The presentation discusses open-source intelligence (OSINT) techniques. It defines OSINT as the collection and analysis of publicly available information to produce actionable intelligence. The presenter outlines the OSINT process, which includes planning, collection, processing, analysis, and dissemination. Various OSINT tools, techniques and frameworks are also discussed, such as using web browsers, text recovery tools, archiving tools, and the multi-layered and mixed-media nature of the internet. The presentation provides an overview of how to effectively perform OSINT investigations.
CapTech Talks--OSINT- Dr. Kellup Charles 10--6-22.pptx
1. Presented by Kellup A. Charles, D.Sc., CISSP
Open-Source Intelligence:
The Process, Method, and Techniques
2. Agenda
Bill Gibbs
Cap Tech Talks Host
1. About Capitol Technology University
2. Session Pointers
3. About the Presenter
4. Presentation
5. Q & A
6. Upcoming Webinars
7. Recording, Slides, Certificate
3. About
Established in 1927, we are one of the only private universities in the state of Maryland specifically dedicated to engineering, cybersecurity, computer sciences and tech management.
4. Nonprofit, Private &
Accredited
Capitol is a nonprofit, private accredited university
located in Laurel, Maryland, USA
Capitol Technology University is
accredited by the Commission on
Higher Education of the Middle
States Association of Colleges
and Schools
The University is authorized by
the State of Maryland to confer
Associate’s (A.A.S.), Bachelor’s
(B.S.), Master’s (M.S., M.B.A.,
T.M.B.A), and Doctoral
(D.B.A.,D.Sc., Ed.D, Ph.D.) degrees.
5. Session Pointers
• We will answer questions at the conclusion of the presentation. At any
time you can post a question in the text chat and we will answer as many
as we can.
• Microphones and webcams are not activated for participants.
• A link to the recording and to the slides will be sent to all registrants and
available on our webinar web page.
• A participation certificate is available by request for both Live Session and
On Demand viewers.
6. Presented by Kellup A. Charles, D.Sc., CISSP
Open-Source Intelligence:
The Process, Method, and Techniques
7. About the presenter: Dr. Kellup Charles
• Chair of Cybersecurity Programs at Capitol
• Professor, Director of Cyber Labs
• Director of Center for Cybersecurity Research & Analysis
• Doctor of Science in Cybersecurity (Capitol Tech. Univ.)
• M.S. in Telecommunication Mgmt. (MD Univ. College)
• B.S. in Computer Science (NC A&T State University)
• 20+ years in government information security
• Creator/Executive Editor of SecurityOrb.com
• CISSP, CCNA, CISA, NSA-IAM, ITILv3
9. Disclaimer
Any views or opinions expressed in this presentation are solely
my own and do not reflect, represent, or associate with my
current and previous employers, including the organizations I
participate in.
• I cannot provide any legal advice or recommendations.
• I do not condone nor encourage malicious behavior, nor do I give permission or
authorization to do anything related to the content of this presentation.
• The information presented is solely for information and educational awareness.
10. AGENDA
• Define and Discuss OSINT Techniques & Methods
• OSINT Process and Framework
• Review OSINT Tools and Techniques
• Future of OSINT
• OSINT Demonstration
11. Dr. Kellep A. Charles
Cybersecurity Chair at Capitol Technology University
www.captechu.edu
Over 25 years as an Information Security Practitioner
Research Areas: Incident Response, Digital Forensics,
Vulnerability Scanners, Open-Source Intelligence
Certified Information Systems Security Professional
Certified Information Systems Auditor
ABOUT ME
12. Journey
• The reconnaissance phase consists of open-source
intelligence (OSINT) gathering techniques to better
understand the target organization and network.
• Collected artifacts from a Digital Forensics and
Incident Response investigation
13. What is Open-Source Intelligence (OSINT)?
● OSINT is primarily used in:
○ national security functions
○ law enforcement functions
○ business intelligence functions
○ Information Security functions
● In the intelligence community (IC), the term
"open" refers to overt publicly available
sources as opposed to "covert" or
clandestine sources (Wire Tapping)
● It is just another arrow within the
investigative analyst process, just like
techniques such as:
○ interviewing
○ surveillance
○ fingerprinting
○ and any number of other techniques open to the
skilled professional investigator or
analyst
The collection and analysis of data gathered from open sources (overt and publicly available
sources) to produce actionable intelligence against a target/mission.
14. OSINT sources can be divided up into six different
categories of information flow:
Media - print newspapers, magazines, radio,
and television from across and between countries.
Internet - online publications, blogs, discussion groups,
citizen media (i.e. – cell phone videos, and user created
content), YouTube, and other social media websites (i.e.
– Facebook, Twitter, Instagram, etc.). This source also
outpaces a variety of other sources due to its timeliness
and ease of access.
Public government data - public government reports,
budgets, hearings, telephone directories, press
conferences, websites, and speeches. Although this
information comes from an official source, it is publicly
accessible and may be used openly and freely.
Professional and academic publications - information
acquired from journals, conferences,
symposia, academic papers, dissertations, and theses.
Commercial data - commercial imagery, financial and
industrial assessments, and databases.
Grey literature - technical reports, preprints, patents,
working papers, business documents, unpublished
works, and newsletters.
OSINT Source Categories
15. OSINT is not a new capability
• Initially, OSINT relied primarily on paper-based resources (libraries and other common paper
media such as newspapers, industry publications, flyers and propaganda)
• Older OSINT research was limited by both the coverage of its information and
the ability of the researcher
• “What you saw was what you got and that was that…”
• The arrival of the Internet and particularly, the explosion in the use of social
media technology changed the status quo
• Created a multilingual, geographically distributed, completely unregulated publishing
platform on which any user could also become an author and a publisher
• The Internet promoted OSINT from a supporting role to finally sit alongside
other more clandestine and less accessible investigative capabilities
The street finds its own uses for things… - William Gibson
16. What threats can OSINT help with?
● As our physical and digital realities are
becoming more and more interlaced,
individuals and organizations are creating
more informational weaknesses and
thereby, more opportunities for an ever-
widening range of attacks and other threats
to occur:
○ Hacking
○ Information leaks
○ Extremist activity
○ Geopolitical threats
○ Fraud
○ Violent attacks
○ Disinformation campaigns
17. •Risk of getting detected:
This concerns the direct contact made by
using active techniques, or third-party
services that may give you away as the
one who performed the search.
•Risk of losing access to that information:
Once they know you’re tracking their steps or
looking for their information, they can
start erasing their own trails and shut
down public data from social networks,
profiles, and the like.
•Risk of becoming the victim:
After all, you can end up being the target of
an investigation, or even worse, the
organization you belong to can suffer
that fate. Great care should be taken
when using active OSINT techniques.
Risks of Performing an OSINT Investigation
18. Sock Puppets
• A Sock Puppet is a fake persona, or an alternative online
identity, used to collect and investigate open-source
information on a target.
• The main goal of the Sock Puppet is to not have the
profile linked back to the investigator.
• This is vital as to provide operational security (OPSEC) to
protect the investigator from retaliation or to prevent
bringing awareness to the target that they are being
investigated by a specific entity.
19. Sock Puppets (cont'd)
• To effectively create and use a functional sock puppet here are a few
recommendations:
• Anonymize the account so that it does not record the original IP address or location
(VPN/TOR/Public Wi-Fi)
• Certain social media platforms may prevent creating an account from a VPN or TOR connection.
In that case, using a public Wi-Fi is recommended.
• When logging in to the sock account, be sure to always use a VPN, TOR or public Wi-Fi; under
no circumstances should the creator use a direct IP address that may link back to them.
• Make the account as legitimate as possible by producing daily activities, using it for a long
period of time and making online connections.
20. Sock Puppets (cont'd)
To effectively create and use a functional sock puppet here are a few recommendations:
• When creating a name for the account, it is recommended to use a fake name generator. In
doing so, the investigator will be provided with an identity of a person that has never
existed. The identity will have a name, address, mother’s maiden name, weight, height, date
of birth, in addition to much other useful information needed to create a person. Female
accounts tend to have more success when creating a sock puppet.
• https://www.fakenamegenerator.com/
• Providing an image is highly recommended. The creator has two options: using a cartoon
avatar, or providing an image of a human that does not exist, generated through the use of artificial
intelligence. Never use a real person’s face, as individuals can use tools such as Google to
identify the photo’s original owner.
• https://thispersondoesnotexist.com/
21. Sock Puppets (cont'd)
To effectively create and use a functional sock puppet here are a few recommendations:
• When creating an email account for the sock puppet, it is recommended to use any email
provider such as gmail.com, mail.com or yahoo.com, to name a few. As previously stated, be
sure the IP address cannot be linked to the creator.
• Obtain a burner cell phone and SIM card that can be used for account verification. Be sure the
phone cannot be linked back to the investigator by paying with cash or a privacy-based credit
card.
• Having more than one sock puppet is highly recommended in case something goes wrong,
the investigator will have an active back-up.
Sock Puppets are important for the protection of the investigator, things change fast in the online world, and it is important the
investigator keep up with the changes.
22. OSINT can be passive or active.
• Passive methods are those that do not involve
interaction with target systems and are not
subject to automatic detection.
> Collecting with a wide and invisible net
• Active methods are data collection where
analysts interact with target systems, which can
involve employing advanced techniques or even
simple interactions, such as registering on an
organization’s website to get materials available
to registered users only.
> Collecting with a trained fishing pole
OSINT Methods
23. The OSINT Process describes the steps of collecting, analyzing, and disseminating
publicly sourced information:
1. Planning and Direction
2. Collection
3. Processing and Exploitation
4. Analysis and Production
5. Dissemination and Integration
OSINT Process
24. OSINT Process: Planning and Direction
1. Planning and Direction
• The first step in the OSINT cycle involves planning the
priorities and requirements for the mission.
• Prior to collecting OSINT, operators should have a clear understanding of the
types of information they need, how to find those sources, and what they hope
to accomplish with the acquired information.
• These precautionary logistics will guarantee the productivity and efficiency of the
operation during the next phases of the OSINT cycle.
25. OSINT Process: Collection
2. Collection
• After proper planning has occurred, the collection of OSINT
can begin.
• OSINT resources include any materials that are freely
available online, such as news articles, social media posts,
and blogs.
• Teams can utilize their preferred collection tools and
resources to obtain this data.
26. OSINT Process: Processing and Exploitation
3. Processing and Exploitation
• Once you’ve acquired your data, you can start processing the information.
• Then, you’ll want to compile it into a common evidence repository, timeline, or report. In this
stage, you’re simplifying the content you’ve found and making it legible for the recipients of
the data.
• Processing the data will help analysts utilize the information more efficiently in the following
steps of the OSINT cycle.
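The "common evidence repository" and "timeline" named in this step are easy to describe and easy to get wrong: an artifact that was collected but never hashed or timestamped cannot be shown, later, to be the same thing the analyst looked at. The following is an added example, not code from the presentation: a minimal evidence repository that records a SHA-256 digest and a UTC collection time for each artifact, can re-verify any item, and lays the items out as a timeline. All URLs and artifact contents are constructed sample data, and the repository keeps bytes in memory as a stand-in for files on disk.

```python
# Added example, not from the presentation: a small evidence repository for the
# Processing and Exploitation step. Every collected artifact is stored with a
# SHA-256 digest and a UTC collection timestamp, so later steps can prove the
# content was not altered and can lay the items out as a timeline.
# All URLs and artifact contents below are constructed sample data.
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone


@dataclass(frozen=True)
class EvidenceItem:
    item_id: str       # sequential id assigned by the repository
    source_url: str    # where the artifact was collected from
    collected_at: str  # ISO-8601 UTC timestamp of collection
    sha256: str        # digest of the raw bytes as captured
    note: str          # analyst's note on why the item matters


class EvidenceRepository:
    def __init__(self):
        self._items = []
        self._blobs = {}   # item_id -> raw bytes (stand-in for files on disk)

    def add(self, source_url, content, note="", collected_at=None):
        """Record an artifact; the digest is taken at the moment of collection."""
        when = collected_at or datetime.now(timezone.utc)
        item = EvidenceItem(
            item_id=f"E{len(self._items) + 1:04d}",
            source_url=source_url,
            collected_at=when.isoformat(),
            sha256=hashlib.sha256(content).hexdigest(),
            note=note,
        )
        self._items.append(item)
        self._blobs[item.item_id] = bytes(content)
        return item

    def verify(self, item_id):
        """Recompute the digest of the stored bytes and compare with the record."""
        item = next(i for i in self._items if i.item_id == item_id)
        return hashlib.sha256(self._blobs[item_id]).hexdigest() == item.sha256

    def timeline(self):
        """Items in collection order, regardless of the order they were added."""
        return sorted(self._items,
                      key=lambda i: datetime.fromisoformat(i.collected_at))

    def manifest(self):
        """JSON manifest suitable for handing to the analysis team."""
        return json.dumps([asdict(i) for i in self.timeline()], indent=2)


def build_sample_repository():
    """Populate a repository with three constructed artifacts, added out of order."""
    utc = timezone.utc
    repo = EvidenceRepository()
    repo.add("https://example.com/about", b"<html>About Example Corp</html>",
             note="company overview",
             collected_at=datetime(2022, 10, 6, 14, 5, tzinfo=utc))
    repo.add("https://social.example/post/123", b"constructed post text",
             note="public post by the account of interest",
             collected_at=datetime(2022, 10, 6, 13, 50, tzinfo=utc))
    repo.add("https://example.com/careers", b"<html>Careers</html>",
             note="lists technologies in use",
             collected_at=datetime(2022, 10, 6, 14, 20, tzinfo=utc))
    return repo


if __name__ == "__main__":
    print(build_sample_repository().manifest())
```

The digest is computed when the item enters the repository, not when the report is written, so any later change to the stored bytes is caught by verify(). The timeline sorts on the parsed timestamp rather than on the string, so items collected in different sessions still order correctly.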
27. OSINT Process: Analysis and Production
4. Analysis and Production
• After the initial processing of the collected data, your teams will then need to
perform an in-depth analysis of the information.
• This is a crucial step in the OSINT cycle, as it will allow your teams to use the data
they’ve acquired to interpret and anticipate events.
• Operators can organize their analyzed information into a detailed document or
presentation, which will be read by a designated audience.
28. OSINT Process: Dissemination and Integration
5. Dissemination and Integration
• The final step in the OSINT cycle entails delivering the collected and analyzed intelligence to
the proper stakeholders.
• Analysts then receive feedback, which dictates whether the OSINT cycle should begin again.
• Following the proper procedures of the OSINT cycle can guarantee the success of your open-
source online research and investigations.
29. OSINT Framework
What is the OSINT Framework?
A great place to start is the OSINT
Framework, put together by
Justin Nordine. The framework provides
links to a large collection of resources
for a huge variety of tasks from
harvesting email addresses to
searching social media or the dark web.
31. OSINT Foundation: Multi-Layered
There are three layers to the Internet - the surface,
the deep, and the dark web.
1. The Surface Web - Everything you see on
the surface of the internet while online forms
part of the "surface web", which comprises just 4%
of the entire net. The data available on the surface
is purposely indexed by search engines, and this is
the reason you can access it easily compared
to information on other web layers.
2. The Deep Web - forms 95% of the net and
includes data that is not indexed by search engines and
therefore cannot be found through them.
3. The Dark Web - includes sites designed to
be hidden which mostly have TOR (The Onion
Router) URLs that are impossible to remember,
guess or understand. TOR websites aren’t popular,
and they are not accessible without using specific
software programs, as a great deal of data is
encrypted and hosted mostly anonymously. On the
dark net, there are sites related to black-
markets and illegal activities.
● Link to the Hidden Wiki:
http://zqktlwiuavvvqqt4ybvgvi7tyo4hjl5xgfuvpdf6otjiycgwqbym2qad.onion/wiki/
32. OSINT Foundation: Cyber Geography
With cyber geography, just like physical geography, the Internet has its own unique
regions based upon linguistic divisions
• Research has shown that about 50% of searches on Google are for information about
services that are in the same geographic location as the user
• Results are ordered according to the physical geography of the user
• Use "no country redirect" (NCR) when conducting searches across multiple cyber geographies, so results are not localized to the investigator's own region
33. OSINT Foundation: Mixed Media
• Mixed medium at the layer of the user
experience
• The Internet (surface, deep or dark) is
not made-up of one single technology
• Complex mixture of searching and
display technologies
34. OSINT Foundation: Tangibility
• The Internet is actively distinguished from the real world
• The Internet has become so deeply intertwined with our daily lives
• For many users, particularly within western economies, access to the Internet is as
important as the provision of a stable electricity grid or clean water supply
35. Web Browsers
● Default web browsers (not highly recommended)
● Google Chrome or Firefox (preferred, flexibility
and extendibility)
● Flexibility: tabbed browsing is the term used
to describe the functionality within web browsers
that allows multiple pages to be open within one
web browsing window
● This functionality allows the investigator to have
multiple windows open at any one time.
● The benefit of mastering tabbed browsing across
two separate web browsers is that multiple
investigative threads can be followed and cross
referenced by the investigator
● This approach can prove invaluable, especially if
combined with a dual monitor display.
● Extendibility: with add-ons, Chrome and especially
Firefox can have their functionality hugely
extended by the addition of small pieces of software
called "add-ons".
● Find add-ons:
○ Chrome: chrome.google.com/webstore/category/extensions
○ Firefox: addons.mozilla.org
36. Free Form Text Data Recovery Tools
Resurrect pages - its function, as
described by the provider: "What do
you do when a page is dead but you
still want to see it? Call in the clerics
and perform a resurrection!"
Memento Fox - its function, as described
by the provider, is time travel for the
web. Memento Fox implements the
Memento protocol that links resources
with their previous versions automatically,
so you can see the web as it was in the
past.
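Memento Fox works because the Memento protocol (RFC 7089) lets an archive publish a "TimeMap": a list of every archived copy of a page, each with its capture time, in a plain link format. Knowing what that list looks like helps an investigator judge how complete an archive's coverage of a page is. The following is an added example, not code from the presentation or from the Memento Fox add-on: a parser for a TimeMap in the RFC 7089 link format, plus a helper that picks the archived copy nearest a date of interest. The TimeMap text is constructed sample data on a fictional archive host.

```python
# Added example, not from the presentation or the Memento Fox add-on: a parser
# for a Memento TimeMap in the link format specified by RFC 7089, plus a helper
# that picks the archived copy (memento) closest to a date of interest. The
# TimeMap text is constructed sample data on a fictional archive host.
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

SAMPLE_TIMEMAP = """\
<http://example.com/>;rel="original",
<http://archive.example/timemap/link/http://example.com/>; rel="self"; type="application/link-format"; from="Tue, 20 Jun 2000 18:02:59 GMT"; until="Wed, 09 Apr 2008 20:30:51 GMT",
<http://archive.example/timegate/http://example.com/>; rel="timegate",
<http://archive.example/web/20000620180259/http://example.com/>; rel="first memento"; datetime="Tue, 20 Jun 2000 18:02:59 GMT",
<http://archive.example/web/20051110101530/http://example.com/>; rel="memento"; datetime="Thu, 10 Nov 2005 10:15:30 GMT",
<http://archive.example/web/20080409203051/http://example.com/>; rel="last memento"; datetime="Wed, 09 Apr 2008 20:30:51 GMT"
"""

# One link: <uri> followed by zero or more ;name="value" parameters. Values are
# quoted, so the commas inside RFC 1123 dates do not split a link apart.
LINK_RE = re.compile(r'<([^>]+)>\s*((?:;\s*[\w-]+="[^"]*"\s*)*)')
PARAM_RE = re.compile(r'([\w-]+)="([^"]*)"')


def _as_utc(text):
    """Parse an RFC 1123 date such as 'Tue, 20 Jun 2000 18:02:59 GMT' to aware UTC."""
    dt = parsedate_to_datetime(text)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def parse_timemap(text):
    """Return {'original': url, 'timegate': url, 'mementos': [(datetime, url), ...]}.

    Mementos are sorted by capture time; 'first memento' and 'last memento'
    relation types are treated like any other memento.
    """
    result = {"original": None, "timegate": None, "mementos": []}
    for uri, params in LINK_RE.findall(text):
        attrs = dict(PARAM_RE.findall(params))
        rels = attrs.get("rel", "").split()
        if "original" in rels:
            result["original"] = uri
        elif "timegate" in rels:
            result["timegate"] = uri
        elif "memento" in rels:
            result["mementos"].append((_as_utc(attrs["datetime"]), uri))
    result["mementos"].sort()
    return result


def closest_memento(mementos, target):
    """URL of the memento whose capture time is nearest to target (aware datetime)."""
    if not mementos:
        return None
    return min(mementos, key=lambda m: abs(m[0] - target))[1]


if __name__ == "__main__":
    tm = parse_timemap(SAMPLE_TIMEMAP)
    for when, url in tm["mementos"]:
        print(when.isoformat(), url)
    print(closest_memento(tm["mementos"], datetime(2006, 1, 1, tzinfo=timezone.utc)))
```

Gaps in the sorted memento list are themselves a finding: a page with no capture between 2000 and 2005 cannot be used to say what it looked like in 2003, whatever the add-on displays for that date.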
37. Archiving and Preservation Tools
● YouTube video downloader express -
allows the download of YouTube videos
in various formats. Once installed in
Firefox, a button appears under the
YouTube video. In an investigation, it is
used for archiving relevant YouTube
videos to the user's home computer. As
YouTube videos can be taken down at
any time, this is a great tool for
preserving videos.
● Abduction webpage screenshot
screen capture - allows the user to take
screenshots of a specific section of a
web page. Once installed in Firefox, it
can be found using right click menu >
save page as image. In an investigation,
it can preserve individual images or
whole pages in a logical manner.
Note: this tool is not a forensic-grade image
capture tool.
● Saved text to file - saves selected text
to a text file. Once installed in Firefox, it
can be found by right click menu > save
text to file. In investigations, it is handy
for making notes and memos as an
investigation progresses.
38. Images
● The first tool is Search by Image in Google. Its
function, as described by the provider, is to
access Google image search. Once installed
in the Firefox browser, use the right-click menu >
Search Google with this image. In an investigation, it
is useful for finding related or similar images,
e.g. more pictures of the same individual.
● The second tool is tineye reverse image search.
TinEye is the original reverse image search
engine, using image recognition with a growing
index of billions of images. You can use TinEye
to find out where an image came from, how it is
being used, if modified versions of the image
exist, or to find a higher resolution version
39. Meta Search Engines
Search engines, such as Google and Bing, can be described as single source intelligence
and using single sources of intelligence, within the context of an investigation, is
generally considered to be a bad thing.
So if that is the problem, what is the solution?
Meta search engines are search engines that query other search engines and aggregate the
results. They can be divided into early-stage investigative tools and mid-to-late
stage investigative tools.
40. Meta Search Engine Tools (cont'd)
The following meta search engines can be reached by Googling the name :
• Zula
• Dogpile
• Poly meta
Zula - its source search engines are Google, Yahoo and Bing. It queries the largest number of single source
search engines and presents them using tabbed browsing. It also provides a useful breadcrumb display of
previously used search strings.
Dogpile - its source search engines are Google and Yahoo. Nothing special, apart from being a fast tool for a
meta browser.
Ali meter - its source engines are Google, Yahoo, Bing, and Ask. It has a very useful concept-mapping feature.
Carrot 2 clustering engine - its source engines are Google and Bing. It has a unique approach to visualizing tag
clouds of search results.
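The work a meta search engine does after querying its sources is merging: the same page often comes back from different engines with different capitalization, a trailing slash, or tracking parameters attached, and an aggregator that does not normalize those would show one page three times and rank it below a page seen once. The following is an added example, not code from the presentation or from any of the engines it names: the aggregation step written to run offline over constructed result lists from fictional engines, merging on a normalized URL and ranking by how many engines returned each page.

```python
# Added example, not from the presentation or any of the engines it names: the
# aggregation step a meta search engine performs, written to run offline. Result
# lists from several engines (constructed sample data, fictional engine names)
# are merged on a normalized URL, so the same page reached through different
# tracking parameters or capitalization counts once, and ranked by how many
# engines returned it.
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

TRACKING_PREFIXES = ("utm_", "fbclid", "gclid")


def normalize_url(url):
    """Canonical form used as the merge key: lowercase scheme/host, no fragment,
    tracking parameters dropped, remaining query sorted, trailing slash removed."""
    parts = urlsplit(url.strip())
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if not k.lower().startswith(TRACKING_PREFIXES)]
    path = parts.path.rstrip("/") or "/"
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), path,
                       urlencode(sorted(query)), ""))


def aggregate(results_by_engine):
    """results_by_engine: {engine: [(url, title), ...]} in each engine's own rank order.
    Returns a list of dicts ordered by number of engines, then the best rank seen."""
    merged = {}
    for engine, hits in results_by_engine.items():
        for rank, (url, title) in enumerate(hits, start=1):
            key = normalize_url(url)
            entry = merged.setdefault(key, {"url": key, "title": title,
                                            "engines": set(), "best_rank": rank})
            entry["engines"].add(engine)
            entry["best_rank"] = min(entry["best_rank"], rank)
    ordered = sorted(merged.values(),
                     key=lambda e: (-len(e["engines"]), e["best_rank"], e["url"]))
    for e in ordered:
        e["engines"] = sorted(e["engines"])
    return ordered


# Constructed sample output of three fictional engines for the same query.
SAMPLE_RESULTS = {
    "engine_a": [
        ("https://Example.com/about?utm_source=a", "About Example Corp"),
        ("https://news.example/story/42", "Example Corp opens new office"),
    ],
    "engine_b": [
        ("https://example.com/about/", "About Example Corp"),
        ("https://blog.example/posts/7#comments", "Notes on Example Corp"),
    ],
    "engine_c": [
        ("https://news.example/story/42?fbclid=xyz", "Example Corp opens new office"),
        ("https://example.com/about", "About Example Corp"),
    ],
}

if __name__ == "__main__":
    for e in aggregate(SAMPLE_RESULTS):
        print(len(e["engines"]), e["best_rank"], e["url"], e["engines"])
```

Agreement between independent engines is the signal this ranking rewards, which is the same reason the slide prefers several sources over one: a page only one engine knows about is not wrong, but it deserves a second look before it is cited.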
41. OSINT Virtual Machine (VM)
● Trace Labs created a specialized OSINT
VM specifically to bring together the most
effective OSINT tools and customized
scripts
● Built to enable OSINT investigators to get
started and have access to the most
popular OSINT tools and scripts all neatly
packaged under one roof.
● https://www.tracelabs.org/
42. To address these challenges, OSINT tools must:
• Improve data coverage by providing access to relevant sources, including fringe web
spaces, that are not commonly available through commercial, off-the-shelf vendors.
• Leverage machine learning capabilities – Artificial Intelligence (AI) is a major priority for
governments, helping analysts process and contextualize intelligence more efficiently.
• Be intuitive and user-friendly for lower-level intelligence analysts, providing more efficient
workflows and better speed-to-information.
OSINT Tool Requirements
43. Artificial Intelligence: The Future of OSINT?
• “OSINT AI” should not be confused with “OSINT
automation.” For many decades already, numerous
automated scripts, apps and services have been
developed in the open-source intelligence world.
• Machine vision, learning, natural language processing
(NLP), autonomous machines and robotics.
• Perfect ally for boosting OSINT processes when it comes
to reconnaissance, information collection, analysis and
filtering large amounts of data.
• Government and intelligence agencies are already using
AI to help with their social collection efforts. Military
forces, in particular, rely on AI to help them succeed in
fights against terrorism, cyber-attacks, fake
propaganda, and national security, amongst many others.
44. Conclusion
● Both amateur and professional criminals
are using sophisticated strategies and
seemingly innocuous networks to conduct
illicit business.
● More and more media networks are being
infiltrated and used outside their intended
purposes.
● Evolving threats require predictive and
intelligence-led security strategies.
● Security teams must gather intelligence
from every corner that they can.
● Open-source threat intelligence software
is essential for any enterprise using public
data sources to inform their decision-
making.
● Not only can OSINT help protect against
hidden intentional attacks such as
information leaks, theft, and fraud, but it
also has the ability to gain real-time and
location-based situational awareness to
help protect people at work, at events,
institutions, or even the shopping mall.
46. Upcoming Webinars
• The Occupational Safety and Health Emphasis on Mental Well-Being - Darin Dillow - Feb. 16, 2023
• Physics-Informed Machine Learning: The Next Evolution in Neural Network Development - Dr. Karriem Perry - Nov. 17
• Transformational Leadership: Leading and Following from the Front - Dr. Reginald Freeman - Jan. 19, 2023
48. Recording, Slides & Certificate
A copy of the slides and a
link to the recording will be
sent to all registrants.
Watch for an email
A Certificate of Completion
is available upon request to
both live session and On
Demand viewers
Simply reply to the email
49. Thanks for Joining Us!
Thank You!
This concludes today’s webinar
Watch for a follow up email that contains:
1. How to get a Participation Certificate (Available by
request for both Live Session and On Demand
viewers)
2. Link to the webinar recording and slides