A Louisiana private investigator and process server offers an overview of some simple but lesser-known OSINT techniques.
What is OSINT?
According to the Office of the Director of National Intelligence, Open-Source Intelligence (OSINT) is:
“the publicly available information appearing in print or electronic form including radio, television, newspapers, journals, the Internet, commercial databases, videos, graphics, and drawings.“
The important phrase to focus on here is “publicly available.”
The term “open source” refers to information that is available for the public to access. If specialist skills, hacking, or physical tools are required to access a piece of information, it can’t reasonably be considered open source.
The term “intelligence” refers to the extraction and analysis of data to gain insights, which are then used to inform decisions and actions. Traditionally, OSINT was a technique used by the national security and law enforcement communities. But with more people living online lives via social media, video platforms, and eCommerce, amateur detectives — individually and via crowdsourcing — have deployed OSINT skills to investigate cold cases and gather evidence about Capitol rioters. And investigative journalists are using OSINT to report stories; most notably, citizen-journalists at the collective, Bellingcat, used OSINT to to identify who shot down a passenger jet over Ukraine in 2014 and to track Russia’s alleged war crimes in Ukraine.
Of course, sometimes amateur sleuths also make tragic mistakes.
Crucially, open-source information is not just limited to what you can find using the major search engines. Web pages and other resources that can be found using Google certainly constitute massive sources of open-source information, but they are far from the only sources. Even with manipulation of certain keyword strings and using advanced searching techniques (Google dorking), a huge portion of the internet is still not readily accessible, simply because these websites are not indexed.
These millions of unindexed websites are called the “deep web”. The deep web is the hidden underwater part of the online iceberg. It consists of a huge number of websites, databases, files, and more that for a variety of reasons (including the presence of login pages or paywalls), cannot be indexed by Google, Bing, Yahoo, Duck Duck Go, or any other search engine you care to think of. Despite this, much of the content of the deep web can be considered open-source because it’s readily available to the public. For example, Raidforums dot com, one of the largest deep-web marketplaces for breached data (which was seized by the FBI in April 2022), was accessible to anyone, if you knew where to look.
What type of information is considered OSINT?
Information can also be considered open source if it is:
- Published or broadcast for public viewing. This includes news, radio, podcasts, TV, etc.
- Available to the public by request, such as census data.
- Available to the public by subscription or purchase. This could include industry journals, academic publications, dissertations, conference proceedings, etc.
- Seen or heard by a casual observer.
- Obtained by visiting a certain location or attending a public event.
- Stored in public records databases.
- Government reports, documents, websites, arrest records, and court filings.
- Social networks and social media sites.
- The Internet at large which includes blogs, forums, video and image sharing sites, metadata and digital files, deep web resources, etc.
- Company profiles, annual reports, company news, employee profiles, and resumes.
- Geo-spatial information or maps and commercial imagery products.
What are some common OSINT tools & techniques used by private investigators?
To close things out, we’ll take a look at some of the most commonly used tools for collecting and processing open source intelligence.
Google Dorking
“Google dork” queries are advanced search techniques often used by IT professionals and hackers within Google to exploit weaknesses in a website’s code and extract information. For example, a “filetype:” query narrows search results to a specific file type, and “site:” only returns results from a specified website or domain.
EXAMPLE: “Brandon LaVan” filetype:pdf
This search will specifically search for the name “Brandon LaVan”, and the results will only be in .pdf format.
EXAMPLE: “Lake Charles” site:drive.google.com
This search will specifically search for the term “Lake Charles”, and the results will only come from any Google Drive that is open to the public.
Indeed (for Employers)
I discovered this trick in 2022, and it’s my personal favorite. Since most people have an Indeed account and keep their resume updated, the investigator must create an account as an employer. An employer account gives access to a full database of resumes. You cannot search names, but you can filter high schools, cities, jobs, and other keywords. (FREE)
Dehashed
This powerful tool allows searches of the deep web for breached data. A user can search for usernames, passwords, VIN, email addresses, IP addresses, and names. (PAID)
Epieos
If you ever obtain an unknown gmail address, Epieos is a great reverse-email search engine that will provide a name, picture, and a link to any reviews that were left on Google Maps.
(FREE)
PimEyes
If you need to identify a person in a photo or locate all the places where a person’s image may be located on the internet, PimEyes is one of the best reverse face searches on the market. (PAID)
Save to Contact (Search)
Another little trick I learned when trying to locate a “skip” but only having their cellphone number: Buy a burner phone that you only use for investigations and skip tracing, Save the subject’s number into your phone contacts, then give every social media platform permission to “Find your Contacts.” If the number was used to create an account, you’ll find that account. (FREE)
IntelTechniques Search
This search engine, created by Michael Bazzell, is a one-stop shop for most OSINT search engines on the web. Search the web for usernames, VINs, social media, names, IP addresses, communities, domains, businesses, videos, images, etc. (FREE)
Takeaways
Of course, the examples given here are just a tiny fraction of what is possible using open-source intelligence tools and techniques. There are lots of free and premium tools that can be used to find and analyze open source information, with common functionality including:
- Metadata search
- Code search
- People and identity investigation
- Phone number research
- Email search and verification
- Linking social media accounts
- Image analysis
- Geo-spatial research and mapping
- Wireless network detection and packet analysis
There’s more to open-source research than any one person can ever learn. The good news is there’s a whole deep web out there to explore. It’s a continuing mission, and always an adventure.
*If you’d like to stretch your skills as an OSINT investigator, you can download a free OSINT guide from my blog by clicking here.
About the author:
Brandon LaVan is a licensed private investigator & process server and the owner-operator of Southwest Louisiana Process Service in Elton, Louisiana. His company specializes in locating and serving hard-to-serve subjects in hard-to-serve locations. Brandon currently spends most of his time doing surveillance, open-source intelligence, dark web Investigations, and delivering paper. Prior to becoming a PI in 2019, he had 9 years of law enforcement experience in Jefferson Davis Parish and Calcasieu Parish.