I’ve always been a fan of Lifehacker’s How I Work series. While this isn’t for Lifehacker, this is my “How I do Open Source Intelligence”. Recently a friend called and asked how I tracked data when doing OSINT. These are the tools and processes I use. It’s what works for me, and your mileage may vary.
The tools I use are a legal pad, a computer, a web browser, a personal wiki, a data analysis tool and, depending on the work, Tails and an SD card.
I learned in my Intelligence Analysis classes to always get a legal pad out and start with a series of questions. Try to shoot for 20 or so to start with; more will be added along the way.
While it’s tempting to just fire up a note or word-processing tool on a computer, tablet or smartphone for taking notes, try to resist the urge. Going straight to the computer causes the questions to be forgotten. Pen and paper are a tool designed to collect your thoughts and keep you focused. They’ll always be “open” next to the computer.
A quick real-world example: I handed out envelopes to a class. Inside was a set of numbers and a cryptic phrase. The groups that went straight to the computer spent about an hour. The group that went the legal pad route and then the computer was done in much less time.
Personally, I prefer having a laptop. It’s mobile and allows you to work anywhere with a web connection. Depending on the type of project you’re working on, a coffee shop and a privacy filter go a long way.
As long as the computer can run the tools you’re choosing to use, the make and OS don’t matter. I tend to use either Debian Linux, Windows 7, or Tails. Use what you’re comfortable with, as long as you have the right tools installed.
While there are many out there, I prefer Firefox with extensions. The other browsers are catching up, but right now Firefox is in the lead when it comes to OSINT-style extensions. Michael Bazzell’s Open Source Intelligence Techniques has a good list to start with.
Depending on what I’m working on, I may use business oriented sites and search engines as well. A good list of tools and sites can be found at Dale Pearson’s OSINT tool site.
Somewhere to put things
While there are many different ways to store the data you collect, I prefer a wiki. The best one I’ve found so far is the Zim Desktop Wiki. It is installed on your computer and has a fairly clean interface. Everything is stored in a “notebook” with a page tree on the side, so everything can be seen. I tend to name the “notebook” after the project, and then create pages and sub-pages with names and other information as needed.
An example page would be John Doe, and would contain a summary. The sub-pages would be employment history, previous addresses, family, etc.
Remember the web searches I mentioned above? You’ll want to save those pages, since they change. The Internet Archive’s Wayback Machine might have a copy of the page, but it might not. Pages can be saved to the Zim notebook directory, or into Zim itself. I tend to save to the directory and include the file name in a sub-page.
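As an added example (my own script, not the post author’s), here is a small Python program that lays out a Zim notebook the way the post describes: the project is the notebook, John Doe is a page, and “employment history” is a sub-page that records each saved web page’s file name together with a SHA-256, so you can later show that the saved copy has not changed since you captured it. The file naming and page header it writes are assumptions about Zim’s text format, and the captured page content is constructed inline.

```python
# Added example, not from the original post: a Zim notebook for one OSINT
# project, with a subject page, a sub-page, and a saved web page logged there
# with its SHA-256 so the capture can later be checked for tampering.
# File layout and page header are assumptions about Zim's "zim 0.4" format.
import hashlib, re, tempfile
from datetime import datetime, timezone
from pathlib import Path

ZIM_HEADER = "Content-Type: text/x-zim-wiki\nWiki-Format: zim 0.4\n"

def page_file(name: str) -> str:
    """Zim stores the page 'John Doe' as 'John_Doe.txt' (assumed convention)."""
    return re.sub(r"[^\w-]", "_", name.strip()) + ".txt"

def write_page(notebook: Path, path: list, body: str) -> Path:
    """Write notebook/A/B.txt; parent pages become folders holding sub-pages."""
    parents = [page_file(p)[:-4] for p in path[:-1]]
    target = notebook.joinpath(*parents, page_file(path[-1]))
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(f"{ZIM_HEADER}\n====== {path[-1]} ======\n{body}\n", encoding="utf-8")
    return target

def save_capture(notebook: Path, subject: str, subpage: str, url: str, content: bytes) -> str:
    """Store a captured page under saved/ named by hash; log it on the sub-page."""
    digest = hashlib.sha256(content).hexdigest()
    saved = notebook / "saved" / f"{digest[:16]}.html"
    saved.parent.mkdir(parents=True, exist_ok=True)
    saved.write_bytes(content)
    when = datetime.now(timezone.utc).isoformat(timespec="seconds")
    page = notebook.joinpath(page_file(subject)[:-4], page_file(subpage))
    if not page.exists():
        write_page(notebook, [subject, subpage], "")
    with page.open("a", encoding="utf-8") as fh:
        fh.write(f"* {when} {url} -> saved/{saved.name} sha256={digest}\n")
    return digest

def verify_capture(notebook: Path, digest: str) -> bool:
    """Re-hash the saved file: False means the evidence changed or is missing."""
    saved = notebook / "saved" / f"{digest[:16]}.html"
    return saved.exists() and hashlib.sha256(saved.read_bytes()).hexdigest() == digest

def demo() -> dict:
    """Throwaway notebook with a constructed capture, then a tampered copy."""
    nb = Path(tempfile.mkdtemp()) / "Project_Doe"
    write_page(nb, ["John Doe"], "Summary of the subject goes here.")
    html = b"<html><title>constructed sample profile page</title></html>"
    digest = save_capture(nb, "John Doe", "employment history", "https://example.invalid/p", html)
    verified = verify_capture(nb, digest)
    (nb / "saved" / f"{digest[:16]}.html").write_bytes(html + b"<!-- edited -->")
    return {"digest": digest, "verified": verified, "after_tamper": verify_capture(nb, digest),
            "subpage": (nb / "John_Doe" / "employment_history.txt").read_text(encoding="utf-8")}
```

Opening the notebook folder in Zim shows John Doe with the employment history sub-page underneath it, and the hash line on that sub-page is what you quote if someone later questions whether the saved copy is the original.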
So far, I’ve been talking about collecting raw data based on the questions on the legal pad. However, raw data by itself is useless; it doesn’t become intelligence until it’s been analyzed.
The first product I learned on was i2 Analyst’s Notebook. It is a fairly manual process for either link analysis or building a timeline. It’s not cheap, and needs really good notes to use it. Lastly, it doesn’t pull data from the Internet.
The first tool I ever used was Paterva’s Maltego, but I never understood how to use it properly. Transforms can get more information and corroborate other findings, but it’s only as good as what one starts with. While the transforms are nice, it takes more analysis to weed things out. There is more to OSINT than running Maltego transforms.
Paterva’s Casefile is designed to be the “offline” version of Maltego. It’s more like i2’s software, lacking internet access. The entities in this are a little better for intelligence in my opinion, than what is in Maltego.
The entities file for Casefile can be installed into Maltego. This allows one to work in a Casefile-like manner but have the transforms to assist in the research.
Project dependent tools
These two are used depending on what type of project I’m working on.
An SD card comes in handy. They’re easier to hide than most USB sticks. It’s easy to slip into a sock, hide under the insole of a shoe, palm, or in some cases drop without being noticed. The built-in reader is less noticeable than a USB stick hanging off the side of the computer. SD cards are fairly easy to destroy by cutting if you need to. The only downside to an SD card when compared to a USB device is that not all laptops will boot from them. So running a tool like Tails with persistence can be problematic, at least when it’s in a built-in SD card reader. There are USB SD card readers, which allow the card to be booted, but they’re more noticeable.
Tails – I tend to use this when in questionable environments, doing searches I want to hide (via Tor), or when I want to hit sites on the dark web. I have it installed on an SD card, and carry a copy of it on CD. While it’s not a perfect tool, it does get the job done.
Lastly The Report
Collecting everything and doing all the related analysis is still a useless waste of time if there isn’t a report to go with it. An intelligence report isn’t written like a regular white paper, or anything else. The first paragraph is actually the concluding paragraph, with the first sentence, between 24 and 26 words long, being the main idea of the whole paper. Sort of like how I started this post off.