My name is Chris J, and this is how I do OSINT.

I’ve always been a fan of Lifehacker’s How I Work series. While this isn’t for Lifehacker, this is my “How I do Open Source Intelligence”. Recently a friend called and asked how I tracked data when doing OSINT. These are the tools and processes I use. It’s what works for me, and your mileage may vary.

The tools I use are a legal pad, a computer, a web browser, a personal wiki, a data analysis tool and, depending on the work, Tails and an SD card.

Legal Pad

I learned in my Intelligence Analysis classes to always get a legal pad out and start with a series of questions. Shoot for 20 or so to start with; more will be added along the way.

While it’s tempting to just fire up a note or word tool on a computer, tablet or smart phone for taking notes, try to resist the urge. Going straight to the computer causes the questions to be forgotten. Pen and paper are a tool designed to collect your thoughts and keep you focused. It’ll always be “open” next to the computer.

A quick real-world example: I handed out envelopes to a class. Inside was a set of numbers and a cryptic phrase. The groups that went straight to the computer spent about an hour. The group that went the legal pad route and then the computer was done in much less time.

A computer
Personally I prefer having a laptop. It’s mobile and lets you work anywhere with a web connection. Depending on the type of project you’re working on, a coffee shop and a privacy filter go a long way.

As long as the computer can run the tools you’re choosing to use, the make and OS don’t matter. I tend to use either Debian Linux, Windows 7, or Tails. Use what you’re comfortable with, as long as you have the right tools installed.

Web Browser
While there are many out there, I prefer Firefox with extensions. The other browsers are catching up, but right now Firefox is in the lead when it comes to OSINT-style extensions. Michael Bazzell’s Open Source Intelligence Techniques has a good list to start with.

Search engines I use for OSINT:
Each site does things differently. There are lots of good articles on the net explaining how to use them.

Depending on what I’m working on, I may use business oriented sites and search engines as well. A good list of tools and sites can be found at Dale Pearson’s OSINT tool site.

Somewhere to put things
Personal Wiki
While there are many different ways to store the data you collect, I prefer a wiki. The best one I’ve found so far is the Zim Desktop Wiki. It is installed on your computer and has a fairly clean interface. Everything is stored in a “notebook” with a page tree on the side, so everything can be seen at a glance. I tend to name the “notebook” after the project, and then create pages and sub-pages with names and other information as needed.

An example page would be John Doe, and would contain a summary. The sub-pages would be employment history, previous addresses, family, etc.

Remember the web searches I mentioned above? You’ll want to save those pages, since they change. The Internet Archive’s Wayback Machine might have a copy of the page, but it might not. Pages can be saved to the Zim notebook directory, or into Zim itself. I tend to save to the directory, and include the file name in a sub-page.
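As an added example (not code from the post, and not part of Zim itself), here is how the "save the page to the notebook directory and note the file name on a sub-page" step can be scripted, using the John Doe page and sub-page layout described above. It assumes Zim's plain-text layout (a page "John Doe" stored as John_Doe.txt, with its sub-pages and attachments under John_Doe/), uses a constructed HTML byte string in place of a real fetch, and adds a SHA-256 of the saved bytes so that whoever reads the notebook later can check the copy has not been altered since it was collected.

```python
# Added example (not from the original post): save a fetched page into a Zim
# notebook and record file name, source URL, fetch time and SHA-256 on a
# "Saved pages" sub-page. Zim's on-disk layout is assumed: page "John Doe" is
# John_Doe.txt, and its sub-pages and attachments live in John_Doe/.
import hashlib
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from urllib.parse import urlparse

ZIM_HEADER = (
    "Content-Type: text/x-zim-wiki\n"
    "Wiki-Format: zim 0.4\n"
    "Creation-Date: {created}\n\n"
    "====== {title} ======\n"
)

# Constructed sample: stands in for the bytes a real fetch would return.
SAMPLE_HTML = b"<html><body><h1>John Doe</h1><p>Employed at Example Corp</p></body></html>"


def safe_name(text: str) -> str:
    """Map arbitrary text onto characters that are safe in Zim page and file names."""
    return re.sub(r"[^A-Za-z0-9._-]+", "_", text).strip("_") or "page"


def sha256_hex(body: bytes) -> str:
    """Hash the saved bytes so a later reader can prove the copy is unaltered."""
    return hashlib.sha256(body).hexdigest()


def ensure_page(path: Path, title: str, created: datetime) -> None:
    """Create a Zim page file with the standard header if it does not exist yet."""
    if not path.exists():
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(ZIM_HEADER.format(created=created.isoformat(), title=title))


def archive_page(notebook: Path, subject: str, url: str, body: bytes,
                 fetched_at: datetime) -> dict:
    """Write `body` (raw bytes of `url`) under <notebook>/<subject>/Saved_pages/
    and append one bullet describing it to the 'Saved pages' sub-page.
    Every fetch gets its own file, so a page that changes is kept as two copies."""
    digest = sha256_hex(body)
    host = safe_name(urlparse(url).netloc)
    fname = f"{fetched_at.strftime('%Y%m%d_%H%M%S')}_{host}_{digest[:12]}.html"

    subject_dir = notebook / safe_name(subject)
    files_dir = subject_dir / "Saved_pages"          # attachment folder of the sub-page
    files_dir.mkdir(parents=True, exist_ok=True)
    saved = files_dir / fname
    saved.write_bytes(body)

    ensure_page(notebook / f"{safe_name(subject)}.txt", subject, fetched_at)
    index = subject_dir / "Saved_pages.txt"
    ensure_page(index, "Saved pages", fetched_at)
    with index.open("a") as fh:                       # Zim bullet with a relative file link
        fh.write(f"* {fetched_at.isoformat()} [[./{fname}]] from {url} sha256 {digest}\n")
    return {"file": saved, "sha256": digest, "index": index}


def verify_saved(record: dict) -> bool:
    """Re-hash the stored file and compare it with the digest recorded at save time."""
    return sha256_hex(record["file"].read_bytes()) == record["sha256"]


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        rec = archive_page(Path(tmp), "John Doe", "https://example.com/people/john-doe",
                           SAMPLE_HTML, datetime(2014, 1, 15, 10, 30, tzinfo=timezone.utc))
        print(rec["file"].name, verify_saved(rec))
        print(rec["index"].read_text())
```

Point the script at the real notebook directory and pass it the bytes returned by whatever fetch you use; the file name carries the timestamp, the host and the first 12 hex characters of the hash, so re-saving the same URL after it changes produces a second file next to the first rather than overwriting it.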

Data Analysis
So far, I’ve been talking about collecting raw data based on the questions on the legal pad. However, raw data by itself is useless; it doesn’t become intelligence until it’s been analyzed.

The first product I learned on was i2 Analyst’s Notebook. It is a fairly manual process for either link analysis or building a timeline. It’s not cheap, and needs really good notes to be useful. Lastly, it doesn’t pull data from the Internet.

The first tool I ever used was Paterva’s Maltego, but I never understood how to use it properly. Transforms can pull in more information and corroborate other findings, but the result is only as good as what one starts with. While the transforms are nice, it takes more analysis to weed things out. There is more to OSINT than running Maltego transforms.

Paterva’s Casefile is designed to be the “offline” version of Maltego. It’s more like i2’s software, lacking internet access. In my opinion the entities in it are a little better suited to intelligence work than those in Maltego.

The entities file for Casefile can be installed into Maltego. This allows one to work in a Casefile-like manner but still have the transforms to assist in the research.

Project dependent tools
These two are used depending on what type of project I’m working on.

An SD card comes in handy. They’re easier to hide than most USB sticks: it’s easy to slip one into a sock, hide it under the insole of a shoe, palm it, or in some cases drop it without being noticed. The built-in reader is less noticeable than a USB stick hanging off the side of the computer. SD cards are fairly easy to destroy by cutting if you need to. The only downside to an SD card compared to a USB device is that not all laptops will boot from them, so running a tool like Tails with persistence can be problematic, at least from a built-in SD card reader. There are USB SD card readers that allow the card to be booted, but they’re more noticeable.

Tails – I tend to use this when in questionable environments, doing searches I want to hide (via Tor), or when I want to hit sites on the dark web. I have it installed on an SD card, and carry a copy of it on CD. While it’s not a perfect tool, it does get the job done.

Lastly, the Report
Collecting everything and doing all the related analysis is still a useless waste of time if there isn’t a report to go with it. An intelligence report isn’t written like a regular white paper, or anything else. The first paragraph is actually the concluding paragraph, with its first sentence, 24 to 26 words long, stating the main idea of the whole paper. Sort of like how I started this post off.

2 thoughts on “My name is Chris J, and this is how I do OSINT.”

Lachlan

    Hi. Hoping I can get some input here.

    I am looking for a better open source way to automate my intel collection, analysis, and reporting. My area predominantly revolves around industrial anti-terrorism, but includes other highly charged criminal activities. I have been utilizing a mix of programs, such as MS Access for data storage, sorting, and reporting templates; and Diva GIS for mapping of threat and incident locations.

    I am looking at expanding collection, analysis, and reporting capabilities. I am an individual, so I need to pursue free open source software. I am considering using Paterva’s Casefile as I cannot afford Maltego. But I want to complement what can be done in Casefile with another program which can collect web-based information, including the ability to use APIs, and maybe export the data to Casefile.

    Any thoughts please?
