This time I want to lay out my own investigative workflow, enhanced with some diagrams.
I did not want to just chart out the methodology – the idea is to discuss this from a privacy perspective. This is why I added some privacy tips that might help you minimise your attack surface, if you were a target of an OSINT investigation.
This might sound counterintuitive, coming from somebody who relies on OSINT to get investigative results – but as I say, OSINT and privacy are like yin and yang – maintaining the balance is important.
For those interested in creating their own charts or mind maps – the diagrams were created using the Diagrams App (formerly draw.io).
* Personal information
The workflow described below applies to individual investigation targets, but can also be used to map out their friends, associates and social contacts, in as much depth or detail as required.
Each target should be researched separately for optimal results and clarity.
Protecting your real name and surname from appearing online is nowadays close to impossible – at least for somebody who wants to live a relatively normal life that includes enjoying day to day benefits offered by technology.
While having your name and surname out there is not detrimental in the case of most people, disclosing your middle name or maiden name on social media typically gives away more information than necessary. This goes particularly for the maiden name, since the mother’s maiden name is still used as an account recovery question by some services.
For a person with a generic first name and surname, disclosing their middle name or even the middle name initial might mean the difference between remaining obscure or being positively identified.
The biggest risk factor in disclosing names, surnames and other details is social media accounts. If you need to have them in your real name, keep this information down to the bare minimum and always set your accounts to private.
Aliases and nicknames (AKA, also known as) are not to be confused with online usernames or handles (see the Digital Footprint section below). They can be either pseudonyms, childhood nicknames, nicknames used by friends or similar, in-real-life attributes. Commonly they are revealed when they’re used online or publicly in connection with your real name and surname.
Pick generic handles for online accounts or something that is not related to / cannot be linked to in-real-life nicknames or AKAs.
Date of birth should never be disclosed – unfortunately many people do this either through social media, or by appending a partial DOB to an online handle (e.g.: “johnnysmith1989”). Remember that even a vague indication of age or an age group increases the chance of somebody being positively identified.
Avoid sharing or using your date of birth in handles, as PINs, passwords or parts of passwords. If they are ever breached or disclosed, this information will remain online forever.
Appearance, hobbies and interests are also typically disclosed voluntarily on social media, either by the target individual or their relatives. Some information can also appear in news outlets or be otherwise disclosed by third parties. While benign on their own, they might assist in identifying or even tracking down individuals of interest.
Examples of visual identification sources for personal information include:
- Photographs of documents
- Photographs of individuals and their activities
- Screenshots of social media profiles
- Screenshots of leaked or breached content
NOTE: For even more info on researching persons and relying on some less known, unorthodox sources, check out my older blog post on this subject here.
* Family and relatives
Typical family members and relatives can be mapped out using the workflow below and then, after a pivot into the personal information workflow, x-rayed individually in order to build a profile for each person. These profiles might not be as detailed as the main subject’s profile – it all depends on the requirements and the baseline set by the investigator.
Mapping out family trees can be done using social media info, genealogy sites, but also various announcement sites and sources like RIP notices.
The best visual identification sources for this category are family photographs, wedding pictures, etc.
* Physical location
A physical location of interest might be somebody’s current address, previous address, workplace address or a list of regularly visited places. Locations can be profiled using online maps and categorised according to their type.
Remember that the physical location can be given away by many unexpected sources: GPS coordinates in the EXIF metadata of photographs, geolocation based on the elements of the photo’s background, tagging on social media, leaked content from fitness apps and wearable gadgets and many more…
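To show what the GPS pivot looks like in practice, here is an added example (my own code for this post, not a tool described above) that builds a minimal JPEG carrying an EXIF GPS block and pulls the coordinates back out of it, the way an OSINT tool does when a photo is posted with its metadata intact. The byte layout follows the EXIF/TIFF specification (APP1 segment, little-endian TIFF header, IFD0 entry 0x8825 pointing at a GPS IFD with tags 1–4); the sample file itself is constructed in the code and contains no image data, and the coordinates in it are made up. The strip function is the privacy counterpart: drop the APP1 Exif segment before the image leaves your device.

```python
"""
Added example: read GPS coordinates from a JPEG's EXIF block, and strip that block.
The sample JPEG is constructed below (no real photo, made-up coordinates).
"""
import struct

# Tag numbers from the EXIF specification.
TAG_GPS_IFD = 0x8825
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004
EXIF_HEADER = b"Exif\x00\x00"


def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Return a tiny JPEG (SOI, one APP1 Exif segment, EOI) with a GPS IFD.
    Little-endian TIFF; IFD0 holds a single entry pointing at the GPS IFD."""
    def rationals(dms):  # three RATIONAL values: degrees, minutes, seconds
        return b"".join(struct.pack("<II", v, 1) for v in dms)

    ifd0_off = 8
    gps_ifd_off = ifd0_off + 2 + 12 + 4          # count + 1 entry + next-IFD pointer
    lat_data_off = gps_ifd_off + 2 + 4 * 12 + 4  # count + 4 entries + next-IFD pointer
    lon_data_off = lat_data_off + 24

    tiff = b"II" + struct.pack("<HI", 42, ifd0_off)
    tiff += struct.pack("<H", 1)
    tiff += struct.pack("<HHII", TAG_GPS_IFD, 4, 1, gps_ifd_off) + struct.pack("<I", 0)
    tiff += struct.pack("<H", 4)
    tiff += struct.pack("<HHI", GPS_LAT_REF, 2, 2) + lat_ref.encode() + b"\x00\x00\x00"
    tiff += struct.pack("<HHII", GPS_LAT, 5, 3, lat_data_off)
    tiff += struct.pack("<HHI", GPS_LON_REF, 2, 2) + lon_ref.encode() + b"\x00\x00\x00"
    tiff += struct.pack("<HHII", GPS_LON, 5, 3, lon_data_off)
    tiff += struct.pack("<I", 0)
    tiff += rationals(lat_dms) + rationals(lon_dms)

    app1 = EXIF_HEADER + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def _find_exif_tiff(jpeg):
    """Walk the JPEG marker segments and return the TIFF blob of the Exif APP1 segment."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg):
        marker, length = struct.unpack(">HH", jpeg[pos:pos + 4])
        if marker == 0xFFE1 and jpeg[pos + 4:pos + 10] == EXIF_HEADER:
            return jpeg[pos + 10:pos + 2 + length]
        if marker == 0xFFDA:  # start of scan: image data follows, no more metadata segments
            break
        pos += 2 + length
    return None


def _read_ifd(tiff, offset, endian):
    """Return {tag: (type, count, 4 value-or-offset bytes)} for the IFD at offset."""
    count, = struct.unpack(endian + "H", tiff[offset:offset + 2])
    entries = {}
    for i in range(count):
        e = offset + 2 + 12 * i
        tag, typ, n = struct.unpack(endian + "HHI", tiff[e:e + 8])
        entries[tag] = (typ, n, tiff[e + 8:e + 12])
    return entries


def _dms_to_decimal(tiff, entry, ref, endian):
    """Three RATIONALs (deg, min, sec) plus the N/S/E/W reference -> signed decimal degrees."""
    typ, n, val = entry
    if typ != 5 or n != 3:
        raise ValueError("unexpected GPS coordinate encoding")
    off, = struct.unpack(endian + "I", val)  # 24 bytes do not fit inline, so val is an offset
    parts = []
    for i in range(3):
        num, den = struct.unpack(endian + "II", tiff[off + 8 * i:off + 8 * i + 8])
        parts.append(num / den if den else 0.0)
    deg, minutes, seconds = parts
    decimal = deg + minutes / 60 + seconds / 3600
    return -decimal if ref in ("S", "W") else decimal


def extract_gps(jpeg):
    """Return (lat, lon) in decimal degrees, or None when the image carries no GPS data."""
    tiff = _find_exif_tiff(jpeg)
    if tiff is None:
        return None
    endian = "<" if tiff[:2] == b"II" else ">"
    ifd0_off, = struct.unpack(endian + "I", tiff[4:8])
    ifd0 = _read_ifd(tiff, ifd0_off, endian)
    if TAG_GPS_IFD not in ifd0:
        return None
    gps_off, = struct.unpack(endian + "I", ifd0[TAG_GPS_IFD][2])
    gps = _read_ifd(tiff, gps_off, endian)
    if not all(t in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
        return None
    lat_ref = gps[GPS_LAT_REF][2][:1].decode()
    lon_ref = gps[GPS_LON_REF][2][:1].decode()
    return (_dms_to_decimal(tiff, gps[GPS_LAT], lat_ref, endian),
            _dms_to_decimal(tiff, gps[GPS_LON], lon_ref, endian))


def strip_exif(jpeg):
    """Privacy counterpart: copy the JPEG without its Exif APP1 segment(s)."""
    out = bytearray(jpeg[:2])
    pos = 2
    while pos + 4 <= len(jpeg):
        marker, length = struct.unpack(">HH", jpeg[pos:pos + 4])
        if marker == 0xFFDA:  # from the scan onwards everything is image data: copy verbatim
            break
        segment = jpeg[pos:pos + 2 + length]
        if not (marker == 0xFFE1 and segment[4:10] == EXIF_HEADER):
            out += segment
        pos += 2 + length
    out += jpeg[pos:]
    return bytes(out)


if __name__ == "__main__":
    sample = build_sample_jpeg((51, 30, 0), "N", (0, 15, 0), "W")  # constructed coordinates
    print(extract_gps(sample))
    print(extract_gps(strip_exif(sample)))
```

Real photos put the GPS IFD behind more IFD0 entries and often use big-endian byte order, which the parser handles via the `II`/`MM` check; what it deliberately does not do is trust the file, so a truncated or malformed segment raises rather than returning a guessed location.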
* Employment
Employment information can be very beneficial to an online investigator. Things like current / past employment (including their detailed timelines), company name and location, roles / job titles, type of work done, responsibilities – all this can build a very comprehensive picture of a professional.
This category is often exploited by penetration testers / red teamers who operate in a corporate environment and seek out social engineering pretexts based on publicly available employment details.
Many people struggle when it comes to finding the right balance between managing their professional networks & building their personal brand and ensuring the adequate privacy of their accounts.
Check out Think Before You Link – an online campaign and a mobile app created by the UK’s CPNI (Centre for the Protection of National Infrastructure, since 2023 operating as the National Protective Security Authority, NPSA). This resource is aimed at helping professionals detect fake profiles used by various malicious actors.
* Education
This category is closely connected to employment details since education is one of the building blocks of professional success and self development.
Showing off credentials and qualifications might increase the chances for a better job, but it might also lead to better crafted phishing emails that will reference the publicly accessible professional information on your LinkedIn profile – “Click here to find out more about this free course you might be interested in!”
* Transportation
The focus on the means of transportation in OSINT is not just limited to private vehicles. Route analysis of any kind – including public transport – can yield many clues to an investigator about a person’s routine and the nature of their activities.
While the most obvious source for verifying what car somebody is driving is photographic evidence from social media, valuable information can be gleaned from classified ads sites where people trade in second hand cars, as well as various online forums for car enthusiasts.
* Digital footprint
Researching the digital footprint is the bread and butter of an OSINT investigator, so no wonder this is the main and the most populated category.
There are two important aspects of recording and verifying somebody’s digital footprint: visual identification and breach data records searches.
Whenever you sign up for a service of any kind, you should assume a data breach of that service will happen – it’s just a matter of when.
To limit what a breach of any one service can reveal about you, use usernames and handles that are not reused across services, unique passwords and burner email addresses. Don’t sign up for anything from your static, home IP address – that address is typically stored with the account and leaks together with it – use public WiFi instead. IP address exposure can also be mitigated by using a VPN.
Whenever your information goes on the Internet, it’s not fully yours anymore. Personal data can be exposed on various people search websites (thankfully this is not usually a problem in Europe, thanks to the GDPR). Information can also be retrieved from search engines (both live and cached pages), as well as third party publications.
You can file data removal requests with any site that publishes your personal information. When it comes to Google and other search engines, you can leverage “the right to be forgotten” and ask for certain results to be delisted from searches for your name. Keep in mind that delisting removes the search result, not the page behind it, so a removal request to the site hosting the content is still needed.
Stylometry is one of the most under-appreciated methods of analysing somebody’s digital footprint. Essentially it focuses on studying the linguistic style of written texts. It’s one of the methods of connecting various, seemingly unrelated accounts online. For example, notice how I might reuse certain phrases across multiple blog posts, write only using UK English spelling and put spaces around a slash ‘ / ’? That’s part of my stylometric pattern.
To learn about limitations of stylometry, read this article from MIT Press Direct.
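To make the stylometric pattern concrete, here is an added example (my own code for this post) that turns the habits mentioned above into measurable features – UK versus US spelling rate, spaced slashes and dashes, apostrophe use, sentence length and a few function-word frequencies – and compares texts with Burrows’ Delta, the standard distance measure in authorship attribution (z-score each feature across the corpus, then average the absolute differences). The three sample texts are constructed for the example, and the spelling lists are illustrative rather than exhaustive.

```python
"""
Added example: a small stylometric fingerprint plus Burrows' Delta.
Sample texts and spelling lists are constructed/illustrative, not a real corpus.
"""
import math
import re
from collections import Counter

UK_SPELLINGS = {"analyse", "realise", "organise", "minimise", "behaviour", "colour",
                "favour", "centre", "defence", "programme"}
US_SPELLINGS = {"analyze", "realize", "organize", "minimize", "behavior", "color",
                "favor", "center", "defense", "program"}
FUNCTION_WORDS = ["the", "and", "that", "which"]
WORD_RE = re.compile(r"[a-z']+")


def features(text):
    """Rates per 100 words (plus average sentence length): the stylometric fingerprint."""
    words = WORD_RE.findall(text.lower())
    sentences = [s for s in re.split(r"[.!?]+", text) if s.strip()]
    n = max(len(words), 1)
    per100 = lambda c: 100.0 * c / n
    counts = Counter(words)
    f = {
        "uk_spelling": per100(sum(counts[w] for w in UK_SPELLINGS)),
        "us_spelling": per100(sum(counts[w] for w in US_SPELLINGS)),
        "spaced_slash": per100(text.count(" / ")),
        "spaced_dash": per100(text.count(" - ") + text.count(" – ")),
        "apostrophe": per100(sum(1 for w in words if "'" in w)),
        "avg_sentence_len": len(words) / max(len(sentences), 1),
    }
    for fw in FUNCTION_WORDS:
        f["fw_" + fw] = per100(counts[fw])
    return f


def burrows_delta(corpus, a, b):
    """Burrows' Delta between samples a and b: z-score every feature over the whole
    corpus, then take the mean absolute z-score difference. Lower = more alike."""
    vecs = {k: features(t) for k, t in corpus.items()}
    total, used = 0.0, 0
    for name in vecs[a]:
        vals = [v[name] for v in vecs.values()]
        mean = sum(vals) / len(vals)
        std = math.sqrt(sum((x - mean) ** 2 for x in vals) / len(vals))
        if std == 0:
            continue  # feature is constant across the corpus, so it cannot discriminate
        total += abs((vecs[a][name] - mean) / std - (vecs[b][name] - mean) / std)
        used += 1
    return total / used if used else 0.0


def shared_ngrams(text_a, text_b, n=3):
    """Word n-grams both texts contain: the 'reused phrases' signal."""
    def grams(t):
        w = WORD_RE.findall(t.lower())
        return {" ".join(w[i:i + n]) for i in range(len(w) - n + 1)}
    return grams(text_a) & grams(text_b)


def closest_author(corpus, sample_key):
    """Key of the corpus text with the smallest Delta to sample_key."""
    others = [k for k in corpus if k != sample_key]
    return min(others, key=lambda k: burrows_delta(corpus, sample_key, k))


# Constructed samples: two in the habits described in the post (UK spelling, spaced
# slashes, a reused phrase) and one paraphrase in US spelling without those habits.
SAMPLES = {
    "blog_post_1": (
        "This time I want to analyse my workflow. OSINT / privacy is a balance, and the "
        "investigator might realise that the target's behaviour gives away colour and "
        "detail. The breach records / cached pages are the bread and butter of the work, "
        "which is why I favour them."
    ),
    "blog_post_2": (
        "In this post I analyse the digital footprint. Breach data / cached pages are the "
        "bread and butter of the investigator, and the target might realise that their "
        "behaviour is visible. Favour unique handles / burner addresses, organise the "
        "results in a chart, and minimise the target's chances."
    ),
    "other_writer": (
        "In this post I'll analyze the digital footprint. Breach data and cached pages are "
        "the core of the investigator's work, and the target will realize that their "
        "behavior is visible. Favor unique handles or burner addresses, organize the "
        "results in a chart, and minimize the target's chances."
    ),
}

if __name__ == "__main__":
    for k in SAMPLES:
        print(k, "->", closest_author(SAMPLES, k), features(SAMPLES[k]))
    print(sorted(shared_ngrams(SAMPLES["blog_post_1"], SAMPLES["blog_post_2"])))
```

On a corpus this small the z-scores exaggerate tiny differences, which is exactly the kind of limitation the MIT Press article discusses; with a few dozen samples per candidate author the measure becomes far more stable.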