Databases are essential tools in all kinds of investigations, including open-source research (OSINT). Each one serves a different investigative purpose and has its moment to shine.
Databases: Your First Agency Investment
To private investigators in the United States, it’s no secret that subscription databases are the first investment they need to make after hanging their license and insurance certificates on the wall. These databases are essential professional tools in all kinds of investigations, including open-source intelligence (OSINT) research.
While OSINT involves collecting, analyzing, and interpreting information accessible publicly on the Internet and elsewhere, subscription databases are behind a paywall and several layers of protection, from two-factor authentication to IP address monitoring. These databases provide convenience (data aggregated from various public records sources delivered at a lighting speed) and “proprietary intelligence” (unlisted information supplied by commercial entities).
“These databases can be a great launching point with reliable data,” senior threat researcher and OSINT instructor John TerBush commented on a recent OSINT Curious webcast.
In my experience as a private investigator, databases can provide a sharp edge at every stage of your research, especially when your subject is deliberately stealthy or has a very common name.
The first trick is to get access to these services. Unless you’re a PI or a detective for a law enforcement agency, you have no reason to be familiar with TLO, IRBsearch, Tracers, DelvePoint, IdiCORE, CLEAR, or SkipSmasher, to name a few. Some professionals working with investigators, notably lawyers, are accustomed to LexisNexis or WestLaw, which typically offer a lower level of access to personal identifiers.
Professional investigators have to be vetted to gain access to the highest tier of data. They undergo a background check and often submit to a physical inspection of their offices, to show that data is safeguarded, including electronically. They also need to start each session with an affirmation of permissible purpose and compliance with federal laws, such as FCRA and GLBA. But once a private investigator is in, at a cost that isn’t negligible (read: a sizable monthly budget), they have access to a wealth of information that other intelligence professionals around the world only wish they had in their own countries.
A Vital Tool for Steering Your Investigation
As a private investigator specializing in OSINT, I find that professional databases are especially helpful for beginning your research of a person with a very common name in a big metro area. Identifying a recent e-mail address and current cell number can save lots of time locating the right social media account.
I subscribe to several subscription databases and can only talk about the products I know well. All of these databases contain some version of a credit header (the identifying information that accompanies consumers’ credit reports in the U.S.), aggregated civil and criminal records, property records, professional licenses, voting records, vehicle registration in certain states, etc., but each also has its own particular specialty.
How Specific Databases Perform and When to Use Them
My first go-to databases to kickstart an OSINT search are idiCORE and IRBsearch. I find that idiCORE has unique private sources of e-mail addresses and cell numbers. They’ve helped me solve countless cases, including linking a VoIP or burner phone number to an individual.
One strength of IRBsearch is its versatile e-mail search capability. It does require a lot of playing around, however. (For example, if you try to get all the e-mails attached to one residential address, the query often returns “no hit” and needs to be adjusted until you produce results.) Another advantage is that IRB will disclose their source. Once, I was researching someone suspected of workers-comp fraud, and I learned from IRB that, two years before the alleged accident, the subject’s email was used to register an account with a website offering to “help” people prepare a disability claim.
In other cases, when the subject’s e-mail address is linked to many payday loan service or day-trading websites, it can give soft clues about their lifestyle. Once I have identified that active e-mail, I run it through multiple search engines: (eTools and various OSINT tools, depending on the type of search: free (My Life, emailrep.io) or paid (Spokeo, PIPL, etc.)
But while I often find cell numbers from databases to be current (people really like to hang on to their number!), many databases dig up fossilized e-mails from the CompuServe or Netscape eras. Still, those moot e-mails can also be gold. Creatures of habit often recycle old user names (the portion preceding the @) using a different email service, or input them as such to open a social media account. (See the great tools UserSearch.org and What’s My Name.)
Once, on an international child abduction case, an old e-mail led to an online resume of the abducting parent, which indicated where in the world they had settled. (Unfortunately, that country was not a signatory of the Hague Abduction Convention.) Another time, working on a harassment case, I looked for a subject on Reddit and tried every user name possible, using every Google dork I had. I finally ran a user name from a unique, not-so-fresh e-mail address presented to me by idiCORE. It turned out that within the past two weeks, this person had created (and deleted) a Reddit account with that particular username. In lengthy posts, which I managed to retrieve thanks to the Reddit archive (Pushshift.io), this individual was confessing to their entire side of the story and detailing their intentions.
I also find that professional paid databases can give you the context necessary to push an OSINT investigation forward. For instance, when working on fraud cases, social media searches often return very little, as our subjects have learned how to clamp down their Facebook, set their Instagram to private, go stealth on Twitter or TikTok. I find that TracersInfo, a very PI-friendly database, gives me the best data on relatives and associates. Their data goes back to the early ‘80s, if not the ‘70s. They know exactly who your subject has been living with for the past 30 or 40 years.
“Who’s the mom or who’s the girlfriend? Game over,” mused cyber-security expert Daniel Clemens at the Osmosis 2020 conference. It’s not always that simple, as mapping the relatives may require going three or four degrees deep in order to find a break. But a grandmother or a cousin may have photos of our subjects, comments by them, or links to their under-the-radar social media accounts.
Subscription databases are only one tool set, but they remain essential for a timely investigation. For instance, early during the Covid lockdowns in the U.S., I was trying to locate a student in New Jersey who couldn’t be found at his usual dorm, as his campus was shut down. A phone pretext to a relative revealed that he was staying with a sister, but the young man had five of them! Thanks to paid databases, we figured out the addresses of all the sisters. Using a popular dating app and the geolocation sensors on the Chrome browser, I conducted searches within one mile around each home. The student’s live profile popped up in the vicinity of the second sister’s house, and soon after, the process server was on their way.
Are These Fancy Tools Really Necessary?
OSINT purists could interject here and say that a lot of the free, often spammy sources online peddle the same old e-mail data or addresses that private investigators pay a premium for in professional databases. A thorough search using Whitepages.com — not for the phone number, mind you, but to identify family members and neighbors — can turn up wonders. And they have a point, as a good OSINT investigator should be able to stay nimble, leaping here and there without fancy tools. Subscription databases are also famously riddled with antiquated or inaccurate information: You’ll find misspelled names, data of relatives mixed together, wrong apartment numbers, etc.
While all of this is true, even from sour lemons you’ll likely end up making lemonade. Again, each paid database has its specialty and will offer tidbits that can boost your OSINT search in ways that you didn’t expect.
Having grown up in the European Union, where stringent privacy laws make such databases impossible, I am perhaps excessively attached to them. When asked by newly licensed investigators which one to subscribe to, I always recommend at least three. And I try to keep an eye on attempts by lawmakers of all political parties to legislate away access to this paywalled intelligence.
In the context of the fear of “Big Data,” TracersInfo can’t be praised enough for entrusting PIs with all the data necessary, such as full date of birth (or date of death), to help ensure they’re pulling information about the right person and avoiding mistakes. Yet, if access to these databases had to disappear, as much as I would mourn the convenience and the reliable information they offer, I would certainly take comfort in the fact that my favorite and most essential databases will likely remain: subscription media databases such as LexisNexis, Dow Jones Factiva, ProQuest Dialog, and Newspaper.com. These too are essential tools, accessible without a PI license, that prove incredibly useful in all of my cases, especially international OSINT investigations.
About the author:
Emmanuelle Welch, CFE, (@frenchpi) is the founder of French Connection Research, an investigative agency licensed in New York and the District of Columbia which specializes in open-source investigation and transatlantic white-collar crime.