Whether or not you realized it at the time, you have probably collected Open Source Intelligence, (OSINT) at some point in your investigative career. True to its name, OSINT is open-source, meaning that all its information is available to the public. Since OSINT is accessible to everyone, it might not seem like a valuable tool private investigators can add to their kit. However, one of the notable characteristics of open-source information is just how much data it encompasses and, as Joseph Jones, a licensed private investigator and the Vice President of Bosco Legal Services, says, “Information is power.” But wading through all the data to get to the useful information takes skill and the right resources. Learn more about this skill and how you can harness it for your investigations in the article below.

What is it?

According to the Office of the Director of National Intelligence, Open Source Intelligence (OSINT) is the publicly available information appearing in print or electronic form including radio, television, newspapers, journals, the Internet, commercial databases, videos, graphics, and drawings. The important phrase to focus on here is “publicly available.”

Open-source intelligence is a variety of data encompassing countless topics and subjects. If specialist skills, physical tools, or hacking are required to access a piece of information, it can’t reasonably be considered open source.

OSINT is not limited to what you can find via popular search engines. There are sites on the deep web that are not indexed/found by your regular search engine though the information is still legal to obtain by the general public. This creates a lot of data that qualifies as OSINT. Access to such a vast source of information is both a blessing and a curse in that you can find a lot of what you need, but you have to sort through a lot of useless data to get it. Even with all this information, chances are you will not find everything you need to make or break a case. These OSINT limitations make this information most useful alongside other forms of intelligence.

What makes information open source?

Information is typically considered open source if it fits into any of these descriptions:

  • Published or broadcast for public viewing. This includes news, radio, podcasts, TV, etc.
  • Available to the public by request, such as census data.
  • Available to the public by subscription or purchase. This could include industry journals, academic publications, dissertations, conference proceedings, etc.
  • Seen or heard by a casual observer.
  • Obtained by visiting a certain location or attending a public event.
  • Stored in public records databases.
  • Government reports, documents, websites, arrest records, and court filings.
  • Social networks and social media sites.
  • The Internet at large includes blogs, forums, video and image sharing sites, metadata and digital files, dark web resources, etc.
  • Company profiles, annual reports, company news, employee profiles, and résumé.
  • Geospatial information or maps and commercial imagery products.

OSINT Tools

Since there is so much information to sort through to achieve your investigation goals, tools are essential to comb through and organize OSINT effectively. But there are a couple of things to keep in mind before you start filling your toolbox. First and foremost, have a strategy and set of goals laid out before starting your search. Even with the best tools at your fingertips, you need a clear purpose in order to use them properly. You also need to know how to use them. Many people used Facebook’s Graph Search function to gather OSINT but were at a loss when the company decided to shut down that particular function. But those who understood the tool’s role and the theory behind it found ways to work around the inconvenience. So before you go out and equip yourself with a bunch of tools, understand what they accomplish and how they accomplish it so that you don’t become reliant on them.

Commonly Used Tools

There are a great number of tools you can use and learn more about by taking in-depth courses and training, but here are just a couple to introduce you to the basics of OSINT:

Google Dork Queries

While there are many free and useful tools available to licensed private investigators, some of the most commonly used open-source intelligence tools are search engines like Google.

There are a series of advanced search functions called “Google Dork” queries that can be used to identify the information and assets they expose. Google Dork queries are based on the search operators used by IT professionals and hackers daily to conduct their work. Common examples include “filetype:”, which narrows search results to a specific file type, and “site:”, which only returns results from a specified website or domain.

Examples:
“Brandon LaVan” filetype:pdf
This search will specifically search for the name “Brandon LaVan”, and the results will only be in .pdf format.

“Lake Charles” site:drive.google.com
This search will specifically search for the term “Lake Charles”, and the results will only come from any Google Drive that is open to the public.

Maltego

This tool is perfect for tracking the online movements of a single entity. It collects information from various sources, analyzes the relationships between pieces of information, and uses transforms to generate results into a graph format that’s easier to understand.

Shodan

Shodan is commonly known as the “search engine for hackers.” It provides information about various kinds of digital assets and networks that connect to the internet. It can help you find servers, routers, webcams, and more while also giving you their location and who’s using them.

theHarvester

This tool is ideal for gathering email accounts and domain-related information from public sources. It is also useful for those who want to know what a hacker or bad actor can see about their organization.

Recon-Ng

Similar to Maltego, this tool is effective for collecting information about a certain target, but it uses the power of modular tools. It contains numerous modules including DNS and email and web application reconnaissance.

TinEye

If you need information about an online image, this tool is the way to go. You can use it to perform any image-related search on the web including whether an image is available online and where that image has appeared.

Metagoofil

Metagoofil is a command-line tool that you can use to gather the metadata of public documents. Those who use this tool can scan for a specific type of document on a specific domain.

Indeed (for Employers)

Since most people have an Indeed account and keep their resume updated, the investigator must create an account as an employer. With an employer account, it gives access to a full database of resumes. You cannot search names, but you can filter high schools, cities, jobs, and other keywords.

Dehashed

A very powerful tool that allows searches of the Deep Web for breached data. A user can search for Usernames, Passwords, VIN, Email Addresses, IP Addresses, and Names.

Epieos

If you ever obtain an unknown Gmail address, Epieos is a great reverse email search engine that will provide a name, picture, and a link to any reviews that were left on Google Maps.

Pimeyes

If you need to identify a person in a photo or locate all the places where a person’s image may be located on the internet, Pimeyes is one of the best reverse face searches on the market.

A search engine created by Michael Bazzell, that is a “One Stop Shop” of most OSINT search engines on the web. Search the web for usernames, VINs, social media, names, IP addresses, communities, domains, businesses, videos, images, etc.

Of course, the examples given here are just a tiny fraction of what is possible using open source intelligence tools and techniques. There are a huge number of free and premium tools that can be used to find and analyze open source information, with common functionality including:

How PIs can use OSINT

OSINT has a variety of uses in different situations, from uncovering information for security reasons to gathering marketing data, but it is especially useful to private investigators as they filter information for various cases. According to Joseph Jones, “There’s so much information you can gather online; there are very few investigators that OSINT won’t help.” More specifically, OSINT allows PIs to locate targets, their assets such as phones and cars, their coworkers, and even their habits and frequented locations. As Jones pointed out, OSINT also keeps investigators from going into cases blind. It provides the information needed to create a solid surveillance plan. And for Valerie McGilvrey, a skip tracer, author, and speaker, OSINT helps her navigate social media platforms. She says, “Even if someone is deliberately hiding and not doing things to create a record in a professional database, they’ll be found using OSINT because people are just not willing to give up their instant audience.” Just remember that to use any online information as evidence in court, it must be forensically preserved to be considered valid.

Bottom line, if people aren’t found in databases, they can be found with OSINT.” – Valerie McGilvrey