What is OSINT?
And how does Ohlsen Consulting use OSINT in its investigations?
Open Source Intelligence (OSINT)
Open Source Intelligence (OSINT) is the collection of publicly available information to conduct investigations. While some people might think of hacking or illegally accessing confidential information, Ohlsen Consulting realizes that obtaining or using illegally acquired material opens the investigator and the client to ramifications that range from public embarrassment to legal jeopardy. We do not seek to acquire legally protected information.
Ohlsen Consulting uses OSINT techniques in every investigation and prides itself on finding information others don't. The primary categories of OSINT are compiled marketing/peoplesearch sites, social media, intentionally/unintentionally published documents and websites, news coverage, government records, and the deep and dark webs.
Private databases: We use private marketing and aggregation databases like Pipl Pro, Spytox, and MyLife, and investigative databases like LexisNexis and TracersIP, to compile email addresses, phone numbers, addresses, and social profiles.
Social Media: Social media research consists of identifying active and inactive accounts and activity. Accounts are identified using the above peoplesearch databases, web searches, and by searching the networks directly using the phone numbers, email addresses, and other usernames we've compiled. After identifying accounts, we use a variety of search tools to find content. For example, we use 23 different Facebook searches. Privacy is governed by the owner of the original content, so a "locked down" profile may have commented on another page's public content or have been tagged in a photo or video. That content will be visible if the content publisher has set the content to public.
Web Research: A client once asked me to describe what I do. After giving a brief explanation, he asked me, "So you just Google stuff?" My reply? "Well, yes, but I start on page 10." There is much more to web research than simply "Googling it." While all of our web research starts with the biggest search engine on the planet, different engines return different results. Every query is searched in at least two engines, and sites like Startpage.com and DuckDuckGo are used to see Google results without Google's algorithm. We also search FTP servers and sites like Exalead for documents. A decade ago, it wasn't possible to search a certain state's appeals court records by attorney. However, all of the PDFs of decisions were crawled by Google. A site-specific search of the court's website for PDFs that mentioned the target's name returned dozens of cases we would not otherwise have identified.
We also look for sites owned by the target and examine the sites themselves. Are there un-crawled directories or documents hosted on the site? Is there a Google Analytics tracker that we can use to identify other sites owned by the same target?
News Coverage: We search all targets through an "All News" Nexis search (among others). But Nexis doesn't catalog everything. The Wall Street Journal's historical database is also searched, as are local newspaper websites directly. However, one of our favorite resources is Newsbank. Most public libraries allow free remote access with a library card, and the site is a huge repository of smaller newspapers. Google News' newspaper archive and NewspaperArchive.com are also searched.
Public Records: In our opinion, OSINT also includes information published by or requested from government agencies. Over the past decade, the firm has continued to iterate on its request process, ultimately using layers of anonymous LLCs, attorneys, and rotating addresses to maintain our (and our clients') anonymity. The firm has successfully acquired data in all 50 states, including those states with residency requirements. While there are obvious requests (salaries, per diem payments, CAFRs and budgets), there are also less obvious requests that have returned interesting results. By requesting flight manifests and detailed travel receipts, we determined that a public official was traveling regularly on a state-owned plane with the same younger aide but only booking one hotel room. In another instance, decade financial disclosures filed by a target's wife provided the missing connection between the target and questionable foreclosure-and-flips.
The Deep Web & The Dark Web: Only 4% of the internet is accessible through search engines, the so-called "surface web." The other 96% consists of the deep web, or what can't be found through a normal search engine. The dark web, a small subset of the deep web, can only be accessed using special browsers (TOR being the dominant one). The firm uses specialized search engines and the TOR Browser to search the deep and dark web to find content that has not been crawled by the major search engines or that the target is seeking to hide.