
Person OSINT investigation workflow from a privacy perspective


This time I want to lay out my own investigative workflow, enhanced with some diagrams.

I did not want to just chart out the methodology – the idea is to discuss this from a privacy perspective. This is why I added some privacy tips that might help you minimise your attack surface, if you were a target of an OSINT investigation.

This might sound counterintuitive, coming from somebody who relies on OSINT to get investigative results – but as I say, OSINT and privacy are like yin and yang – maintaining the balance is important.

For those interested in creating their own charts or mind maps – the diagrams were created using the Diagrams App (formerly

* Personal information

The workflow described below applies to individual investigation targets, but can also be used to map out their friends, associates and social contacts, in as much depth or detail as required.

Each target should be researched separately for optimal results and clarity.

[Diagram: personal info OSINT]

Protecting your real name and surname from appearing online is nowadays close to impossible – at least for somebody who wants to live a relatively normal life that includes enjoying day to day benefits offered by technology.

While having your name and surname out there is not detrimental in the case of most people, disclosing your middle name or maiden name on social media is typically giving away too much information unnecessarily. This goes particularly for the maiden name part, since sometimes one can encounter a security question asking about the mother’s maiden name.

For a person with a generic first name and surname, disclosing their middle name or even the middle name initial might mean the difference between remaining obscure or being positively identified.

Aliases and nicknames (AKA, also known as) are not to be confused with online usernames or handles (see the Digital Footprint section below). They can be either pseudonyms, childhood nicknames, nicknames used by friends or similar, in-real-life attributes. Commonly they are revealed when they’re used online or publicly in connection with your real name and surname.

Date of birth should never be disclosed – unfortunately many people do this either through social media, or by appending a partial DOB to an online handle (e.g.: “johnnysmith1989”). Remember that even a vague indication of age or an age group increases the chance of somebody being positively identified.
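A self-audit for the handle problem described above, as an added example that is not part of the original post: it flags digit runs in your own usernames that read as a birth year or full date and shows the age they imply. The function name, the 1 to 100 year plausibility window and the sample handles in the test are assumptions made for illustration.

```python
import re
from datetime import date, datetime

def dob_leaks(handle, today=None):
    """Return (kind, value, implied_age) for digit runs that read as a birth date."""
    today = today or date.today()

    def plausible(year):
        # Assumption: a living account owner is between 1 and 100 years old.
        return 1 <= today.year - year <= 100

    findings = []
    for run in re.findall(r"\d+", handle):
        if len(run) == 8:
            # Try day-first and year-first layouts; invalid dates raise ValueError.
            for fmt in ("%d%m%Y", "%Y%m%d"):
                try:
                    d = datetime.strptime(run, fmt).date()
                except ValueError:
                    continue
                if plausible(d.year):
                    findings.append(("full date", d.isoformat(), today.year - d.year))
        elif len(run) == 4 and plausible(int(run)):
            findings.append(("birth year", run, today.year - int(run)))
        elif len(run) == 2:
            # Two digits are ambiguous, so report them as a weak signal only.
            for year in (1900 + int(run), 2000 + int(run)):
                if plausible(year):
                    findings.append(("two-digit year (weak)", str(year), today.year - year))
    return findings

if __name__ == "__main__":
    # "johnnysmith1989" is the handle quoted in the post; the rest are constructed.
    for h in ("johnnysmith1989", "jsmith15031989", "jane_89", "build4096"):
        print(h, dob_leaks(h, today=date(2024, 1, 1)))
```

An empty list means no date-like pattern was found, not that the handle is unlinkable to you.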

Appearance, hobbies and interests are also typically disclosed voluntarily on social media, either by the target individual or their relatives. Some information can also appear in news outlets or be otherwise disclosed by third parties. While benign on their own, they might assist in identifying or even tracking down individuals of interest.

Examples of visual identification of personal information include:

  • Photographs of documents
  • Photographs of individuals and their activities
  • Screenshots of social media profiles
  • Screenshots of leaked or breached content

NOTE: For even more info on researching persons and relying on some less known, unorthodox sources, check out my older blog post on this subject here.

* Family and relatives

Typical family members and relatives can be mapped out using the workflow below and then, after a pivot into the personal information workflow, x-rayed individually for the purpose of creating a profile for each person. These profiles might not be as detailed as the main subject’s profile – but it all depends on the requirements and the baseline set by the investigator.

Mapping out family trees can be done using social media info, genealogy sites, but also various announcement sites and sources like RIP notices.

[Diagram: family and relatives OSINT]

The best visual identification sources for this category are family photographs, wedding pictures, etc.

* Physical location

A physical location of interest might be somebody’s current address, previous address, workplace address or a list of regularly visited places. Locations can be profiled using online maps and categorised according to their type.

[Diagram: physical location OSINT]

* Employment

Employment information can be very beneficial to an online investigator. Things like current / past employment (including their detailed timelines), company name and location, roles / job titles, type of work done, responsibilities – all this can build a very comprehensive picture of a professional.

This category is often exploited by penetration testers / red teamers who operate in a corporate environment and seek out social engineering pretexts based on publicly available employment details.

Many people struggle to find the right balance between managing their professional networks and building their personal brand on the one hand, and ensuring adequate privacy of their accounts on the other.

[Diagram: employment OSINT]

* Education

This category is closely connected to employment details since education is one of the building blocks of professional success and self development.

Showing off credentials and qualifications might increase the chances for a better job, but it might also lead to better crafted phishing emails that will reference the publicly accessible professional information on your LinkedIn profile – “Click here to find out more about this free course you might be interested in!”

[Diagram: education OSINT]

* Transportation

The focus on the means of transportation in OSINT is not just limited to private vehicles. Route analysis of any kind – including public transport – can yield many clues to an investigator about a person’s routine and the nature of their activities.

While the most obvious source for verifying what car somebody is driving is photographic evidence from social media, valuable information can be gleaned from classified ads sites where people trade in second hand cars, as well as various online forums for car enthusiasts.

[Diagram: transportation OSINT]

* Digital footprint

Researching the digital footprint is the bread and butter of an OSINT investigator, so no wonder this is the main and the most populated category.

There are two important aspects of recording and verifying somebody’s digital footprint: visual identification and breach data records searches.

[Diagram: digital footprint OSINT]

Whenever you sign up for a service of any kind, you should assume a data breach of that service will happen – it’s just a matter of when. 

Whenever your information goes on the Internet, it’s not fully yours anymore. Personal data can be exposed on various people search websites (thankfully this is not usually a problem in Europe, thanks to the GDPR). Information can also be retrieved from search engines (both live and cached pages), as well as third party publications.

Stylometry is one of the most under-appreciated methods of analysing somebody’s digital footprint. Essentially it focuses on studying the linguistic style of written texts. It’s one of the methods of connecting various, seemingly unrelated accounts online. For example, notice how I might reuse certain phrases across multiple blog posts, write only using UK English spelling and put spaces around a dash ‘ / ’ symbol? That’s part of my stylometric pattern.
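To see which of these habits carry across two of your own accounts, the check below (an added example, not part of the original post) extracts the three markers named above and reports the ones both texts share. The spelling list, function names and sample texts are constructed for illustration.

```python
import re

# Constructed, deliberately short UK/US spelling pairs (assumption; extend for real use).
UK_US = {"colour": "color", "organise": "organize", "minimise": "minimize",
         "analyse": "analyze", "behaviour": "behavior", "centre": "center"}

def words(text):
    return re.findall(r"[a-z']+", text.lower())

def markers(text):
    """Habit-level markers: spelling variant and spacing around dashes and slashes."""
    w = set(words(text))
    found = set()
    if w & set(UK_US):
        found.add("uk_spelling")
    if w & set(UK_US.values()):
        found.add("us_spelling")
    if re.search(r"\s[\u2013\u2014-]\s", text):   # dash with a space on each side
        found.add("spaced_dash")
    if re.search(r"\w\s/\s\w", text):             # slash with a space on each side
        found.add("spaced_slash")
    return found

def ngrams(text, n=3):
    """Set of n-word phrases, used to spot reused wording."""
    w = words(text)
    return {" ".join(w[i:i + n]) for i in range(len(w) - n + 1)}

def linkable_traits(text_a, text_b, n=3):
    """Habits present in BOTH texts: the overlap that could tie two accounts together."""
    return {"markers": sorted(markers(text_a) & markers(text_b)),
            "phrases": sorted(ngrams(text_a, n) & ngrams(text_b, n))}

# Constructed sample texts standing in for posts from two of your own accounts.
BLOG_POST = ("OSINT and privacy are like yin and yang - maintaining the balance "
             "is important. Try to minimise your roles / job titles online.")
FORUM_POST = ("As I say, tools and ethics are like yin and yang - you need both. "
              "I organise my notes by current / past employer.")
UNRELATED = "Privacy matters. I organize my notes carefully and minimize what I share."

if __name__ == "__main__":
    print(linkable_traits(BLOG_POST, FORUM_POST))
    print(linkable_traits(BLOG_POST, UNRELATED))
```

On longer texts, common three-word phrases will overlap by chance, so treat shared phrases as a prompt to reread your own posts, not as a score.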
