Many newcomers to open source intelligence immediately gravitate towards the tools and become reliant on them rather quickly. This becomes problematic when the tools break, become deprecated, or otherwise unavailable. While automation, collection assistance, and visualization tools can help immensely in an investigation, they cannot analyze the work and do your job for you.
One of my most repeated bits of advice for those new to OSINT or those wishing to improve their current OSINT skills is to go back to the basics, namely the intelligence cycle. This series of articles aims to reframe each phase of the intelligence cycle to show specifically how I apply it during one of my OSINT investigations.
Part One: Planning and Direction
The planning and direction phase of the OSINT intelligence cycle is where an analyst should determine their investigative requirements, outline what questions they are attempting to answer, and make note of any special circumstances that might arise due to the target, the situation, or the platforms that might be used.
At best, going into an OSINT investigation without a plan or direction can cause an investigation to take longer than needed. At worst? An investigator may lack the proper dependencies required for the investigation or risk being detected by the target due to technical oversights. During this phase of the intelligence cycle, I tend to take the following steps:
Identify what question(s) need to be answered:
Write down any questions that need to be answered as part of the investigation and avoid chasing tangents that do not assist in answering these questions. I tend to have one main question to answer, and many smaller questions that when combined may help answer the main question. The main question of “Who is behind this account?” might have subquestions such as: “What is their name?”, “What country are they in?”, “What is their approximate age?”, and "Are they on any other platforms?". Keep in mind it is perfectly fine to add, remove, or modify these questions as the investigation progresses.
Identify what platform(s) may need to be accessed:
Be sure to set up any required accounts and acquire any additional software or hardware before beginning the investigation. Early on, it may not be possible to know all of the platforms a target frequents. However, it is always a good idea to try and identify potential platforms and any prerequisites needed to access them based on the target's currently known information. Most mainstream social media platforms will share the same requirements, usually a sock puppet account and perhaps an email or telephone number for verification. However, if investigating a platform that is home to a small, tight-knit group that tends to be suspicious to outsiders they may have heightened requirements for new joiners. Some groups may require vetting by another member before allowing new users to join, which will require additional setup and prep.
Assess the technical capabilities of the target(s):
It is important to assess a target’s technical capabilities and if that might increase the chances of being detected during the investigation. Knowing how technologically savvy a target is might also offer insight into how likely they are to make technical mistakes. This isn’t always possible to answer in the planning stage, however as the intelligence cycle continues it may become clearer. While it doesn’t hurt to always assume a target contains advanced technological skills, it might not be feasible for every analyst to take state actor level precautions for every target. As a rule of thumb, I suggest taking precautions at a higher level than a target’s perceived technical abilities.
Determine end goal(s):
Set reasonable goals and expectations for the investigations and write them down. What is the expected outcome of the investigation? Will it result in a written report, notifying the authorities, or something else? Knowing the end goal ahead of time will help drive the OSINT investigation. Identifying the end goal(s) help keep an investigation on track and will assist in making decisions during the other phases that may be dependent on the end goals.
The planning and direction phase of an OSINT investigation helps an investigator start off on the right foot by ensuring they have what is needed to begin investigating a target. This phase of the OSINT intelligence cycle is critical to mitigating time lost spent going down unrelated rabbit holes or setting up accounts mid-investigation. Once an investigator completes initial work in the planning and direction phase, it is time to move on to the next phase of the intelligence cycle: Collection.