OSINT RSS

Bellingcat pioneered the modern OSINT investigation methodology, proving that open sources can produce intelligence-grade analysis. Their toolkit is a curated collection of free tools organized by investigation type.

Key capabilities:

• Geolocation — tools to determine where a photo or video was taken using landmarks, shadows, vegetation, road markings, and architecture
• Chronolocation — determine when media was captured using sun position, shadow analysis, and metadata
• Verification — reverse image search, metadata extraction, manipulation detection to authenticate media
• Flight tracking — ADS-B data, ACARS messages, and satellite imagery for aircraft investigation
• Satellite imagery — free and commercial sources for monitoring locations over time

Notable investigations:

• MH17 shootdown — identified the exact Russian Buk missile launcher that shot down Malaysia Airlines Flight 17 over Ukraine
• Navalny poisoning — identified FSB agents who poisoned Alexei Navalny using phone metadata and travel records
• Syrian chemical attacks — verified locations and munitions used in chemical weapons strikes
• Uyghur detention camps — used satellite imagery to document construction and expansion of internment facilities in Xinjiang

Bellingcat demonstrated that citizen investigators with the right tools and methodology can hold governments and militaries accountable using nothing but publicly available information.

OpenStreetMap (OSM) contains billions of geographic features mapped by volunteers worldwide. Overpass Turbo provides a query language to search this massive database for specific features — making it an incredibly powerful geolocation tool.

How investigators use it:

• Building identification — query for hospitals, mosques, schools, military bases, or any tagged building type in a region
• Infrastructure matching — search for specific road configurations, railway crossings, bridge types, or power line towers
• Landmark geolocation — find specific feature combinations (e.g., “gas station near a mosque within 500m of a highway interchange”)
• Pattern matching — identify locations based on road patterns, building density, and infrastructure layouts visible in photos

Example queries:

• [amenity=hospital] — find all hospitals in a bounding box
• [military=base] — locate military installations
• [man_made=surveillance] — find mapped surveillance cameras
• [building=mosque](around:1000,lat,lon) — mosques within 1km of a point

Bellingcat developed a simplified OSM search interface that lets investigators query without learning the full Overpass query language. Combined with satellite imagery and ground-level photos, OSM queries can dramatically narrow down a location from a single image.

People reuse usernames across platforms. Sherlock and Maigret exploit this pattern to map a person’s entire online presence from a single username.

Sherlock:

• 400+ platforms — checks username availability across social media, forums, gaming platforms, developer sites
• Fast — scans all platforms in ~45 seconds using async requests
• Simple output — list of confirmed profiles with direct URLs
• 53k+ GitHub stars — the most popular username enumeration tool

Maigret (fork/evolution):

• 2,500+ sites — significantly larger database of checked platforms
• Profile parsing — extracts names, bios, profile pictures, and linked accounts
• Tag-based search — filter by platform category (dating, gaming, crypto, etc.)
• HTML reports — generates visual reports with profile data aggregation
• Lower false positives — uses more sophisticated matching than simple HTTP status codes

Investigation workflow: Start with a known username → run Sherlock for quick hits → run Maigret for deeper analysis → cross-reference discovered profiles → identify connected accounts and real identity indicators.

OPSEC note: These tools demonstrate why using unique usernames per platform and avoiding PII in handles is critical for personal security.

SpiderFoot automates the tedious data-collection phase of OSINT investigations. Instead of manually querying dozens of services, it runs all relevant modules in parallel and correlates the results.

Input types:

• Domain names, IP addresses, subnets
• Email addresses, phone numbers, usernames
• Names, Bitcoin addresses, ASN numbers

What it discovers:

• DNS & infrastructure — subdomains, MX records, NS records, IP history
• Web presence — linked domains, technologies used, web archives
• Data leaks — breached credentials, paste sites, dark web mentions
• Social profiles — accounts linked to emails or usernames
• Threat intelligence — malware associations, blacklists, reputation scores
• Geolocation — IP geolocation, physical address lookups

Two versions:

• SpiderFoot HX — hosted SaaS with a web UI, team collaboration, and scheduling
• SpiderFoot OSS — free, open-source, self-hosted with a local web interface

SpiderFoot is the “automated first pass” in most OSINT workflows — run it first to get a broad picture, then use specialized tools like Maltego for deep-dive analysis on interesting findings.

While Google indexes web pages, Shodan and Censys index the devices and services running on the internet — every open port, every banner, every certificate.

Shodan:

• Banner grabbing — connects to every public IP and grabs service banners (HTTP headers, SSH versions, FTP banners, SMTP info)
• Search filters — port:22, country:US, org:"Department of Defense", product:"Apache"
• Vulnerability detection — identifies known CVEs based on service versions
• Historical data — track how a device’s exposure has changed over time
• Shodan Monitor — continuous monitoring of your own infrastructure

Censys:

• TLS certificate search — find all certificates issued to a domain or organization
• Cloud infrastructure mapping — discover cloud-hosted assets across AWS, GCP, Azure
• Attack surface management — enterprise features for discovering unknown internet-facing assets

What investigators find:

• Unsecured webcams and CCTV systems
• Exposed SCADA/ICS systems controlling critical infrastructure
• Open databases (MongoDB, Elasticsearch) leaking sensitive data
• Default-credential routers and IoT devices
• Military and government systems with unexpected exposure

Aircraft and ships broadcast their positions via ADS-B and AIS transponders. OSINT investigators exploit these broadcasts to track movements that governments and corporations want to keep quiet.

Aircraft tracking:

• ADS-B Exchange — unfiltered feed of all ADS-B data. Unlike FlightRadar24, it doesn’t honor military/government block requests
• FlightRadar24 — largest network of ADS-B receivers, excellent historical data
• ACARS/HFDL — text messages between aircraft and ground stations (receivable via SDR)

Maritime tracking:

• MarineTraffic — real-time AIS vessel positions worldwide
• VesselFinder — alternative AIS tracking with fleet management features
• AIS dark periods — when ships disable transponders, the gaps themselves become intelligence (sanctions evasion, illicit transfers)

Notable OSINT investigations:

• CIA rendition flights — journalists tracked N-registered aircraft making repeated trips to black sites
• Russian oligarch yachts — tracked during sanctions enforcement after Ukraine invasion
• Military exercises — unusual tanker patterns and reconnaissance aircraft reveal operations before official announcements
• North Korea sanctions — ship-to-ship transfers detected via AIS gaps near Chinese ports

Traditional geolocation requires human analysts to manually identify landmarks, signage, and environmental clues. AI geolocation tools like GeoSpy automate this process using computer vision models trained on millions of geotagged images.

How it works:

• Visual feature extraction — identifies architecture styles, road surface types, vegetation species, power line configurations
• Signage & text recognition — reads text in any script, matches to known locations
• Sky & lighting analysis — estimates hemisphere, latitude range, and time from sun position and sky color
• Terrain classification — identifies soil types, elevation patterns, and geological features
• Probabilistic output — returns a confidence score and probability heatmap rather than a single point

Other AI geolocation tools:

• GeoEstimation — academic model from IIIT, open-source
• PlaNet — Google research model that divides Earth into cells and classifies photos
• PIGEON — Stanford model trained on Google Street View, achieves country-level accuracy on 92% of images
• ChatGPT/Claude vision — multimodal LLMs increasingly capable at geolocation reasoning

Privacy implications: AI geolocation means any photo you post — even with metadata stripped — can potentially reveal your location. A single background detail (road sign, building style, vegetation pattern) may be enough.

Before you can investigate an organization, you need to map its digital footprint. TheHarvester and Recon-ng automate the collection of emails, subdomains, and infrastructure details from public sources.

TheHarvester:

• Data sources — Google, Bing, LinkedIn, Twitter, Shodan, DNSdumpster, CertSpotter, and more
• Email harvesting — discovers email addresses associated with a domain from search results, LinkedIn, and other public sources
• Subdomain discovery — finds subdomains via DNS brute force, certificate transparency logs, and search engines
• Virtual host discovery — identifies multiple domains hosted on the same IP

Recon-ng:

• Metasploit-style framework — modular architecture with workspaces, module loading, and a database backend
• API key management — stores and manages API keys for various services (Shodan, VirusTotal, FullContact)
• Modules for everything — contact discovery, credential harvesting, infrastructure mapping, social media enumeration
• Reporting — exports to HTML, CSV, JSON, and integrates with other tools

Typical workflow: theHarvester -d target.com -b all for a quick scan → import results into Recon-ng for deeper enumeration → use Recon-ng modules to cross-reference findings against additional data sources → export to Maltego for visualization.

The OSINT Framework is an interactive mind map that organizes hundreds of free OSINT tools into categories. It’s the starting point for anyone building an OSINT toolkit.

Tool categories:

• Username — Sherlock, Maigret, Namechk, KnowEm
• Email — Hunter.io, EmailRep, Have I Been Pwned
• Domain/IP — WHOIS, Shodan, Censys, SecurityTrails
• Social media — platform-specific search tools, archiving tools
• Geolocation — Google Earth, Overpass Turbo, SunCalc
• Image/video — reverse image search, EXIF viewers, InVID
• Dark web — Tor search engines, paste site monitors, leak databases
• People search — public records, court records, property records

The intelligence cycle for OSINT:

• 1. Planning & Direction — define what you need to know, set scope and objectives
• 2. Collection — gather raw data from open sources using tools
• 3. Processing — clean, organize, and structure the collected data
• 4. Analysis — evaluate data for relevance, reliability, and meaning. Connect dots, identify patterns
• 5. Dissemination — produce and deliver finished intelligence to stakeholders

Key principles: Always verify from multiple independent sources. Document your methodology. Preserve evidence (screenshots, archives). Maintain operational security. Understand legal and ethical boundaries. OSINT is powerful — use it responsibly.