition detects individuals, cars, and other objects within video footage.

• YOLO or OpenCV – Detect and classify objects.
• Identify guns/cars – Compare objects to known variants.
• Motion tracking – Follow objects as they move throughout scenes.

Background noise analysis

Background noise may provide hints as to the context of a recording, such as where it took place or what time of day it occurred.

• Spectrogram analysis – See a visual representation of sound frequencies.
• Detect ambient sounds – Identify background noise.
• Audio fingerprinting – Compare audio that was captured in similar locations.

Video timestamp analysis

Timestamps can indicate when a video was taken.

• Timestamp analysis (embedded in video) – See if there is a timestamp or one found in metadata.
• Frame counting (clock jumps) – See if there are any edits or tampering.
• Comparison to known times – See if it lines up with reported times.

Deepfake detection

Detecting deepfakes means finding the media that has been synthesized/generated.

• Using Deepware or Microsoft Video Authenticator to detect if media is synthesized.
• Looking at artifacts within each frame.
• Listening for AI generated voices.

Sentiment analysis

The tone and intention behind words is determined through sentiment analysis.

• Detect whether sentiment is positive, negative, or neutral. NLP tools can be used.
• Identify urgency, calmness, aggressiveness, etc. through emotion detection.
• Recognize sarcasm, rhetoric, and tone through contextual analysis.

Feature extraction

Feature extraction pulls important attributes from media.

• Detect faces/voices by looking for frequently occurring landmarks.
• Keyframe selection – Skim through video media and detect frames that encompass the entire media.
• Feature vector generation – Convert media into an input for machine learning.

Pattern recognition

Pattern recognition allows you to spot repeated behaviors or sequences.

• Machine learning classifiers – Find repeating patterns.
• Behavioral mapping – Look for routines or anomalies.
• Timeline stitching – Piece together information from multiple sources to form a timeline.

Speech and facial recognition

Speech to text and facial recognition technologies can help you identify individuals from video and audio recordings.

• Face recognition tools such as Clearview AI or Amazon Rekognition – Match a face to your dataset.
• Speech identification – Use voiceprints to match a voice to a known person.
• Multimodal fusion – Correlate voice and facial recognition data.

OSINT data aggregation tools refer to services or software applications that help to gather publicly available information from multiple sources, organize the data and normalize it for consumption. These tools help analysts find links or patterns.

They aggregate information already present in open sources such as social media, public records, forums, blogs, news websites, dark web, etc. into one searchable database.

There are different types of OSINT tools for data aggregation.

Search aggregators

Search aggregators search through multiple search engines or databases at once.

• Startpage and DuckDuckGo – Meta search engines.
• Carrot2 and MillionShort – Specialized search engines (aggregate results from databases).
• Use advanced queries (Boolean operators) to filter results from most search engines.

Social media aggregation

These tools aggregate publicly available content from social networks.

• BuzzSumo or Meltwater – Track clicks, impressions, etc.
• Search tweets/mentions (grouped by hashtag).
• Search geotagged content.

Custom databases

These tools compile OSINT into searchable databases.

• HaveIBeenPwned – Lookup breach data.
• Domain/IP databases (e.g., WhoisXML or DomainTools) – Investigate infrastructure.
• Creating internal databases – Aggregate research results.

API integration

APIs let you collect data programmatically at scale.

• Plug into APIs provided by services or tools such as Shodan or ShadowDragon® SocialNet®.
• Maltego and SpiderFoot – Import from third party sources.
• Build your own scrapers – Automate repetitive queries.
• APIs allow you to collect data automatically at scale.

Data visualization

Use visualization tools to display data as charts, graphs, or maps.

• Link analysis applications (ShadowDragon® Horizon®) – Map links between individuals and other data, including businesses or aliases.
• Timeline visualization tools – View activities overtime.
• Geographical Mapping – Plot data on Google Earth, ArcGIS, etc.

Custom web crawlers

Web Crawlers will search and index targeted websites.

• Scrapy or BeautifulSoup Libraries – Develop custom crawlers.
• Tor / I2P Web Crawlers – Index the dark web.
• Trending Graphs – View changes over time.

Threat intelligence platforms

Platforms that collect cybersecurity intelligence into actionable threats.

• Recorded Future or ThreatConnect – Correlate Signals
• Track threat feeds – Uncover suspicious activity or data breaches.
• Network IOC enrichment – Provide context around threats.

Social media listening tools

Tools that monitor keywords, sentiment, and mentions across social media.

• Brandwatch or Talkwalker.
• Set alerts to monitor breaking news.
• Analyze sentiment and trends.

OSINT networking and collaboration techniques

Follow these OSINT networking and collaboration tips to connect with and collaborate with fellow OSINT enthusiasts.

Join online communities

OSINT subreddits and forums – Share your knowledge and learn from the community about OSINT tools and cases.

• Slack, Discord, or Telegram groups – Discuss interesting discoveries.
• OSINT blogs and websites – Keep up with news and follow leaders in the OSINT industry.
• OSINT subreddits and forums – Connect with other OSINT users to discuss tools and cases.

Participate in webinars

• Learn from the experts by attending trainings like SANS OSINT Summit or Layer 8 Conference.
• Ask questions and network with like-minded individuals during live sessions.
• Review recordings for additional training.

Crowdsourcing information

• GeoConfirmed – Join efforts to verify information.
• Social media CTAs – Ask for crowds help.
• Open source mapping tools (OpenStreetMap or Wikimapia).

OSINT communities

• Trace Labs – Join OSINT competitions.
• OSINT Curious – Learn from the pros.

Collaborative platforms

• GitHub – Host and share tools and research.
• Google Workspace or Notion – Keep everything organized.
• Trello or Miro – Workflow management.

Crowdsourced investigations

• Break down tasks into microtasks that contributors can do.
• Have shared dashboards and logs.
• Configure secure portals for users to submit information.

Professional networks

• Participate in social media groups. Follow thought leaders.
• Attend industry conferences.
• Attend meetups that cross industry groups.

Information sharing groups

• ISACs – Share information with folks in your industry.
• Private email lists or Signal groups.
• Feed tools (Feedly, Octoparse).

Advanced OSINT techniques involve more complex methods and technology. You use them to streamline your Open Source intelligence collection and analysis process.

Technical OSINT will allow you to dig deeper than surface-level data. Learn how to spot trends and turn your findings into useful information.

Sock puppet accounts and anonymous research profiles

Sock puppets are fake identities used to collect information or observe behaviors anonymously.

Building plausible personas – Construct believable profiles with supporting digital breadcrumbs.

Combatting browser fingerprinting – Cover your tracks with VM’s, Tor, etc.

Operational security (OPSEC) – Don’t let your real profile know about other profiles in use.

Data mining and big data analysis

Data mining is discovering patterns from large datasets.

• Mining big lists – Collecting data from social networks/sites, forums, archives.
• Frequency / sentiment analysis – Gauging spikes over time.
• Triangulating databases – Combine datasets to create profiles.

Machine learning and AI

Automate identification/pattern recognition with machine learning and AI.

• Facial recognition – Compare imagery on multiple platforms.
• NLP parsing – Pull entities from text.
• Clustering algorithms – Identify similar behavior/entities.

OSINT automation with Python and scripting

Automate repetitive OSINT tasks.

• Automated data collection with Python libraries (BeautifulSoup, Scrapy, Selenium, etc.).
• Schedule jobs (e.g., CronJobs).
• Build custom tools.

Cross-referencing OSINT with HUMINT

Pairing OSINT findings with HUMINT allows you to see the whole picture.

• Interviews can confirm or deny what you discover online.
• Interviews can add context or first-hand knowledge to your OSINT.
• Reach out to journalists or those on the ground.

Data correlation and pattern recognition

Finding patterns among datasets can link pieces of information together.

• Matching pseudonyms across platforms – They are the same person.
• Mapping relationships – Horizon® or Obsidian Canvas can help.
• Network analysis – Look for clusters and ties between individuals.

Threat intelligence

Advanced OSINT allows you to detect and predict security threats.

• Searching dark web forums – Spot developing threats.
• Researching TTPs – Determine threat actor behavior.
• Creating predictive models – Predict risks/events.

Cross-platform correlation

Find patterns and attribution by correlating intelligence across platforms.

• Matching usernames – Identify aliases used across platforms.
• Compare post and metadata – Link posts/profiles.
• Image and video matching – Detect copied/pasted images/videos.

Predictive analytics

Analytics that determine likely future events based on past/present data trends.

• Forecasting civil unrest – Predicting riots, protests, etc.
• Fraud/risk prediction – Predicting monetary damages/disturbances.
• Action prediction – Predicting behaviors based on historical data.

Physical OSINT techniques refer to research about physical places, events, or persons using open sources. You can consider these techniques both an investigation technique and human intelligence research that just exists in digital space but for the physical world. Physical aspects of OSINT can be used to help with geolocation, behavior analysis, and situational awareness.

Journalism, crisis mapping, protest monitoring, due diligence, and regular old-fashioned investigation research.

Here are some OSINT techniques you can utilize for physical intelligence.

Public records search (property records, court records, business registrations)

Records available to the public give you an idea who owns what, who is affiliated with whom and what legal actions have taken place.

• Searching property records on your local property tax assessor website or county clerk website – Determine who owns what and who transfers property.
• Searching court records – Look for civil, criminal, or bankruptcy records.
• Searching business registries – Business databases or sites like OpenCorporates.

Open source mapping tools

Maps can help you discover and confirm locations.

Google Maps, OpenStreetMap, Bing Maps – Look at geography and road/building networks.
Google Street View, Mapquest traffic – Check location accuracy with Street View or satellite images.

Google historical images – Look at past imagery.

Drone surveillance

Drones provide investigators with live imagery. Always abide by all local regulations and privacy guidelines.

• Documenting physical structures/crowd size – Capture overhead imagery.
• Monitoring changes on the ground – Track development or destruction.
• Crowd sourcing intel for humanitarian operations – Map disaster zones.

Field interviews

Interviews allow you to collect first person accounts to add context to your OSINT.

• Casual interviews – Talk to people on the ground.
• Collecting anonymous tips – Set up a form or hotline.
• Validating reports – Fact check online reports with people on the ground.

Satellite imagery analysis

Gain insights from satellite imagery you can view from afar.

• Sentinel Hub, Google Earth, Maxar – Monitor places in bulk.
• Detect changes – Analyze imagery from different time periods.
• Mark images – Tag and share regions of interest.

Public event monitoring

Crowd tracking can uncover the action and behavior of groups of people.

• Analyzing live streams – Monitor events on social media.
• Track hashtags – Aggregate real-time data.
• Find organizers – Locate prominent figures.

Leveraging public interviews

Interviews conducted by other sources can help identify people/places and provide first-hand information.

• Pulling out statements/sayings – Can be used as potential leads.
• Observing background information – Look for clues.
• Authenticating the interview – Validate with alternate sources.

Cross-referencing with OSINT data

Pair information you discover in the field with information you discover online.

• Person’s name/picture with social media accounts – See if they match.
• Timelines — Do events line up?
• Photo GPS/data with imagery

Crowdsourced mapping

Crowdsourcing websites will map incidents and dangers as they happen.

• Ushahidi or Humanitarian OpenStreetMap efforts.
• Mapillary/Wikimapia – Verify crowdsourced photos.
• DIY Maps – Gather geotagged contributions.

Consider using an OSINT checklist to help you keep things structured and ethical when applying these methods.

Here are 15 of the most popular OSINT tools that cover everything from collection to analysis to monitoring for every step in the intelligence cycle:

1. ShadowDragon® Horizon®: Intuitive, browser-based link-analysis platform that collects, maps and monitors publicly available information from 600+ sources. In addition to the surface web, you can collect and analyze intelligence from deep and dark web sources.
2. ExifTool: A simple tool that extracts metadata from images and documents. Great pieces of metadata to analyze are coordinates hidden in images or properties inside documents.
3. DNSDumpster: DNS reconnaissance tool that uncovers domains and subdomains along with their entire supporting internet infrastructure. DNS reconnaissance tool.
4. Google Earth Pro: Offers analysts a geospatial analysis platform that can take advantage of Google’s large library of satellite imagery and terrain. Researchers can also access historical satellite imagery.
5. SpiderFoot: Automates OSINT collection by attacking your initial search terms with dozens of modules. These modules help find related domains, IPs, emails and much more.
6. Shodan: A popular tool to search for internet connected devices. Find servers, IoT cameras, bugs and services that are exposed to the internet.
7. Censys: Captures full packet network data to gain visibility into certificates, assets and the supporting internet infrastructure.
8. DomainTools: Allows you to perform in-depth domain and DNS research. Conduct research with tools like WHOIS history and domain risk scoring.
9. Gephi: Use Gephi to map and visualize complex relationships between people and companies, as well as devices.
10. theHarvester: Collect emails, subdomains, usernames, passwords and other intelligence from public information sources.
11. DeHashed: Search through breached databases for emails, passwords and accounts.
12. X-Ray Contact: Email validation and email relationship tool. Find connections between email addresses, names, companies and digital identities.
13. SecurityTrails: Gain access to historical DNS records and domain info, as well as the underlying infrastructure.
14. Meltwater: Monitor publicly available information sources for brand mentions and sentiment. In addition to social media, monitor news sources and websites (including blogs).
15. Recorded Future: Get real-time threat intelligence gathered from web sources. In addition to standard open sources, gather intelligence from technical and dark web sources. Recorded Future is now part of Mastercard.

For more on the leading OSINT tools, including both free and paid options, check out 24 best OSINT tools for advanced intelligence gathering in 2026.

There are hundreds (even thousands) of OSINT tools, but fortunately, you don’t need to learn every tool. Instead, focus on building a repeatable workflow that accomplishes your goals. While OSINT can be used in various situations and for various purposes, there are some fundamental elements that remain consistent:

1. Know what you’re looking for
2. Collect open data
3. Validate it
4. Convert it into actionable intelligence

We’ll break down how to get started below.

Starting points

Begin with simple questions and/or things you’re already curious about in daily life. Pick a low-risk subject (business, person, website) and try to answer specific questions about it using only public information.

Things to learn:

• Google Dorks (advanced searching using operators and filters)
• Where to look for data (social profiles, website domain records, public records, etc.)
• How to validate information (reference 2+ outside sources)

The key to a successful OSINT investigation is to collect valid data points and link them together accurately to paint a fuller picture.

Tools to learn first

Here’s a short list of useful tools to help you master the basics:

• Web browser: Having a browser profile you dedicate solely to OSINT research will help isolate your activity
• Search: Dork Assistant to generate effective advanced Google Search operators (a.k.a. Google Dorks)
• Metadata lookup: ExifTool
• Domain and network lookup: DNSDumpster, DomainTools for WHOIS lookup
• Automation: SpiderFoot
• Link analysis, enriching info and monitoring: ShadowDragon® Horizon®

Optional but helpful:

• VPN for privacy
• Notes tool to record your findings

Learning to use a few tools well will help you master OSINT investigations more effectively than downloading hundreds of tools that you don’t need or know how to use.

Legal and ethical concerns

Just because you can find publicly available information doesn’t mean you can use that information in any way you choose. OSINT deals with open data. Never hack devices or passwords, and never circumvent access controls to gain access to information.

Use OSINT for ethical, constructive purposes. Don’t use your skills to spy, harass, or invade privacy.

Always double and triple check your sources. Just because you found it in a Google search doesn’t make it true. Open sources can also be forged, so always cross-reference information.

A good rule of thumb when it comes to ethical, responsible OSINT is this:

If you have to ask yourself if what you’re doing is ethical, chances are it’s not. 

Beginner OSINT workflow

Follow this beginner-friendly workflow to conduct your first few OSINT investigations.

1. Identify your objective. For example: “Uncover publicly available information about XY Corporation’s online activity.”
2. Google it. Use advanced search operators (Google Dorks) like site: and filetype: to search deeper than the page-one SERP.
3. Search other sources. Don’t rely solely on Google. Search social media profiles, company websites, subdomains, blog posts, press releases, news sites, public records, etc.
4. Conduct a deeper analysis. Metadata can show you who uploaded an image, where it came from, etc. Look up domain registration records to see who operates a website.
5. Validate your findings. Confirm that key details you discover are available from two or more external sources.
6. Connect the dots. Find relationships between individuals, domains, groups, and businesses. (Use ShadowDragon® Horizon® for advanced correlation and link analysis.)
7. Take notes. Document your investigative steps, information you collect, where you found it, and your conclusions.
8. Summarize your findings. Turn your discovered data into a one-page brief. Summarize what you found and why it matters.

Getting started with OSINT is about learning how to think like an investigator. Start with the basics and build your workflow step by step.

Let’s look at a few examples of how multiple OSINT investigation techniques come together during investigations. These examples are based on commonly used tactics and techniques.

Tracking down a threat actor using correlation across social media platforms

A researcher was conducting research on a phishing campaign. Starting with just one piece of information: a username located within a phishing email.

Starting with that username and searching across platforms, the investigator observes multiple accounts belonging to the same user across various social media platforms. Some using aliases and others what appears to be their real name, but two of the accounts have the same picture.

Reverse image searching the photo along with checking creation dates of previous images/posts, our researcher found:

• Similar posting times (posts at same times on different platforms).
• Old forum posts with recycled email addresses.
• A link to a personal blog, where the domain registration details were partially exposed.

Starting from there, the researcher leveraged domain lookup tools which tied the blog back to a registrant email found in older breach data. Now the investigator can more confidently tie this phishing campaign to a known threat actor.

In this investigation, the analyst used the following OSINT methods:

• Enumeration
• Reverse image search
• Correlation across social media platforms
• Domain lookups and breach database searches

Verifying a geolocation claim from social media content

There is a video circulating online that purports to depict an event in a particular city. An analyst needs to verify if that is true.

First, the analyst will look for location clues in the footage such as:

• Street signs and language
• Architecture
• Weather/shadow angles

Our investigator overlaid satellite images from Google Earth Pro to see if they could match objects in the video. In this instance, both the clothing store on the corner and the intersection matched up with one city many states away.

Additional verification methods include:

• Finding historical satellite matches of buildings.
• Determining time of day by where the sun is.
• Researching local news outlets to see if they reported the event.

Verdict: Real video, wrong location.

The techniques used by the investigator in this investigation include:

• Visual analysis
• Geolocation using satellite imagery
• Temporal verification through sun/shadow analysis
• Cross-referencing with local reporting

Enumerating infrastructure behind a suspicious domain

A security operations center (SOC) discovers a suspicious domain name during a suspected phishing attack. The SOC analyst begins their incident response with a simple DNS query.

Upon entering a domain into a tool such as DNSDumpster, an analyst can enumerate:

• Subdomains of a target domain
• IP Addresses
• Mail servers and infrastructure

During DNS enumeration, our analyst notices several other domains host onto the same IP address with copycat name similarities. Through research of historical DNS records, they discover expired domains using similar naming conventions that were used in the past for scams.

By pivoting off of exposed infrastructure, our analyst uncovers additional information on related domains. This leads to the SOC blacklisting future domains.

OSINT techniques applied in this scenario:

• DNS / subdomain enumeration
• Infrastructure enumeration
• DNS record tearing
• Pattern recognition

As you can see from these examples, typically a single piece of information will not give you all the answers. It’s about correlating signals from multiple sources and validating them to create a story backed by evidence.

Proficiency in OSINT requires finding, validating, and correlating information from hundreds, if not thousands, of open sources. These sources can range from social media posts to domain registrations, media files, public records, and much more. When working with large amounts of information from diverse sources, it’s essential to have the proper tools to work smarter, stay organized, and find relevant patterns and links.

For analysts who are interested in a step-by-step guide to directories of tools, check out the OSINT Framework. It is a community-driven catalogue of OSINT tools. At ShadowDragon®, we have developed multiple OSINT tools to help simplify your investigations, automate data collection, and reveal connections across the exposed layer. Tools such as Horizon Monitor® can help you track personas, map networks, conduct threat actor behavior analysis, and track threat infrastructure without sacrificing operational security or ethics. Get in touch with our team for a demo.