Welcome to part two of my guide to the OSINT intelligence cycle, if you haven't read part one check it out here. Once an investigator has mapped out their investigative plan and fulfilled all the preliminary requirements uncovered during the planning and direction phase, the next step in the OSINT intelligence cycle is collection.
Part Two: Collection
In most investigations, a great deal of time and effort is devoted to collections and some shops even employ dedicated staff whose sole job is locating and collecting information for investigations. This phase is dedicated to the gathering of information relevant to an ongoing or anticipated investigation.
Without proper data collection an investigation will not have the necessary information for the other phases, which may lead to data gaps and/or inaccurate analysis. I’m not sure who coined the phrase “You don’t know what you don’t know…”, but my first boss frequently leveraged the saying to remind new analysts that if they don’t collect all of the available and relevant information, their final analysis will suffer as a result. Some of my top recommendations for this phase include:
Disassociate From Personal Accounts
By now one would hope this wouldn't have to be reiterated but investigators, including professionals, continue to use personal accounts for OSINT investigations. While everyone has their own threat models, it is highly recommended to never use a personal account for an OSINT investigation. Additionally, apps and social media platforms siphon up a great deal of data that can be used to fingerprint and associate users across accounts. When possible utilize a VPN service, virtual machines, or even dedicated pieces of hardware to ensure you are not tied back to your other accounts. Do not let your sock puppet accounts and your real accounts interact in any way. Following these steps mitigate the risks of other mistakes or oversights that might occur, such as forgetting to turn LinkedIn viewing mode to private or accidentally clicking “like” on a target’s post while scrolling through their feed.
Collect First, Analyze Later
Some posts, stories, or other content posted by the target may be time-sensitive. The collection phase is not the time to pause and reflect on every bit of information encountered, and doing so may cause data to become unavailable should the subject decide to edit or remove it. When finding something relevant to the investigation, save it and then move forward. It is fine to star or make a quick note of something if you are afraid you will miss it later, but save the actual analysis for when all the relevant data becomes available. If there is any doubt on if a data point has value to the investigation, include it.
Start Broad, Then Narrow As Needed
When collecting intelligence I tend to do multiple passes on platforms or search engines. Each pass gets more restricted or filtered down than the one before it, starting with fewer to no keywords or search constraints and then adding them as necessary. Never begin with searches that are too narrow as they may exclude relevant results that aren’t exact matches. If the number of results seem too low or something you expect to find seems omitted, broaden your search and try again. Sifting through false positives is far more preferred than losing relevant data via a false negative.
Set Up Filters And Alerts For Ongoing Collection
Collection is not a one and done phase. Sometimes additional passes of collection are required as the analysis matures and new questions arise. In the case of an ongoing event, new information may periodically become available as well. Setting up filters or alerts on Google, Tweetdeck, or other platforms makes follow-up passes more streamlined. This allows an analyst to focus on other searches while being notified of any changes or new data in previous ones.
Document When And How Pivots Occur
There’s nothing quite like briefing management about the attribution of a target and having them ask “Why do you think this other name or username is the same as the target you are briefing on, they don’t seem related at all?” Remembering how a particular bit of information came to light during the collection phase is important considering that long investigations that contain many users can become unruly rather quickly. Additionally, an analyst never knows when management or an official will question how a specific piece of data was discovered. Screen recording and other specialized software make the process easier, but they are by no means required.
The collection phase of the OSINT intelligence cycle ensures that all relevant data points are made available to those processing and analyzing the information in later phases. Proper collection reduces data gaps and ensures that the final product considers all relevant information. The next phase, Processing, is where the collected raw information is formatted and developed into something more suitable for analysis.